a4ec2410d85704d6320fbd41dd7d7ea7f10b04f67c3795947b47f13a0e23bb0e

Analysis

max time kernel
2699s
max time network
2677s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

leaves - Copy.png
Size

294KB
MD5

c92228f40102a1f59d5a6bdfe2bcae4d
SHA1

0d14412e366ad188fc46639d746cfffa0e262cfc
SHA256

a4ec2410d85704d6320fbd41dd7d7ea7f10b04f67c3795947b47f13a0e23bb0e
SHA512

0b65d362a03d73a414b83fbe32de49eb9cc13c36e224dea3ffc6e2b8604da3c1a6d57e3588d1def364893745769a0e1513f0d719e5aec41e4c4a0c523f29a8cb
SSDEEP

6144:IqiiBlWMrs+La6EX1XPEf2m4SODx7eBhkCz+GhD0iIOlLkOYMrJcH:IqiiBlYzm4Ssx7Sz+GhVJJcH

Score

7^/10

discovery link pdf

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BeadTool4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BeadTool4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BeadTool4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BeadTool4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BeadTool4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BeadTool4.exe

Executes dropped EXE 8 IoCs

Processes:

BeadTool4925.exeBeadTool4925.tmpBeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exe

pid	process
1708	BeadTool4925.exe
3520	BeadTool4925.tmp
2860	BeadTool4.exe
2304	BeadTool4.exe
2356	BeadTool4.exe
2332	BeadTool4.exe
4776	BeadTool4.exe
4104	BeadTool4.exe

Loads dropped DLL 64 IoCs

Processes:

BeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exe

pid	process
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2304	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2356	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe
2332	BeadTool4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 39 IoCs

Processes:

BeadTool4925.tmpBeadTool4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\SSLSocket.dll	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\zlib1.dll	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-OM8QD.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-HVVV8.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\Language\is-GBIDS.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-ATTUU.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\unins000.msg	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4.exe	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\is-Q4CNI.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-9HENG.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-D1LNU.tmp	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\REALSQLDatabase.dll	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\is-TV95A.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\Language\is-NTU9M.tmp	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\unins000.dat	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool.db	BeadTool4.exe
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\Appearance Pak.dll	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-1SN4V.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\Language\is-8SKQM.tmp	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\libhpdf.dll	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\is-GAHGA.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\is-N9CHQ.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\Language\is-UKN10.tmp	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\RegEx.dll	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\unins000.dat	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-LR6H1.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-H0S0M.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\is-EMFCK.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\is-UFFEM.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\is-C966H.tmp	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\MD5.dll	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\XML.dll	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\Internet Encodings.dll	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\Shell.dll	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-83BND.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-R2AMJ.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\is-Q1EPO.tmp	BeadTool4925.tmp
File created	C:\Program Files (x86)\BeadTool4\is-GIDM5.tmp	BeadTool4925.tmp
File opened for modification	C:\Program Files (x86)\BeadTool4\BeadTool4.url	BeadTool4925.tmp

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Program Files (x86)\BeadTool4\BeadTool4.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585794027888959"	chrome.exe

Modifies registry class 64 IoCs

Processes:

BeadTool4.exeBeadTool4925.tmp

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	BeadTool4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.btc	BeadTool4925.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	BeadTool4.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	BeadTool4.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	BeadTool4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Palette\shell\open\command\ = "\"C:\\Program Files (x86)\\BeadTool4\\BeadTool4.exe\" \"%1\""	BeadTool4925.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Layout\DefaultIcon	BeadTool4925.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Layout\DefaultIcon\ = "C:\\Program Files (x86)\\BeadTool4\\btl.ico"	BeadTool4925.tmp
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	BeadTool4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.btp\ = "BeadTool.Pattern"	BeadTool4925.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Pattern\DefaultIcon	BeadTool4925.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Addon\ = "BeadTool Addon"	BeadTool4925.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Layout\shell\open\command	BeadTool4925.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	BeadTool4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Palette\ = "BeadTool Palette"	BeadTool4925.tmp
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	BeadTool4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	BeadTool4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	BeadTool4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Pattern\ = "BeadTool Pattern"	BeadTool4925.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Pattern\DefaultIcon\ = "C:\\Program Files (x86)\\BeadTool4\\btp.ico"	BeadTool4925.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Pattern\shell	BeadTool4925.tmp
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	BeadTool4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	BeadTool4.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	BeadTool4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	BeadTool4.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	BeadTool4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "4"	BeadTool4.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	BeadTool4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Pattern\shell\open\command\ = "\"C:\\Program Files (x86)\\BeadTool4\\BeadTool4.exe\" \"%1\""	BeadTool4925.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Layout	BeadTool4925.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Layout\ = "BeadTool Layout"	BeadTool4925.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	BeadTool4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	BeadTool4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.btl\ = "BeadTool.Layout"	BeadTool4925.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Layout\shell\open\command\ = "\"C:\\Program Files (x86)\\BeadTool4\\BeadTool4.exe\" \"%1\""	BeadTool4925.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Addon\shell\open\command\ = "\"C:\\Program Files (x86)\\BeadTool4\\BeadTool4.exe\" \"%1\""	BeadTool4925.tmp
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	BeadTool4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	BeadTool4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Addon	BeadTool4925.tmp
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	BeadTool4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	BeadTool4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	BeadTool4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Pattern\shell\open\command	BeadTool4925.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Palette\shell	BeadTool4925.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	BeadTool4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Palette\DefaultIcon	BeadTool4925.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BeadTool.Layout\shell	BeadTool4925.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	BeadTool4.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	BeadTool4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	BeadTool4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	BeadTool4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	BeadTool4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	BeadTool4.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exeBeadTool4925.tmpchrome.exeBeadTool4.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4556	chrome.exe
4556	chrome.exe
3520	BeadTool4925.tmp
3520	BeadTool4925.tmp
3132	chrome.exe
3132	chrome.exe
2860	BeadTool4.exe
2860	BeadTool4.exe
1804	msedge.exe
1804	msedge.exe
3116	msedge.exe
3116	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
3152	identity_helper.exe
3152	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

BeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exeBeadTool4.exe

pid process

2860 BeadTool4.exe
2304 BeadTool4.exe
2356 BeadTool4.exe
2332 BeadTool4.exe
4776 BeadTool4.exe
4104 BeadTool4.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe
Token: SeShutdownPrivilege	4556	chrome.exe
Token: SeCreatePagefilePrivilege	4556	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeBeadTool4925.tmpmsedge.exe

pid	process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
3520	BeadTool4925.tmp
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
4556	chrome.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BeadTool4.exe

pid process

2860 BeadTool4.exe
2860 BeadTool4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4556 wrote to memory of 4716	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4716	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 1584	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 508	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 508	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe
PID 4556 wrote to memory of 4452	4556	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\leaves - Copy.png"
1⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd868dab58,0x7ffd868dab68,0x7ffd868dab78
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:2
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1672 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2296 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:1
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:1
2⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:1
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4556 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:1
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3124 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5000 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2848 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2872 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3508 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:2524

C:\Users\Admin\Downloads\BeadTool4925.exe
"C:\Users\Admin\Downloads\BeadTool4925.exe"
2⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\is-B7CLG.tmp\BeadTool4925.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B7CLG.tmp\BeadTool4925.tmp" /SL5="$E0066,4587600,121344,C:\Users\Admin\Downloads\BeadTool4925.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3520

C:\Program Files (x86)\BeadTool4\BeadTool4.exe
"C:\Program Files (x86)\BeadTool4\BeadTool4.exe"
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.beadtool.net/purchase.html
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd915146f8,0x7ffd91514708,0x7ffd91514718
6⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
6⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
6⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
6⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
6⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 /prefetch:8
6⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
6⤵
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
6⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
6⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13466957552222377459,6150298566606375929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
6⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:8
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=244 --field-trial-handle=2016,i,3093680075221766712,17941633694068479824,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1504

C:\Program Files (x86)\BeadTool4\BeadTool4.exe
"C:\Program Files (x86)\BeadTool4\BeadTool4.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2304

C:\Program Files (x86)\BeadTool4\BeadTool4.exe
"C:\Program Files (x86)\BeadTool4\BeadTool4.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
PID:2356

C:\Program Files (x86)\BeadTool4\BeadTool4.exe
"C:\Program Files (x86)\BeadTool4\BeadTool4.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2332

C:\Program Files (x86)\BeadTool4\BeadTool4.exe
"C:\Program Files (x86)\BeadTool4\BeadTool4.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4776

C:\Program Files (x86)\BeadTool4\BeadTool4.exe
"C:\Program Files (x86)\BeadTool4\BeadTool4.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BeadTool4\BeadTool.db
Filesize
924KB

MD5
ddf2b2810ad530ed474d5f44aeb95d8d

SHA1
56a4fca7ffc760b1696f41e4b3f0bae017479ab0

SHA256
0754668291dbb098e022dbbe0da43520fe4eca94090dd3963ccd1f614d915277

SHA512
c9bed1ac7f3ff2d501eeb607643c2166957c7e952cc4aa6da6f5fd41e84e982da9c4019246f3e93a62efad3f11e00dffda6fe9c36f823a024e53dc4cfdc527e1

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\Appearance Pak.dll
Filesize
132KB

MD5
88c48a17095476743e390971d6a88918

SHA1
4ae2d749882c71d9f423eaa5b3cb1b9e8b9390a9

SHA256
2f9634b1e28c70ee013c45cd36aeca55dc90cf47126d42c114c35f815102e826

SHA512
972688defffc3aadaa7478deaad26dafaf4300e8c55dede1717c19bf24fc2e1ac92985963945b3b535574528295cb05468389e21c61d6e4b3c67f71ec9da5ecf

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\Internet Encodings.dll
Filesize
72KB

MD5
30a8d4e5a292c9cbf899fd93fc100fb9

SHA1
f63645d25d3b8ad740804438c606bb829b0e3c85

SHA256
148d9e1b93b1860dcb1df0de7756fccbff2788f3a71708e509a6861b95208a6a

SHA512
13306f010ca3470f4d4b2baddd127b791e40fdca567a7c4ece9a5969d6d967d9a937ee129352ebd31c8e0d7bd4876906a7b3a6440402e247b49fe88772dc2f8f

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\MD5.dll
Filesize
92KB

MD5
d8c7e94b3795d8d8ce759ddabc8d92f7

SHA1
611223224115a8b4b9884afe396e08e2352237f5

SHA256
cd9f9d156e6914974f4b5e111b4798bdd19515404cdc6b5fb116e118cf8262d6

SHA512
b9c9e3038bfde9d927267d5f1ddf3a7d3f074ac5a2aa541befb226eeacdd771da427a6baf2124296a2996044206886087cc05799181eab1c891deb662ee67d5d

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\REALSQLDatabase.dll
Filesize
440KB

MD5
450a7aa843783c4d7030c3eefedbd58a

SHA1
d5ff80833c02f90c01b31fe5728dc40333dde661

SHA256
6724a79321e2316cfa20bee87c6dd697f75c47ae3f1c373da2cccd9901a725e3

SHA512
e08c54cf790b72bdd595acaada0c7385731d08437244cc46c3ffcfc05de16b80d3b3de735a4b31486df173413b065e4530e8a0e5cebb19af1de374e4cc07c6d1

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\RegEx.dll
Filesize
144KB

MD5
8a4725be0666fa6cc9c9accb7dce46f6

SHA1
3126aa4fb34aa3f839cccbbeef4d9aeb38ba1921

SHA256
399dd6e8e8b56ad9b565250ec1374bf4d582ab8751613ed03a599713e29b2371

SHA512
336c4383ff971f5420e7ded2204fd625d2289f1c92b7f85713b5ed48d8f53282a97c7dc9039cc30aa0c8c6a1cd7643ee753ed74d6edde3af4e9693376e7b43a1

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\SSLSocket.dll
Filesize
1.2MB

MD5
cfba405f4bb9d20096f939c8e0c4c99c

SHA1
3df1234583ed175213cdda37d92e97f1e6da803e

SHA256
31c8e1b875ecab4b04df169b37b98298ea0231c08b065ada078c119e51f3291c

SHA512
8ffccc54ae6cf4ef50ed7761d26d9ca7f939e3e4449a6ffa79c91024ac78c4ac46952519a87103a02d8830fa841b6ac48044d02300905ac7b23d788feb9abe91

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\Shell.dll
Filesize
96KB

MD5
3f1e04f28ee56a2427b9c564b9a65ff2

SHA1
cfe1ef35dde8077c4ee89a8a003561b8bdac894f

SHA256
06390ea9f9beabd14b5a9ccfbf5e5fe7ee5dc3d6ef71c1b792c5607347359d11

SHA512
cd5961d12fe1ad7b7c75f179eb0e9b8af32cb28fe3d7210aa60525d9573c3ca9294a4384e78dbbd781c84e22a1c861108e7a846f602b551b38ac7aa9956d6f07

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4 Libs\XML.dll
Filesize
744KB

MD5
b82eef6abcb5071f1d54d7abc33935f1

SHA1
784de8dacc2aa1aee8ef9d874d0cb216172dcc1e

SHA256
7aaeafa033bf96fe3914f864e948a115388cb644ddf3cfb33eb5947f0e7eac87

SHA512
c327b61f3a84b1bf03234e890c01026c3b6c67ab670115a5d599cde40df2c5fb56fb686769c84a2376a5ec1f54fa02d4b73ddd76f6088c6bca0dfc9f5bf2df66

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4.exe
Filesize
11.3MB

MD5
90534c4473452af1347495866cb2e754

SHA1
99120c1d3f9a9fa8e909adf8c28571dc891a2751

SHA256
43e0d6df9ec0181eec72686e0dab43a64429f1a0a258fb048aec23fe5f368a4b

SHA512
23b0a3a4a10fd43fc1101487c84066ab63df586089dd29236dcde7735d15bf7d8bc1562e7d018c7fb1988d17c5fee9bc7bdb6106fdbe8f15a963a5699885b64a

Download Submit
C:\Program Files (x86)\BeadTool4\BeadTool4.pdf
Filesize
278KB

MD5
9dc3c250f31ebc581f52535749a9f49b

SHA1
ac870ffdaeee9c07ac061c62090c7e047826b821

SHA256
178a0ed216bcc5d61a620336eaf77ac064bb995a257749d8a68d8155f6bd8493

SHA512
ecc526a35b2c23ca092864279b7076e72e356464fb455567a48ecc9514a432d0c7db0afc5b5b6da8c511996f8be8b86185f10320a926300253438984c23c1533

Download Submit
C:\Program Files (x86)\BeadTool4\zlib1.dll
Filesize
61KB

MD5
6c39173ee2d67806de165e28e6c427cd

SHA1
508a4eba4b2a1901a6c832432557a9821d05965d

SHA256
ae1920e3bc258c5f063e4e4b5c3e33c91ca1dbd065bf98759af328128009220f

SHA512
f11e6fbc30cd338e210af295ac1f433f987248ac6a448e6f7cdc36b44ea60ebae6d889660547d3ad0a20a3308a1005d08aa1fe47f1f27fd8069c0f4606951c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\654867aa-a4f2-4dad-979c-15028fffdf1e.tmp
Filesize
253KB

MD5
b419d6aacf6d3d2ba49ae1070dec6848

SHA1
53ad2be902c434b3f4ddc6119783aec79030a5d5

SHA256
7e781d4a5754aaf1714f7b8e13a2ba9b157cdaa2dbda1c9758f738d30d8ebfa4

SHA512
bcd1982939024141d0cf708bde41f5c2d360594a2a4fee81d38c7d6b7f5005e70f08f3f2dc283272683f1eca48941b94378c2f7f1f85580821adc9d0670b02c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
a1a1e20f2ae4b1818a74a2a77016a1a6

SHA1
8469727472d8f3effd38d34ffbd842ab67d326a6

SHA256
49b527bb181e0fff6085822e8df1a0fb45ab36f1c54946af5156bfd41b700e5a

SHA512
3f5fe4d7dbacfc481019514da78c6cfcaa8bf224f40efaac866402e83450631adad1dc8486b2a4e0afdff1b2031968dab91d9385f4ade839b6945967e9284147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
b037c4349f8dbab7bb755d335f745da7

SHA1
e01438dcb2ee17758b3207ce8a756c3bd51bdb3e

SHA256
9e1c6c3a988574b9664957ada7d5a6711aedabe220a9adb7ed73af6080d7adf3

SHA512
d91e5a50501d9c8248a9dc15ddfd2f1c053f9ef3e5bcbcc1f5b2aba4642bba6322cdfd597740d0dd58af7fe02653e3f82d7d4a86a2725a525725a65671f01f6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
5de6f47faf54eeac7ac3bb3e08fbd80d

SHA1
6181498e29c956f393709c99923224e1bdf9570d

SHA256
a8b77c053efa0dd19b08dfd4bd94f9c20b1d115d016aea1443cd4089788be454

SHA512
2421bbdc997aabc8a407d776a2037f3ec6d8ac888738e87f20fc63e4b5b52014592fefa9d7f7a42e8c60d835d171245179865eb0028cdf2ae84db3be461faac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a9d65c3e89fa0649b14711c78f37d238

SHA1
5a3a5bceb060ac0c63476ecfd8531e0bc49d4c47

SHA256
6ff61e9796c0a99cb34b0acd58f910797665ced19381f6ca5638660b6cbe3e9a

SHA512
01faad05758431f65c58728194ebc4cde9ed42e161b378c9ae2e1f101f9ab3b57b7986ede48701ee0a5e2e0eddaac376605e82b826aa841bee52ccf515b54610

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7968ee35c532c9fdee9dd1ffac18199d

SHA1
46dc9500a6d5ef516135b26cd8084b89fb272ed1

SHA256
c945c75d085466cf0279a8016dc66547f1eeb88ba4fd73d9ccf119bfcfd8c968

SHA512
e60176565cec85a85bb732d859394333be579e42f895b4454a88a4941eff3e93e80d6d493fd061ba32d5ef8457a8f1f9e79906fc77f447871e74aed21926002c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
44a5f020cec2ffdf6ae1fdf164c56d73

SHA1
82d064323d55aed64ce4a771faf4aea450839e97

SHA256
ac9b6655c22a71141825bb1bc6857c350541524238daf83202f2e19a9f27fa18

SHA512
242418d346bb0a71bf02b03121b0e354732233ec209591d4c3ab1373f1cfd77a94b9f8cba1eeefab2cc994393a469d6c8e4829d07b01b5aff891dd2e6b0dcd36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
42ce401aab06ab207b40c6836e65e5d1

SHA1
9ed3761c0353f38899f330a4d7e43a65d8c0f840

SHA256
ba4cd9996579139c8f6846cc87374b27a6bb4b5ec3155d048261c347c86b1f47

SHA512
62c3cbd7efa4e98da33b055b969054d244bbf031a6d4ac6915aaeb40989fa0ccbaac7fb45568db10a122b6f683e6a4b6c3c42b040e63097a49fe1e13c7ac8fef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
253KB

MD5
3c52ce25c5dd5db35475ccdb22a8f1a4

SHA1
2cec0c34151a9e967d18abf5a3997eebb4ae5d8c

SHA256
211e6dcff3e5258e7a371dbfe13aaa166a6a68d159342c5296aa0c4e4b7b73c6

SHA512
74feaec7e475ab559fb439268899460edb91d61b121b6b3b5489d0cb822b89b48c6e5f5612c92c1ca786c41062c7e622954445205317c55c28f0f2819bcfa8ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
d1f06b55e76c1c88f1bf5c67637882a9

SHA1
d10d838be88f1dcd1ffeaf9d8205205e3df37171

SHA256
e46361bc6bc7723267dc859ab40a748bcbdde10f5555c7b04e9941ac7037c2fc

SHA512
bb2cae01d64a01fc301ee0d6fbb9d4fcd5baa2dafd26ba55854a159d209b386d7f69e73647c38a49092d79a335be30e55dac1443af071236388ff31341da051b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5864ef.TMP
Filesize
89KB

MD5
775432d326dfda02016824fce656735f

SHA1
f0ff3a09283bbcdd5e87c1ff0924c59f0323bab4

SHA256
46a8d0d81c524ca4cd357637596bc7eb92047846dafe30e8e948733e1b735f29

SHA512
8eb816de88d77e7f436e0f42344a0b15f301ffb7fd5738272f23e80dd3923edd387bb7127481970737b0487f0c5f025880c85c2041fbcd304997375393a9dd2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
75KB

MD5
7cb699fdda8b5311054e6fa429821358

SHA1
f6eb4e9c100ff259a806250b09fc3532e0841483

SHA256
0f5e853fb37aca250bda0b4b7f562ccfccc06b05a66c08893e3564490d1d9692

SHA512
5eeeffda6d1407a8b68c3acc9823f25fb4cd04721b4a54d9275b03e489a2e130e0b71d7a00d7a4f133523889601a4ae62a86390e06f6c0ec3b5a864484ab60c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
154KB

MD5
d4521ad049fa5cb005648299b2dd448a

SHA1
01b6f9388ea2182ea2a53f023ea08c11d2549cd3

SHA256
3ef2a59849adc072549e1ceec1fb0f887b47dcecdd34b33ca6169b7987378540

SHA512
92702836bcc4864888ae52851ebdb4be82006a005442ab2882506e5f5a4dbc8acada0a854cd41afbf1e996e355234d7c0450c7cf7d59db0bd5f89e88189ad1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
55KB

MD5
e9a35dba6746c336fa7b1a90942f1416

SHA1
188cce4a0f4424220e50f3d8b09b15e13c3a17c2

SHA256
ad5e2c988ccb716da71d9a84493091d33e9d0bfea40419ea4a9cb627079f9706

SHA512
b2a13552e6a51efa5899969e7ffab8f696bca9ba4348d4d025731546c766b7ac2a097d4d7da349939240f8702b03351b3166261b612feeae90dbfae08695bb22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
581965d6cb05a0e8510963eaa92f4685

SHA1
04742ff4c317cca70f858f13775ab51af07eaa31

SHA256
29f2bd777c8292df739602df566b4e1150f09a786bd1285745de40d7512ee120

SHA512
6f4c846a06afb8866df78b290db696ede3d62d760dd44746268bce45c0bcce7fff7e8c3a3b156129f561ea72e1a88268d26f4d55597b71d547d420885a9e4606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
313B

MD5
e4e3b9d6fcc676688716422b3f582d17

SHA1
ce15fba4c5d86721721274f69d704e4a73308fff

SHA256
a0357037959f184ef93f1c926022de9713ce2110559bd744c8e0916b20b8192c

SHA512
52f0dfb53316a93d3e79a87d5ce0656c6be91fd1dba6a466c8863fb82f39dd2fee5fd146765c57f2d0ab2e7f87368c5e12051811bab3a6c44400d3cad357a0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
882bb790dd933e1e3032c85494139a27

SHA1
1854db1a3aca543075af05319148333731d1f09a

SHA256
2c1a22740aab07f5fb5c6217cca73cda0d36bb9019c24a0a02ff37ebf0bb2619

SHA512
cf325cddf1a099bcfb8deb401eb443906566b5b691417c296ff3bcff1897889e6d8e2c8bceb65f5598fc675aeabbf1fd141efa5b704a3b3cdfe9244be753476b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
497fc59a6c60d839d5c52d44692643ea

SHA1
b54393d3d6d35507506fff12ad23cf51bf250372

SHA256
2cf3cecb1da73e78f8f86da9a1d7c244b3f30e54d944d79ed88b05a886b3a1a4

SHA512
9388a06d5e242b04ffef110f3dd37e106f50bbfe9eb03f8578d99c52982d3a17f874b97e8bd0e49dcadc59b3c1e7cbd0176e9c80ad3c3e947421fc751afcb9d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ffa1910ec3112e4e66c1af2f5ae95303

SHA1
d6b395703b47223f914f6ff5c0637e5087b3e4b6

SHA256
84b7f93eb9d305862c13fb988b0f55acfa6ba3168db4d6fa0823ac2d1529f459

SHA512
646cd51d4ddb3fbbc5128578d2ea953168f16c9455ba78c6e39b3a8cc2944cfb80c867b7dc96820a78f4e18493983611593aceef8a4a010dbe11fa375f16e31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7CLG.tmp\BeadTool4925.tmp
Filesize
1.1MB

MD5
cd242415f47c54555b64ab519f418391

SHA1
0adf9033f5e48a675115031e177faa1ccdc3b0fc

SHA256
645e2a179f061ec66f2f2f2e5ab2cde1151dc6a76c9fccfea0e0de59b6d61f12

SHA512
b447afdb17d56de2006dd4bd5013547c609c1c402dcd5ad6a27237b452e18fe1fcba492a04ae31e04c1cf7982a87ddd96d82bccd7a7b322c01edbf51ebecf777

Download Submit
C:\Users\Admin\AppData\Roaming\BeadTool\BeadTool.db
Filesize
924KB

MD5
c8ef55550a0dc4ccecd7f9d959079f98

SHA1
1f8f20777559ae90cd60fe95e35872b798a9afab

SHA256
0e8b5d7983d39a108822ddb73b2cf1447e4cd52416bfa486baf6880f564284ec

SHA512
377fb69c26bd5366ed5c4ea5fb057cd2637fdc330a298cadfd8ff9fb285cb1cdf7e49bb7282e43da8d46dbd9ba38fcf0bdb6c0f424dc322d474620161195708c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 233768.crdownload
Filesize
4.8MB

MD5
4216d8da6c9d0fa2a0970f65910e656c

SHA1
cbfaea8585f1e040c09a320f7d86d91d141bfe29

SHA256
5a600d5b28725e4ea3268844a8eb03251bc48663116d2d2709787b2e6bed5d35

SHA512
2acc3f9cb831612195d51475fd57aa35f644c50c7ce6fa7fb90d45928a6b744d8417fa831ae074125173d9a1b9700a5eeaacd604123e9c3af52e1129762d8252

Download Submit
\??\pipe\crashpad_4556_QQLHDZWTRYSJTOYN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1708-300-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-177-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-140-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2304-459-0x0000000002520000-0x0000000002C81000-memory.dmp

Filesize
7.4MB

Download
memory/2332-531-0x00000000026F0000-0x0000000002E51000-memory.dmp

Filesize
7.4MB

Download
memory/2356-489-0x00000000025E0000-0x0000000002D41000-memory.dmp

Filesize
7.4MB

Download
memory/2860-271-0x0000000003540000-0x000000000355A000-memory.dmp

Filesize
104KB

Download
memory/2860-284-0x0000000003980000-0x000000000399A000-memory.dmp

Filesize
104KB

Download
memory/2860-346-0x0000000003A10000-0x0000000003AD3000-memory.dmp

Filesize
780KB

Download
memory/2860-293-0x0000000003A10000-0x0000000003AD3000-memory.dmp

Filesize
780KB

Download
memory/2860-288-0x0000000003B50000-0x0000000003C44000-memory.dmp

Filesize
976KB

Download
memory/2860-305-0x0000000003B50000-0x0000000003C44000-memory.dmp

Filesize
976KB

Download
memory/2860-266-0x0000000003520000-0x0000000003532000-memory.dmp

Filesize
72KB

Download
memory/2860-304-0x00000000063C0000-0x00000000063D3000-memory.dmp

Filesize
76KB

Download
memory/2860-267-0x0000000002700000-0x0000000002E61000-memory.dmp

Filesize
7.4MB

Download
memory/2860-306-0x0000000003A10000-0x0000000003AD3000-memory.dmp

Filesize
780KB

Download
memory/2860-280-0x0000000003950000-0x0000000003975000-memory.dmp

Filesize
148KB

Download
memory/2860-275-0x00000000038E0000-0x0000000003950000-memory.dmp

Filesize
448KB

Download
memory/3520-299-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3520-243-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3520-241-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3520-229-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3520-178-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3520-150-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4104-578-0x0000000002570000-0x0000000002CD1000-memory.dmp

Filesize
7.4MB

Download
memory/4776-550-0x0000000002600000-0x0000000002D61000-memory.dmp

Filesize
7.4MB

Download