sliver | hxxps://cdn[.]discordapp[.]com/attachments/1268313369623007305/1268315150658703484/self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A[.]exe?ex=66abfa08&is=66aaa888&hm=0141752d6bddb0c20bbe01f932ee48771bfb0206e2418b6fd5b4d682366862b0&

Analysis

max time kernel
110s
max time network
110s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
31-07-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1268313369623007305/1268315150658703484/self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe?ex=66abfa08&is=66aaa888&hm=0141752d6bddb0c20bbe01f932ee48771bfb0206e2418b6fd5b4d682366862b0&

Score

10^/10

sliver backdoor defense_evasion discovery execution trojan

Malware Config

Signatures

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001ac41-118.dat	SliverRAT_v2

SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
696	powershell.exe
4712	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1848	self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe
2328	mssearch.exe
1084	cache_G3NRoUdjfdug0zsAPpgIYsoJOM.exe
496	self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe
2288	self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe

Indirect Command Execution 1 TTPs 1 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
1684	forfiles.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cache_G3NRoUdjfdug0zsAPpgIYsoJOM.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133669339911737379"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4900	chrome.exe
4900	chrome.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
4900	chrome.exe
4900	chrome.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4900	chrome.exe
4900	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeShutdownPrivilege	4900	chrome.exe
Token: SeCreatePagefilePrivilege	4900	chrome.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeIncreaseQuotaPrivilege	1688	powershell.exe
Token: SeSecurityPrivilege	1688	powershell.exe
Token: SeTakeOwnershipPrivilege	1688	powershell.exe
Token: SeLoadDriverPrivilege	1688	powershell.exe
Token: SeSystemProfilePrivilege	1688	powershell.exe
Token: SeSystemtimePrivilege	1688	powershell.exe
Token: SeProfSingleProcessPrivilege	1688	powershell.exe
Token: SeIncBasePriorityPrivilege	1688	powershell.exe
Token: SeCreatePagefilePrivilege	1688	powershell.exe
Token: SeBackupPrivilege	1688	powershell.exe
Token: SeRestorePrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
1084	cache_G3NRoUdjfdug0zsAPpgIYsoJOM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 428	4900	chrome.exe	73
PID 4900 wrote to memory of 428	4900	chrome.exe	73
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 4612	4900	chrome.exe	75
PID 4900 wrote to memory of 2744	4900	chrome.exe	76
PID 4900 wrote to memory of 2744	4900	chrome.exe	76
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77
PID 4900 wrote to memory of 236	4900	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1268313369623007305/1268315150658703484/self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe?ex=66abfa08&is=66aaa888&hm=0141752d6bddb0c20bbe01f932ee48771bfb0206e2418b6fd5b4d682366862b0&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc82a39758,0x7ffc82a39768,0x7ffc82a39778
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:2
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:1
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5260 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5448 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5612 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1796,i,4813514669726354026,2358910318906187102,131072 /prefetch:8
  2⤵
  PID:3312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2536

C:\Users\Admin\Downloads\self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe
"C:\Users\Admin\Downloads\self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe"
1⤵
- Executes dropped EXE
PID:1848
- C:\Windows\system32\whoami.exe
  "whoami" /priv
  2⤵
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Public\Downloads
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Users\Public\Downloads\mssearch.exe
  "C:\Users\Public\Downloads\mssearch.exe"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\system32\forfiles.exe
  "forfiles" /p c:\windows\system32 /m cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-EJgm3Ecnt1nNzdVyKuo2lm7JGGWINRAR\cache_G3NRoUdjfdug0zsAPpgIYsoJOM.exe
  2⤵
  - Indirect Command Execution
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-EJgm3Ecnt1nNzdVyKuo2lm7JGGWINRAR\cache_G3NRoUdjfdug0zsAPpgIYsoJOM.exe
    "C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-EJgm3Ecnt1nNzdVyKuo2lm7JGGWINRAR\cache_G3NRoUdjfdug0zsAPpgIYsoJOM.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1084

C:\Users\Admin\Downloads\self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe
"C:\Users\Admin\Downloads\self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe"
1⤵
- Executes dropped EXE
PID:496
- C:\Windows\system32\whoami.exe
  "whoami" /priv
  2⤵
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Public\Downloads
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:696

C:\Users\Admin\Downloads\self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe
"C:\Users\Admin\Downloads\self_extracting_PC-4C4C4544-0034-3710-8058-CAC04F59344A.exe"
1⤵
- Executes dropped EXE
PID:2288
- C:\Windows\system32\whoami.exe
  "whoami" /priv
  2⤵
  PID:4064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Public\Downloads
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indirect Command Execution

T1202

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
872B

MD5
3360fd04a986eb6e358cb03d4ea761fe

SHA1
eb7df81bc3abcacc3bedf6a277b283af4bb241d1

SHA256
5b648e503ad14dfc55fda03ecd3b6e8e77326a97586c1aed4133743cd452a229

SHA512
681c0ca47dbe4cf5500b647b3f907fc8aa53695ff14103f5782a78ecc7abb0d3b20945d339910858f4aa518e06e5db40cf54a3a221c3b198737f7b6fcbf344c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f3276d9c-59a9-4ec1-99e3-f564ee4185dd.tmp

Filesize
6KB

MD5
6af7f3b2a360b97e6cb2db0f41401c22

SHA1
b5b0bef09ae740c53314458b720c96d82d5b8086

SHA256
4fd1206f921795bbd9ad314498c9fbe3043c2f3df57542b1a6687b7e09fbf9dc

SHA512
27d717ece18becaffc787b0f517b39ff6dfb4569caa77a1d6e9da290f5d37c2640e2ddc6678ec51904e170ad40ba82cec00e5af246ea360ad4e02318d3013d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
eecfa52e1468076fc4f770c388c68350

SHA1
34e68688ec01452f2daac451a35fb96a6f8c2ef9

SHA256
75ee7f057b0307facb9730cb2ad17677c80774066bbcc901442039c7a9239edf

SHA512
8433dd8bdf563639aedfbba83fcbe4905e4c86a13e4965bd802be1495640ab73380fd32ab0bcc98fa1664078569519aeb5f278704d3e58b71ac0cb88ad40dbb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
7b8ec1ebd09b779d614d0d935ea2ac1f

SHA1
e3e4e33e4b741f10a98ca982f546c11d231fa00f

SHA256
addc9fc8ad7b7448bcdd77ca660b2ab275cb23b9bb93c73bcdab77e379750907

SHA512
5dbde66f7a772c85cf7d1f2d716a22edf8fdfa84858c1e2512ae0152ed0da720d716d828bea4bae8000bb69cf40115717105ab7f823aceba6b3d3cd9de6e008d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
d750ee9245247882c3e5cd953ca3e4b7

SHA1
758c829a6f4eb3ae94cb1f01ecbf0e69668b7447

SHA256
82c4e496e1dca382712d5afbbcbefdf4617826bdabc7dde4608aea167a44cc4f

SHA512
fd1c46d33e8cd873f1c53cfff396da27a36dcf434a02ae559b0e7bfe005aa0049fbccf11dd5e0f6b1192ca3959fc6ab433f52f7e8e4d73be2a8a2c266f44f012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d539e357-4193-4181-b7db-0c11c75014ae.tmp

Filesize
138KB

MD5
205a574127bcb123b967f1846e88edb3

SHA1
21c0b018102ff063951c37d74b0167f0f408b7f6

SHA256
0352c727ad1654dd14155392dccbc4daedb0dc7371e9bd3b45f608dbd37602ae

SHA512
4587ccea32ccf8048dd39ab7fec1079359683379b4ae47c56acea3189d3058d122aeed55feda154f048e9b5a02985ce986d59de8995c75ba81fe9ce9030d9a13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f96d1fe8b175d81b238f6175fb8af6a0

SHA1
763172abece4186536bda44772adeeae85c5c86c

SHA256
93c3fb1182db43844d78072901618240118920fcfc3f7189a7de43d617d021cf

SHA512
8e049486a8fb9ea1a656c015c82bfa01f1b89bd3ffff26a4a0903cc3bde09275da258976785fbe6ae43eaf0a42256c659ba77f5c43f8f7aa881935ce27e020c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
494095fa98f816071f95be314cde72fb

SHA1
82a1483ef95951bddd9758d7a8206de38f365ebb

SHA256
de95346d036bcc10a6d967ff6596f341cfaf9c84aecfeb349384a4de4e5d47ec

SHA512
1d36e74db5498fe3d5570b34857754b5fa7a9e5047370dfff0ebbe15875809acd8dd5c3302d26accc5b962aef1ec26e6b8cf1e330890959fd6f17d9e46eec95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-EJgm3Ecnt1nNzdVyKuo2lm7JGGWINRAR\PC-4C4C4544-0034-3710-8058-CAC04F59344A\🗝️ PASSWORD\🛒 AUTOFILL\Microsoft Edge 003.txt

Filesize
447B

MD5
2839f9c6d3acbe7a739745b61fd49989

SHA1
cb0a836793c4730a816c0787bbe8b2637ff04178

SHA256
616cca42831d643d01bd2c06380385bdec260cf88fd1586f43f082331bd1096a

SHA512
739602274a0b928fb52bd6bd68b3de1c6c7187b88752f83ae2487d60ed54bb7db9f894fcfcce563fbf4eaeb77f109c793a653a89f86a53a41df7fdc9d0ddf245

Download Submit
C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-EJgm3Ecnt1nNzdVyKuo2lm7JGGWINRAR\cache_G3NRoUdjfdug0zsAPpgIYsoJOM.exe

Filesize
496KB

MD5
34fdde8a0b704e8830002df3a77ba9b3

SHA1
03192b985b8179d9a1d991be54ae23855fefde02

SHA256
acec955ecf7c13b5841bd0c558ff0becfa9d63eaebd3796156eb2c8d4eb161ea

SHA512
fff275c1c2826ae0b668575f9b3cacaad104e9606a524b92cac834fba89a2a1f01f13935b5a6d8730704b58b997417463d871c36971e1077003a1b8b35385d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r34z0qpr.fxo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\BlockPush.ppsm

Filesize
361KB

MD5
c91d0ee8a69ccc49ff25b74ab3c9c071

SHA1
b69cd1efb9e39e02de525d5f5596f30f97fff1a6

SHA256
bc9a683247e4348e0fefa7b585e5fe4257502f13dc4a56d50637da9b810a0b00

SHA512
4ec30c1679bfc89dcd97e362c2e2fdbba9149c31215f7bdf9f3d2e3af630112fd6a617c75455b24624ad4f546eb25695ef85f525a47de4c63d94988c33753265

Download Submit
C:\Users\Admin\Downloads\CloseDisconnect.aif

Filesize
223KB

MD5
c89255422a8fe2aa4c1408227243dbff

SHA1
89aed72e66c7dc5b07562442e8c1b5f820bbc923

SHA256
a0fafab3a7f4f73e6b898494fc8d83d7b0f04baaab41056e1835cdfff40c1951

SHA512
fbf07f0447606242e2ed664e048477a7c493ed18df3ac4b8cfe5f68f92714a25f1dd5944f671be31320657349da6882237bb0968b382b671b974bdf380864905

Download Submit
C:\Users\Admin\Downloads\DenyUndo.mp4v

Filesize
318KB

MD5
7047826eff8dfb295172edad4fda5059

SHA1
9fde4b215bcafe05aad9e8f72beb56c73385223e

SHA256
84cfb69954d1426eaebc52fb4cf6fd26e2417449c6eb6ef8132c01378015a12f

SHA512
a738bb997692f589d455b3d4e7d9cf943746a398ff23edfe5ba1281041fcc0ecd4870921b93c542ee3483109ca2e30dbc181a92b06d01c1155d4ed2fa46d0123

Download Submit
C:\Users\Admin\Downloads\ExpandRedo.xlt

Filesize
435KB

MD5
f124f4b16428cbb1676c313bf99e9cd3

SHA1
4fef09842d6503024e7914739fd7c7f92aaa6052

SHA256
d97c0a56eedc3bb55b2eafb2501865d09f212780eda1df6c8b32b5665c821c76

SHA512
2ffc91f8d500d8231e9ed4f07f707821f744503cffdaaff938fecc28156acd56bdddbd1792f76329a30a6aed55ebdb943b45a1315c2fc407a331f833b6d944af

Download Submit
C:\Users\Admin\Downloads\ExportImport.WTV

Filesize
499KB

MD5
7bae99817c4d4781bbbd925dbe5d398d

SHA1
489b624db78d49c68c894a260fe73ce60f235c42

SHA256
40174d9c1750c89ef4c4f0b98a384d504a9ec7456e88a98bc1074c150372cbc5

SHA512
886d8a58aac7d864ce2e0fd4c6cae698c3fd494d28ca74a9858dcf1b2f416441159987643a055c84b98a09ccc9dacb367e188bc2ae9576563807b4c68ebea41a

Download Submit
C:\Users\Admin\Downloads\ExportImport.vstx

Filesize
329KB

MD5
c44e1d1b2882cdafe099ed4bc5b86bb7

SHA1
86f85780a3bf0f21ae2423d4d2f9adf6d95488af

SHA256
91c85a62786aa17f54abb4372e09b4da7eb6938ed1545e68d6e18ea2745f8aed

SHA512
62b9e05a4a71d404df819ffc3bcfcdfdadbffb517a1da386b1415eaa756725089883621b65e1501c448afe9223cb26f1961b08d46ded0d86238322e114a19535

Download Submit
C:\Users\Admin\Downloads\FormatGroup.cab

Filesize
488KB

MD5
dac3cc7bc4cda97eac351c06e4f59596

SHA1
45ebd2fb81e79bd1795aac374e31742c5e5de7ec

SHA256
8caef4b5f17eb40835af0fd4f8fb35244c722598eb1f0f6f946151ad2cb4d538

SHA512
d809a847c8a50e8e05a4a057b2a5e74e4195f21a999f5f26c9a9e476a6149e76e5cf7d811533eb0b050495f0c39a18df58313b2301b48dc79f5da9d3b84b6ae5

Download Submit
C:\Users\Admin\Downloads\GroupClear.wpl

Filesize
350KB

MD5
a48e5c2cf7720bb277bc9199a40e5d14

SHA1
04258b5519e9d11b31024a8e9e64ece34a3edbea

SHA256
a34d5117e3c6bc345aef98d1d50f169264c0c8cb206c15b6e77f0255b42954c9

SHA512
f3ff8692f14a5f236f1e7a8c0b27b8021b2b63bf0c902140c3906f6c4025b27bdb300ae2daee65a9438e6d83e5b6c8293e444d211a7fc4f7c07ca774f48d8748

Download Submit
C:\Users\Admin\Downloads\GroupComplete.TTS

Filesize
425KB

MD5
947da745a52329a5e984d2c0e379dd17

SHA1
e0ead32a9415d859cf2283fd6ddb0dc1f4b5ec12

SHA256
53d1bbbec2a1e5619d05cb4e60e8d4464a5bc7a3bd42edb94f7b6f653281d573

SHA512
ba472a90776310cb3d5fe9f8c280c7d41ae481ad28a4c6abdb82be743ba79301a24e8ae20c21edb8fa4e03d31ec1589af6a26adcfed0592c9bcc6174826cd39b

Download Submit
C:\Users\Admin\Downloads\GroupConfirm.cab

Filesize
340KB

MD5
76c3f38034f9a83b64e0e25e9ca6876d

SHA1
716f86ed7438a977b2f9094482ddad1be9558a64

SHA256
a27ec2d642b38923fb9e9aa20b0348d2700bbd7c79adf66a80248242bd0ef260

SHA512
56606f3dad00721007fb4881f56bba856bb5bf39fbee6528f60d28b30bc08581902c2d0e264302eb0e4776195380a35832ef441474cc8040a4d9d6f40d06efe3

Download Submit
C:\Users\Admin\Downloads\ImportJoin.mpg

Filesize
403KB

MD5
e71b92528d92db8cf59a48c350950672

SHA1
e3bcb39db227f33b75bc22c144aed6055b71b814

SHA256
ca3a17cab5094cece7e44d30d5691b320ee649994fa36720a7cfd93053872a0b

SHA512
6c508807faf4c7eb49e54db7224871f63b00a55b22d5fcb95a9052b17fec85d66026fc7d9e2cfacca462fd9e0bab88953871a3915772c13f25dd4d7594ea34a6

Download Submit
C:\Users\Admin\Downloads\LimitBackup.bmp

Filesize
201KB

MD5
f08be5ecbff20cf4302b9af9def72553

SHA1
a80c97859c765b587257f1f2bd7472ba4fe1f97b

SHA256
59fa90937ae26234ad2a47175d3a811d8b221c4f61b243d96f0ee2b392300bda

SHA512
1e2914ecd9ae29c1d31d77a7ee23cc7dbdd04ac705de17452d2c518166695d6f541ad593ce1a12929cf873b7f57bbae97862d6164c88657ffcafaa2cbff22f04

Download Submit
C:\Users\Admin\Downloads\LockGrant.lock

Filesize
191KB

MD5
f815eb8f6847071b66a3d11e5e20dfc0

SHA1
6824162a27d322935f68cc5f5bec3a9c0705ad4d

SHA256
23a97534653c9ad1526e0c100c453468abc7a9f7851d1896f4ca0e9ba407db3e

SHA512
dd70e8e4f1b3c2bbaaf4a89af6efe092653ac4817ead7b85ad1466952ae07cefd492525acd862ad9a74142141425931a8cffe0e48a50491415473370e977fb08

Download Submit
C:\Users\Admin\Downloads\NewDisable.3gp

Filesize
520KB

MD5
1f232495bdebe7149131e0285c55ffeb

SHA1
2658502151e8cf1284907a51357a890ff8c9482e

SHA256
e2231fa4b9c530df129c827c2d6d9fde5433ed686d9307180ccf00d82227b0ec

SHA512
3581c5ee8b13c2fb4e7c03cfa444671d564714134c7dfc6a9ac9ec62136276fcf5f9bbf06c037faf688dcbc6877a16f383dcf00ec4bf819e132b86674ccb9edb

Download Submit
C:\Users\Admin\Downloads\OpenInitialize.vsdx

Filesize
287KB

MD5
474ce72e506711b69a1109759106a42f

SHA1
e902e67a23895151baba7391ccfca057a42b380a

SHA256
302902e685303831fab1d4856003acb5d85d0ed375957050cff1f69bed0b7618

SHA512
717db5c65fd89ae0b2a437f8dc7eb3bd6ca300722b52ecf0e941d68ce6b38270e2678486da3697ddab10d6b98f18448b3ede4efb77f89793500160279d9e8f77

Download Submit
C:\Users\Admin\Downloads\OptimizeSwitch.docx

Filesize
276KB

MD5
236f7a495779027ef585a5df2ce02b8b

SHA1
8640b461c4d3c325eecbab78570562aafe9e73ce

SHA256
b371b2694994a58ac752ce477a80d05f754ef3ee256241a385b007becd008ae0

SHA512
fdd2b4279f1693f49f83ee7b7e2da1f084443d3c29283078a31fca1d35ad3f49f7eae9f1900cc5301670d1ebd37845a9bc0df05417c61eb58093f8c905321add

Download Submit
C:\Users\Admin\Downloads\PingSave.ps1xml

Filesize
244KB

MD5
43095a7cce5b8eb7feafaf04672b56e9

SHA1
5a30e08c0c1819dab9e68e5c37be44b65ca021ae

SHA256
70e021c5a6e11e096b05c3938a202e93e5df1fe0d647abadfd187edbc353554d

SHA512
e8bf9239c8478a1eb4f79939b966d294e3bbe87ce09d5363f2d5764f79e2dd8a89abcc0c70c506c7cd0822373fae2f027e5eaa7672ec6d88df111966b935bc43

Download Submit
C:\Users\Admin\Downloads\ReadUninstall.mht

Filesize
212KB

MD5
147d2839551dd6ab7d9c435c944b2505

SHA1
cc8dfb185571d4aa62d5e585a6d6194a60766b72

SHA256
b8db7d6253ee3d86aaff403b00db046ae08644d4405c9c80e35f6f66e1408c08

SHA512
4e5cef64344d18590787895a519b4c75b7aa3c87ac2e77930ec19aa02e3520ef9182f9fd8f9b5c2d5c167e3101ab91d6e19ab70f53e461b87ff795db83bb8388

Download Submit
C:\Users\Admin\Downloads\ReceiveCheckpoint.mp4

Filesize
414KB

MD5
a4b886b7f2c6a207c7df07d997e2bcc9

SHA1
09acefb20d981f730403ebc4c096cf14c30426ee

SHA256
a742906f3747c2d4bca595ccdce74f66fa686d64449d7b38038341bc73223f13

SHA512
bdc358ac24bd11751c62be30267e7d43b847841ff3b0e678beac581dc655ef2467f76afe655a3dc8e81aad3a1f7c2fface952fcf10e90617957ab6d6ec9d6f0b

Download Submit
C:\Users\Admin\Downloads\ReceiveRead.pptx

Filesize
308KB

MD5
34f1716d8adaa3661fa36de8e15cdfde

SHA1
c8800194fccf7e6c3f2db6e3ab54123f5ff72de2

SHA256
85629f524dfd99fd2c4c33dc4079271928adbf791d907afee42c5eed2743f4c3

SHA512
de8e4276b4abf29bbab3abad66d1fdcf04c5e76910001e5535e66b512b829145bee295c7ac2e0701a9a3f6b7b6d41f2befbade4d72d75727a7710bea07de9933

Download Submit
C:\Users\Admin\Downloads\RemoveClose.mht

Filesize
446KB

MD5
a71d64d83346406fb441434070577c30

SHA1
068fc58c2fe4c0ecf4868046d3a5ee2ab27fa1b0

SHA256
e3f698226a8631701c019d59bc47024fc263b35a39c4c6e205080a1756788622

SHA512
58c940248576222ac84fdee63d9357df93899168bb393426f1d7d5ecf2525d4f7db4ac176773e4245a6fcd6a94e15a54e2e283eccb37a58a8b0011fde532f959

Download Submit
C:\Users\Admin\Downloads\RestoreJoin.html

Filesize
255KB

MD5
37537d9805e6a39b52b9ba8a70710b19

SHA1
7f435a9abd56c33af3ade9c5a48031dd071f0467

SHA256
ac6a49280daf11914454874c2e9c7c903771878ae253034ba19eddc0e757e81a

SHA512
6af9beb4fac8d71aa14bd5a36d133816d5d9aeb67e26a987456f69f4d2b35d6b0e52dc0fa339ed5d930514896ec5abe257be81bc2fd623ddd87b7f641230156f

Download Submit
C:\Users\Admin\Downloads\SearchMount.edrwx

Filesize
467KB

MD5
4b4fe5a9d593a5dffd72ee5a4d7d671e

SHA1
13cbab68c3b3a53db671c23cfaf766ac77ea6601

SHA256
2a1fc303bc24afc4a657c2503089de42345c92f5d6e7cb61895bf91084d40559

SHA512
238f63a5a89239881dd6eceb636aa09b173a38947b1cf6c8d6c1cc56179d1910acdda1ca500ef60b81d3d0b3cad56fb5d2cc8afad437e968892209684c2d78d0

Download Submit
C:\Users\Admin\Downloads\SearchStart.odp

Filesize
457KB

MD5
19c898b7f3ac2160fe4f684041708ef5

SHA1
48e38005046139c6f6078fca1fabc59e2feac1cf

SHA256
c8d6e43dc73a4763f82812e2a766274e32dd1a28bd167307cf0b87f79d68f959

SHA512
bd231afdac18acedf68db76577f5a00a9d4c2e0b45d74b2eb94fab01b2acb7037b03f592753ccdd8c7b98439ec862db90023252cd4f53c56b3b183768ecc6e93

Download Submit
C:\Users\Admin\Downloads\SetCompress.mp4v

Filesize
265KB

MD5
a688c74142ec383d12c6b61763a630fd

SHA1
96b4757aeb06e3db594a7d65eb1228494ad951c3

SHA256
692599aeaa854aa2853624aaec20d894f381912eeafb2c33b3fcf88a1e4355b7

SHA512
9a65502cbfa2867fecf5a72f206011e731adff78c48c1cd2748d4e7097bacd5d888422cadf622414a9cfe96172d38b2648d5bd0902e9dc34b3af9b03fdbffc24

Download Submit
C:\Users\Admin\Downloads\StartCompress.wav

Filesize
233KB

MD5
980dc820c58a601569dc9e785663fd3c

SHA1
e456897d4b8506097397dcacde67829f00b8aca7

SHA256
5c94edcc317895c85a7662c26bb7c9d1f9cbfd4cc7039543256136ce1c806ea5

SHA512
a0e4ce85fd8054315488503b91672731a78557f2e1fbbf5fd3af075b933a9fe9b6cb5986578f3df7cebd0bd43c061522ee266750ac12025a13dfddf1e8abc839

Download Submit
C:\Users\Admin\Downloads\SwitchComplete.mpeg3

Filesize
297KB

MD5
8effe7eea752a60a8346f63c4e1ff98f

SHA1
90b805809d48ffe5649b1f20987e52f267ef2509

SHA256
23f2cc432a6b0b78e6beadb0976cc1f373f8e4e6cb0c15ea75e57c58f85c1140

SHA512
d1bad7135a52712effcdc592a93568f49d4bf912e6c1d2c52d182c0136a27ac99b9719981501666ed5914ff5a58659921cc1b83f8ce0cbf19d0262ae59682a1b

Download Submit
C:\Users\Admin\Downloads\SwitchStart.xlt

Filesize
180KB

MD5
18ff6cb84722b9cfcb9ee7feb1527eed

SHA1
2e9ea1ff0dfef9cdda20d6063d5546e7b732e57c

SHA256
f1b330e5d4417f8745d76b1df3a85c0497da0ed2eb5d65866cad49ce07172c99

SHA512
f02157123790af5116d7474fe992d69c04f05f2c099f7086de15fdf1041855662039cd3caf6d6fa8b8f1ddff55c980b282f3e24278e918b17c398d103c378423

Download Submit
C:\Users\Admin\Downloads\TraceStop.snd

Filesize
382KB

MD5
09307759eb31aad5ecbe91b4f78f3d19

SHA1
632b86e39c21ff288970169a24d88501e3097ccb

SHA256
63138de96e4e38295da97012de8930974898f8a0589482cd5ce74f57a46256fe

SHA512
80c980bd3e32a02beab095cca45fa8d19d18881a7dcef86e30e9f04c60ffd163182d0a61310ad5bb613ccf1a1322e30d29ca9ca3f6afc25d0246f05871f7342e

Download Submit
C:\Users\Admin\Downloads\TraceUnregister.ppsm

Filesize
372KB

MD5
526c22ab11d0f4915c887f607dd9fe92

SHA1
e8dee0090cd7d62343248d3dbec13350b8f0c359

SHA256
9278b3eb1b88fa290927bac05678adfee8afab5df283f4eb7e5668080711d546

SHA512
40a5113195753e3e82f3bcec0ada5257507961013ea5ac5815e4b6d47a4761be763111e34c4e22cc473ffc9417fa3c66d0cf334d03a706706c2633598fe6230e

Download Submit
C:\Users\Admin\Downloads\UnblockSkip.xlsx

Filesize
712KB

MD5
b33feb59808c3d30149c995f0362f200

SHA1
73b85cb3b19953f29c4613bd5961859b1bfc5856

SHA256
fe1b8642c61371843997d836a543fd96ccf8ba5fec95cd0675bbc75644b84256

SHA512
b6be8b9a62c7bcde605c806dbffb8c1aab033d1c005c711d039c7bb594558820b492f72918076c7f03b7934bb7b63ae7e7c3590b4e918dde56ec5af9b2a12770

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 213198.crdownload

Filesize
2.0MB

MD5
ff80c0ada67aff5ffe2615a235538ec5

SHA1
d8c86b141420a3345285e704b24de3ea41d35f24

SHA256
9f0015279990287ff564d48949ae9f36c69f22cfe3ff97a29e32b19a8f925388

SHA512
7e02f2f54851d26d9e2bfe8fb9b0c6467fb47f611a6f12959dd52608563f837c799aa4bf67e8ce4ea4f49d5ce3c011d5d660b2b3c1a708027b11a3db542177fe

Download Submit
C:\Users\Admin\Downloads\UninstallPop.mp3

Filesize
478KB

MD5
ee891e5a0e0c4168d207dbca08e2b80b

SHA1
66f978d4ed455f47ecf3a27c49665452925f868c

SHA256
bfd60837c420fd0fc04ed1fe2e7012e60f8415038df2a92fc37d13b8e52635d1

SHA512
32361b0e76d2697c9533770af5e172983b3494f25fcc13538191e8c39706671dd2c5432f6d9bc487738034d8565b138c91b57655a0a519629f3bc1d8b0334bfa

Download Submit
C:\Users\Admin\Downloads\WatchNew.wpl

Filesize
393KB

MD5
9ad4038b3d83a7758be3fc167d87a05d

SHA1
0ccc84eb11e54ffdd032842a6b58cf6d4194ee40

SHA256
abd4613429d3fe591eccac13d3eb96db266fe4c93bc15b02dab9e80d08e9bb5b

SHA512
fc3fe40a80fba8b911b3f99402446d4dc9c1f18dcb921c449b91f1e356a8ff527502eaa7b473d093d2bd460122e28fd0b50e908a74abb249d64e10fdc83a058c

Download Submit
C:\Users\Admin\Downloads\WatchUnregister.dwfx

Filesize
510KB

MD5
9236caba639e671e0a38815b46f52141

SHA1
4783c0671ce875c721cb08023c2a5197efa769de

SHA256
d1dd6f471bfc0147b1fc9d01006c4526cc535c6cd93f70be3a7425a30d72f9ed

SHA512
b5c6a155ed2040216b5b29f66821954e4c55101777602ef0a5b1e6db19fa183e3dc42bfe7581a994410713973fdfb4bed15d82ba2cc5a6d9ebdf9c60b4eb85a9

Download Submit
C:\Users\Public\Downloads\mssearch.exe

Filesize
15.1MB

MD5
40bff20634ac05d1f02ad29364f3e21d

SHA1
12405525151bab6034b22f78903d7273d9aa6df2

SHA256
57efe20ef3b8af561b4b397447916f7db2dec59cbf06d15731faf7e0ec30dc9d

SHA512
e18ba1b81fd21839a6101fbe3927d825329e53010a2eb361a602853236cd1a56a0fa4bd5bc717d1693853fe88babc3993872eed5eec9b91892f4f803d2de759c

Download Submit
memory/1688-72-0x0000016CFC4E0000-0x0000016CFC556000-memory.dmp

Filesize
472KB

Download
memory/1688-69-0x0000016CFC210000-0x0000016CFC232000-memory.dmp

Filesize
136KB

Download