discordrat | hxxps://www[.]mediafire[.]com/file/mizdk5pdyjew6u3/free[.]zip/file

Resubmissions

29/09/2024, 13:56

240929-q8xfgaxaqj 10

29/09/2024, 13:55

29/09/2024, 13:50

29/09/2024, 13:49

29/09/2024, 13:43

Analysis

max time kernel
299s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/mizdk5pdyjew6u3/free.zip/file

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4NTMzMjE4NzIyNjU3MDg5NQ.G8JbnQ.e3hcNRGJvvOi8ZO6GYOCKIQI-BykD71Mo5llnc
server_id
1281541058815066162

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 7 IoCs

pid	Process
4068	free ad blocker.exe
1676	free ad blocker.exe
3888	free ad blocker.exe
5716	free ad blocker.exe
5584	free ad blocker.exe
5920	free ad blocker.exe
5192	free ad blocker.exe

Loads dropped DLL 14 IoCs

pid	Process
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5940	taskmgr.exe
5940	taskmgr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
482	discord.com
458	discord.com
462	discord.com
467	discord.com
474	discord.com
475	discord.com
470	discord.com
457	discord.com
466	discord.com
488	discord.com
490	discord.com
491	discord.com
485	discord.com
486	discord.com
465	discord.com
471	discord.com
478	discord.com
480	discord.com
484	discord.com

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\free.zip:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1452	SCHTASKS.exe
4404	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	firefox.exe
Token: SeDebugPrivilege	2636	firefox.exe
Token: SeDebugPrivilege	2636	firefox.exe
Token: SeRestorePrivilege	3200	7zG.exe
Token: 35	3200	7zG.exe
Token: SeSecurityPrivilege	3200	7zG.exe
Token: SeSecurityPrivilege	3200	7zG.exe
Token: SeDebugPrivilege	4068	free ad blocker.exe
Token: SeDebugPrivilege	1676	free ad blocker.exe
Token: SeDebugPrivilege	3888	free ad blocker.exe
Token: SeDebugPrivilege	5716	free ad blocker.exe
Token: SeDebugPrivilege	5584	free ad blocker.exe
Token: SeDebugPrivilege	5920	free ad blocker.exe
Token: SeDebugPrivilege	5192	free ad blocker.exe
Token: SeDebugPrivilege	5320	taskmgr.exe
Token: SeSystemProfilePrivilege	5320	taskmgr.exe
Token: SeCreateGlobalPrivilege	5320	taskmgr.exe
Token: 33	5320	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5320	taskmgr.exe
Token: SeDebugPrivilege	3052	taskmgr.exe
Token: SeSystemProfilePrivilege	3052	taskmgr.exe
Token: SeCreateGlobalPrivilege	3052	taskmgr.exe
Token: 33	3052	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3052	taskmgr.exe
Token: SeDebugPrivilege	5940	taskmgr.exe
Token: SeSystemProfilePrivilege	5940	taskmgr.exe
Token: SeCreateGlobalPrivilege	5940	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
3200	7zG.exe
5320	notepad.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe
5320	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe
2636	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 3200 wrote to memory of 2636	3200	firefox.exe	83
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 4216	2636	firefox.exe	84
PID 2636 wrote to memory of 3628	2636	firefox.exe	85
PID 2636 wrote to memory of 3628	2636	firefox.exe	85
PID 2636 wrote to memory of 3628	2636	firefox.exe	85
PID 2636 wrote to memory of 3628	2636	firefox.exe	85
PID 2636 wrote to memory of 3628	2636	firefox.exe	85
PID 2636 wrote to memory of 3628	2636	firefox.exe	85
PID 2636 wrote to memory of 3628	2636	firefox.exe	85
PID 2636 wrote to memory of 3628	2636	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.mediafire.com/file/mizdk5pdyjew6u3/free.zip/file"
1⤵
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.mediafire.com/file/mizdk5pdyjew6u3/free.zip/file
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb66243c-01dc-464f-b8ee-58c5ff45013c} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" gpu
    3⤵
    PID:4216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b66a8668-9152-4013-9d90-a2d2a553afb6} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" socket
    3⤵
    - Checks processor information in registry
    PID:3628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 3168 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb7ef423-0ccc-4149-b142-248b91af3c55} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:3208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 2592 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5291bd72-91f2-4fed-85a1-94ef5976ce33} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98af46ec-000a-40bb-bbd3-5ff4e81811a4} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" utility
    3⤵
    - Checks processor information in registry
    PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49c2a6a6-ad4a-4872-9210-2e029f7b2307} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 4 -isForBrowser -prefsHandle 5740 -prefMapHandle 5748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da750566-32ac-4d31-b440-282da8eac44b} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6048 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5804 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {865cbd01-58f8-4c08-8650-fad161f6e052} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:4284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -parentBuildID 20240401114208 -prefsHandle 6108 -prefMapHandle 6112 -prefsLen 29278 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a3506ef-f3b0-47ad-b2a5-cc69e318fbb4} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" rdd
    3⤵
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 6 -isForBrowser -prefsHandle 6612 -prefMapHandle 6532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d092cb0-af83-4117-aa52-08e21e5849a6} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:4924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6736 -childID 7 -isForBrowser -prefsHandle 6744 -prefMapHandle 6748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9e36c86-6237-44e7-ae41-5d56fab5bb0e} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:3164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6952 -childID 8 -isForBrowser -prefsHandle 7028 -prefMapHandle 7024 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5a354e-e427-44e8-a778-c5ccdeabf252} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:3228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6772 -childID 9 -isForBrowser -prefsHandle 7172 -prefMapHandle 7116 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6c7fbb7-4602-47c1-9409-8530d7f181a6} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:1224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7408 -childID 10 -isForBrowser -prefsHandle 7492 -prefMapHandle 7488 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5745386-2e18-4359-b550-67823b4d251f} 2636 "\\.\pipe\gecko-crash-server-pipe.2636" tab
    3⤵
    PID:8

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5712

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap27236:66:7zEvent15592
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3200

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5320

C:\Users\Admin\Desktop\free ad blocker.exe
"C:\Users\Admin\Desktop\free ad blocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77free ad blocker.exe" /tr "'C:\Users\Admin\Desktop\free ad blocker.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1452

C:\Users\Admin\Desktop\free ad blocker.exe
"C:\Users\Admin\Desktop\free ad blocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Users\Admin\Desktop\free ad blocker.exe
"C:\Users\Admin\Desktop\free ad blocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Users\Admin\Desktop\free ad blocker.exe
"C:\Users\Admin\Desktop\free ad blocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5716

C:\Users\Admin\Desktop\free ad blocker.exe
"C:\Users\Admin\Desktop\free ad blocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Users\Admin\Desktop\free ad blocker.exe
"C:\Users\Admin\Desktop\free ad blocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5920
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77free ad blocker.exe" /tr "'C:\Users\Admin\Desktop\free ad blocker.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4404

C:\Users\Admin\Desktop\free ad blocker.exe
"C:\Users\Admin\Desktop\free ad blocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5320

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
3601c62f1aa2cc28813a6bc7d7ea07e6

SHA1
8fef206cc9b5c78d57662e23c84aaf1057249535

SHA256
f3cee373c8fbbfd086af68d3a875409f65ab28af958059d8cc7972ba19648852

SHA512
f6718a08e8761facee8893857baaee66f3a7ab335a438981262b02801cf5e1bca541a2df104b03677a380a9ae9bc210a158b77c97a077edc8645ebbb478edb13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
6KB

MD5
955fbfde8413274c2b9af7b2b4eb912c

SHA1
9a70fd50905ecc747b41f7a5db4f3779b9a63bdc

SHA256
310847471446577b76ec5af05b36112b2c2bed4ff773d470f5d6a0b95e1ce3fb

SHA512
af4f22f737a978943580dfa41df2756a305b2c5d23b3efd1ffb2e3428172894e669c64a1f721b5a2b5f42943435364bfcd9bb26327f71125701caaacbd498ffa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
8KB

MD5
f78743cc9cdddd6229758b27a4f1b631

SHA1
85dcaad0347727cec5ab7aaef9d78dc7b0b1c1b6

SHA256
7112d869a59a98562be096026cba15481ebd6e752ef27cc164b0fb776ac5df0f

SHA512
9c38625936067c4bbd0a38597249ab61ba6c8164a64eb262689d2e0fea359a5e553cb1448734f8529a64139cd039541bc566715bcd6fffd3d3c011dc1807dea0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e81e4e1a23d4db6d0acf9c0a28e95727

SHA1
352a50b5432fd69a5d601517f4ce10f3b9c39a2c

SHA256
5f4281ce4dfcd9e111b35e485a80d7c99b07eb45eac34a50816792801e7896ed

SHA512
096df6335c7e3672ed601a0d3e1703fba5cafb529390040a7219126968741d56c432ff0a7a2fa75a5c53e8f2427ad5359e6f741bc2304e4e967eab7729dcc3e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
718d2300096e18fe37ecde465db6d6e3

SHA1
a13c2b74a25ce9135f1d6d20167398126cc71349

SHA256
ce7861f345bb732aea45bb9b200451a8d6d72ad59caaabb1543b7ccc109e2ae6

SHA512
ba7d4a43b6661ac4db6203902b37a64cd31e2ac413e5549acb627df9ce28b91d05a7a9502c7e3dd32ec6229c55129ca62f872378416ede4223e322285ff12ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f0f09cb8b60cad06a8537ed329b19c19

SHA1
fc4363d0a553f0eb98c9af4f0a169e7c358e618a

SHA256
9ee2fb97944d57ffef5c9d3cf8ffb5300039d39f4746562efd81ee1a663c922a

SHA512
384ddaacc642d460eeac8b2a8f77dd108c9149bef93c33fecef37a78e81b76f34bbde78c058cda669256d6fd408d025012251b27c3d2b27fc6acbcea41b53d0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\4fdb6983-d68f-44ad-aafb-bf6f0b11168b

Filesize
28KB

MD5
038e228687acc93a69f7eace1017e41d

SHA1
c12790bc561d04bea65d9a8b3b1998a50713752e

SHA256
1e6a186d23019cc6e19951e46fe0e8cabda25370ceb7ba359a5457594dcd633d

SHA512
a1092997cb7896b964fc9540cfbfe731a87e91353e32ca9bcf14ef802c442dc9f2d08ae04a8656abb32414c3796e763143ccfed6d3a1df2c3095ec38d577f328

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\b6c71088-198b-4f55-89a5-f8a53548fead

Filesize
982B

MD5
42b1404901e82b8065dc26382f91c032

SHA1
749a6c679109aea2e6dde8fb4bf8027d9048f720

SHA256
e41e607dbab6be557919fbad34bff56beceabfb6936ac7bdacaf255ec0a2a1a1

SHA512
36079730641c346501a4d6e3e2c967315a926472c00eeef5684352c3311a34103fe51d18bc08685df4bb566df4f222187eb13f2f5d60af77266eec3815ce360d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\c98407b5-eb30-4530-ae99-5fb69126fdd3

Filesize
671B

MD5
7f9826b2b5a2d6d2aa42ab3e3021e974

SHA1
1f31abd818c9292d365d60a316a127c52c9e62af

SHA256
d158cf23c07992bff8aa59c2cabceedb0fdcf460358e937e2ae4f180e48ef468

SHA512
056bc3e4f653d6e0578e1d91e4d2494684aa07273019e58ecd614204433af6525fcc2e2bc87dd4f0d8a77eaba2c3245edc94db172bdd7ac54f65e17ef3497cae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\d05b038d-9a13-4de2-bce7-61d760eeb260

Filesize
848B

MD5
dc549f6815cacfedac51b1239e2513bd

SHA1
5207cde0e0c016f465e233f93a3ffd3aa56f99b8

SHA256
91b3435e780d3c080b08e2a91fb8165d59e34d8dffc747c3bf7b990c6fc6db37

SHA512
f5b1dbea50f6d329a6554e63e2252848c2d6f0add05e2339fc61dcdffb1ba1f42bea1fdc79515d4db1caa1d256234756335c7c0e6bf462f368d3f8e3857a7efb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
11KB

MD5
bc95fc2cff387bd04b1f6eda78976d18

SHA1
1c1444f3e47ec0bf017d2f6ab26f8bd1e40a1b23

SHA256
9003b559c9896ffba811ec7dd6a200b7d0dc9737c5a044ebee1db73c37b0ea4a

SHA512
f68bddc05e1df0ed205dd08f6202b52044140194ac13b08fcb8da3bc213ebb0c58a2ba2ba29a4d9d796dc3159be81ddb6d6c3e5a7984cf445a068e9879b8d5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
c9d8335d3d7a051d22f992192ffadfbd

SHA1
f20c4225ced3692ef5cf21c4e2b3890ce85f656c

SHA256
c9a1883251106158e3ad1cfbb09941f86c45b0bb0aac2f4e17b6ebc496de55b9

SHA512
0a8cae921e3a9222f7f97c2c9b17d267c8ee2996ec4f9a59bb6b9d28993515322d4c99c2b62f218d363510440a68a3cbea6215965e305b09187f8ce4d16d2c93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
5ea0cf6075d06a272ab2dbea92207daf

SHA1
d2ee095451c40892cc59ea9d38d61b1ad1e9bb1d

SHA256
722da63b9bab366d26a4ccd25fbdbfe043dc1331eebd1da1da838ffb14de5f8f

SHA512
365d806173e2f3ed68055a409906d64c75a71777ff210654673c948c14875017a061818e4de325e7fb17ef5613eb10789d580fa71ad1cb2002011f8b1ab6e2dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
5bef36aee869e915d57334ded9610ad0

SHA1
1636c31672ef76ca2e2d9f86f7bd121613d86d9c

SHA256
18295cf05b35de3e48ca83356cb26f0ca38140b35cbeed0ceab6ddac8e189eac

SHA512
56500ad410dac891d61cc889f9b59ce7bb3db19d34d26fb87c26239b6d6ca3bb2046761870038009554930a1ad5af41de5a2698ed892dbb97f8ae59f8ff6121b

Download Submit
C:\Users\Admin\Desktop\ApproveProtect.zip

Filesize
711KB

MD5
5e665ddd163493a2f0196c7eaf0a4523

SHA1
55f74c19f47fee8336c5ee88c263eb30591f66e5

SHA256
45401f8f93e17285cfd84b1829098a507763eb0fb970504de066077813324d54

SHA512
5c1a6fecf52a2539cb43d4fef7574c3872c9f87789da4eddf680f06b0bc059b8050e79a0cd813cf11f17b5f6bc0ac1c32758c22f4e8cc90fad5bff6050da0b66

Download Submit
C:\Users\Admin\Desktop\ClearUnpublish.docm

Filesize
624KB

MD5
fb29aaf95b8f897a120c9ccc0cb8c386

SHA1
dff5b3f063449913011b26f0b9008e5497609d22

SHA256
bb209e3e003c6595ab759ab93f6bd2eb308142ff92a6800d8aa804fb76b9629d

SHA512
5a91da87a698f0c255528621172b52213e74f2924d250cf2285e1cd89f94b23f63dbcbabef0d379afa9ee6fefe136679fae83aa7ba4b0564481558ce6dac47f2

Download Submit
C:\Users\Admin\Desktop\CloseInstall.odt

Filesize
391KB

MD5
50466599d80766d670ac9fbef89c82a5

SHA1
456a4724447de11e276a4016713f53f2bc6a8c0e

SHA256
490f92939ec07a7210c89931ce8f4b5b2b10996d68632666e6a80d07a7493c06

SHA512
67c295aa64c877446e12b07bf735c38002b1d302f8137ac6850f40ba3395949648e992d027111eda9ec5e0f1b56314cfb17572702224cb82db4c4c41bb956e34

Download Submit
C:\Users\Admin\Desktop\CloseRedo.vbs

Filesize
362KB

MD5
42631f1c9f5edadb4670bd3c271dd04d

SHA1
a0e9019cea7fee9128f705a49285131538fe5030

SHA256
877be35a2585c6fa08b9c07ee4d80f40a2530515c716142f04c27a594880cc24

SHA512
b6ee353a0de0f6d363bbcfd3d30de3144b31d93615e37101b53da85faa7c57db7b5be6634aa8cce95462c155b2dd8328e3e1ed57d216423b3073725bafb90693

Download Submit
C:\Users\Admin\Desktop\ConvertToGet.clr

Filesize
885KB

MD5
d538e9cd46dc951033bd55923d41e777

SHA1
0959efdd7f45152e49f5dc5f24ea0697534470f8

SHA256
b343b3704baccd82b10af7138f2a86176f0423289eef6c48c8675209aa97160a

SHA512
ed6e7ffe2debfff8d9bd0838f03b15fb8d9ad16015f635461a10f6239a34433d9bc16a4b155c11837e097c8bdd7eeb9c56f09eda22d529224396afea51bf2a56

Download Submit
C:\Users\Admin\Desktop\DebugEdit.txt

Filesize
856KB

MD5
25f66b443922638cc13b4d6cf1899e25

SHA1
59518cbdd63e80daa1b733551ed3ef1191b77e38

SHA256
96d4e46b9e47ee319a15b05d5e1ae4d2e2cf94cf811eab77252b6ed254e798bd

SHA512
f5ecc6668bb2c8f871c53c27e2ed793c9ecab93f89ddbd31886f5164ea5eceafe5fe784fc9834cb9e9bc4b47e9875f2657c00df7dc73938f41e9318a62c6cc61

Download Submit
C:\Users\Admin\Desktop\DebugImport.7z

Filesize
798KB

MD5
0b9c79684e9df2006bf8cd8869ee8125

SHA1
bddc43d6ef5b913c5f3bf1f5cd2ed570f3a6f4bc

SHA256
4e353a816a3cbac75bd608d9d76273c32cf2e904c6aab19e70ebfa71c6447058

SHA512
5239d816fc049ca4112d6630b1a7e46744b8b0cc105b77b1d84c4b9463c85d21053ef8c8a11ee67aa7d80b5fa2dce87b02348c32df791762ce09c849fb832320

Download Submit
C:\Users\Admin\Desktop\DebugWrite.docx

Filesize
13KB

MD5
33c592032b7201ff6f61a29f10b75038

SHA1
a143fb4d7703938d58213508fbdd81c48d25fc9f

SHA256
5631e10b4362b26aed2f4bd6e0aafad27bd59942dc9c5831516fefcbd232f350

SHA512
59ed542b830e5f7259979ed5cde732c69ddedd464c27ad1a2ea5b65c756bd5fea0ef6781ef0d3651538df1b5e4e14ea0ac96d3d90181d8840741a9872c765eba

Download Submit
C:\Users\Admin\Desktop\DismountExport.3gpp

Filesize
682KB

MD5
a3625fbe03eca56db562010c88ae5d6a

SHA1
18419b5b510f4602638d21156c4895c7f3ae6686

SHA256
f85f6986bd41a8fb16b8f1913cfc63f77f8d1374331700446c9834f985b27694

SHA512
05cf6f56326c6174738a994f8147baf1200c80f40291069d6fe20454c37658c3f265dbba7f09a7258857584acfec6ac0a62d86a83b0c4a5033d821c3ea18ecd9

Download Submit
C:\Users\Admin\Desktop\ExpandUpdate.xltx

Filesize
421KB

MD5
8c0d0c6dde8f0e5952637bdfdcc252aa

SHA1
bc9baeecb1ed56be35080cfa67a698dd79f91349

SHA256
0c14bd0742645629487accce9d02cfb478a9add24c7b13c43399119cd6aaf5b8

SHA512
f215307b601ed5d1b9afecd6f145656f43c5ca34e9dc3047b3dca9cec116feedc0318a30461d685fb0d539159852be481048ed0d1e9810e641e78eba6554976c

Download Submit
C:\Users\Admin\Desktop\FindRedo.midi

Filesize
827KB

MD5
5add96cf44566fadb74c9fe3fa5cc78d

SHA1
89e352dac01f92d3ac6cb98c36928c773b276d3d

SHA256
756c96ffbf0de874f485ce5fb65d4589ad38e2b49bb3734032b706006ab9fe99

SHA512
92a56ba8ef4cb17c8c8bd391ea37d35d15bffcaeac243a55cf3e100780b3c4630182d5479c633d1a489491327df489f72ee3696fe895a9259cb4d6518550e6e5

Download Submit
C:\Users\Admin\Desktop\GrantConfirm.docm

Filesize
479KB

MD5
3867757c6ce316f5ce32af6dfee3a0eb

SHA1
dd3400d7d2936aa3a9433d55fee06d4d1e45b254

SHA256
757def47cb12bc27c93d945f63906c555327a89efeb577d993af5cd47d1b1eb0

SHA512
ffe0e1629d283ba005b3603e7290070269c73989f9ff12e45fcc08ac2e62fc08489ae9d068899318cf4453a4353c325a82c4f5e6e6a3ba66bf249faecd8c021f

Download Submit
C:\Users\Admin\Desktop\HideUnlock.mpe

Filesize
508KB

MD5
6e665d4a9ef64831fde385623f2b1be8

SHA1
a72b171bd8115eac5a252c7edf09ac88691316fd

SHA256
e90910f699b6e59c6da2672b7c9736759c72e4afba951666fc9fb06359c6c843

SHA512
f3f1d2feef11f952a5ef9fc80e0085961aa393b39d14911eb74550963c046a93429d5322c7482c83c15dd678af2de06c9d9f55e2d4e44418f499d565095ba69a

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
7deb1c5ca7b35696ce4dff97b5bbf1c6

SHA1
6ed83ea50a26071d4d1e52608935d5d04892e8c1

SHA256
7151dc306e0ded55c326d2ca1e86f7097ec665a49ab61fcb8d16fc66db8fcc3d

SHA512
cf385c2c59ecba2e9d7c6484ad941728c91e1a3963612f8374e41d9bb17622945c49e4981b683227dafd388f5d69daaf892e3b7ef4157c0ec7a4b818b91880ae

Download Submit
C:\Users\Admin\Desktop\NewAdd.asf

Filesize
653KB

MD5
f592f69b91cef7dcc942651b14bcba58

SHA1
c5471ff1977e276e617646d7631a37bdbf861eaa

SHA256
d3e2809191448474d0fd8df270c8030459c79db5939f185d5e0f948e83657a79

SHA512
b0c0ed6f179684eab591176bfe237bd53b65be31e445de2ee74cbd9a1a5244b2dcf9a93115ea3e596b013e99cec0a9858ba8554de4dc66555128b622ec5ddc3c

Download Submit
C:\Users\Admin\Desktop\OutRepair.docx

Filesize
13KB

MD5
3d2b8b846a3854df8f64e432c65ab9fc

SHA1
141e331dc56edb94f1709c448e4ffb40d6b4bc9a

SHA256
f81241c45f5764dc280a0c5bcbbd8f01d4a4d5962e681a13f1025ce6cf37805e

SHA512
da4bed91a3cc61a83cbc588d5290ac2b4f5ab6911e35192cce320a0ef424137e3fbbd3138d7e93cd575b79b09838ce8adac767c3cefb884ba29ea96d9e8627bb

Download Submit
C:\Users\Admin\Desktop\ReadProtect.cr2

Filesize
914KB

MD5
641dad3aacacbd891e5f39748717e243

SHA1
cc00ddb94cb2f9879245423444de015066446b03

SHA256
36617a12ae900aa060f4f5b7f1710946d15459be644ed99a79e9d3c571da3d9c

SHA512
37d49c63cd0537ef8e59b23d26b1c889cdd36fcd5b2bbced186420ef9efeea19cd1c8633293ad99799dac37f20dafc04ac6245903957278e6342d53f8cb8ce15

Download Submit
C:\Users\Admin\Desktop\RemovePush.mhtml

Filesize
537KB

MD5
25014ebdbacb9b1aa36ff91475c7a68a

SHA1
e056f44cf6c4a89c9c94cd7ff623f640b0d8ba6a

SHA256
82b4be0363c8f0e6b89835a86c781ce476e404d109da78b0238ee235d0ff37c2

SHA512
b3e28ad542b7aeba21a6f3bf872300fe6ec7dabd4f03c59a7816b5ab71630132dc6472d7d29bd61aa3087a3141c7bb24a548ce1cadb971fe81ecadaf7465ac64

Download Submit
C:\Users\Admin\Desktop\RequestUnregister.AAC

Filesize
595KB

MD5
a8c4f1ea2769180fe717e346df970293

SHA1
487b51a3e738080ffc1c47c86aa95dd76e4e9792

SHA256
c32d8a7954844f465fd2d6970a919fccab24925510479880c376b5ae70e144aa

SHA512
6a508addf6c24538339701273481940448cb3dd91697d20fcfe20e24c3ada53fdfcc0732d9e611843cee19c5d7933affa6a2e773489cc56e32863e42588cb71d

Download Submit
C:\Users\Admin\Desktop\RevokeShow.midi

Filesize
450KB

MD5
a078495383d2f3a441a613824c7d4984

SHA1
74fab1f084fe639b48eb2c63413fabae7dff4669

SHA256
14af689f9853780ca76c5071182670888f4ceead94d956c7ed247f6495318412

SHA512
353b9ef69e6772f12a1c7a7ae4a46282d67267e55cd9e09e135597a761c0a18115da47fcbe85839def79d4f75c0b67fade2a0ffa39eb49e397c5cc12795f2d10

Download Submit
C:\Users\Admin\Desktop\SaveRevoke.vsdx

Filesize
566KB

MD5
9715b25b141b87a9afdbd80e5e80f256

SHA1
b8df1da7975a339cf352f8a8b82830d76c1144f0

SHA256
0c5ef0ab12004d15a708e1a148f26d880dccf7e5d99eed7622d829f0ccc491aa

SHA512
ab3d4d568bbf3fc41048fdf3f88d22dbfb83d7f272d2fe5bfca469f249fa6b493df63f179dd5a055e6b41eed49cac7b71615350b27297250f0e96de0713b3e76

Download Submit
C:\Users\Admin\Desktop\SaveStart.ini

Filesize
943KB

MD5
b3be3c7222d3799786ca3292ed6d82f7

SHA1
5518d08ef8182ad21a22524efaaaf6666427e1df

SHA256
d3d930e1b4e487e04d7896be5eaac836386fa26dd345631d909230e3e38cd50c

SHA512
cd16d00a4fbe8e7480245254d60d6502bb47e4a709b5bed0bb76df0cc50c3c028f1d93735d6a646135133b18f783a08478016ef697384b21e69d1f07e71cfda8

Download Submit
C:\Users\Admin\Desktop\SearchCompare.mp4

Filesize
333KB

MD5
d8a13adf8d7817199d8e3bf2c36c9017

SHA1
02303e9d0aa725ca46ba633c6a71ade704783eb8

SHA256
58934dfa7d5b386b1381359dcf86ebfb4c35d327c702e850ddede61c55cd664e

SHA512
454267d08805671d9c8a840ff03d23670d8873e0077ad390f943a94a3c4d86a13cc8559298e043edd132fbd1eb166607b6a41de3a5119987bd35a3f35a78b52f

Download Submit
C:\Users\Admin\Desktop\SetConnect.dotx

Filesize
740KB

MD5
c883a8fa556a85154040f8827fe487a5

SHA1
20aa33a39d1d43dc61e63a58796e643835959279

SHA256
31182592964f061d9a1efb1b6a49ddce12f0556a365213518e3ecd13db20779b

SHA512
9a1cc67ba12af942774672f93eedd0970885ff70de94de744759ca5e456415b75e343472ab4303dfab679704cdbca2584462fe881b34ef7bfc258f17462410d5

Download Submit
C:\Users\Admin\Desktop\StartMerge.mpeg3

Filesize
769KB

MD5
d377b02f2f4ffaab3c5cfd1f5c63a6e2

SHA1
cbb4baa4e95abda41d7d24a425db120f9dcdc337

SHA256
7d1ecdcc69fc909b88b2990acc9cf856e4b5a353e8a9870d39398a97bbcc3e98

SHA512
a0f02ee440e486cbdb8b230447d120a6005558d04c738ec261ff234a0d2bff455764b783c469ea565f8dd2fc8c43cd1d2dacd2fd64cb97f4e296b18a02f9edc9

Download Submit
C:\Users\Admin\Desktop\StartPublish.xps

Filesize
1.3MB

MD5
29db5d452ff2f12d7bd0171d30bdabd7

SHA1
f9208eea5d379097111ccaed6ec554fac30862f4

SHA256
a6e41c6e7ba07cab2efa00e76e125837cdab348f7aaa63ebf08a613b57b5d50d

SHA512
ead1838ddbc537777c265c2fb3d2fea0b5449d9ae4a065b3584981dc31529d6e8c0e0e52b85ca2b7b970e7f416c8cdd60373e39866a39bf18c003623ae7f94a8

Download Submit
C:\Users\Admin\Desktop\free ad blocker.exe

Filesize
78KB

MD5
e97e6c4b84ebe3f39a84b274f2923420

SHA1
2b66fcdaf064cb73197341f6d4a9c17ad54b01c4

SHA256
da4aa77f84aec83c245fec4e29a3494c2e9210597b32c5b55f0f9ac288dbb1fe

SHA512
540439d42142f4d51f130efba5e505d80e524610a94e8bde8602e2acc9586c007671e750ae219b0cb8e21ba4360e5754b6e31465aea66ce0ce544c4c0b30d060

Download Submit
C:\Users\Admin\Downloads\GEKbdexI.zip.part

Filesize
28KB

MD5
b01d2c1febbe930daba2e48d14f1fdf6

SHA1
b88afcd2fd223693abe39381226ff16dcc227024

SHA256
d447ad3e8fba942d645b116ef4cce892bc7dc230b15a1d1d313298f97fe947cc

SHA512
077deb748632cb3d1b82364d1b326439f54938a665c086156eb1fbd8f87fa97cadde9fdbf80c8b6682d679fd982feac807b2bec3e9e32828b81203d04e4e6729

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
d430547f4c6d64c4f36053f42de1b4d0

SHA1
9e92d41693a134f3ac4fb06f7aba663c8c856115

SHA256
10b0351332b326d17b516202e0a5bdf2f793377db77c373547b1eb564942cee4

SHA512
ac3db5254d551c1864c1ae411c8d6f87435277e18c1f5642c6b36da013a30087e56f28b66a7b6128de98e5ea0f87a57f5fd9061c545a8beb85658db85819b6da

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
b5b1db65ee4b5444f47f3ba856ba3a2c

SHA1
e26f2a2d3ce5c951d6540977e25eec2fc644b808

SHA256
7cf618a1e89f30170449a33a2ad7c8063970c71548beda7c31a808582cb8bce0

SHA512
27cee9c30552a6db9ce35d37e7207af7fdf1ef4db62bf2de712974976d3af8d8d0c1c2cd4624cb238daa4e26eb07147eb653a618630b9fa1daecba95d18c9607

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
506b5c060574b432deecfd9b8ce43ef5

SHA1
364f5adb90065d1df1c84c088e3248f8bd166dd9

SHA256
e41ff00c3bb1a2cfe3d73e11e9ef290fc69fb243bd0f6f34c4d337d98784a16f

SHA512
eede8f95a5ceb64ff58b5ebe314d8e80a8b291cb2e2ad51b080abf39a0163a9f19518d071095da50e0ad2e5c6df85b6d491a3d574132deb646ae40a07020699a

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
d90d015c1ee2f3ce05a221185a209f92

SHA1
13bf0ab97b52e901b3573dcea67f0be856f5f49d

SHA256
66261ef5bff2722cdafecdb7b705c22ace1bd18bd9c515bea4f9e177ccfe431b

SHA512
e854bbd237b8ba92150db6c4ab8cfdb0e48a42264d73a73c1f1dbd3cd7f988d3c493d2cde94f9b52cbfaad0b8d2acbee6baae457776c68831095ea3923e1ccb1

Download Submit
memory/3052-820-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/3052-821-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/3052-822-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/3052-817-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/3052-810-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/3052-811-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/3052-812-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/3052-818-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/3052-819-0x000001F506790000-0x000001F506791000-memory.dmp

Filesize
4KB

Download
memory/4068-744-0x0000022251720000-0x00000222518E2000-memory.dmp

Filesize
1.8MB

Download
memory/4068-745-0x0000022252BA0000-0x00000222530C8000-memory.dmp

Filesize
5.2MB

Download
memory/4068-743-0x0000022237140000-0x0000022237158000-memory.dmp

Filesize
96KB

Download
memory/5320-790-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-791-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-792-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-793-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-794-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-795-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-796-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-786-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-785-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download
memory/5320-784-0x000001F45D610000-0x000001F45D611000-memory.dmp

Filesize
4KB

Download