xworm | 7bc75b4fd38a6cdcdf9deb8796f34a908a1d0681352f3738842aba2bb8c81132

Analysis

max time kernel
409s
max time network
416s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

73KB
MD5

f53c0108cf257163f41415363c03d562
SHA1

881e7d0e3d6049369ee313bc538e932a78b690cd
SHA256

7bc75b4fd38a6cdcdf9deb8796f34a908a1d0681352f3738842aba2bb8c81132
SHA512

8f3cd3be86f46678943b5f12d8d48020d402db4880b54fe0ff0c1bc4e5698e52ae727764f71cb3d2a247a72a5f3ad815120346477a585f93163759b770d4d499
SSDEEP

1536:2zR9VkSMBBXtbEHBbWRn5uIOE6U0QgOMTwZBmW:2CSMBB9bEhbWR5cHOMg0W

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

hour-amplifier.gl.at.ply.gg:49054

Attributes

Install_directory
%Temp%
install_file
svhost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3664-827-0x000000001BDE0000-0x000000001BDEE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3664-1-0x00000000009D0000-0x00000000009E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2552	powershell.exe
2540	powershell.exe
996	powershell.exe
4060	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
3664	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe"	XClient.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133859272304960104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1479699283-3000499823-2337359760-1000\{28E6636C-492E-4CCD-B6C5-4E5178C0D5A4}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2552	powershell.exe
2552	powershell.exe
2540	powershell.exe
2540	powershell.exe
996	powershell.exe
996	powershell.exe
4060	powershell.exe
4060	powershell.exe
3664	XClient.exe
1032	chrome.exe
1032	chrome.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
3664	XClient.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
3664	XClient.exe
3664	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3664	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	XClient.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	3664	XClient.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe
5100	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3664	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 2552	3664	XClient.exe	90
PID 3664 wrote to memory of 2552	3664	XClient.exe	90
PID 3664 wrote to memory of 2540	3664	XClient.exe	94
PID 3664 wrote to memory of 2540	3664	XClient.exe	94
PID 3664 wrote to memory of 996	3664	XClient.exe	96
PID 3664 wrote to memory of 996	3664	XClient.exe	96
PID 3664 wrote to memory of 4060	3664	XClient.exe	98
PID 3664 wrote to memory of 4060	3664	XClient.exe	98
PID 1032 wrote to memory of 3980	1032	chrome.exe	103
PID 1032 wrote to memory of 3980	1032	chrome.exe	103
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 4968	1032	chrome.exe	106
PID 1032 wrote to memory of 384	1032	chrome.exe	107
PID 1032 wrote to memory of 384	1032	chrome.exe	107
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108
PID 1032 wrote to memory of 528	1032	chrome.exe	108

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  PID:5280
- C:\Windows\SYSTEM32\MsiExec.exe
  MsiExec.exe /X{E634F316-BEB6-4FB3-A612-F7102F576165}
  2⤵
  PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa9167cc40,0x7ffa9167cc4c,0x7ffa9167cc58
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1764,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5076,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5476,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5508,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5264,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5040,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5576 /prefetch:2
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4756,i,4327988904709676706,1302089708243103977,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5580

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3720

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
36614131e7d219481f6732e91c9f8eeb

SHA1
1019465753971aa2bfbc3fb0bb359d5cf7486070

SHA256
f7024fc4b0221b897a567d0cdd17096887adb04e42cb3747bb61bf7b602d2166

SHA512
2749cdc6fbfbbd3adcef2dd4dfd3f6094ceeeb74ee98abbe6e63a8b5c8f4ff91f8536acb53554203bbf81adf6225154f95b0a56779bf1f0107830d6866a543b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
9b9e5a7f6f7e1fc9c64b17b161b55d07

SHA1
ee8ea4755bc037c6f12386401800d5de4d7cd838

SHA256
183f03cecf7a507b053dbb5395093512c0125347d08d4df59781621c57d49ec6

SHA512
07e70484755bda0861fa7c857c053b08f2108a1a9e656de395656538f36a4f19daef61074f0625485f701b128c2754bc52681ddc1abcda50244cb57b4a2d3065

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
959b5baebc6c08177bb00a40d0a7bad6

SHA1
355886b12bf1bd88ad673f9e9347496ce45a6d5a

SHA256
e57f623c2bacbd59e1b5aa46f3ddaeead2676dce8bb878f6ab6c97d3ff5d46ae

SHA512
a5e200127a8253afad06cb69f41d36f6972376db56d6b341a6e7f5d43af29d73aad0c4f76a86f9ba5a5aca584fe871ae0b08680b8c7a927b149403a75ec78c46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
6bde2054fea61a044e3c5bb051f88d64

SHA1
19525315d50dd865a8dd4b5b8b9bbeec796f6975

SHA256
6aadb5b057d60f69725fcf6778d78b644b917d4bec2b18c5c12a374295a008c1

SHA512
d0e7035f9f8e4fac521fb303edf96fcd6ef8e58f6a0232d23755ab0d5814bddfdaf55e879bbcee5aac22ff01680fc174cebc2829ad019bf19e0fbe5903635de1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cadc4d6cee7512e13744ea8eba6c33cc

SHA1
60ad3921c77df0a766fecf475a510fa1aea80a32

SHA256
f248f4629e0db23563a743932a56a15366f13988e44dd7d4bfc9e417ffa9f7dd

SHA512
4c8de0b1659e96b3d6fbd2fdb510872e80c8a8c9ec3f75a4aea21e6221ba0868c879d7377e3e225638558a0c1712388f29549c53fc687e23de4c20bb2a05ffdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7ea7bb706d8892c3b79502831eb4575c

SHA1
8003255810149d6e33f086326a3ab0a4e21c7a56

SHA256
58d1a30fe17977e0c026b32dd7535e23cea0e7bd132c77bcba2c732f83982eb3

SHA512
3ff68b419c890e0e8afba57dad34288fc297628a4e9dd7472be27926291b5735d3644dc12924fe594e366fdaf0aaf5d133153bee9f531ea990ed5f724a076b51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9d2521146c3c318744365f953e2d6cb3

SHA1
f3045c37f1d49777bf6084dbf3d8f842b23df92e

SHA256
9c36c0aa1a97389fef1c1927facd1bc4a85d3822a7dcba7f520ee6ac73bd4f7b

SHA512
a33fca70188b9d389ce213fb75d788a11f97ac5ca005cee957afad8b8f90b750abf577ae21ba6a218d443d977b4b3fe9a9d18e1624e5149af8bfcbf5cc628abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95141b8d1b0084979a1a6dd420aff1a1

SHA1
e6bd07443de8cdadde8c2bc7aeabc8053830ae34

SHA256
32e2ff753e1b8ba17586eeee2c9f7d5b118d436d5dc113076b9e5364f695d6f4

SHA512
e6a09e99c3f75795055e261cada06c5fa82d8ecd60c7e593245f35a99591031859e105269da04c3b4d10e5eb39b468b3818875893ef778fcfdb27aa69059e84f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e074d2ecb7c3dca9734150c1e80fbecc

SHA1
8450f7a1d2029fa33118ebbfe935d45ec6d09d4f

SHA256
13321d02d686e78cc6431370f5736555e52ebbd83462fb6755a2ef8020e00530

SHA512
8232c5b5c5cabe65ad9a0d721fb024776af1418f58e44a0a7d73809e636de514ca49fe9a32c756bda7ae44ad72a965cf03e4c1e747ee097017745663cfa49476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
356ef563b78a242de37f55ca43c04ced

SHA1
f89de42b2395cfac6790921e9d445a819a661347

SHA256
0b0d4d1b5f9932abd19bedc224d42645df5af3b245e86d10e087908c4450ceb5

SHA512
c1d38c2a2128779c46722f8d47ab6b6b063b1820c9015871614b81cac495b5885bbc347c40daffd08742e652378960b03f6b04b0bac817a4794fb759dc941831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17704ff2f7c52959146ecd396af95f21

SHA1
f22b1ad876f3de0fff3216a3e8afb160adf6e33d

SHA256
0f4edd33e27bb5b3bc22e3ceb45c877414995797bdf0f8a8a72ac436737e40ba

SHA512
ea85b966e6d736819b89f8478a10efe863ddec0b39dd75a277e80e6dc6b77a91243ac0fd71f8ff85e5bef02776b2f3dcbf64ef2d5381a181ccf04f47e9af97ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25fe906efa1da302584950c7ce8e51dd

SHA1
0cf7984deff0b683ae09ff451f57feec5c8ea586

SHA256
6482309a154dfee40abf9a468cbc8d212e5936501c325751dee7a261c2b1a28d

SHA512
48055246546ef658d3c3296bb0a698a40d5793b7cc05c7593bd9a55597a67a104c6488da907799daeea876197657b3d7f43cda02124cad136efd31ee1c76f772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b1f2cbf6711146d7c80eb2adf5264391

SHA1
4c9a7d03b1f53bebf989456fdb2136c1723d5c8b

SHA256
683f511b356ce0669283125c8dce2e5c96732c6755472b91b2ee77d073190bcc

SHA512
74e940aa3de97440b2252a57313bca4e90caef26dfcedfcbe996ea4d25ba48253df861fc73aaa59d6206592ccc4ef00325c7f9b9ff369b8bcfc54cf0916b05e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a1c8336a6d213c13ac24e36beb1210f6

SHA1
7becb2e8695c867eabc2b84abb1f4465dd0a9a11

SHA256
6e88b0488f0651b150d271f83de8b6e8a296d7d7981a25a3fb69814dd98493de

SHA512
969c9d433f03743eb1dff8e90a5e6b5d7aa702606089ebdc3500da58a1b4ae407c739d206f4d2830174af8ba59b8b274384977379646473a4034d0deb0af3d82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
311b6daac542704ff47057e1f0e252f8

SHA1
c861915fdd4305e2eb9dcfc1692b70a62a8e3159

SHA256
5c5866bf09920af6c57c3527aa67b7b722c327ec8e498a2deeb2ff608b31f28e

SHA512
81de7b0fab4bfd201f05e16d332d895e08eb784fba7214940a44ddb90bf1c646704493ed6d60634b87bc80532820279d935f6a35e4bef0a424fdfb7232531d1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
10ce341fbdfabbf33f957af538c1502a

SHA1
e6a91a6a6c09655d1a59bdb36364862fc0b4d9e0

SHA256
ccaf6c18e82cc54860ea3fa720250a5e7e3669f1abe7f494ccdee3796e16f3f3

SHA512
b76836c7897c049e94a700961041a1f613d10e6b761c254a499c5e51013818efa5d20da3ef3c35a6c76b62c8614bc238b54bf0f0e344b84d95b1d50d382fba17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fc38026e3cee5436e39fad03a3b33c2b

SHA1
1d0b388b2b49094b5e2632c57f05822e69accb73

SHA256
013d6b99e79bb7b10d834fc26695128888b29ee073c002ac930d896ac694ccae

SHA512
ba6939c7a026af770b051a402d9ac18c4a0c1d92da64e0040b017792224f6627d5df511b01ec8325f8d9e3210b0848d1914ecc509610305ace54b26560a2b6a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff65c9cc5bf5db7eceb5432101f7dc1b

SHA1
094ae1760c244a986d3e26def8943f6fef389165

SHA256
7db47567a43c8ebaaf7862cc4fd1d8eb82f8776e807cc33cdc94000404d15b58

SHA512
81de8ecc01cc89795b4d7812a0ef725b85107bf030ceaee8b64b74dd426f1d0d277f3dbeca1079c471e7ab3e0361d7242b9e7c48456b1c8b469de6c38b539fb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9f4f1fb64c486072f64f719e4921173

SHA1
6cdbb050c053aedf03c8dfe23c98762f8690b132

SHA256
4b00a7f72f0078e0458097197ef3244f1a370f781183bd47048059cf5effdee0

SHA512
48d114e3bf95c7bd140da84574c891611b12b794486f3516fc484b93105da98936c60ac2dfabdbbb803224da2fbe73648d5ee548831ffc8b4c26f0eb88bf708e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e55853cb84ae431fa1ee2da6a7bfdcb

SHA1
d0df614024e603a04e0c7bbc77bbdf28f10d7898

SHA256
bdf427a73f97207c2ef26c72b8ccbed5f8ba660712b1df66b1ea16a32cbcce07

SHA512
a86d304202789165ff9d5e3de090bae536def6258bf8baadafbe2f7c10b575fed33d3da279a87b27249a6d8ad1f5e46af9d8906794d580c32da09b6b4b3e727e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
38416a084b092726d8eeecacd61d629a

SHA1
c09731fc94c1ded07e33986ddb9482de39635008

SHA256
395cd544a0341bab770f6ea7d3830b560d65446517ff9a9052bef5193bea9a0f

SHA512
d08eb5570184104c9457088b6481f138d6597360a2130ffbffb0b9eb17419ddfbeb2399bd37c01b3a7d17bc0b6143f8eefdd5351e97f48241de5d966381a73e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae01b13f1a7942f25bc6f8e5512e2f85

SHA1
bd5ecb562c4f55e9e413432c3401028b9a61a1e5

SHA256
fdd03cc6ebe2c309cfbda33bca3008d2c4077dcc596257535133c676e4275550

SHA512
60d2189f3d0dca9fd532878534443182785fdd5552b6274759a5829799d8d60c9651147bc5cbdd6cea776cc2e3e7035c7f96f6dab29f823c897425c6a61d3c2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f0e845d45e55130a9437200417231e41

SHA1
fa4a87442700058427c8fcb15b5aaf5c4256be01

SHA256
2ee86ec16dde3a4827aca76f0e50e19afe0ec7e2d70a1a431cfa4d5c10095774

SHA512
8a384d5ed17c92b793abb17bfecb715a579e91d4eb416bb19e1e7956444e7113496f561231b07335eb716862aae363805b66d6bc026ef1b19ed97b5ab57cc09a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7d3e51afe786c6009969e8c004dc2e32

SHA1
46546125330ef3fee4d29b1b507dd7b4a562cb52

SHA256
09964cbc7ef82d2a42f52fa98dad31adbec0948f0145e520ff6422b0d630b699

SHA512
d23e40da785eb748edb12123097ecd28b662cbddb3c90db402947ee5d81da456a123913906ab57a2fc77714b0c4e954e7f3ee30cced1160cc577d2dc860cd1cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f77a7adafe87d9052c1fc3a6044afd00

SHA1
6e9e266b4ab67b35e8f203416cfb4ca9e1846ceb

SHA256
6b8dfa387a45d5b36d627eeacc4bb08e084664f8df3c237bf357e1a4cef2ebec

SHA512
d9e51afe15d187be721f15e2fdd938970c51370fac28e651299f9b816e14bd4096224d5e7d621b6be2daa151ca0cc5849fddbe9abaa9ca3c28c2fc26620f93c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5e84f1978c69910c0227d919895f6f18

SHA1
7b09af37fa4e8262b8545a5764dee0a94458fd6f

SHA256
bbc8433f942f9db3e2120aa8d529889a2c29ed44aca12e1309ae930db7e83d87

SHA512
afa4ec716d6ce9389d104fd14b3634bfa8501ddece155bc1531fcfc382b8ea1a9415d86822f0c961cb5a8ffe25b2afd28e1c927c97c0d424ed0c0333f98de0af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e7e6c2ee4c9201ed60c75adabdfc2669

SHA1
d9e9e8cf69acb63948242932e05cf212d52a256f

SHA256
f98cb464980ae932bed8f2087133b7c911863b7c08852169ab8f116cfa122112

SHA512
6583375fd93a753239650c109597f9013f6c2cef39d245b0df2059fbce1f75e6a9ba730ba876afe73887b816d55342f927f42fc1a3c2a7c9e2ad10f5773a576c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
f62c1c9dbc1770ce743b99cab62ba4c1

SHA1
51fcb998a25941c25e85f2df3c447d39d0bca86c

SHA256
7501e1c2e62c5ae2cf2a730145ff0f49078e38b2b6f54873555bc2a123bb8cdf

SHA512
39b1e787c1b9030cde4e7946f32a6aea9570f7ceba8f866128843ca2c1cfde1c014f960a0def1713b441a67cc73f353724533920578f14e36cb22aa0e66e7cb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
f95fba0d4005829c3fe73093cc0303ee

SHA1
874c210d4bc509169dd7823c38cbcd776d31723c

SHA256
5693b175b860f989dadd26430077476982d0169367a67e7fbc842cf946716371

SHA512
fa2048a2866f964e9f044b9c6bc59d3b7d8b40fb616b5a6ec0fe8280705f55529a37470f2bc96c57372d22ea08b8437ef9d2eb7ef63f0fc9370e14344fa5fd14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
1d239753785067a61eb3b8784ffc1093

SHA1
c75c82b49db520c152ed52c435179ce4baaade04

SHA256
7188fcb97f76f1bcb56015bdfde52bc135f2b5cf3e3c2bdec87e99abf11c63a4

SHA512
96c320209d4b58bc31506d18d34c883262df4c23d04a03bd2f9deabb410b6a02911de85987a200fd774009019b4ee61d82b6fc37010d7927cff9cb14a46e1e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
71f0e090d65b6fefff8889d5819e2b41

SHA1
88c8d0b5e28cce1741072a55d2ef8263733fde63

SHA256
4a06b1ccf7ebbdd4e83a7df9d851fd42bccf25ed2c54a43039cd4d797ad7cd1d

SHA512
62357a39111a6f41f694f23ea12f69ba62ec3cf865680527a5631cb3a3bc7ba19ce7ad1a493af5001fe44bb7a2bfa5b7feaa5d9b5882ed3c33b5dcf93572d3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133859276308055903.txt

Filesize
75KB

MD5
ee6edb4c0f54612c6a53547846bba540

SHA1
8b5e44b26b2cbb2529591118d57ad10b302238ab

SHA256
b932714fd9bca2692aae6037dd964581ad1b602b6abd98a5f43ee020f29fc93f

SHA512
4f1894fd01b250ac803012d4bf0fd85bd47e0a4f4a5923690963f5463e2c11a13a1b31ac088b49fdcb8fd8e32dc01f3ff743999612a1d4f97ad7c8d1ffe3c4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwssq1b3.z5q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1032_1342661098\740e33e9-d71c-4aa4-bbe6-b16fd8f33da1.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1032_1342661098\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp919C.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/1912-838-0x0000024DAD740000-0x0000024DAD840000-memory.dmp

Filesize
1024KB

Download
memory/1912-854-0x0000024DAE730000-0x0000024DAE750000-memory.dmp

Filesize
128KB

Download
memory/1912-839-0x0000024DAD740000-0x0000024DAD840000-memory.dmp

Filesize
1024KB

Download
memory/1912-866-0x0000024DAEB40000-0x0000024DAEB60000-memory.dmp

Filesize
128KB

Download
memory/1912-843-0x0000024DAE770000-0x0000024DAE790000-memory.dmp

Filesize
128KB

Download
memory/2552-17-0x00007FFA97880000-0x00007FFA98341000-memory.dmp

Filesize
10.8MB

Download
memory/2552-11-0x000001DD9C9E0000-0x000001DD9CA02000-memory.dmp

Filesize
136KB

Download
memory/2552-12-0x00007FFA97880000-0x00007FFA98341000-memory.dmp

Filesize
10.8MB

Download
memory/2552-13-0x00007FFA97880000-0x00007FFA98341000-memory.dmp

Filesize
10.8MB

Download
memory/2552-14-0x00007FFA97880000-0x00007FFA98341000-memory.dmp

Filesize
10.8MB

Download
memory/3284-837-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/3664-667-0x00000000012C0000-0x00000000012CA000-memory.dmp

Filesize
40KB

Download
memory/3664-0-0x00007FFA97883000-0x00007FFA97885000-memory.dmp

Filesize
8KB

Download
memory/3664-57-0x00007FFA97883000-0x00007FFA97885000-memory.dmp

Filesize
8KB

Download
memory/3664-697-0x000000001F270000-0x000000001F798000-memory.dmp

Filesize
5.2MB

Download
memory/3664-696-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

Filesize
48KB

Download
memory/3664-827-0x000000001BDE0000-0x000000001BDEE000-memory.dmp

Filesize
56KB

Download
memory/3664-695-0x000000001BDA0000-0x000000001BDAA000-memory.dmp

Filesize
40KB

Download
memory/3664-56-0x00007FFA97880000-0x00007FFA98341000-memory.dmp

Filesize
10.8MB

Download
memory/3664-591-0x0000000001230000-0x000000000123C000-memory.dmp

Filesize
48KB

Download
memory/3664-491-0x00007FFA97880000-0x00007FFA98341000-memory.dmp

Filesize
10.8MB

Download
memory/3664-512-0x0000000002B70000-0x0000000002B7C000-memory.dmp

Filesize
48KB

Download
memory/3664-553-0x00000000011E0000-0x000000000121A000-memory.dmp

Filesize
232KB

Download
memory/3664-639-0x00000000012A0000-0x00000000012AA000-memory.dmp

Filesize
40KB

Download
memory/3664-638-0x0000000001240000-0x000000000124A000-memory.dmp

Filesize
40KB

Download
memory/3664-1-0x00000000009D0000-0x00000000009E8000-memory.dmp

Filesize
96KB

Download