quasar | hxxps://github[.]com/Pearlism/pearlism[.]github[.]io

Analysis

max time kernel
206s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Pearlism/pearlism.github.io

Score

10^/10

quasar office04 defense_evasion discovery persistence privilege_escalation pyinstaller spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.0.0.8:4782

Mutex

379dbf22-a236-442a-afe5-721ce507f6c6

Attributes

encryption_key
6B3553F1B9B921C4AA30C6F7A837CE7918E6A7A3
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002439a-661.dat	family_quasar
behavioral1/memory/2584-663-0x0000000000B30000-0x0000000000E54000-memory.dmp	family_quasar

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pIcvvlJVcltLHHWVtVfiUbtztte\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\pIcvvlJVcltLHHWVtVfiUbtztte"	Map.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FGVLxNtPWLdTzggsZxuSUpdtW\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\FGVLxNtPWLdTzggsZxuSUpdtW"	Map.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 13 IoCs

pid	Process
5648	chair.exe
2584	Client-built.exe
5360	Client.exe
2992	die4cross.exe
5568	quantum.dev.exe
5912	noxar.exe
4168	noxar Services.exe
2036	Map.exe
5632	map_1.exe
2256	Map.exe
1300	senex-valo-injector.exe
5000	die4cross.exe
3008	Map.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000243d3-659.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 11 IoCs

defense_evasion

pid	Process
5252	taskkill.exe
2160	taskkill.exe
4792	taskkill.exe
1952	taskkill.exe
4844	taskkill.exe
2068	taskkill.exe
4588	taskkill.exe
2716	taskkill.exe
2228	taskkill.exe
2384	taskkill.exe
4944	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873901971826165"	chrome.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1829.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\9458.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\3435.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\ms-settings	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5892	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4136	chrome.exe
4136	chrome.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe
5912	noxar.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4788	OpenWith.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2256	Map.exe
3008	Map.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe
Token: SeShutdownPrivilege	4136	chrome.exe
Token: SeCreatePagefilePrivilege	4136	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
3264	7zG.exe
5360	Client.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
4136	chrome.exe
5360	Client.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
5912	noxar.exe
4168	noxar Services.exe
2036	Map.exe
2256	Map.exe
3656	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
3008	Map.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 5400	4136	chrome.exe	86
PID 4136 wrote to memory of 5400	4136	chrome.exe	86
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 32	4136	chrome.exe	87
PID 4136 wrote to memory of 4120	4136	chrome.exe	88
PID 4136 wrote to memory of 4120	4136	chrome.exe	88
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89
PID 4136 wrote to memory of 2160	4136	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Pearlism/pearlism.github.io
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff978c1dcf8,0x7ff978c1dd04,0x7ff978c1dd10
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1928,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1548,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4292 /prefetch:2
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5164,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5424,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5620,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5748,i,7703772119285467208,7893181710816335586,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  PID:4568

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2508
- C:\Windows\system32\dashost.exe
  dashost.exe {7e35eaf2-d991-4bf6-a6d01489952c07e1}
  2⤵
  PID:4140

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30082:104:7zEvent26576
1⤵
- Suspicious use of FindShellTrayWindow
PID:3264

C:\Users\Admin\Desktop\pearlism.github.io-main\chair.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\chair.exe"
1⤵
- Executes dropped EXE
PID:5648

C:\Users\Admin\Desktop\pearlism.github.io-main\Client-built.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2584
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5360

C:\Users\Admin\Desktop\pearlism.github.io-main\die4cross.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\die4cross.exe"
1⤵
- Executes dropped EXE
PID:2992
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  PID:4940
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:4948
- C:\Windows\system32\cmd.exe
  /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\3435.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
  2⤵
  PID:5068
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\3435.vbs" /f
    3⤵
    - Modifies registry class
    PID:1096
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:2980
- C:\Windows\system32\cmd.exe
  /c start /B ComputerDefaults.exe
  2⤵
  PID:4776
- - C:\Windows\system32\ComputerDefaults.exe
    ComputerDefaults.exe
    3⤵
    PID:2716
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" C:\Users\Admin\AppData\Local\Temp\3435.vbs
      4⤵
      Checks computer location settings
      PID:920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:5268
- C:\Windows\system32\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\3435.vbs
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Modifies registry class
    PID:1300
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  PID:3764
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9458.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
  2⤵
  PID:4068
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9458.vbs" /f
    3⤵
    - Modifies registry class
    PID:1624
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:5972
- C:\Windows\system32\cmd.exe
  /c start /B ComputerDefaults.exe
  2⤵
  PID:636
- - C:\Windows\system32\ComputerDefaults.exe
    ComputerDefaults.exe
    3⤵
    PID:4040
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" C:\Users\Admin\AppData\Local\Temp\9458.vbs
      4⤵
      Checks computer location settings
      PID:664
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4108
- C:\Windows\system32\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\9458.vbs
  2⤵
  PID:3140
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  PID:2376
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Modifies registry class
    PID:5644
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  PID:5188
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1829.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1829.vbs" /f
    3⤵
    - Modifies registry class
    PID:1576
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:3504
- C:\Windows\system32\cmd.exe
  /c start /B ComputerDefaults.exe
  2⤵
  PID:2108
- - C:\Windows\system32\ComputerDefaults.exe
    ComputerDefaults.exe
    3⤵
    PID:2004
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" C:\Users\Admin\AppData\Local\Temp\1829.vbs
      4⤵
      Checks computer location settings
      PID:5116
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:912
- C:\Windows\system32\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\1829.vbs
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Modifies registry class
    PID:1156

C:\Users\Admin\Desktop\pearlism.github.io-main\quantum.dev.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\quantum.dev.exe"
1⤵
- Executes dropped EXE
PID:5568

C:\Users\Admin\Desktop\pearlism.github.io-main\noxar.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\noxar.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5912

C:\Users\Admin\Desktop\pearlism.github.io-main\noxar Services.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\noxar Services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Users\Admin\Desktop\pearlism.github.io-main\Map.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\Map.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Users\Admin\Desktop\pearlism.github.io-main\map_1.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\map_1.exe"
1⤵
- Executes dropped EXE
PID:5632

C:\Users\Admin\Desktop\pearlism.github.io-main\Map.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\Map.exe" C:\Users\Admin\Desktop\pearlism.github.io-main\HardWare.sys
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\pearlism.github.io-main\FortniteCleaner.bat" "
1⤵
PID:4296
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  PID:2384
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  PID:4792
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  PID:1952
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  PID:4944
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  PID:4844
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  PID:2068
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  PID:5252
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  PID:4588
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  PID:2716
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  PID:2160
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\Desktop\pearlism.github.io-main\FortniteCleaner.bat"
  2⤵
  PID:5804
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\Desktop\pearlism.github.io-main\FortniteCleaner.bat"
    3⤵
    PID:4712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Users\Admin\Desktop\pearlism.github.io-main\senex-valo-injector.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\senex-valo-injector.exe"
1⤵
- Executes dropped EXE
PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\pearlism.github.io-main\mapper.bat" "
1⤵
PID:2288
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:2620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:648

C:\Users\Admin\Desktop\pearlism.github.io-main\die4cross.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\die4cross.exe"
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4788
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\pearlism.github.io-main\chair.py
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5892

C:\Users\Admin\Desktop\pearlism.github.io-main\Map.exe
"C:\Users\Admin\Desktop\pearlism.github.io-main\Map.exe" C:\Users\Admin\Desktop\pearlism.github.io-main\SuperDriver.sys
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3cad8ff6e9f5fce782b546bfa3216cf5

SHA1
3d936b911a5f5886d6ae1ddafd2398f262506ecd

SHA256
88633c6b9b64638d8d79ac6a2654b867aafdace139b62499b05690792f95d0af

SHA512
20438cb029d22a5beba5bd9726c92c35f2c9dcc5e33fddf80179d031c989880f8bfd98a7e84a112f6074803ee5048f702df61b85198ecdefcc1ae0562c220e26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a489b7d966081b12c212375f329f5b59

SHA1
7195e8529417305113bce5bc7c6b513df5b17747

SHA256
6f8aacee7275f9dbede08b3fa03d477b6d73b3b06019dbfb0c03be12c00cba3d

SHA512
dad3f8f03bf4d8ee09d87f1de644353b47cfba928e061a1716cc7cc70a03261d630c5dff2f24b04b670fa67fb10d27031e7fa20bd840b9daabd3e5e7e7fe45cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2f94ab5c52eb5aad05708d541021d01b

SHA1
555e516324e8419bc4e0082bdb2d0a71a8d932ae

SHA256
ae0482a2d59d4360c69d8c30e7d1e42acb634972c6bf5612b81669e0adf541e4

SHA512
076fa7915c2c955c77cfbeaa73147e03f015de5eae8b9c7e82c673c8455c62a291c4f6477bd36d0c85336b6eaeebae10e3425d23f00d0863068974f5c8294e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7fd930643ddbdba4f9019c5711472d95

SHA1
916a2a606aebce83fce30dd71c98901e2ae398aa

SHA256
5b409e0189072566d8bdb3d4cb5393bb5144c63da317da18ac2a0e6ae1aba509

SHA512
501517190466951b64221297df2caa9f59c110efc82b7b1be1792cef2add618697b0708e437d18067cfb30c1a575f6ad5f5d174c0fd467dab42d84d0690328d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
144230f0cea5b317c94d83cd5bfbcb10

SHA1
ec64d10873fa5e5de0dd284ddb44c2557792d8cc

SHA256
036dc526ace03ddf0c278430c5a8e8627e07b5d62f20612878bdd2c81faf534c

SHA512
a28da5be73669f972dede2c13c8930b86e1094e6fc3107af527e1c5215bc3976694abba687bd69b8cd80184bd77117d5fc7a26d84089f7292a203cd0f6ff9da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6a3914ae9ed4c115ed89ffb3fcf42667

SHA1
9b4b0f6febe206748abc92e044e3faef106fc07c

SHA256
23e2687ec176d7377ef07e8ba4cde8ec7917945b139c1d400d93f3d092aa394b

SHA512
f75a2c52bbbcfa55c41acb1b746c0ff1fd95470ac851a7f8d883a23c9d75124e9a1d44b09e3a446a6afeb847131548aa504ae162848aaa2ed891d7f87462132b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a1d7cf55601d99aa5fb6e6feddb57f48

SHA1
97d02ef820fe4a19f6495306c6c27486213a0cee

SHA256
4ba2e1d1d5ae1f4a92fe56ad0ed7214f6e5fc16432611bcfca27ba1ea7836c89

SHA512
e848042e1dc3f870c71af5fd0dde23d8245222d7d476b579367735830c31171bc9d1be6334652bc0a5597f7fc9f206d0afa4c5e6533cd51dd3dfb79343c8143d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0e041b8beb62109bc612bd433aecbfbd

SHA1
15b0515597c527f32376c2faf6d7f4084d208ab8

SHA256
749129b2c7e5e151a012ba92a99b29c216369146a1469915fb7d4eaa4c1700f2

SHA512
f8581544274d402fb6345c08b1bc8972b9156218704e2bed646a61e2af28029072a8c9eab331475d60647b2648f827d93b6eee8d386acb3c1fa14c35678f5573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c9624edc419af5064a3dc64f9e8b19ef

SHA1
6403d278e0d60d519d61727c70acbf2ff7106346

SHA256
7181085d8687f8bd8393b70b62108ba874d072e3a72d9e3b6062000b78cf19ad

SHA512
03d42d59bffaba2f3995d47ef886e75b630963cb14cb8b3634d5b61626a595469afb03d4a8ede027d35021a72db36d424b66167e7d89a0d3f82b2a42f9955583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57dfa2.TMP

Filesize
48B

MD5
ded9123a9f820c501f20bb02430f3408

SHA1
87ff8830d983424feb3f533af89645b8d366dc17

SHA256
5419ff79a4cc1e6e89986812ac2b8c51efa10741b4529632a7fc159f34288122

SHA512
57f0209c6a064c4a08bec61b052ef8ed90e8cd45991a4ad5717d2ac0f7ed77f220953a20ab872023f419773c884ca64933f014054d7014d71deaa69a35388851

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
2452cc68c2b730acaab0d1404190b6ca

SHA1
b00268a172a153c3bc3f8c7e00977a164e80c70b

SHA256
71f1f0f2b69afb7f6dd722497e0eac498adddd28b294a22780a80fa280442bd7

SHA512
a931cc813dbfabebc807e72812b9ab5640ae0c2edea59f4cddb3c34189f0f5ca75e0bb31d922eaf306fcb9c17e2eeefbf0ccf5998435eee8038c5fd7d1e4096a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
093e97809b17198045f2a9413c312880

SHA1
5cefb36004686a12a3153c9595e2e203002d2805

SHA256
8b05d31d5d8ca0d65feb286f47ed5a2d21a0528735a78561d3815e1480d0d387

SHA512
2db54888a5a3fba795746ad5ed7a1e5e4a8194d0d56b6d368f1d2e8dbb0bb7a0bba377a8f91726ccd50c064ca92079200fe781629a62c62ea2fad5f9b340b2ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
36d80692c31f795b2eef0d9c41b10b42

SHA1
1922194097d3496e4f3f2318ca6674524a8ebd3a

SHA256
41facfdb100ec20d1a909b9c6c4c308c5c713f21b1047cb881b27752d8b220e7

SHA512
6ed3099092633905a00c717aaaa1130213ef5db7668d5dfd83a27d8890cfb328d035da5ebb1343b230bf4e5014d1870b8aa840db15d7afdb0b50e8e1c2a0e166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
79c78f077f22241719105423c8ca62fe

SHA1
ebc463cb459bc518cfb8c589207d5c1c0faf0969

SHA256
a9c6b123a4ad05c51984491fa716725910d67544a9d4ae4e2d5af06d5e4563ca

SHA512
bd73bcf004a71f8f4a9c5e5f46096cf620be97f00ce148116fce91466fbdc5b959304708b2f9fe431735502b0c7bd71ad772957009c00a69e1688253dfc04770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
5f9e6952256970aa38f0c50ccf55a288

SHA1
ec82a57480946eadd0887806cdcc0024d43b2242

SHA256
f450b361fce134d526428db12e4c3d2d4a1014d320faadf207e2c0d01398caa3

SHA512
1d8e869bc57021a389343490ba29e3d60243f178e034bb6e1345546e010e82095951749180652591fcb124c272c7d60d7d5599386708d731d48a19c58a57c6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3435.vbs

Filesize
125B

MD5
8b4ed5c47fdddbeba260ef11cfca88c6

SHA1
868f11f8ed78ebe871f9da182d053f349834b017

SHA256
170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

SHA512
87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9458.vbs

Filesize
114B

MD5
34b33b5a437e20d03d79b62a797dfe99

SHA1
9b57b598a7e9d66157a05a44bc7c097bf5486e6c

SHA256
f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1

SHA512
757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c

Download Submit
C:\Users\Admin\Desktop\ApproveUnregister.odt

Filesize
621KB

MD5
2a19ad561f27b7b52441b97f56ea31cc

SHA1
7411f30204225e98a35ea0269ae5fab2d856093d

SHA256
d8dab29df48381f4cba1e1c6ceaaacd58f06766e3fd729ed8b037c8d17fec819

SHA512
66150fdff7b5fe9e6e10be7786d67c09ca99e0bd7d9d24dd2a986d8dfd9e1640d62475d5468e60c9113f42946a36e986a8812d0336c5b0a06c06b99806dfa177

Download Submit
C:\Users\Admin\Desktop\CheckpointDisconnect.pps

Filesize
531KB

MD5
ca5b54c411f21b101b8ec624c51f2e35

SHA1
e44055eeacb4a16608e19638dcaf01af614259cf

SHA256
41ef56834f1a96c2d8aa094ddb2a6e865fc457d5cf785a2c5be441c86eb2b513

SHA512
bc9d37d52fd283cfee85c86035dae03b84b996aca9ceda090385988ba02e5ec5721f85c5e982d1b5f034b6e599d6306727deb30431f7c8bac62ff509ceb0609a

Download Submit
C:\Users\Admin\Desktop\ClearPop.xlsx

Filesize
9KB

MD5
2e0c84a62b707ffd0bd51e7b2aa9bbf2

SHA1
834bf18af8138f5a2d1940c5cf0a8773c8d94f39

SHA256
68fe342f7d5616197c60904a5553d317c7f001d3bdef90b72abeb5e637d14732

SHA512
d103a20e5424a005156bbdf9066235ceb8eeb2aa66b637e7cd9de54be2932f8fba0011197a4c0dd1e97f16bc2aa15f813ac96d5b2e6930bcc340451388e46a79

Download Submit
C:\Users\Admin\Desktop\ConvertBackup.emf

Filesize
603KB

MD5
92b9afa69c2c08486b56eaa36ba60395

SHA1
e60cf47b11007a445b10e71c72c2616b34d3ea51

SHA256
cdd781b7be3e3be9525f893e7e327ef5a9661867707a5db88d57963cfb5c38b9

SHA512
d45aa0fcfb60b3adc7dc98fb7ccf3d255946cb060f75e6d557c29ef896bda4051ef45570503904c15945226bb9a5754eae3ba71c028cb9538a42fb1e4c5a9af6

Download Submit
C:\Users\Admin\Desktop\ConvertDeny.MTS

Filesize
477KB

MD5
502bb58ce5435b23492a97ce0783a259

SHA1
f2588a28a62ff0c89bb9ad2ed1e2da0a43bc340e

SHA256
cfa2cabb244432aa6c180e7bc432b3153f902c4a7fad4558b6b84e61015a7bbe

SHA512
63f67239ab1ad1cff88c54839221016db092f5d7507f6a0c949ae328675aa1aba2d96922568f16232c85d878184b15e869b02351fdfa13d39c6352a8888a9ebe

Download Submit
C:\Users\Admin\Desktop\ConvertToRepair.nfo

Filesize
351KB

MD5
aad1b17d7a332451ee7caa2a6d137f0d

SHA1
da6bb7e2c3f0ca1c38c8402a380d2df9c23503ec

SHA256
48d837123e8d6c0638dbc51a7278ebd67e1b2320f0bce08ea92efa933d61f6b7

SHA512
bbc06c8aaddb8bc90027b027f96bc242b03a47f0a3b76279724657c65f75a3d7009673ed95e1b1c975043850228eeb2dff98ec449daea5908edbe7aea8431b80

Download Submit
C:\Users\Admin\Desktop\DenyDisable.m4a

Filesize
459KB

MD5
e9baa2324e20382775b046943f524cfb

SHA1
556076576ccdaedf307b9885c5aecfadb5ec3b2e

SHA256
d279c5bb5f5a100d31c2e080bdd95fb649dcd5848b1e19c6ef8286fc20889bb9

SHA512
334cb06a0e496e3f87110227c09710862788521db98174269342eb73a75c9b842184e6402692b46d6d03f8c2ff7ab098bfd691d327c491e47f20296513c34740

Download Submit
C:\Users\Admin\Desktop\DenyOpen.xlsx

Filesize
9KB

MD5
8d759530683ccde273c41d6c5fa4d638

SHA1
ebf86906a279867d630cc042859be1dbc7a6dfe0

SHA256
d80b42985c96d85ea86b29facfcafbc6937889a5a8e0e0d04f860d36e7240a0f

SHA512
d8688ab1f333a86862896ee1a9d5e094fde56987194e04ce9260fd26a36284e19fcc3fa76f1aae60ae95a5472f55f0c8175c280adc97af2975c3d05f8caa8e7d

Download Submit
C:\Users\Admin\Desktop\ExitStop.3g2

Filesize
261KB

MD5
d10b0ccdf62219e214e5e4a70a088b54

SHA1
7e6b95635f0a39d84ef4626c8afcaf8211c669df

SHA256
162e25f8b9673b2f469b7bfd47b6d4e58e56a0162742f6e91b31642397ae97d1

SHA512
8a8bba0aba3d8032eea86e40446f75fe281ba204fd4122785259d16175d5901cde77c840630e2339a700ccb2b418bf69970a4a3e5de4835ec8dfc2f0ea3aa310

Download Submit
C:\Users\Admin\Desktop\GrantWait.m4v

Filesize
369KB

MD5
1353b92036143bc435bbb26564bf8b3f

SHA1
23b119e1eb0690124203471293b0f28083a2e5da

SHA256
99e98207d389d4050828b9d025f2df9e842be208afd7ede36094cca95e2ec2ef

SHA512
cacb58d86933d2c9d54716a83758395135d384187b86ca5de7f89b11ba212c0def1fb1e0751b365521891d0d4ace8ea16b9c9e3cb74c30eece9d801a5dd038f0

Download Submit
C:\Users\Admin\Desktop\HideRestore.pdf

Filesize
495KB

MD5
459e7ae36168f6bd6b201e9547b839a0

SHA1
6a5cc900166e7abb4964a860af0d0d9c40734fad

SHA256
49c5cabe364fea9317c47f281b28941267deda2f25d66e0a01ce27de4fa35b72

SHA512
0f13005189b4be7f287d5d51113e81aab276699c08dcf23a63ac6a724850219ab4c5c1c7890b7c8381ff7b4eeb41aa693c85aecabac2b835b2551a81f58dde97

Download Submit
C:\Users\Admin\Desktop\InitializeConvert.ADTS

Filesize
243KB

MD5
611224676c529dff0d95715018817d9b

SHA1
f2232df3817aef53996e42945de5be630b71430c

SHA256
d11fb025f7cca46a1e1d9ea6916e13788c389b2fdff91c247051749744ef54e1

SHA512
d2f766b1078b694debc000b15662796dcf05077f145597c2918b4fdd8f325c7d5ec7c368e05be0acaac4199326a2de20a77c5091f7932da7db442a625220c478

Download Submit
C:\Users\Admin\Desktop\LimitUnlock.MOD

Filesize
423KB

MD5
cf7b586f527d0fe90bc73d9255e9f5b8

SHA1
fdf598666fbbbc42e26417de82ec25b775b4b619

SHA256
8a8375e58d44c1c89cd0417a90d56e7f4687a4c7b5ade3b0ea6e5cc59fcf7409

SHA512
4b490546a997f053f553b9752037cc468c00425b0cb1cad4d58f190f32a44d9a4c45b620f0cf1fc7e0cc417bcc2a82bc14f5e5a81460ba7031952f5d244364d9

Download Submit
C:\Users\Admin\Desktop\LockInvoke.docx

Filesize
13KB

MD5
deb5df1e8766f9f264e66cccf369f9cc

SHA1
a90b49b9449970ae745da0b76291a96c3c873418

SHA256
dc44e2aa1630cdae719a396a13e266648bb2c3ba9c8e5cb4939d3171832ef436

SHA512
d162d497fa6a63bd085d2744efe76121b3d3565f64c8fa921459029d14177c3f8c7c81ca0bc5b5a2245e11db736264856076abe796b08cc461c45ecd3edd48d7

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
5474553789f8f831c92cce8977c9d75a

SHA1
5ba2ecef9ac93ea3a8da9811948fa457a87acb7f

SHA256
21208f9edbcd1ea93f676e4b968da0135010584eae67804856b549db04721475

SHA512
9b281d9fa02951562aea3a58e0bde3d0d722bc977504d205afad1f80af02175c91513a5d18bd0800df5d8700abc92bc9b559a7d4d7bcb2f71998eb4d06d3dbd2

Download Submit
C:\Users\Admin\Desktop\OutMerge.M2V

Filesize
883KB

MD5
0869693d12bdc42773f1986b4400931d

SHA1
cab53d838c2a9b5cee436d5c9708262770173637

SHA256
bb624ef3de7ca9c802f5cea59b8693c749bb427e9c620d8ad79528b067fe82af

SHA512
13eab64fe672d5df3c4a0e3cf10d540f667274bcf1ddd62bf49802c6cc37c2c1c2e1c85f6bc7d3b8bdcad1893189544f22b062648fcb8c381b36e784249f7c60

Download Submit
C:\Users\Admin\Desktop\PopResize.gif

Filesize
225KB

MD5
a1b4dd98f0c369b4e2b7b5306062bf4e

SHA1
6d361c997f6bd0c2aeff1dd3d9fa5ea08d7d1fb1

SHA256
ad5867fdd99012de47e6dec90f7909eda377734f16ce9851e27608798b0572dc

SHA512
346bf1606cbbfd25b85445756407e22e857f4542ffde7f8199e1adf6422d394c25c00ebb12780607bd45ec46a438285c9d75eef756813cf2f20bc16738d3b32d

Download Submit
C:\Users\Admin\Desktop\RepairDebug.xml

Filesize
513KB

MD5
6acdc46befe3afbd822650aa3bb3bf16

SHA1
32fca9fe5e2037b4ede6a0eb023f7668c8037f31

SHA256
79442221b636555576ad6caf9a3e283f0f9ec9fa23345bcaafc327873abda321

SHA512
486facaecfa31a27e4964ddf12f961cb8bbabd4c47e841e8775b87d1c4009f63d55817f5130886eba998dc16f07c4851dd6a07b91f040ae263ce278b708d6c67

Download Submit
C:\Users\Admin\Desktop\RepairWait.mpe

Filesize
585KB

MD5
242a497ab45fabc5038755e56dd71bfc

SHA1
18f03463080ab692072041891ed901fad71aff5c

SHA256
ff48cff354c2f669af97d2f492515c83df208a26eed0d7e108f028c96c5c3524

SHA512
d6002b08b6cb09b1cf5ca1dee77fa06312fc0ed921778b5a760ef4073b25b9d2ce979bfdae29bff8b3f7951cd21016a683bb6114cc4ecc956f07bc95ef9d990d

Download Submit
C:\Users\Admin\Desktop\SendAdd.nfo

Filesize
441KB

MD5
f6d694fcfc777104b56dd6de46286c08

SHA1
fa88fd11c1afdef619c1e549ba64dff58457aeb3

SHA256
1a1558997a5d95b2a3dd5bbe72dc602c10e61d91f46afa53ca05bdcf718ff72a

SHA512
04c92b6b6e5d2563dcffb7bbd84246320745b50284a2c9c77eca05a6550288a770f31f31bc81b663a23a5626da0b44bf22327488bdebc8832874b76f83e2f920

Download Submit
C:\Users\Admin\Desktop\SetRestore.xla

Filesize
387KB

MD5
11cd69f2dcfbbbfe425c3850e007c560

SHA1
e42726f44db01f42eeb43eba2f59214549a08d09

SHA256
90cc856bfab18bd84ba84dd46669a591ff86c7c03df6a9a005f50434a95d0ebe

SHA512
17007819e6991c7e91df45c46339f66605b3f3587bef5dfa6150503b5cbec53fee31663a698e0e6b01e88927d9428f2dafd4ae9a73bb82cb81a27d33b792575b

Download Submit
C:\Users\Admin\Desktop\SkipMount.docx

Filesize
15KB

MD5
9a18a925ee741e4357adef39c7675fa0

SHA1
49d183b5edd68ac04af4158183d92de0d0b1a6fe

SHA256
cf9194b9d384544884b39c76b5a8aa304300a00549b176ec98fadd173996f271

SHA512
ba75faff3ee410f8078b4fe875b14a8aa71b626586cd1f7178c6535d3a3ec1f3728eba79dd6ce797964f512f8197ba6a2166629dfab9d47eeca5a731f7225a4f

Download Submit
C:\Users\Admin\Desktop\SkipRevoke.jpe

Filesize
315KB

MD5
c5c2b624f5e46b616539764a9c3bddf4

SHA1
802919cbd40061c9e15e8b3ac1f07c84a15fea0f

SHA256
4be08ef14983fbcc8105027c64f9f27dc8614d46a93d7feda16dda7b28ef5461

SHA512
c5d2ff586c3fdbc614c45c718dbf2820fd1062e690fcd823d77d09e3638089d0c424acd9af747d5fac83dab4d599687fc3b6ecebe33434d175f437c32fe52e29

Download Submit
C:\Users\Admin\Desktop\StartResume.lnk

Filesize
639KB

MD5
6f0f0e0f5ef8d0ab3e1f018ec5cfc224

SHA1
51399e6c31d6553092c0db3943d1c18261fe8738

SHA256
8dc7c4645c35367853442b72baa0e9c3be2ce0c725ee946cd9b744188b1d47b0

SHA512
7ef489f286a7e5220907794d46b472ccc72bafc3074f5cacbd0eee4b8fc8b6a53b08e6510081d9cf6d9dc95dae5bda7882b031e57eba2731b45ac4aa4b5e2e46

Download Submit
C:\Users\Admin\Desktop\SubmitApprove.dwfx

Filesize
297KB

MD5
eb2a9c87ae33865ab65839278762a683

SHA1
d4c6a6f549d17edc1dcde0e09ad1af1c8a0b9d8b

SHA256
07eabcbfc0e2eed5dcd0f7464e0ab6465783990a1cbc8ac0406f6d62059eb35f

SHA512
3bcab6f3c32109a26cd521fb0a13cc829018889eb83840a1017d82b7c7ed99c415a7759b849904f40854573506cf3b2672b045577713b2926f14d554e13b60dd

Download Submit
C:\Users\Admin\Desktop\TestUninstall.rmi

Filesize
333KB

MD5
6aa3deefac67ac20991b20649643326a

SHA1
431f77ec4dbdc85e5d715a140f962193e9f720e5

SHA256
bccac0de77639684969c0220103116c1e89cdfc2a5799ae2d475b62e11ac1c0f

SHA512
001949cc0db46ec78681056ce88e28065fb378eb7f630f9637088a2de760a0db43e63865079da6805f620b3da314224a100beb5fcb5f756b8205ec29570c0ac7

Download Submit
C:\Users\Admin\Desktop\TraceConfirm.3gp

Filesize
567KB

MD5
f7076b2eab835a28f2bbf585ae563cd1

SHA1
38b012ac7e26d8623320e6d4e81134ec5e7aaaa5

SHA256
4763f8ff6bc3c2b24a7650ad6827f7b5472c4a426674a67123d544f4fe85b4d9

SHA512
0083cf2d1f5675ea92ee1187acaa485f5a3dbff94c9520f8bc14bb48abcf35b991953f5267293b17ee60a7490c3a4d9abb7cfea91d86b40a3020a5ef98c21060

Download Submit
C:\Users\Admin\Desktop\TraceShow.xlsx

Filesize
13KB

MD5
c521a90da51447358f971ff1bbc6ac94

SHA1
3f10b5c216b0c3d4fc07c1a0956292e540a904eb

SHA256
c83d824463002fb93a18ebfc6afad1768d132bba7375f414bd67bd1cc6b99abd

SHA512
1c8205e81c89d1067fff5da0ac07dcfbb86c47d5e54e70a3512f679d1af1ed7d73b7113a3bb9b11f1ea561ecf6c3984813b0155b1e5ea1adaa6dab58994b9524

Download Submit
C:\Users\Admin\Desktop\UndoSplit.xlsb

Filesize
405KB

MD5
1449f303b3db233432bee38016d28887

SHA1
4050b788950f49910b71acce4ec743d5ddd44679

SHA256
daa015bcc499e6389785aef5fc8ee01f08f3d6aa0523232ed12e06819f6cafd1

SHA512
3ba316d947b825ff14cd1d676e7ccfdb94323abffe7e79a02b620a6b196706ba1bce1f2bf3c07c8000637f1bbfd8c9bc53cbe25f0034781ec76abb9828a3ebbc

Download Submit
C:\Users\Admin\Desktop\UnlockDebug.vssx

Filesize
549KB

MD5
0b2dd43922c13bdac2c6168b9f49f1b8

SHA1
f604b781af0aa53efebd4957f8aa6693d86d15a5

SHA256
6e2881cc92911b4cbb97bb5343ae3ebd9d048342d603f0325f4a11900a76b107

SHA512
45e2769e3812bf8698cafe10edc3b3d804344c9e19ca7969bcd083b51fbcfdf883ddaa55eeb1cea6bcdec00f980b4de0f3b8f535ed859312be701ebe5c1fab73

Download Submit
C:\Users\Admin\Desktop\UseEdit.mpa

Filesize
279KB

MD5
4900f06cc54e4ff56d2f1e26c0a4c979

SHA1
7863c111a5e21d316851f35079cd0987a2fd1dc8

SHA256
4ca095aca316f4531dcb93f3656cda6a6452427e8c0d60476236112666c8eb92

SHA512
379e37326259cfb3b283e8500ed3f9413648c8192fc3e310d4eedc14b1dad29b03f6389a30e63443d79b64bb1e3b91d74f626f53d2caa2109ea9759af765df29

Download Submit
C:\Users\Admin\Desktop\pearlism.github.io-main\Client-built.exe

Filesize
3.1MB

MD5
430cd5b10b3c11edb85c072395b692ac

SHA1
bee64636f53c2a5097bf0d3993c7a4451296f587

SHA256
ba6d0cbc2e7d577064206ceb69e58cd5af64bd579085de681583450b9f3f5618

SHA512
ea14b416af4b017b7e0833364cfbc5a1d6abe644d60a303a6c0ff6937eeb3474f8ec0f710365a182f9c81ba1cb2b9e26407b65470c6c1b8a2a9b572002ea7f3e

Download Submit
C:\Users\Admin\Desktop\pearlism.github.io-main\Map.exe

Filesize
136KB

MD5
002be1ccc5d4c01961ddf54acde453d6

SHA1
8dc401c774c57de7b7dc467de2ca6b9ac4c6b379

SHA256
cd3e95f36444732d3a335911a2bfb829f9be8d6027b5c91e37593f06dc16b42e

SHA512
a3f8b3190cd40392dda7cc64126ebf2f16bb43d6d2a584f7e612090f3e44079a7468de31760eb69e76a93d6376398098c45db8c483537f6ed616d73d49145aa2

Download Submit
C:\Users\Admin\Desktop\pearlism.github.io-main\build\icon.png

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\Desktop\pearlism.github.io-main\chair.exe

Filesize
4.3MB

MD5
76d9635ce986e0acbba31d23c18f4730

SHA1
2131e1b8aeb8c3cc67c97f7c2a1bc81bde8716da

SHA256
9f28c3e5f94d1016958c2771b8a102ae3fe46ed4a6ffd17cfe8aeaefd0a3cc99

SHA512
ea480f644652c18bda3704c4b4bf6aebe6476e060ae90e538d332b33a21eafce7c3c8124e2e769309dfdaad2f330cdcddb5345a03e7962098eb647e8909c7961

Download Submit
C:\Users\Admin\Desktop\pearlism.github.io-main\die4cross.exe

Filesize
254KB

MD5
d51eeaad0056ac9c6fb9921d42c2961c

SHA1
c575c213fe13bd48431db3e1117263f41a2560f3

SHA256
910dd5add80a233a68f6926dcf71c21cb59c100f545059fe9fa208c6a2c6c840

SHA512
930fdbeaa6e7e134f8096e55d1a5a12aa82e926f1b0675a211fb2b03a3deb8c95dc66b5cf72cd426dc460816b203a3062e6c3d0fbe3020188f03a266e7ee5465

Download Submit
C:\Users\Admin\Desktop\pearlism.github.io-main\noxar Services.exe

Filesize
856KB

MD5
74f95af2057b2da54260e33d67c1c7fe

SHA1
68b2db20605e6a9e19651812ef84c1e49cd78e03

SHA256
ab5ff9a7752a847c8cef1a1b0acbd4b9d415b77eb032ca1e5de7ad2af459b49e

SHA512
75379df94dc4cfcc6615c9f885001da97c7b68af854ead4b0abb542a4768c65e2b9c2d5e82939036795eed96f8738589ca6e4abdeb130ff9d6e04a4375b1b9ef

Download Submit
C:\Users\Admin\Desktop\pearlism.github.io-main\noxar.exe

Filesize
856KB

MD5
d0b0da9b2b892946f3439db4f5f32a55

SHA1
93c5f4fcf9ca8fd9e177230f4620e2bdea7b80b1

SHA256
2a42545a199ff76fa8ffe1e50d27558ed3a9ad9f2445b6a104dab93f68171bdf

SHA512
6cdb59f8ca249509a9bc9ea500b50473abd3c51c533ff072508382a96067b84f2f5f9cb04279a9f4cf3b6f1c45cf8eba0295aecce4ac620390831bad30199e2a

Download Submit
C:\Users\Admin\Desktop\pearlism.github.io-main\quantum.dev.exe

Filesize
3.0MB

MD5
780d9c3ce01829270f13ed24af838654

SHA1
84b270cd797ff5fd5b33cbd628ae978f90cb2138

SHA256
98fc309fbc2a0976c35a9c8f145eb914333b85fef3fedc34b70e38d7f6704674

SHA512
d526ee9cb9cd22c1a5e2d3b75c972234828212995991e8c4beaf0a12e84b6db2d7b97091347d1f135af43394e77c4940074917a4bf09f6c5f653c1f58e930c21

Download Submit
C:\Users\Admin\Downloads\pearlism.github.io-main.zip.crdownload

Filesize
9.7MB

MD5
e6583bcbc1799352a3200c1d7068e390

SHA1
08a29cb24a4441ec7a32bd9c08987f75c75695ee

SHA256
240ff7fd09e547398d6aa2aed56285e3d61360f2e99a64c86c472abddfd0fbc8

SHA512
66836e35280b7bf61cb733bed38e3d1262f283aaa7dc646bea990866d7a0622b31e7c4da1429d0e10f29e869c4010757eb4239ff8c2210828a12c19694599e19

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
9dedf97c7d493572f410d79acb614db5

SHA1
f2df18b8d5e993c83a7072ea53d437f7ece6ff51

SHA256
5a57a4be1500bd99d4e6130525277a5ce094d5b39a6dfed6256a7e53adde912f

SHA512
beabfe28b446209cd6041b532cdd1b8e733ef28e3281301e351b57f64d5a1b3331ba38ac04a602c12fc634d5c5be03e4715e809306140817bf1a7d10e07dc4fd

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1KB

MD5
be919a6c8edc06f97e08a598a89305ef

SHA1
e0f68a0ad61722d8ca7f0e784c49b3b6a1e6ae53

SHA256
f5c90477bc0c634ca2b86433ccc01969be390e4fe57ffae3613e90e15d006efa

SHA512
bf8960c400a5f23379b731a4081ee79b7eba2ca9d97b9ead30e3b05a734e7b3c2aa530bf3505dcb80a36ea51b5e876a19b0961485bd6893e21e3dd735aadd57b

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
2b7d07a1ec1dd47536ad6b717b676fcc

SHA1
1b2628fd1370c48b9d60896c32ceb3176cfffe18

SHA256
f77aed8267cb9a80aa6c7e1a5785915cfbe7716ca7b1a5eb8c0e568bfa0bc5ee

SHA512
868f362608c9c0f90a3fa550513ac82967a3093512af2603e423e221bb99242fcb4a55bda2f50ad2e2767b1ac1ceca6282f8ae85ef2557a1055c9aec8aee8ecf

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
023601dae87dd343c79337fc3f2bb726

SHA1
969000ddc1cade9e69094fa329492f077e6b7ba2

SHA256
9126dc3c7609bec3388262379cdf9fdd41dd9a92d783166d998df3ec1b8fae1d

SHA512
722debc61ae7b100a32471b591581ba19c5f5423579beed8c4884989163346e675bd083263b28fa55005e65a26c6899ee6a0e6f255cdf44c4a7a81683bd431ed

Download Submit
memory/2584-663-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/5360-670-0x000000001BD80000-0x000000001BE32000-memory.dmp

Filesize
712KB

Download
memory/5360-669-0x000000001BC70000-0x000000001BCC0000-memory.dmp

Filesize
320KB

Download
memory/5632-685-0x00007FF7FB160000-0x00007FF7FB21A000-memory.dmp

Filesize
744KB

Download