discordrat | 42cdb16f6dd64c4fec30c7a71960fe4d0015862c37e7b02c8dba5c0d68384c74

Resubmissions

04-04-2024 14:14

240404-rkg7baaf46 10

04-04-2024 14:11

240404-rhlrqaae83 7

Analysis

max time kernel
168s
max time network
190s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
04-04-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rufus-4.4.exe
Size

1.4MB
MD5

7a4662bb7f331d2252f3d949657d821d
SHA1

ad53fddfbcead7b3e6c322c0aad8c4a826bd4967
SHA256

42cdb16f6dd64c4fec30c7a71960fe4d0015862c37e7b02c8dba5c0d68384c74
SHA512

a1d111fc91cd470d36bd4640884b3550c6a4035e8c5bc5176dc9f67aa2ef8be6fc12956d0b351c272d8bb89646546dac868b32d1d1985dee86ffb6e971b14f3f
SSDEEP

24576:wOyBSB04yZT5Z6iqUbVEMs6MrhXlPrBnr/TwcEgzXIdVWLpuL94q:XgZT5ZSU1fUhXhrBnbTbaAIt

Score

10^/10

discordrat evasion persistence rat rootkit stealer trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNTQ0Mzk5NzkwMDYwMzQ1Nw.GWuERT.FvjiredISYysQu4CtwubME2Lb2KTKTUG8SW5yM
server_id
1225162463952109721

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-0-0x00007FF662A00000-0x00007FF662DDF000-memory.dmp	upx
behavioral1/memory/1952-20-0x00007FF662A00000-0x00007FF662DDF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rufus-4.4.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	discord.com
126	discord.com
131	discord.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	rufus-4.4.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rufus-4.4.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rufus-4.4.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rufus-4.4.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rufus-4.4.exe

Executes dropped EXE 1 IoCs

pid	Process
1616	Client-built (1).exe

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	rufus-4.4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	rufus-4.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	rufus-4.4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	rufus-4.4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	rufus-4.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	rufus-4.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	rufus-4.4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	rufus-4.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	rufus-4.4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	rufus-4.4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	rufus-4.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	rufus-4.4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	rufus-4.4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133567137436599611"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built (1).exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	rufus-4.4.exe
Token: SeLoadDriverPrivilege	1952	rufus-4.4.exe
Token: SeLoadDriverPrivilege	1952	rufus-4.4.exe
Token: SeLoadDriverPrivilege	1952	rufus-4.4.exe
Token: SeLoadDriverPrivilege	1952	rufus-4.4.exe
Token: SeLoadDriverPrivilege	1952	rufus-4.4.exe
Token: SeLoadDriverPrivilege	1952	rufus-4.4.exe
Token: SeLoadDriverPrivilege	1952	rufus-4.4.exe
Token: SeLoadDriverPrivilege	1952	rufus-4.4.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: 33	2876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2876	AUDIODG.EXE
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1952	rufus-4.4.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 784	2956	chrome.exe	89
PID 2956 wrote to memory of 784	2956	chrome.exe	89
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 848	2956	chrome.exe	91
PID 2956 wrote to memory of 3320	2956	chrome.exe	92
PID 2956 wrote to memory of 3320	2956	chrome.exe	92
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93
PID 2956 wrote to memory of 4884	2956	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\rufus-4.4.exe
"C:\Users\Admin\AppData\Local\Temp\rufus-4.4.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1952

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff87e669758,0x7ff87e669768,0x7ff87e669778
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:2
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4540 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5108 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3244 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4772 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5368 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2856 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5392 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2728 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2856 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5564 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5536 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5396 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5576 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2776 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5096 --field-trial-handle=1828,i,8223808530319479007,6056224617209857631,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Users\Admin\Downloads\Client-built (1).exe
  "C:\Users\Admin\Downloads\Client-built (1).exe"
  2⤵
  - Executes dropped EXE
  PID:1616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000480 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
23KB

MD5
cd7b3e4dfecea7028bc1bdeda5a47477

SHA1
5c37dcaa4ed3c2a4051e4dc1714a342ac0de8365

SHA256
4d401337713e7f1c9f6588f8f7d79721e531c837b5f2f73c0b3cb372fd8f9b87

SHA512
ea11eb8d8347a39a1aa990a05cce6543e47145a1e618091750e2ad77497449e12e8b4d5b1e3385c9669cdd6a66e7dac96ff0e67913730c27c0ef2ff40a669f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
20KB

MD5
4588208961b6b7ed6cd974687346348a

SHA1
52085a4f6c875b6949261704f05050c1727e9c55

SHA256
95a95b07b4e0d051f83a51b680810572bd1244b42cb6e640d3b29b98f3e92885

SHA512
a9853353e68286f62535548ddbf1a97f1b39c1b6200161a660b1a4eac6864a1f6e93ab72d2cfe61249bf4543e2317f04babb3be211a37c12a55d55ee08b2b515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
23KB

MD5
82db06ca267ac7fdd878a1df35f41f4e

SHA1
9dae7f1ae60d7b83dbdada64fd1b4296f8f20051

SHA256
3847721350fd764d4d21cb4d2e02ab95c4ccdaa9d8ffefeb6f1078bf169ac6fb

SHA512
6e9beeca7caa94fc5dcf929d5af18d24acfc2a56612840b7084fb6057785d85b272eec8acdf4457c7dd1de9bee5e03fefc082a170131002229da0c01da9a8fb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
37KB

MD5
17a6051bd593593a2945ba34d959296a

SHA1
d305d22ac5d9fcb5ccf914b8bd025a724ab9b587

SHA256
b5593b3d636fa78cd7e89201d687eb3d9f1923043bf7a634fef35600c9376146

SHA512
9d1537e7080774248fc1c0c457f71f82d9bff495cf07e3013fa3cadbed708d1ef90fb0d56757241f13b9c0d1ffc040c1a86b6924c251a23557fe922a0679e99a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
428KB

MD5
3509a0a06a7e50bec7bfcf5a1330cc69

SHA1
2c70baa183eb2334544eb91b68b3aec5886f38e4

SHA256
bf0143dd91a41539f8e62d023b04d451f6e1e1fcfc9b152def8a54bacf95fa02

SHA512
af75c341daedb219caec964efa9be3d8dd2649251eddfb37ccdd9f5fb3c114ba42e576dfb9459d3683ede7208b226eb66f3bf4593b879afcd8ab4ce69a35bd0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
363c1fd94d0a7246a4efb7483747ba1b

SHA1
9f743ac549ac273d12fc13c0a3e1968e6ab04f87

SHA256
1c542d7d4e477ba9607a493f0146ee734f50892205ced555295f186719c299e1

SHA512
21047e968bf012bb7d5c067cc8720572c1921ffbc5b93e1ed9e12961369f48c2bfb4ce418eced9caec2fa3c017183f69d7eca2d25f2708777c3985fba7c601a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
5fec7c9cb307991254465fe320aedb1b

SHA1
4518dddf7f0302fb8c594876f867d76bbaf9c789

SHA256
9d817dd2ddd584b1688b9c66874814ea314ca556c869c878a86235f0486bc274

SHA512
5dee27fc72d9e28dc22feb084193e903b7e429c1acb7a0c58d6368031257a0eccfd9b471afb456b0857fc1f9265d916e11efb684658cdafb41ce335fdda4c139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
cdc08ad6c8ec009149308a553a9b25a6

SHA1
ea2b1ad348e88c0cb811d426f225fcb147da2e78

SHA256
b030708022746647cb2e5682a7b680150342fe59a1190955c8df2c31ecc344ff

SHA512
82f17d710a27deae03c1e6637b55c0703bafc07ba7f2221825e582db4658a043c5fa9a09ec0633a1cdfaa0296fae8b373d541b3b32874f37c1b2b9b7711b361e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bc786b934f693623af4b0ebedc697324

SHA1
f0bb518cd107cd1fd26289819c547860eea7b062

SHA256
994307b49b8f06d9a410f181f9348009d2a39d44cbdbea77c355fceb36cc855e

SHA512
b1f925b203972867924354786852c0cb3eeafbb65d9f6a75d81b2a9fbecaac22004e12ce3c9dee20d36813ff225fbb436d6f1a8d14ff1f3be0c3bd1a2861d391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
ff7f630c456f9a926eb1e4d9d0114458

SHA1
21c57d80e83aa770d6a0a79e817d6475d572a07a

SHA256
facd18f88a286bff1984537541df685af70aff3088d8f63e9b471d508338ac74

SHA512
db10d25aed5fdda4f282a286d72f66440517823a2e1e92f4884a387f6fd04895265893ed5ea7c08dbfe9792603b395b3189ddf6a551ce3c221de1e3af3632099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c830ef7675a23aa645f64742feb3ba7a

SHA1
0f21d98a216ea2d7bad12f16577a8069d65b0889

SHA256
9ad24d4e30a3bc7a84df2fe75dbbc1302f12bf85ceff5bea30835381a54f47f6

SHA512
4d1ea49d0e52872e5a4672a9927a16cb8777f1cdd29b3592b7b19478b23eaf79ca8bd645a76d1039826c383716288a1abff20bf78d2bfc01e2721d2a9e4512e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e8889fe906b4dc393e944a86eba800f5

SHA1
4186215d73f05a1adac11c6e92d214359dd66530

SHA256
a41f9dabce99fe41d131cbdfa8064f0a335854a8128a733e28882e88453f1fdc

SHA512
5e458e1f5fc5d2fb601bf8fcaeb65b472903f490f8679315063f423600dfaee8709c47b4d3479227f0421e80807a98af42e769e45696aa8084f78aea77a4ece8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
2fb4b704af93278fe2369452b1c86be3

SHA1
257a600a822e1ffdbeae001824f8aff976e0cf08

SHA256
b3c656792db8b149a6478ff6997358be2bd3d0e2fe1741a27de03d57c9762524

SHA512
3ab1d276730869e17a84dbdd0d0c858874f75526820c2874c5839ee13f81b24fadd15656eb2742db1a8d473cf3ef3aec269ed89b8086a434f46a0849d14d7c6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
80ae45d8c0efeb71ae98addc58beaced

SHA1
81acb042094dbc3de9fa1263dea889b6f46a477f

SHA256
949b491d1e5b89386c10d5e8ed5c9eb45c69f0ae888e62522c8f61cb0e44faba

SHA512
f9c61e229ce12d9f00b03590a6f685da59933971d8acea88889a35eb351fc03b20051f05b705ce58ae0d0fc89cedfdb7ac57eebcfa9c8af699d134f94dc0d022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b42a19c6fd5e6f55cd78bc96088043b3

SHA1
d3f28e999f2472ebbdf3757a610e0e7d106f77fc

SHA256
4203593b4b37d3a1109f5e193b84396b9f3ce5d137804a0c373f3c9c2b011e9b

SHA512
9b9db56aa10438e634be782912d8b0ff5fb7f128d72274e8c6e0631ebcb25dbc8e5ff6bfca531e7309636ed54c6c6ea47cfbf21126ebc5887759e59de48cf94b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
c9d38a0d6162f71c50474c9bd82867c9

SHA1
e7327c62374808b8020e1a2a625ae39f37c063e7

SHA256
336af6c62b2c89bd37612d82209e338943ac7b8a39f182dc2c635d79da3e1964

SHA512
15f2652926184b0533f9a38662618879533b497717e4ee215317dc086c057fdcc3e92e106c90befaacf67818194da8d7f6fdcbfc373bcbc36ea78ec7b93f2ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
610dea8556b83ff0cfdee03854db0e51

SHA1
12e0251a40e063feb1647ea8bdb043da8e201b00

SHA256
58899375df9d36a67ad8f1cd6ebaa19816d74a813df4b66afe18ae9f49e1e10d

SHA512
9c7c01e783e3ff6af1a05cf5026a77bb4fc2a9a1e11109cb86f1baebec42175346bdc9ad9f2a3320685ddfd7ae2e5bf27089500130e648ccbfa1a323886f9b9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
aef833b7ecbcb75392a91c96ea008834

SHA1
71430fa921cad046d6359fa09b0169568b4f0bb4

SHA256
0d4e7d5d1bcfee228bc8c6c403ae74885f798fcd217a66c673ce50079fdbe312

SHA512
d95ab8f7d1a8d13c6f3ece30216e0a562c64d279957c89ec5c74eed76146208f2348e755d9db0fc46b8ce628bac91d5121252beebe08f21b5b721933851295f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b6f7c266bc891e1f7a364677b514f19d

SHA1
9d39caad63a1dc7b3018d84736b63f3177720dcd

SHA256
9a74bd6c4b9dbb7f32e337b9145f49259e765fa56178cede4c5362746b17cd6c

SHA512
1baa8d97520bae3eed8220886c7dc92985c45664c186187c9a125100b0720592192084b53d4431d82a854273ead0cac08b9a536be5d1baab67a3bdabb388bcf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
effa4cf0d54e385da0fcd237fce1e619

SHA1
bcd3232263620003b333c292e3fbb25fd8b9ceee

SHA256
d84eed705922d502ea39c7178b0bc529c41ea7bab8fb109f27e557dad399bdc0

SHA512
aeeb92b9a96a7f3696833231d42f422306278f95f23e8cf54cfe739ce6d6cada3ea6d28e7f739c96e590339e5a04f995db8746bddcb12735e03173cc46e8a173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b73ac82c3b52200d4bd85f810a03b3bf

SHA1
b13094b76301354ffab78c79aa043092f3281495

SHA256
557351b41282ca54d0f9260c1718cea3b7651b8401c9e9a17028576e3bb06cf4

SHA512
c152e0c4f196721a5a303c190dc8e2fca9e866d8cdda1ca0a94daed0f65b24d5f4e47875d655992449f6483cd2b16efdc0874214716530cc569625764dadd5bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b403fbccfd2080a9919c22c848312cfa

SHA1
4541d8eca1125822070a223763b2fa97233cddb7

SHA256
40d49992ed07737664ed3fe9addfec0810610af3f681af7771d1eb223f70ade1

SHA512
830a937b32e52b1ba3a9b83ec1e2d8fa28e79bfcfa4d8efa6abe18bc48f3581b874ca6bcdfb74a34aa919d0c6ffff10b7e47c2fd8c245e8b6932f558e57684b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a22b59e5c20c667cf00e33751ef9d7cc

SHA1
b44fb3ad01283100749d1ba4401fbe221aa24057

SHA256
bab7a4deccb0a7ef4aa75bfa0b5623e5f163f54ee857cd22ff8eba997fcb747f

SHA512
6d14fb9013513f570841aeec6028c22524d3e537a76d776dfbc7012245bf6cf48d1373f3954b35f152bed484a103fafbb6a08519652a2d90f88607e1a56c15f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
650adc07b255634b9819e5bfbde05bf8

SHA1
eab281dd1ccf18a40d139db7be3011f1ed1eb077

SHA256
7e305a016f2750ad8c847cb1520e69ee4d3f541ba7edfdb0463944147af6025d

SHA512
7fe0b30e56c3532d0976b739333bb1a0f51a47bbac989f003cdda15480e3fb5c2ebb7cba5a02b9ce14e7a7091f3735618fb5e61a23874ce23b92ab84772f3263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
3acbcc6cd92467a601c64a74099c4d90

SHA1
f4fd39415979c892719f63145f23459b0b2b1f4c

SHA256
115f536d5625868dc2579f6ed31931a0d98ef65be3fa6f688e51a7d835566204

SHA512
fdca7e7bc44c58e088e63a4b87b45c0bdbd6de7aea381e9d4d0712bff478f2e598a2a8da85f1344018ec9f8fcb3dd7e5acfc5c79ec9cf2a3f08e390f427367cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
eef7b87db5fde5db58cd90a4feb7e397

SHA1
41e91ecc2d17d0fba0d3dbb5e581e3b1377b5712

SHA256
ec7223be93fd67ab44f48999d5961e96c750bc60959cf751c0e5152962885916

SHA512
f37670d62d8b88a849f6d2a83f5fd040726f4ca20112825ff796153f22429a7117a585abc72df1bd3204b2626c9dd970ff2e845e10906621aba20ae61b504674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586481.TMP

Filesize
88KB

MD5
b44f2e4e60b650682de716f07c8b2666

SHA1
3045e9dfd914ae4fcb9c65c3776b6ca3b7b4e286

SHA256
1c4cd672730d1519ec5a796f1d45be03b00c7ff2108d4f7334aaacae7115e280

SHA512
9be3cd2b23bc6ba7ab8e97ec6583e0366bb0e3032fdb367516fbfa851ab783478d51ea41f3f51a7e9becc3c429b28b85685054ea2f4ffce446572ba3441e3750

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
3adbf576820859053d111abba7329b72

SHA1
4d1c9a404c8fd09b5cefa5ba56fc51a5f22346c7

SHA256
31c71d78ac9e5df0ef461843f2b4e2f3d343d95f73f4c171771080e7efe5d8b4

SHA512
f85311a81919fa156730a7d2394a59cfb4d608f87d28db1ccab9f094077a1add59dafcf9bf9c7d6535860e8912cf60ac579b8b44c16575f10432ac6c8188480f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Desktop\AssertConnect.eps

Filesize
674KB

MD5
c551c380b65d2850086675981ddd0afe

SHA1
d2e5ac898b100ffb99d9a98458bc2397c33a1fda

SHA256
4ddf5ad8758fddba00868adbd382d3132b9aba93b1e197a10cf0948b49f05c75

SHA512
7e5ec76f502d1bfb677e82c78748f0bc52170a5cba8911a2edc17fa21075f72360a0b5802f8f25546a121c08d662f071d504b83a5d70ba35ea4c3ec7122428c9

Download Submit
C:\Users\Admin\Desktop\ClearRead.pcx

Filesize
806KB

MD5
6259a048db5c5c7495fb38527cf1b3f5

SHA1
869635e8c5c3850f6dcbf0d2a27f84b2107b47e7

SHA256
09436050933b091dc798f7bb2ef335873cdde0b0c597bdd4c1e4278c431d5c5b

SHA512
15d5181947aef6efc0336daae6d8f2ca770557558966d0e4dfb41533b62d561d17124acd0b8c160f0bd96e34940783fc82dcfcd16bccf4cfe01175c3b3f0f9d7

Download Submit
C:\Users\Admin\Desktop\ConnectEdit.html

Filesize
444KB

MD5
37d97f5803dd4bcd2d718a2a544cfdb7

SHA1
e5dc674c888f1608160c258a2170a7e6b04f8f5c

SHA256
eee928ebfc4476925f1abb1c0a153711b6f5ef3992576e60f7a025120b4c40b7

SHA512
5a547f2c3e03cbdbbf0f48a1ecd2edef65e0fe39b61280f6012da29fb8199e48f4a896b60342d0baf942be017c2ed0bb771644d9a9a800ba7e006317b91a4988

Download Submit
C:\Users\Admin\Desktop\ConnectSwitch.ex_

Filesize
904KB

MD5
4c900f17f9c9f1ce3a8f020ec8fa8b7d

SHA1
31c2786ca8241545e9506750c5388c873a03c502

SHA256
e924337d8127a2d545c87601f498d2ce295ddb365e7adc2c4d922d5f05e6efba

SHA512
32611e3f5ca66bd90ee2a86fa341ec9e6f7b05cd0dae11a68be1159bb1d7d7f07dfcd92db68f59a00386d10cfafab6811868415fe60eddeffbabbb68018711eb

Download Submit
C:\Users\Admin\Desktop\ConvertFromSearch.001

Filesize
740KB

MD5
c728f4d99dbeda0993e7a247e54182df

SHA1
73db756ef2b22101e307943cc2710c85232c437b

SHA256
5cb72e487cacce384246e6f4d362f3636e5b67fcd56924f11a4fd4413fe81d4a

SHA512
a47c95a8006e7ec7266112b9f004a7450272476ea855d21ee1d8bf0ae471b80273d70c8c5ab605ad39d2cf576b817e2ee6aa19c4300b192ecd13e9cf66a4430d

Download Submit
C:\Users\Admin\Desktop\ConvertFromShow.dot

Filesize
773KB

MD5
bbfff6068f0f3e76c48c9e623d468686

SHA1
19f0bfb606489e33beaab73fe03448b92f59f664

SHA256
2a1f46becc4552cd6595f5924b0bb7408c06efddb9782b346ba24ab7958222a1

SHA512
9dd1ab1a5b0113d955530506ae6cad4eb0d791dbfd07fdecab2a6798fea2378dc0a65761859e20d0ccad59d35d1ee4565242d9b1f8c03a73398c903e129d0542

Download Submit
C:\Users\Admin\Desktop\DisableDisconnect.TS

Filesize
411KB

MD5
4e8d7152dbebd0cafc39e9302d151125

SHA1
ac082e925ca55d96e19156815f0bba0ca77cd802

SHA256
9e2b3c03e277486694003b747a2359fb9fa4cb557f2968c17705dcfd517a473b

SHA512
c43e8c5d4ce558c1d1905b211b0a07fdc21fbeb4c2368155a83bf19b6d8bac8ab4aa14f7348de75b9f05067e597e2d58886da52e3591b3ec2f5d76f661ca979d

Download Submit
C:\Users\Admin\Desktop\ExportRequest.mpp

Filesize
641KB

MD5
53e8a871acd194d7c92ea72a080b25cf

SHA1
3d80e09cd40f2c135bfca48334319e158bbc8bbb

SHA256
a756bc595ae0ced65022a629af56ab8770b9e0cf87107792ceb3202c23cbe89f

SHA512
e7a9d5be99cfe4c72e92b44fe2e1e0962abb6d3ba3b9240f3f3a17bd622d467502d73a0508031ac43db52a54211bf9b5a5c9787d80716dfa83560b1dbf903d92

Download Submit
C:\Users\Admin\Desktop\HideSubmit.mov

Filesize
477KB

MD5
2792dfc54b8b27ef6cabb8f68a14d871

SHA1
1b1c5b0c7a6b158f8fe6cf2d80fa579bab2aee73

SHA256
f9b8595a6754e33eb7431c66a16c708cd734781d2871c4a218b903238e1d2dea

SHA512
ccdf053a9cddb302cf6ee7a39e6e9c29573391fbea2553613e92e716d7e349b255660b71a2a29dec1f84cc2f312353ad5c28dc383685a1fdd8dc363fba19536a

Download Submit
C:\Users\Admin\Desktop\InitializeSubmit.mht

Filesize
1.4MB

MD5
bf7fc29daba152f21a9f92ea114796d0

SHA1
922dde93822d38b09cd76b9a3285e12c2112804f

SHA256
80c599b95b81b9d7ef417ef39a1ff0e51ad15efda35f8d770f4a9fc24a28e1a1

SHA512
61c8ef126e78e2d3565003763e6710955b0434780bb3cc0304718c6785ab9d5574240ce9e3f5fc18d37aa7248c1864f2d102ea755ccc6c53252ffd6f3c709ff6

Download Submit
C:\Users\Admin\Desktop\MeasureGet.wmv

Filesize
510KB

MD5
96c06d1f25193957435640907331acd4

SHA1
692ab0531a73fa0e0a58873a29a032d6ea33a7fb

SHA256
b39392001ba2d6ce5765ff28d636bde0d6f030113d295af912063a2151810747

SHA512
5dbb34de7dbc7f5308930861509277760841e55d4837f4bb88c108b31ff41af3c11df5a54ae3fd38742d0f127cd86b416257dbde8ed363ebf3a1a391dab7171d

Download Submit
C:\Users\Admin\Desktop\MergeCompare.cfg

Filesize
707KB

MD5
b8e35e237b2a88f0dddedb9bffeda3fd

SHA1
75a0cd75ce3c54ea89aa649fd3fb4a7dcae42943

SHA256
423a090074091e53605c255dae07599297483eef0d691758700f5094104cec36

SHA512
6404dd47b276982541e5d83bed204a68e83c62aaa50d9b4ed425283c045d0f7e19cf4d2d02a959a47ca9e5698c76623f229bd486afa158a84f36cc46a35cece9

Download Submit
C:\Users\Admin\Desktop\MergeUse.svgz

Filesize
542KB

MD5
b3fa28b57a76fb70dccf9c97f8a88d46

SHA1
7b74112da4984bde1b713791044e9350e79c80d0

SHA256
13a23b7262b28a916c28206f03e7d7e5ddc3770e7cd5d82e7cbfa4a8047d73a6

SHA512
899f1f00e7e33a299b12980996970702bdf7014819faac1dce0996dd75f07941f226616bef9c3a74a07a4140ace32857b38ff10274f8aec10fad0f0276dc49f7

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
86ae8668f338fc53829a4cd9e1b2c959

SHA1
39fe4e40ff40f9194a7ee64678fafe2338339154

SHA256
4041ac9cc15b1f956cf44442db7700a0bd8e8926e7fd2a19388899558476842e

SHA512
9529fe4388fc9624e72f0516ed34f068d8a69d049c36d4d1c3dd0261be6bad7c21d9db6bfbba1d6908c5dff5cb356951878c844ef436e5a36111383f0a39fd38

Download Submit
C:\Users\Admin\Desktop\OpenRevoke.WTV

Filesize
378KB

MD5
860fa449ef41407bbe1a3ab79398b205

SHA1
79a92e945941cd57d6efd8eb707ce5401d596679

SHA256
3f922048517a1e4d1b1e03ee5101c2120ada681083d1eaae481dce9bb8a003c8

SHA512
86cea01b688c39daf7dd9a12049965761d92d8a021b03606cda9d28ef595eb98e53e19ebf6f0d787af5c64b4434a88ce434f111da20a7b5416214fd103c72db2

Download Submit
C:\Users\Admin\Desktop\ReceivePop.tmp

Filesize
839KB

MD5
b7c5ed2515d31b1f6af60bd94063b9a8

SHA1
1c924cc5a6df9a21beaa2e1ace4aeea373f11650

SHA256
64a2bdafe448488b380f014895a1cebd5d2dfcff2494f835f00a1e5baae926b0

SHA512
6094587c5f6556aa92df374058e26a5b51ab2f37a357e23b859b229c5dd274232fd218ae0c2d7e773882a89cd58f3d00508ed186e687a7cde8407ada86ee44f9

Download Submit
C:\Users\Admin\Desktop\RedoPublish.scf

Filesize
1.0MB

MD5
a7c944884af69b3ec99e17691dc50b46

SHA1
1e0ba6f0f84e9fd77120cde389845c7b680df346

SHA256
0a3fa0471f8f43eea110385e11ce7052f6a27dc8bbba7f75ae3a89164c417f65

SHA512
2a41778836911a9decc683187dc687650ba665aec185d21fb4b678c37d4409b50467f20a3de6ce791cb6f3f9b71200e24a5b33a165c3ea62bb8169b9a0021912

Download Submit
C:\Users\Admin\Desktop\RemoveApprove.jtx

Filesize
937KB

MD5
8c4dce54f8146908171b26955ad010ef

SHA1
d527d1d1929da737f2975230a4da1b6fc12b3a61

SHA256
773b0c278f6952d379e8575f26fece05990982c8b0e766f9fd73af5db0f8ee3c

SHA512
ce819620d398ca793fe7899e5300060ccfe043e4c138df9afeb7d453f859585d3113b4ee3a6dd8f146f480062700db0e8f680279133169a5a4c9a5ff07ed0b36

Download Submit
C:\Users\Admin\Desktop\RequestInvoke.hta

Filesize
970KB

MD5
5823c84574d11e5cfed49faf2e6b25aa

SHA1
65cdb7d4aac5185fe4d47c0a5bf11c39fc11c51d

SHA256
43ad4453563f7438cd5cdc3c1fc38f8fbe669419c9dfffa2d3e88f8cb1139b43

SHA512
869017ad997f70549e2a276776a8181c89f9a32bae47fc4bb987774ab5270511aaa6465c43c21746d8a8b278f54755c7793ff98c5dfe9007f8cb832e1bd55780

Download Submit
C:\Users\Admin\Desktop\RequestSubmit.pptx

Filesize
608KB

MD5
6a6e219c6af4e5fefd44abf772d1d07f

SHA1
ffa476c9b58eb86dd0b71b21a5cd8e75f70cdc4b

SHA256
fb5ff35b250b226cb8b11a9079fc6944a3601ae5518a9214bce2e31c6ed846b0

SHA512
aba4f1fe5c6be836235b23d925eb28b4cc931b819855d69c544a327c55de3611613f7a3ea4446bada1dc41f1d21ffb751533be23eecda20436d2f4e1b258510a

Download Submit
C:\Users\Admin\Desktop\RestartClear.ps1

Filesize
575KB

MD5
259e8788b60e26d93e58dede718aec03

SHA1
7a6bf31e0f682e72f8b8e7add008c51f27f6c0da

SHA256
6001237dcdf2ab1c685edd40127aa428e5d27eea531ba58204a009c000900aaa

SHA512
25c4a35d999f94949f3bdd8c238d712b8dd491c610afb659aa979a4d239265bc0888775557f4961928a85dbe8d83436f5b91dd5c5cf215b81978463204afac40

Download Submit
C:\Users\Admin\Desktop\UninstallStart.wav

Filesize
1.0MB

MD5
ce184cc04b1af95b153d2c87f17f2229

SHA1
266d338b582d1c4d82b878530c42292044a2cb1b

SHA256
00b260d19f5215be9ffa908f977888bdfc4a3b9bc952a958537ce726b71ddbb2

SHA512
9e0ad762e9472ca14f7178d183c5747a11540f73722415c932f0101c627faf9858a3688bd5c4880959b8cdbdd793d89b9aeb3dea86038dfd96c8575fd0a42f61

Download Submit
C:\Users\Admin\Desktop\UnpublishUnblock.edrwx

Filesize
1003KB

MD5
ff0f4954122879cbfad1bb801cd2a9e1

SHA1
6c68ad113ea410817f1ddbd2c2411b8122ac5956

SHA256
5ead04507a0a03bd855f3e35f53511f31fad39d166f82e76b506569e92effb1f

SHA512
11bbe862e43d29535b335ff276125b9a6d3dc32586cdec5a73828aa15c9452315ff45002d0dbd0df0488923109b94e55e1c3c002a841d2185dc2673c2915d5f2

Download Submit
C:\Users\Admin\Desktop\WaitBlock.mov

Filesize
872KB

MD5
645aa4df5f45603bb85b9ef34118a668

SHA1
72709a83e45d3d421d7b308cd36776a21cdf30ab

SHA256
7591493d416e3bb343ebdae17457a8424b8ec3cdddad98acc4214bcae26075c5

SHA512
5cbe723cf8f727ece613de2d53a665c9b7c8efdf8fb83b84399fe7777e8a51928afba9e38f4333382de5e3e481edb54d89e4b3dcf2d85dc2bb3c8ef72ed13a13

Download Submit
C:\Users\Admin\Downloads\Client-built (1).exe

Filesize
78KB

MD5
901cefc057201e055bf5811e52f1d3c6

SHA1
7eedcc00e7d71c86c752d6ed11c740dd91b2e078

SHA256
591157c7b3acd00b0dfc7434133a5cd492fc2dfcf632f406051b9d66dcd33d5a

SHA512
7c3a57849b2efd31f258378135c9affa71d4504d7f25757a055cbe12b4c83d38a8049db6109624a8ec6e45150c0ee7f9995c8280af313f500aa68218da62e4ca

Download Submit
C:\Users\Admin\Downloads\Client-built (1).exe:Zone.Identifier

Filesize
60B

MD5
98bfc821dd17ceab99bf109837d5e5de

SHA1
e7984a5394d76911040439bcb69ec90edbe90f27

SHA256
94db7eb75ccb8e8c70986849ab0cbb8396d5109a11b829823bcbbe6b7cf347e4

SHA512
975d030330acc53ab2d4222b9a3a06bf29e3b9259353755eab3bb4a6957f3b70c6f8b3e08cdaed3e1327aee42e0972b02a5ef74eff7908541e439a06aaf956d7

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
f183a9d9fe118a9851bdfcf9b40d8553

SHA1
87d60ab853e5e42e9641ae0b297ad680df60c0b0

SHA256
292e3edf56de599de1acbae5c36f72c87a14f1ccfbf7b1f0c3830d31ca4e74b9

SHA512
d73fc4a927ecf475422b5737a1f120f7e9f2aa67ca370753cf3fbe9bc0e259f060abd52d4f01a594c73e03c95a79cb25fa4a283a9923da8b7e9a4e983cd95e82

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
0f9251c6659fd029f8c143050019741f

SHA1
598eac5c4d81b61b8499e38660574c70f25165a2

SHA256
2fe822715997471ed04c7dd49a9356fb1d68c63e292b94bab0e863cce7d015af

SHA512
9f32f7afaf4edfeb3b9a7200ee7eafa1700443e197cee1efd0bd46b1df8e3c897364ff058ae0556eb42f3aa8394269395d2eb898bb99766010368a8b459111e2

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
ef08e5ca41a964ff769e48ff8002f24e

SHA1
eaed4af13f608915e5a49e4b01337864c8f6dd19

SHA256
c6b3e175ba5ddd09248f8a663f55fded9b64e1170d990a1e810fb20376876a16

SHA512
1a35058123fd22a6c20f45e4c96b26b2693b23824b3b0792c47b65cd5814d5eee881af50f4cbc0939e137d7086661b22bf60f9be7a506612e4f39565bd1e8b98

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
f9a49a3e2415016fa85ddff0b8b38419

SHA1
f8c987119269e58d22a6b17ae2e8eca7744fb385

SHA256
14694dbee3897b6bd5aa596ebfd893e727179b67811920c174dc70e6eee8e579

SHA512
91ea129a51d2c3b342287c1250f5b0da6ba2a61eff11791d1cfae1f5c6dd2654c935be1452f4a681e794fd723a3c295e9bc9e59b9005aa4d8bd55ed36c9ad91c

Download Submit
memory/1616-516-0x000001B93B5A0000-0x000001B93B762000-memory.dmp

Filesize
1.8MB

Download
memory/1616-517-0x00007FF87AB90000-0x00007FF87B652000-memory.dmp

Filesize
10.8MB

Download
memory/1616-518-0x000001B921220000-0x000001B921230000-memory.dmp

Filesize
64KB

Download
memory/1616-519-0x000001B93BCA0000-0x000001B93C1C8000-memory.dmp

Filesize
5.2MB

Download
memory/1616-515-0x000001B920DF0000-0x000001B920E08000-memory.dmp

Filesize
96KB

Download
memory/1616-650-0x00007FF87AB90000-0x00007FF87B652000-memory.dmp

Filesize
10.8MB

Download
memory/1952-0-0x00007FF662A00000-0x00007FF662DDF000-memory.dmp

Filesize
3.9MB

Download
memory/1952-20-0x00007FF662A00000-0x00007FF662DDF000-memory.dmp

Filesize
3.9MB

Download