zgrat | 1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990

Analysis

max time kernel
292s
max time network
294s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 04:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe
Size

1.3MB
MD5

3aa73406f878b7cb213e654a047d8399
SHA1

353e7abd8a726c1be6ae7e2a44bd0f3a6d1c9566
SHA256

1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990
SHA512

509bf6807db0ee461bc0cd9c2c79a37a9e09ac3e43f489be5ba0cb9da60a4e4d15c5d1b2e581c455e90138cefc8638decac4f4c43c83113feb625be789c1cda9
SSDEEP

24576:HNZ7Kb9pbvRPXtpsCvqrpLTZrOv7eMfLgP3BJzDWGbMf30yF+fvVH:t0bn7R/tV8tTZrOTeMfMP3BJuGbW+fvt

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 32 IoCs

resource	yara_rule
behavioral1/memory/920-59-0x0000000000F40000-0x000000000101C000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-61-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-71-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-77-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-119-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-109-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-107-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-117-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-115-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-113-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-111-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-105-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-103-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-101-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-99-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-97-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-96-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-91-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-89-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-87-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-85-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-83-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-81-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-79-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-93-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-75-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-73-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-69-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-67-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-65-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-63-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1
behavioral1/memory/920-60-0x0000000000F40000-0x0000000001017000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2832 created 1192	2832	Pension.pif	21
PID 2832 created 1192	2832	Pension.pif	21
PID 2832 created 1192	2832	Pension.pif	21

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2832	Pension.pif
920	RegAsm.exe
5452	SwiftCraft.pif

Loads dropped DLL 3 IoCs

pid	Process
2644	cmd.exe
2832	Pension.pif
920	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1844	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2692	tasklist.exe
2524	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
552	PING.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
8020	powershell.exe
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	tasklist.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	920	RegAsm.exe
Token: SeDebugPrivilege	8020	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2832	Pension.pif
2832	Pension.pif
2832	Pension.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif
5452	SwiftCraft.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2644	2160	1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe	28
PID 2160 wrote to memory of 2644	2160	1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe	28
PID 2160 wrote to memory of 2644	2160	1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe	28
PID 2160 wrote to memory of 2644	2160	1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe	28
PID 2644 wrote to memory of 2524	2644	cmd.exe	30
PID 2644 wrote to memory of 2524	2644	cmd.exe	30
PID 2644 wrote to memory of 2524	2644	cmd.exe	30
PID 2644 wrote to memory of 2524	2644	cmd.exe	30
PID 2644 wrote to memory of 2656	2644	cmd.exe	31
PID 2644 wrote to memory of 2656	2644	cmd.exe	31
PID 2644 wrote to memory of 2656	2644	cmd.exe	31
PID 2644 wrote to memory of 2656	2644	cmd.exe	31
PID 2644 wrote to memory of 2692	2644	cmd.exe	33
PID 2644 wrote to memory of 2692	2644	cmd.exe	33
PID 2644 wrote to memory of 2692	2644	cmd.exe	33
PID 2644 wrote to memory of 2692	2644	cmd.exe	33
PID 2644 wrote to memory of 2860	2644	cmd.exe	34
PID 2644 wrote to memory of 2860	2644	cmd.exe	34
PID 2644 wrote to memory of 2860	2644	cmd.exe	34
PID 2644 wrote to memory of 2860	2644	cmd.exe	34
PID 2644 wrote to memory of 2448	2644	cmd.exe	35
PID 2644 wrote to memory of 2448	2644	cmd.exe	35
PID 2644 wrote to memory of 2448	2644	cmd.exe	35
PID 2644 wrote to memory of 2448	2644	cmd.exe	35
PID 2644 wrote to memory of 2508	2644	cmd.exe	36
PID 2644 wrote to memory of 2508	2644	cmd.exe	36
PID 2644 wrote to memory of 2508	2644	cmd.exe	36
PID 2644 wrote to memory of 2508	2644	cmd.exe	36
PID 2644 wrote to memory of 2472	2644	cmd.exe	37
PID 2644 wrote to memory of 2472	2644	cmd.exe	37
PID 2644 wrote to memory of 2472	2644	cmd.exe	37
PID 2644 wrote to memory of 2472	2644	cmd.exe	37
PID 2644 wrote to memory of 2832	2644	cmd.exe	38
PID 2644 wrote to memory of 2832	2644	cmd.exe	38
PID 2644 wrote to memory of 2832	2644	cmd.exe	38
PID 2644 wrote to memory of 2832	2644	cmd.exe	38
PID 2644 wrote to memory of 552	2644	cmd.exe	39
PID 2644 wrote to memory of 552	2644	cmd.exe	39
PID 2644 wrote to memory of 552	2644	cmd.exe	39
PID 2644 wrote to memory of 552	2644	cmd.exe	39
PID 2832 wrote to memory of 1388	2832	Pension.pif	40
PID 2832 wrote to memory of 1388	2832	Pension.pif	40
PID 2832 wrote to memory of 1388	2832	Pension.pif	40
PID 2832 wrote to memory of 1388	2832	Pension.pif	40
PID 2832 wrote to memory of 1840	2832	Pension.pif	42
PID 2832 wrote to memory of 1840	2832	Pension.pif	42
PID 2832 wrote to memory of 1840	2832	Pension.pif	42
PID 2832 wrote to memory of 1840	2832	Pension.pif	42
PID 1388 wrote to memory of 1844	1388	cmd.exe	43
PID 1388 wrote to memory of 1844	1388	cmd.exe	43
PID 1388 wrote to memory of 1844	1388	cmd.exe	43
PID 1388 wrote to memory of 1844	1388	cmd.exe	43
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 2832 wrote to memory of 920	2832	Pension.pif	45
PID 920 wrote to memory of 8020	920	RegAsm.exe	46
PID 920 wrote to memory of 8020	920	RegAsm.exe	46
PID 920 wrote to memory of 8020	920	RegAsm.exe	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe
  "C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Fancy Fancy.cmd && Fancy.cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2524
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 1191
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "LightsListingConnectivityDown" Replica
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Effect + Competition + Ict + Believe + Harassment + Bios + Burst + Toolbox 1191\R
      4⤵
      PID:2472
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1191\Pension.pif
      1191\Pension.pif 1191\R
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F
    3⤵
    - Creates scheduled task(s)
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & exit
  2⤵
  - Drops startup file
  PID:1840
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1191\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1191\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm' -Value '"C:\Users\Admin\AppData\Roaming\RegAsm.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8020

C:\Windows\system32\taskeng.exe
taskeng.exe {F0D3C356-7D51-4AA5-BE8E-9217E444EDDD} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
PID:5220
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js"
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif
    "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif" "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\T"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1191\Pension.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1191\R

Filesize
898KB

MD5
082fc64ab12fe5617c2d1c39e47087e8

SHA1
b2cb6d76b71c901c9b08442c53b3d703ebfeea90

SHA256
d59d26bd3c8b5180f0edafce17cecf6c4bc1ceb313454d8f89e06faa74451ccb

SHA512
4dc0e23d2302e354ed39d754a6ef71110d8f02cc5bb7d120be6785e8980c79dc1f963b8a524fcf19d77b870a624da08ab53cb2edb7f6516e96f09565f56ffa70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Believe

Filesize
171KB

MD5
84b8963d6e0be7253c0f7439184ede19

SHA1
75c4c2de0abbab955ffdbd3b80750fd6c59db410

SHA256
f1626970f2bb7e4521b5ee25f917d7b32be0fc24c531149f93a9207586a2aa2b

SHA512
429cca6b0ec71446101717c5e164fc028e3f3b7f57e01d23ccae5d8865d0db11db9aeac202b02125d5af0ef0be99bec1574beb5cd3d52b2dd8618e0d26143c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bios

Filesize
152KB

MD5
3826c7267e6a33cf0a5caf693ff35467

SHA1
eccec823ab4020e55d96c038e2d4d14042b36b37

SHA256
aaa85412f35cbe97f7c02cd2cf4d8c019ac97ac89c3642915dfa9099027b7472

SHA512
c16705362793d591b3f79fd5ea657cd547797d43e1b0a4f703a7d3108e84f3b91b5a613b589f4ebeb6e5b4c55b33f66c003959226b33b4f7f2f2a842e4449f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Burst

Filesize
118KB

MD5
bab73e006009d7a5625e672db9ccd5db

SHA1
eeb7561ab415280608b9e9484d31eb23768150a5

SHA256
3180abd2fb794069731125550ea3e0a6eb71084494a9aef3388699d1df2948c2

SHA512
56e84a6ec40deef4c377191df32090d3cc783630814aecf3585b13c7a6320d5330320246f5bb8424619d5dba16763365d4eab9bc9c39b41512571408d0feef21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Competition

Filesize
20KB

MD5
091aae3bd1f07f9e174f53c654c6ed3d

SHA1
68c2da6fca30e5c65f1b286ccf132a6ae7aa71be

SHA256
df762e720c90c439eb5a1ca9af2c6e71bdcc2176bc5678652aea14a01c1d8871

SHA512
63b5280c48ede31e6b1deefa04c88430bc7a322416bcea309a4a03255548a90126a9a27fe1204d18c14844bc758b622ed2f3b932c3b67b982f1d9ff2adb58382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cumshots

Filesize
180KB

MD5
6c623f377545d7205643ccd91755c153

SHA1
be36fe56d62c76b98507e74350a6914d327de2fd

SHA256
25973305f172e577eecf44115e1d474144a206620458592eee2ad262e4337e9b

SHA512
48ed4b6bacdf8ee9975a47d80f51e93d6f148f4a3864fbc5b9b1b0ee6ff157f79d790d961b93f7efdab9384df23afd065b2f0b8ce772f78d6cfab38ed99a6e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Effect

Filesize
160KB

MD5
662fde8634083a5a8a69e1e234858975

SHA1
b3c7b309ac3acd5f1eb2d5f03b58fc291be9a09c

SHA256
94fea62ec238e1035e6e728c2d3508166b5fa0bab4a43758de5bcc7db73b0bfb

SHA512
6304ed20d7b535e9dbccd5421059b305c53fb7a2d7975d57f181355927baead267f14bb3467959ee4ddf58de19bc992ef9c4a6d174705114d3a5ff65ad290a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fancy

Filesize
11KB

MD5
a7e06544f9ad7d58c5705cf1874e03cb

SHA1
a8fff3c4f688fc4f496058d2575115241c958d78

SHA256
bff5faf70466a49e899282fc84ec428790348d1b141dc3a98e46baa492ce58f2

SHA512
b0a165e5c60f8f7908080e055fc3f4a43d7773e84a9f6dfd2761f51a4663ffaafff08d3ebddbbc0c7b9a5bcb1d49026fe3713ae48fa223c1c96cb5511170f50d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Harassment

Filesize
73KB

MD5
b5bb3d9ed2e6d7354c5725b9667fa6e8

SHA1
3742b76d1cad7ad7d6c5c52b444951f7d6830d68

SHA256
f94a7a0952b8929d4b6d4c3af214ad4e50df119a126950263585721ad2a4a9e9

SHA512
426bb2323ab1faeaa6181242b9df0191c153a95b5c1376fbcb1e0b32b68b6cd7ef0d3ae1de17132eb444704d0fcad126796a99164ce132f18777f54563667a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Heater

Filesize
173KB

MD5
6007a8ca0455cf69278da9b4b6cb9a12

SHA1
27084504d3c62f1a20ec1b6602327e7def4546fb

SHA256
7d282ee47798d0a129c2961079d94cbebc9940bcbb4d5a39fe464fefc10accf7

SHA512
f5c9c5f9f556807109ab30dd8373b627034fab72e4f397bb86fa6128fb00223bd4ce4554e97d72fc448643c6798fa45c9291c5c98ca233448cac2aea4203531f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Historical

Filesize
113KB

MD5
8846c829752abfd71bbe95f4ee589929

SHA1
18fa430e7d3a520c20bc5ba1361eec701031924c

SHA256
92421a7f7a3b71741f311e57668ec22c1939a4195a066d3cbc6217d7a1b1d5bd

SHA512
3b41b1d3a43df6d873ba826c51a2c421166eeb84749bbd123340caa280a23468f5468e778e02ab73a7565dcef13955748ac5b5a13791e72f5ef6a641d13544f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ict

Filesize
94KB

MD5
dbc4328fcde80bcda7e50313566525cd

SHA1
fe7b8321ae72c5c5148197cf48e8bc986b4f6f3c

SHA256
efe093a2edd597859c6aee6da0b862ff9a75d54cd4b3d0492f7cdf63128a5e85

SHA512
c6f0d8cecfbc7ef137899a8b0512e6efb9bc5f92844845e5744624aa78c2de1f57622c5f43cdd09f1a8cb75ef51fdb70023226c816fccf32777fd5be2e3fe875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Julie

Filesize
199KB

MD5
88f4d8dbbf1686993d6bbfe5cafc7bec

SHA1
a91f8cfdba4fcc5b13404a20d83e6f2971b9dda7

SHA256
58967b46f82093849e3236b019212c4c7e24b1585e46f5549dcad9ff03eb1a84

SHA512
0895da59e9049ec87db8f41e806b36bf2cb248cf522f0ae3114774ff020b68a1093db4c0dfcb3f7b8c19752ec4d80a4f48dab5ab092a7c90dfadcc5c36a6f45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Replica

Filesize
198B

MD5
cf00f4e9240c539bbf64a1c20def7263

SHA1
9aa53cc59aaa7580a85c36a50659759683074568

SHA256
b90e8420622d3497b0e95496dff0c5f9ca72242aa8ae846d2f71ae85c97bf3c3

SHA512
2049857847148a83d295c6cd9485e3dbcb6cc165ac909fb1011e5b9fba78e2afbc1764b0bc06d0eba616080262248e6788cac115d7338e31179a3b4e1097b9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rewards

Filesize
13KB

MD5
00335905a2a89de13de6c2421575eee3

SHA1
e472af8bbc0ae7729c3a298d87721ae3f079de0e

SHA256
a5a998f37aaad218f989da68e0912fa7661340884b1a421f96e74204e915e87d

SHA512
85e9e5d774284298bab638330831ccd504f617064307548dc917d290482e9c09612493bb6a696b0f25cd45d885591804d33f978c617fa88dfd8b5530b77c088b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Threatening

Filesize
30KB

MD5
6804de931c9eb4b3d459ab030cda55ce

SHA1
182fc850106e372587039ff82aaac9386b0cf7d1

SHA256
9a4b7f50afe7000d7babae1ec667117a56ee84859642ed80d5a0ab2222d6fd25

SHA512
af91378384e50990aa38304719a524af0786c7a9df0ae802854ebc094e4482d7d3045ab21a1d1d19bf01a585e5922e183c765dd0f37b0726f0cd5f1d56ab73c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Toolbox

Filesize
110KB

MD5
f5f71d9e2109265bd186ec56ad0dc430

SHA1
3dba226bab4a0d6eb5347d575c4c8d40179ed048

SHA256
f984a61ef127393597b49d46df0ec3482880570c871ccdcacfe329e17c04e6fc

SHA512
1abf749a7b236617f3b26bf58b1fd8d7d4347e73dd3b4494c6b3c338af1dee943559af3f5dac3c748dec3c166d78d6056de188dd4c77434c8c7d8c8ad592f677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wiring

Filesize
164KB

MD5
c186c5f5e43b21e22648d604b76b8742

SHA1
fcc8ea3bea77b4d3d8d61703429d4950f57967ad

SHA256
fd5195e8e4d850db2e81763debed0c70e0dede4ee7667d1540197016dcb8ab6c

SHA512
e692ad7588b5976abb6f96061dd134ea9a66b74afefe506da35cb9e7d33be77887c912824dc99ca850a86ed6bf27c00cfb19bbd6ab900091da30742f4ab5507b

Download Submit
C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js

Filesize
184B

MD5
08c46f30149d351c591e9b3b70c9a64e

SHA1
9b63b98f4329107da1de8a049fa3cbec850b863f

SHA256
044c9d43801a15f6e8f8a36a77bc71a60f56abd4204e17e15f19be9c2fc2c006

SHA512
5ae51bacfe960d71845901b7a293f8f6cea23ee7cd7c854f13a85b5ea17f1d4633a27111dc29d94e13d29e48aa5c6813e53f8405db80dbcf0344d6bdd1050238

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1191\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/920-109-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-97-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-59-0x0000000000F40000-0x000000000101C000-memory.dmp

Filesize
880KB

Download
memory/920-61-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-71-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-77-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-119-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-56-0x0000000000090000-0x0000000000104000-memory.dmp

Filesize
464KB

Download
memory/920-107-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-117-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-115-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-113-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-111-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-105-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-103-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-101-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-99-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-55-0x0000000000090000-0x0000000000104000-memory.dmp

Filesize
464KB

Download
memory/920-96-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-91-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-89-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-87-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-85-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-83-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-81-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-79-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-93-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-75-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-73-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-69-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-67-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-65-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-63-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-60-0x0000000000F40000-0x0000000001017000-memory.dmp

Filesize
860KB

Download
memory/920-53-0x0000000000090000-0x0000000000104000-memory.dmp

Filesize
464KB

Download