discordrat | 4465abadd78c5bc61985767c3e9a340ab2efa1967a4bc9fc6ef4d4c5359af1ec

Analysis

max time kernel
157s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 13:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

file.html
Size

312KB
MD5

1ec96c67fbbdd77d12f8a6af1589fb68
SHA1

d8b348b8df1d383db75eebe66157f53466ceb283
SHA256

4465abadd78c5bc61985767c3e9a340ab2efa1967a4bc9fc6ef4d4c5359af1ec
SHA512

5f282b4f20456fe32fd2c9848b7f8350d0f1b5d11782159c71808e1cf7303e37f9375c36c61cbd3054969f7c64ff7cad1bb8f70867fa97f6d2f0b2737ab66193
SSDEEP

3072:2ifgAkHnjPIQ6KSEc/kHwPaW+LN7DxRLlzglKfVvPk:pgAkHnjPIQBSE5QPCN7jBfVvPk

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MDExOTQ0MDQwMjQ4NTMzMA.GJQ5yu.LYQRYfRn2c9WS78liXjXvtX1oYGlEYXU_Ri5c4
server_id
1250120668813594766

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
3332	Client-built.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "91"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "2"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 3a002e80922b16d365937a46956b92703aca08af260001002600efbe1100000075b15b64d7e4da01de7f6068dbe4da013c9d486bdbe4da0114000000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	mspaint.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
3588	mspaint.exe
3588	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
6136	7zG.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3588	mspaint.exe
3588	mspaint.exe
3588	mspaint.exe
3588	mspaint.exe
3588	mspaint.exe
3008	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2332	2244	chrome.exe	83
PID 2244 wrote to memory of 2332	2244	chrome.exe	83
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 2272	2244	chrome.exe	84
PID 2244 wrote to memory of 5056	2244	chrome.exe	85
PID 2244 wrote to memory of 5056	2244	chrome.exe	85
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86
PID 2244 wrote to memory of 1564	2244	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb5792cc40,0x7ffb5792cc4c,0x7ffb5792cc58
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1764,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4808,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=724 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4736,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5256,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5448,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5008,i,1589011677210464043,6550110057272661809,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:916

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3472

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4836
- C:\Windows\system32\dashost.exe
  dashost.exe {a2bb3021-b150-4140-8add8c920fb47f69}
  2⤵
  PID:1532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5208

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\client zip\" -spe -an -ai#7zMap23930:82:7zEvent2480
1⤵
- Suspicious use of FindShellTrayWindow
PID:6136

C:\Users\Admin\Downloads\client zip\Client-built.exe
"C:\Users\Admin\Downloads\client zip\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3962855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ebd1e0c475994371b3998462615f0d05

SHA1
14e355cb59a4e518018b776164c6d0217aca50e8

SHA256
6982055c717bbdaed4aeec95fd9209e1f933093cf5419bc09194366ee80b0541

SHA512
7aa0bc09e0f291418fe3b6683c2e6e83781a2d96af1d36fd47162a132cfb1fe0051135fe401c6f953c85948974aa79343fb88a0d40ed31be7c60249ae21a3a32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
22b5c4476bc26d44bca6dea023c8ae0c

SHA1
4e5bf132c531ddf511ba0714372c58ac9d081a83

SHA256
33eeeb6bd807cc09d8cb0428e74033a350a578b7351c5e9c25bda59f78025a13

SHA512
e7f493cba1e269f08c8d531b9e452f59ba18e49570e2432e9b306e340c1b7f593f4c8d2e2f4089babefb0af914e1dd80a60ba3025a9688a046716f66e28e203f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
23b3e087fc15aaf4c130965439b7530f

SHA1
1d863b8b5e1da44af4ae6bec2d160da084d999a3

SHA256
cc6e5e1feeba5e02bdb03aff9912d1c0a7e7fda419e30e5f33f2ba54735687be

SHA512
31390e61ba6a863fe8772601652afea1767ed7d4f5d0685ce69d14d5212d00c58038cc99ee045a0ee69b59c5072fd3ebbc08fdbd9e0a39b2cbcb96a8100e4d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
852B

MD5
8bb5343b71c25b96d5310a0ebdde2fb4

SHA1
cae241bec4fa6d1c79ccc3f1d897ef7ce1eb3635

SHA256
83c93f5205c0e4d947791af384851103406f37dd2e82c246bceef43334fb2934

SHA512
3a92754dbf30fd64871e103891dc402e2db93f6633bba8d02ab353b1a5edd6b2489b274617563e7772429ba1fe38a17f297c1bbe4eeb5f125a7022645f7e14f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
77c79d3ac0591fffe9005f2ba07dcf33

SHA1
b15d5f7364ca36629006dcf6032a4d344e803f86

SHA256
19041dbc84b1f6ea0504f093ff81bb132f09c44a21ad27b19dcedc4710d68113

SHA512
9ee984d404be31428951d24dd63ba17678682f0660544b440265eefe5fa8407a6e8a74d099c944c7ceb1bd52c39c459b0385425e84cc4260facb0f1e91b744d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
10c3259530f74a9c87ac4c3e667597d0

SHA1
1423c0acd03b83ccbc99496f8314d82c196e7c5a

SHA256
9fc56bc739f0c6aeecb3d0018f870837c9f1835b4c776dbbbb0e3f236af59bb9

SHA512
2cfe09b2e70a406a88aaf9bf4edfa308b4a7f049e4dd42b9c742e55d334c3a0e16fe168c889a987ff7f3fb559845fbefa281b23db4cbf72e19e1992550c32c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2150ec55826f7b3e45f7f2410c99ebaf

SHA1
9540f26dabc795eb8a5dfacb2eef997b4d76b86f

SHA256
4169350793c2c04c803e1f0278ae8177b898089c1165892f43570a2da35f207f

SHA512
9276e8079391719f48bdc2235f875b226074b7fc88b227502f6d1b5246c4bc0ca4a422c083febfb5ab9c6992ce784d1405db007f0727cfeb71a1fc3c3c53dd78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7e2ab9628b2e1811b96287a95db9e6df

SHA1
2622e121b1b1c04bfd2efade975a7d98b11724d0

SHA256
a97cdba02e3ff8ebfe500232a0e4719e24cb8b13aaeec52299bef5eba8716b56

SHA512
02cf669991ea5d18ff317a49336bfac5481a2a1c960bd5964836c9dd4c3b07951583b6ab2f48c76cab7d3cdc15cdb10b21450f6c1b7499921f5014b9a868de12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ef99f9371337d85641dbe4809c9ed5fa

SHA1
8a142decd66934ad414bfe4d9ffe496920c84fe7

SHA256
cdf5fdbfadbbaef2626f67633a5a1f8873e1788cc4539d31278a3e709a5e858d

SHA512
030981621bd3d419fb05bfd339ad6224f9db9ae143d464cd83f1ecc9298d1e19bb3a56d6852e2b29c7ff36a7d06c4a9b8afb5c9bbc7bfc9aa639c0c46893c30b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
024cd187462f7984f9d02afcb72f9b44

SHA1
0bc0b66ca2e84b3281d14982c73481bee61ff0e3

SHA256
2e7656be33976c7b6a7502cc96414033650000737da001366409df8a2f07c0bb

SHA512
7134c7243569b33a042edfe0a3cb24a5455ab47bd2cdcd8c0585376f67b25b312b084f5b401490318941abc1a816a00e0d0ba1b7d298590a8cc513e944fa8e6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f19784f9-08d9-4170-bebb-f76fdfcb6b03.tmp

Filesize
8KB

MD5
151b14be2cab5e557217973218395a59

SHA1
5c964b377138827a67ab540c85d90326aefe182c

SHA256
2f1bc4fee4d4b0bffbf252168ffb652d730b15bf7fa6f8643dadc09a098c005c

SHA512
857bb1e1d75f846d43da605cc11a1982cf891e5ddb3f7cdf28379d34c736463a194d050a3d22f39eb08d2c9e7ec86200244ed123d48a5d6fbd7ed8b7eb03c086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
24e584ce17a22110b8f83426902319cf

SHA1
21a84ee89e0b81fed741b9d029ac230ae9c4e63f

SHA256
3ad703e1e2407607089eaf313b5f244d39a000c16c1fb4cbfb3f6e7d19402167

SHA512
b699a01cc7b8c66d2dcca0fddb11b74a94b6c72e4f3771d6826a261556f567f2997f77d42c918f24ae6fce65ce516fbb5b5c2ed2a2ce36a338b241233ffb82a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3231d1dac4c596779b6496ce2b8af3bf

SHA1
cfe8705d4c539e90f0c3e60eef0637315b7760b6

SHA256
21e08266bbf84ff1b89f4a804b48fe1a9ce8ce13e3ec1cb16771e98e276878b2

SHA512
36239ffc5a9465a1432ef2ef195056d7f4bf010429ab640ecdb8448780daabe7f7f17793dba9cb47776e1cf451c97caa317120901d34a46059a8a51111aa2bd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
955728521ab5f4e852aeb8c64b999be8

SHA1
2c8ca9538366bba0e175f4be5d6210a4e86ed268

SHA256
e95072d57d891b7b4c5faadd61fb48e84877a1f255ee59e286071beec1850814

SHA512
8c4157f192cfb1017eed6b9cdbb7c1ec91511e138257888211a7df11e608be2d4d741160a18b7d409c7fe78ad0099ed72dca63dbc05f2c9a3860fa0a70b39280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
fd23971dab1897ffcb4b536b74922819

SHA1
0ff4b761732483fd50aecbd5a91cbbed4d567894

SHA256
d9be7fa6373c088eeee52b643f2fd0832410c260543242348442c36801d9a0c0

SHA512
955e5170a131f8ed7f412db49ac76fb013aa84d1f3d4125b01350cfc09f05ca0e49f97cf369c4f79f0d456b1c068d9ec46c28da62a92a7f0869721bde3d5da2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Untitled.png

Filesize
1KB

MD5
ea8fb2edfe2bb4ad0c42a25f6b21efa0

SHA1
bde55a08d0b7669d77afaae9b4a5d127aee5ed75

SHA256
0ca9caf363281310e909b57fae2441207a0aa22eabff9e23a6e9629616262ded

SHA512
1af6133359b911b40d155cae2065a52a6841afa5edaba4fb81115ed0b4fa9ab5b617057b11be9f79f44ecc0c94cf70157cf0be26c201cda98761f08a7e3a409a

Download Submit
C:\Users\Admin\Desktop\ApproveCopy.xlsx

Filesize
12KB

MD5
3da8cfe69e899810df7e2c7c8b214939

SHA1
43bc37f46a56cfe603731a9883b851d02edea425

SHA256
84aa57366cfcb866e62a6c6c17096518d4a92f0273b8ed01c567bd2be6f1dd72

SHA512
65c1151fb397f95c07674f9c7fcc49984aeca8d10048af0d73f6738338f760a6b31585b7b20927e61ad4b2f7400701424f5aa57c412a88bc7e2619455e400106

Download Submit
C:\Users\Admin\Desktop\AssertUnpublish.nfo

Filesize
264KB

MD5
d107acfa3d16882593cf76b96bc7027c

SHA1
b5cea610cce2105d134ac781645b313de54cf197

SHA256
80cdeabf71e23f5c9275f277eacfe001f07e9a604f21d26a7448fa880fca7e88

SHA512
07985ec6c7af77cd772d02737aa0b8b6cdd2ea3ab6f8bb6a784512d903d1b06e0a7239926c74a080e7681503a449922fbceb8eca82098554abd213b0a7d7bcac

Download Submit
C:\Users\Admin\Desktop\BlockPush.vstm

Filesize
398KB

MD5
ae24e5daebafc2342e080a044c035b81

SHA1
47fa1c93503e042aba5677102f782cb49326621d

SHA256
43c7bbd0e3acd186e4c105338e704a3fea3d7d4e17cdf1577b9e30f00555c9ab

SHA512
ad8a13a6c852bfead3e947b5094a88659d94fbc1dba0f1e11fad401841a142ed9ef21507cc3acb0918856ca381cc534fdccdd340895004b2a8844114fdd05a55

Download Submit
C:\Users\Admin\Desktop\CloseRequest.ini

Filesize
207KB

MD5
3f7b42cd3405e1c36d83eb3540d3ea04

SHA1
deacaf42a3fc87bfcbd094ca92db0f130e66fe21

SHA256
1955444835845f972d6f722c81cdafc77aa6e8c748e83a5695b90c66857ddf43

SHA512
a87c8fa147aee9c93b13e6da11e870db25f28e22d8a26c808edacbcd05506bd629cd8f8802d353c200e3b8d895fe4687ad3b53bec9f6b9fc3700275334d74fae

Download Submit
C:\Users\Admin\Desktop\CompareShow.ppt

Filesize
387KB

MD5
6d9ba00a246ed78a84ab01febdaf92ff

SHA1
4042474a8682ada4010119eb312041023244b397

SHA256
a5b05df144eecde1de08c502eb4f9d27de0e91b1bdec694fedd1d78139f5cd41

SHA512
f9d61ac3d0205de813feeca01ba009318b28e96a09fc290b4aa56da57ad7a615265013027cfba34981e1a26d4d6fd58d7cd4c425bf46a1fee76a29ceecda435b

Download Submit
C:\Users\Admin\Desktop\ConnectRegister.ini

Filesize
241KB

MD5
de89e2de9b44af6ff35596748baef2d5

SHA1
ecf4680f5654299cd28043bfd055c2e7c45625b8

SHA256
46b7c810d0c528296d8afe8e3477a36121c32f9a505810d221c0afcabc546d77

SHA512
acb72257072b2e55c8f6a912ded0d210a49e1c8de9d49a75ae516cb10e88d6e5ff63d191db3f3a4bb0074d202a70217b79ea663b7c675bc56ce10ffd24b5818e

Download Submit
C:\Users\Admin\Desktop\ConnectSkip.sql

Filesize
162KB

MD5
fcc4aed2b3c60a1847f05531e5dd7b94

SHA1
a4ab04f99af54efad56f9642d0f40fb58faa8731

SHA256
74dad18e0dc5f7f00cb948b29edf7b70edad168616ca00a7a688c4d3b4f125f8

SHA512
36f1246fb37e9d4353b49ea2343ff81638d533e70bb61c4a4a3847e35e6902e7dbfbadbc4e0feeb077cef04028f4cc6b556f727420449266f981cbf62cda8b9d

Download Submit
C:\Users\Admin\Desktop\ConvertLock.temp

Filesize
365KB

MD5
df9ae522b27c3d038eac16d9c0873e36

SHA1
8cd13ad5784b8d18e64c621ad1765b0aeb69961c

SHA256
ff96203d1a68edef6a1534ee2fac21356a888354f2bd8fab03278b8ac70771e1

SHA512
5b382347cd3e7076cc6ccf811da44dffe319195a0c6ec7994157fe84078f353db4aa89eae58fca53502ff41f21e4dc75949ed11d5a8d45820c30485286b01751

Download Submit
C:\Users\Admin\Desktop\DisableApprove.dotx

Filesize
432KB

MD5
df016ebe0da729332f51c02cf33a576e

SHA1
d6b98322cb21a80332d57e3614f8d5cfcd2b0d72

SHA256
69136112199a417d9cbb5e5bfd86480a3ebb52979c4b4747040109c0670d61d8

SHA512
726fd44b843df1d8103a90cde2651140bef645d58c87da1a482c4f4ed3dd56f8eacbd5b82723a0eac6420dbe43952e33afaee081c7a5e15ce7ac30483d0bcf68

Download Submit
C:\Users\Admin\Desktop\EnableReset.ttf

Filesize
297KB

MD5
7219a44f2a72bf1969b724a465602ed1

SHA1
412133e0e4d583f541414a1bdf4127f8e629ac95

SHA256
dfd36c54d0a75a7b21dc5e3508bd1a9c9e3ba8e83daca5a46a7f0920073c8ece

SHA512
0d1ef381a560732336905e4f83ceca24380e4310d7de01367701eeebc9ae6f03e1f1ed1e5ece26b6a5b30e59224f0761033c9ec99587eb63c03d959cbe06ed20

Download Submit
C:\Users\Admin\Desktop\ExportClear.txt

Filesize
595KB

MD5
80d08ab5bc950fcc38f668abf21ea2b0

SHA1
5fb1bddbfa34d90b074a5c3a02fdff93211982f9

SHA256
f9de57c243a0dcadc494f12444381af737a70b6443dfd2fe5257cd59d3bb8bc4

SHA512
646ac50c16b7dd8093c2ca9918fff1a22b5f94f796caf9982a8e36c37d2cc80002f1fb0adf434626b90c46ca18b2f2092f8c0e17318db91750394fec27ad5208

Download Submit
C:\Users\Admin\Desktop\ExportLimit.inf

Filesize
196KB

MD5
d692c29377fd35cf95de7eff38e4d58f

SHA1
5683da6ece7a73853389152d775de2d596b1c103

SHA256
f9d746b70704eaf0a74c1bcad23e1a76a9cb10fb14c96f2f8716ccd91e5c2659

SHA512
26d85e9bb684555372e0ca57ec2e89b78dd7eed8d15a4334386affdd8d8f109fbba0b7937c812ef077db142fadb255f68e91fba09297273a2165e33a93ccdec9

Download Submit
C:\Users\Admin\Desktop\ExportRename.xlsx

Filesize
9KB

MD5
ce415f77b227a3d03bf5b3c5996878dd

SHA1
310af617653d1b8455544448ad97fe56b7284867

SHA256
f6a3b4c723fd596b189ad024cf291c41661f3dc715a6b9daca627ac5343ad6f6

SHA512
ab496e8611fa5a67f931ff1d0ebdd9a81939e6dbe526670f55e75d44f5639c94645e32eb5359a801bcceb0b353236280428a3f20b484702bca3393ea3ce78eac

Download Submit
C:\Users\Admin\Desktop\FindMeasure.cr2

Filesize
421KB

MD5
b08563de66c437b3f6697700b5f3789d

SHA1
3b4b4863f4d07e0c8b17295351dcadb3697b3e5f

SHA256
5755b90c4098b86ba78be3ad42d0699f5eab1dd3889389b2862e6166e9e7f7ed

SHA512
8ea8ed547151350575b36c65ccb009a255fe559cbc5c303f3c373fc0395850bfeb6d6fc385b6064ec924b177cce17f7b0994ae42ae8b5d4b072a783aa667d64e

Download Submit
C:\Users\Admin\Desktop\FindMove.avi

Filesize
342KB

MD5
a85097ef6f0121fc3a761ef9aac5959f

SHA1
1a6537eab93811618635f290b83911e2ebe7c209

SHA256
eb4ec7fd1a897c7066c01814e81d01def545ee141194e690c2b58cd1a3a72d20

SHA512
94521244d9a1b09bd67a37cd91e31a4b305643595a50e80d5b5b1434f7881f2dbc1fcc6da90946120f85395de784718cb1b83e6f644fad74441a207f7415340a

Download Submit
C:\Users\Admin\Desktop\GrantResolve.docm

Filesize
275KB

MD5
fd8683cb0e5ebd45a571a0d5d3b84eb6

SHA1
38e566927b6aa9d3fb869349b10836a85b951ae3

SHA256
70045d695d1c5a2d739fd672b67d8daeb448012f77a8a58053d62d1298009b50

SHA512
aed813132cf8ac0fb40ea4173f2fc4380999c85f0834e84e2b86d6d57d9a38b7ba63e5d540f2c6ea70fca797de9156e974e7d89a6d6f6a24e2ad87289e52ca42

Download Submit
C:\Users\Admin\Desktop\GrantWatch.m4v

Filesize
230KB

MD5
ff57df2ad48355886f0b81904de63ced

SHA1
2343c28de58ca198b1de88c8069b7ca404d34ce2

SHA256
f27e0163d7d9fba23b2e3cfe25611e3e4e55d4f7ab06a65788369cf293ecc5a4

SHA512
5e3266ffa67c5007bde99b04b559cf12abb7930f66022fdd692365123fb7969cf0a4cdac34eebd755a9262f9e0aeb38d26591e0f410093c32efa5eb16a99d043

Download Submit
C:\Users\Admin\Desktop\ImportFormat.rtf

Filesize
410KB

MD5
e1cd55f6141f953f292ed97010196eb4

SHA1
c4cad3a0ce51d160c5978ca5769b68cef42005a9

SHA256
df3eea9dd51bf91414f13d21093abb86a96d202fb6b84a62f9ff65219070c6ef

SHA512
0394fefbadbd55ddb97205532f2a83684f6acea36ab1e925a287d63a4ea25427cd5288fecac0a6c29dc8323447077cf227149c977474214bc5670f4391b3d22a

Download Submit
C:\Users\Admin\Desktop\InvokeSwitch.dotx

Filesize
320KB

MD5
0e3267ce9ac662e9755d06cb29349611

SHA1
408aa1c4f926821a306197e1c98351d950e734d8

SHA256
4b8d3b2c2bba93a4d66b62514d75e63caa1502df7eaa43d15414a556cabba74e

SHA512
71babe33220eb2527be165cd0b41f6af8c938625a1dec0ece0977cc0efc84bf387922020feb9c063a75d44e584e50284595c3870fb2c01fc3302800575f2d059

Download Submit
C:\Users\Admin\Desktop\OutImport.contact

Filesize
376KB

MD5
58e51a76676315c057c96d4e69eb27ef

SHA1
c69eb10095a9d45059e4d3fd8b1e4e80b2e132be

SHA256
3c0244380ff510a2ead799c303eb8973617ef6580fd5e418c4794d32c2ea9105

SHA512
199a57f6e365b8e072be7b80a637423a7ebdfe7c1b65ac417f96b27f8256c56a4ee4b65c7f10761180c9317d4e505b05f7f2153f3e86b023cba4c961a16ebb3f

Download Submit
C:\Users\Admin\Desktop\OutStop.mht

Filesize
331KB

MD5
5bc3409d18fe39f3b59e30e1aa4a358c

SHA1
11091b1939c50b45d71844a4882d9b398791e86e

SHA256
f3ba7ebe3c20e8e952676ba6beb3bfb431df867c06f5e46862fa2223733b02a2

SHA512
23046fb9845f08d39c2c866f13b9c12e29293f2b163398648e3501d15542cb62d17a845750350353fc6bf1f5036f40c323ccdd40e1c9b9b6f1bc9dcac9b0ae95

Download Submit
C:\Users\Admin\Desktop\ReceiveEdit.ini

Filesize
151KB

MD5
042e9981eaf2f062c93e6bcc6d158891

SHA1
9dd9196f187b671ae33b33b932d3f30cd0a577d4

SHA256
9b11e946b2051841cf7caa0cb75c83b186ad64822f23dc76d33ef1455005673d

SHA512
64e540da509a17626c2294b77a2d012036f88d5c8169056bfb45c905c87d08dad9f8b544f75a2f5b0a92da8e4dcd652e3fd7f2580f1731724df8ca8167ba26b2

Download Submit
C:\Users\Admin\Desktop\RemoveRestart.docx

Filesize
13KB

MD5
af09d45f3c5a5aa4cc38fb9a52d6626e

SHA1
5fb5e524d0c1ff09c3db75d46dd186d3d33be835

SHA256
4dabcda2e326361d20ee8d2aafb17e4026b1894f282bc92fca586cc0e321147f

SHA512
3f79a20f4e07352390b143223fb40870b06631157f97ea63e864e6252542544149396ba71bf49300cbb440f0b61b3275e5d950e95ee1e7573ed15e79f12e512d

Download Submit
C:\Users\Admin\Desktop\RequestUnlock.jpeg

Filesize
309KB

MD5
c712f36392aa26b5441aa04ce330fbb0

SHA1
872ab051e37ef0acbcfc7d422c16e77058cdf078

SHA256
acdfa029b143b256752d055f2e4283127ed9366e3580e7c156e22b5fe494e2ee

SHA512
b5a73d6db8ae5132a75532489121492d4ee5edba4062671ec3593a594931adc8502b3c0c41cfd0d858728e3d62911f8afda99bb52de92f4cac090a3a7496c9d6

Download Submit
C:\Users\Admin\Desktop\ResolveReset.xla

Filesize
286KB

MD5
da22131d03fa1ce9fc47b30c2e511431

SHA1
bed8e7444a9cb995e5689969423bf292aa01389d

SHA256
34a890020580f04c8c6211fb6924dd3bca8ffecf37b52bbcba173a68aacb5cc0

SHA512
767abc01531a13abf5635f3b8c8a9c9f54387b3d91fbeb9224c22f5bd74b5829e30bcdf573fb7c6ef3e2552583994822b01c0e93f98dfce2f0b09aa41f3c3dae

Download Submit
C:\Users\Admin\Desktop\RestartPop.txt

Filesize
353KB

MD5
66e14d17b878c5980cc443c3b31018a9

SHA1
d210530d010ef5adc74de72b82b6c0e03987d554

SHA256
0b865b59b8aa36f7bcd32e403bc270bef9902c491b4c65597b9aa5eb71771f4c

SHA512
f778665f0b406516f939167ee51a9e8ce39ef131823a90903de422ebe38a8f65135fd18d1dbc4cf9d10f6b0e57f73b486a0dfc5975db6643b1f339ff9599042f

Download Submit
C:\Users\Admin\Desktop\RestoreExpand.asx

Filesize
219KB

MD5
fdecbb27ac801ce32b2b671881c89d86

SHA1
c3feb6c1abb8776f323adddd7d4fd04c91dc07a0

SHA256
68cce3fd64229406a5dcbd6c0160475acdd8653461cb09eee9d6a4a23da79d28

SHA512
cef1bda725a931bcfba442ad8ed02d277e290e70205e2a33a5be0e7ba5f9386110552467ba78b3fcd69ca8155689dd3d8577f42206a517aecc4e4bcfb4e5eaf4

Download Submit
C:\Users\Admin\Desktop\StartBlock.xla

Filesize
252KB

MD5
beb6a738899183df98391a22d63567e1

SHA1
bbbf88daf66b571c6126648251f3ab234f3ef4aa

SHA256
d08bee75a61bbf1efe2eab3c15ab40edb846693f4d13157a4fe2ebbb371c6866

SHA512
1ad171668349ba1dff85fb47ab08fb803eded77e051c17412b18c2fb5c32624d40734e8b195b218839dca0ba08192579c82019b60ad4afbd8dd1d21bcf5d119b

Download Submit
C:\Users\Admin\Desktop\StepCompare.xlsx

Filesize
11KB

MD5
370499c35929da519658b278872a0a9c

SHA1
14955ecf55a6cbeeda48451ad071d7473bdbff61

SHA256
c567323f38a6e71ab840a9d2629bafb596f22e578e17a768c8be567a7490f71a

SHA512
25839c6a5a92dad355b10231782f74c2d07f8dc895c0f78b341dd7ccde1bf2b7eb0c7659b61bbaa14ae1de956601b21ba02a6b3d3d1a9d400934ab8bb1e2f202

Download Submit
C:\Users\Admin\Desktop\StepLimit.xhtml

Filesize
185KB

MD5
f1d4fee9b5d62861d561d10270dc105a

SHA1
998753cb2de65f3390dfe05b635956f43007317f

SHA256
20db89da03ae2d1d719c4eeb5b05cbbaa0dbc04ad6ffb7b47c32935f78cbb2da

SHA512
f403449bc6e37ad392700342e5a60a11ab285e8cb6bd0a912680e7dfc353ae86fc1ce7e732836ef829c5ac5e5ba5eb3babc9467fae95541e3cb8417989d63ddf

Download Submit
C:\Users\Admin\Desktop\SuspendJoin.docx

Filesize
19KB

MD5
8231651b755be4e9e448157573581e5b

SHA1
b4b3edf20dc1fe5812a4abbd962dd07f0601d7d4

SHA256
1043b5e938802b3533ffed532344171bcbf7927ec4a9141a7a30cb1ff0dfcc7a

SHA512
7b39f26984fbd335d0093db9310b3ee038ae874525c222e1b242dcdb328aaab628da1a9487e4da517afa293c7fa77b9831f9b4d63070482529457b1e047dcb04

Download Submit
C:\Users\Admin\Desktop\WaitExpand.docx

Filesize
19KB

MD5
e8db2ea62a86a50251b2b6bf50c0ccff

SHA1
8e7695f135cac30257d621d353845b17151287ba

SHA256
ddbf2cd1b56611b8bea519c461fbab2a3291765a535253078753b715afa625ca

SHA512
3840a4fe407d3c9a72c25e4cc0b435f7f914d78c6ba75fea6644aa02dc4acb2e674141e565ce8ac58564e9d56a10856d52acccaa1c0d75995957a538228782e9

Download Submit
C:\Users\Admin\Desktop\WaitSync.vstx

Filesize
174KB

MD5
7ea9bd82796ee508f3a61e8f0274d089

SHA1
b26c44961ec4b095b6275ad193f250c449d1f444

SHA256
1758122a643918644c99ff37fccf2700d3b6b61d7dacabec615f8eb062429e47

SHA512
25bf7cf284de001a5501b608e73a214b81e840a1feee52d5760d26281b99c149ddad10465e607b723821b61cc17117d53cf95ce14aa2150ccb1916ea721fd479

Download Submit
C:\Users\Admin\Downloads\client zip.zip

Filesize
27KB

MD5
abe8e1cb0c0c2849abce1a513b4ff1c7

SHA1
05f3b85bbc3063b8b8f07d7dce3457dc33183860

SHA256
ca100fb06ac1606517517acd795c200365c3250c8220d936b8e0a693f2895dc4

SHA512
3604fc11a29ab78490c7492c8108bb8680ac6ccaf5d4c813f11a13ded8d7d423661fdd7886ee26b9336b1da4002be1c2954bd88d0f86281daac87c7325d720bd

Download Submit
C:\Users\Admin\Downloads\client zip\Client-built.exe

Filesize
78KB

MD5
1a8da52ab8b03b97b5405d2f4e058040

SHA1
995c2c343c7b239ecf697d12f3711f16f72bf1bb

SHA256
327417bf4a34ffaaf057f672284064d7817fe2b30cb505578d19c6bfefee3e90

SHA512
9e9aba194973dfd864eb93213f6dcb19869258cd9873fad63e01ee791d68574029bec006b18cba6183a084f10179b6a1000f4b4d1e13cf2c3752a41f593b3ab6

Download Submit
memory/3332-302-0x0000015FE0C80000-0x0000015FE0C98000-memory.dmp

Filesize
96KB

Download
memory/3332-303-0x0000015FFB2A0000-0x0000015FFB462000-memory.dmp

Filesize
1.8MB

Download
memory/3332-304-0x0000015FFBAE0000-0x0000015FFC008000-memory.dmp

Filesize
5.2MB

Download