Analysis
max time kernel: 603s
max time network: 737s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-07-2024 16:16
Static task
static1
Behavioral task
behavioral1
Sample
python-3.10.2-amd64.exe
Resource
win10v2004-20240704-en
General
Target: python-3.10.2-amd64.exe
Size: 26.9MB
MD5: 2b4fd1ed6e736f0e65572da64c17e020
SHA1: 61cc3b53fe61260e1651320e67c7d64b5088ad31
SHA256: 42b181e9b5f424472212742a187260d4edc73b7683ae83460c974508130e08ad
SHA512: 670e830197cdf38d933b1b8d9a33c241c829947227e7b1357f7a5713c51cdd4b95012b4fbbfe1ca8db1fbef0d86db3a469dad0e73b56ffaf99674336f478446c
SSDEEP: 786432:IooshtMGBns3zIjuid7tTgjh7W3WktiMakFa:HoIMGBnsDIy0tTd37iB
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5602729079:AAHue5HGrezQGgwKeWyn3WQgaqOZM5nlF_c/sendMessage?chat_id=6067717150
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4756-201-0x0000000000FB0000-0x0000000000FFA000-memory.dmp family_stormkitty -
.NET Reactor protector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule behavioral1/memory/1156-366-0x0000025FE87D0000-0x0000025FE8EFA000-memory.dmp net_reactor -
Drops desktop.ini file(s) 21 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
Processes:
flow ioc 274 pastebin.com 286 pastebin.com 46 mediafire.com 47 mediafire.com 253 pastebin.com 269 pastebin.com 288 pastebin.com 45 mediafire.com 254 pastebin.com 260 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 243 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 24 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Executes dropped EXE 1 IoCs
Processes:
python-3.10.2-amd64.exepid process 3940 python-3.10.2-amd64.exe -
Loads dropped DLL 1 IoCs
Processes:
python-3.10.2-amd64.exepid process 3940 python-3.10.2-amd64.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Builder.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Builder.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Builder.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Builder.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4756 | Builder.exe
Token: SeDebugPrivilege | 4076 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4076 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4076 | taskmgr.exe
Token: SeDebugPrivilege | 2552 | Builder.exe
Token: SeDebugPrivilege | 2888 | Builder.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4864ab58,0x7fff4864ab68,0x7fff4864ab781⤵
-
C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe"C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe"C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe" -burn.filehandle.attached=596 -burn.filehandle.self=5482⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:21⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=1640 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4956 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:21⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3888,i,6959856223548986108,4217696995639198458,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=5240 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=2372 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4468 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4784 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5256 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5604 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5760 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=4412 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
- Event Triggered Execution: Netsh Helper DLL
-
3⤵ C:\Windows\SysWOW64\findstr.exe
findstr All
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
- Suspicious use of WriteProcessMemory
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
- Event Triggered Execution: Netsh Helper DLL
-
1⤵ C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe
"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"
-
1⤵ C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Fixer.bat" "
- Suspicious use of WriteProcessMemory
-
2⤵ C:\Windows\system32\lodctr.exe
lodctr /r
- Drops file in System32 directory
-
1⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Fixer.bat"
- Suspicious use of WriteProcessMemory
-
2⤵ C:\Windows\system32\lodctr.exe
lodctr /r
- Drops file in System32 directory
-
1⤵ C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
- Suspicious use of WriteProcessMemory
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
- Event Triggered Execution: Netsh Helper DLL
-
3⤵ C:\Windows\SysWOW64\findstr.exe
findstr All
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
-
1⤵ C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe
"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"
-
1⤵ C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
-
1⤵ C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x49c
-
1⤵ C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
-
3⤵ C:\Windows\SysWOW64\findstr.exe
findstr All
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
-
1⤵ C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
-
3⤵ C:\Windows\SysWOW64\findstr.exe
findstr All
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
-
1⤵ C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
-
3⤵ C:\Windows\SysWOW64\findstr.exe
findstr All
-
2⤵ C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
-
3⤵ C:\Windows\SysWOW64\chcp.com
chcp 65001
-
3⤵ C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
84B
MD5c0e370d5a76db036203a0f30ecd743b2
SHA13d69ed806946920b90b81145aece57b5aa592407
SHA256e9f88dabcf6db4725d4233643fc6fc16f598341b5e95cba09791fb215530666e
SHA51294eaa163a9bd5d067f4982a50cd42946bcdbc84e1d0c4ebf988d5f8a5ef63e7acdeeea4cbc2621eeb7b72411a1f8542a1517848cd4ec9fdb25586aa039cc984b
-
C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
155B
MD5aa77db19364858bab00ce95516ccd21f
SHA1f1e10377ab570b2cdcf69b4869341e8f7ca1f447
SHA256ee8f76385501c07860a31e22ef66da9ee7f9d09ecf4e88d94d192deb6d992ff1
SHA512f65c718b0a3c3527ced9add3adb4da656e18ab0ff8dccf73ac7271f062d4f735e2249d40bf8ef913b82db2d156293abc91039974b8268c3fb0c8d29671387846
-
C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
239B
MD5d137fb9768c5ab5f6f75e13fc1855518
SHA1251ef0da55cfd8fe031a1b6320183b8b5ee710e5
SHA25689f8cd2d041dea1f375f0c3f8340f1a7ef3229e50076f93f22f115c7b21129ef
SHA512c4bd8c6f03890eb132459db1c15e0a06025857e5cbfe3a7f2583ee893047f47d653743a19a4eeaf1cbe5a7fa6f0dc6c059702637d5bbe77e3853b3b0ef23b09c
-
C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
4KB
MD587ca6ac958a4fe2a79d6921bbd84e0af
SHA17ef6c95f8303b4d1e9670a321707ed6fe048aa67
SHA2567bd3efca77acd0a79578b5b9c0fd470ef0d324c3723fc1161ba6b2cbad353b2a
SHA5120858a02ce0eae87d639e2c98a2e6d1a9937a39de786f94503c27a23c7a34828c7b19b2da601910015e33fcacb6ddd74a3c47aea876b1a3c4f2503a9ee7acf829
-
C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Windows.txtFilesize
169B
MD505a814e2f721d1ca12ad0a4280719f91
SHA189c8f2bf6a20fb7b455a4b946bac024067b24041
SHA25672538c39d4c1f891d0bd5c200e2436e32713c8c81a4452f0e32c3bf832d89c61
SHA512018735405170e0f6dfada7cd30b47a7720a1665d889a33c6ece9d245c7d6138d486a1fbab14cc29605f977e36b7799591bdf5d03bd5d0055c3b356718064757f
-
C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Google\History.txtFilesize
948B
MD5744bc9144cc6aaa911d4f90c5b6fefae
SHA18dc7763f83f49320179bc40f2545902150f99ff5
SHA25663b26c4916a7db34254486ddd6f033ba4fc404fe5c98434972973c76cd674bcc
SHA51214ad3303ccadb84d5f42bfd3cce3bea9ccbc48be95111f8428821de0aabce0e31d79d53ba7f9560039a007560347c392b4f5c7ddedfefe2d76b16e52d305fbb4
-
C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Google\History.txtFilesize
2KB
MD582b00ffbf76c94fad25c2eb129dccae7
SHA1c042bd8f96b623b41fbd0a4630db4af4d23ba712
SHA25694f53107a862bb02594be7e286cd3618b00e2f41329c9b0278247e257bf77448
SHA5121a9c0c4d34bb995c7ab7771f07506e364b47b2653b66a2ff3d1f3e0265f6674accf4095759af79a851e93f50ba45280b56e6ebe36199953a0ce150787df2a4fa
-
C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
4KB
MD59581e464fed860ad7cb109760b93dcd1
SHA18fbd542df219d7f60a6ad86ba4d765fd4b3d2784
SHA2569263ad05905ea838e5e98658d6ac16cd09d7677479e4f5b1452828b4c4bb7709
SHA512d396f01bd439a7a9407551f3c053e084e77cecd55e5b1902446d5a90543ac6624ff1654bf5193f274410bd90ef26e9ae300ec92fab27c3d856ab9e512b15da6a
-
C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
415B
MD57ed5a8ca1ca30f47dc7de170ca7e89d9
SHA1ad3500ea5511fc60c2040530fbe5519b26e73754
SHA256e5a76d9e78053458a975b40295d0ffca17f5d75f1ec2aa2f105a0334aced5a1e
SHA5128b93ba57f92b719c24f999fe499c09b21ad5586747b79d05f8d4e8ca430885377cd3e0e7484815385a586959789910419c0ce25bcdfd7e0b9bd1675174d7b3db
-
C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
4KB
MD5f2fc47f4732c8b8eb0c1e0fff0ba6435
SHA1aeba563840c6aee404dc665f6ed569e61912f69e
SHA256bb09417f41b08627feeebb1051b420e08abdab7bbaa3bac55992bbeb57073311
SHA51204c01875225a374fb9ef3b9a1c2007e170cd9a59590a8b43320767399aefcb7bdc172082b73cbc54358d0c036b0e53e9053f5495a035dc7a2af7b47fc78c7208
-
C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Windows.txtFilesize
292B
MD5c18da227c6da8ae3f0d046ae30cfe0f3
SHA1ac96d9a4060cbf343c452c614329f055f8bdccae
SHA256f11d345fe7370897c4c0e6861c3b4f680e6b3dbaf6739e2681a96003dd4bea5b
SHA512b1aded7558cb62ed845bc33e5fa95dc43e317682261406a590d15d5a0de296eae0eb8de4836267751342c835fec6813249e50c7de2ffc7e6eb29dfeb3f0f06c0
-
C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Windows.txtFilesize
377B
MD5cba48aae7f8ed072c82186c8d5b434f6
SHA1990359fea82241550f330f1360795cd8dc381a96
SHA2564428a3a1c30f21dad58c46271d82fc45e6836fe52cd89acce753224117dba6b5
SHA512c69351230d4c8503ecc5aaf263802acaa66f2b5a249e66da22c6284dca67968deb73961c5c40e8b300fb05275aa0fa4cd81e9b4d9f606c5d69554d6fcefc9af4
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Browsers\Google\Downloads.txtFilesize
59B
MD57a01df9067b43643c7d7878b617fb861
SHA17a8f3cf11b726b8ff38e8b8a05293f503fbb1bb8
SHA25658da8432380d3420659e3623b85315dfc56442f3f2714318279e4044741515cd
SHA5125cf36c4194d8eb2a4786c56a7b5497c930e3123163a95d5ddeb0221c30f705102f21c602eeec1a49be728bdb5284887c53fdfe63a973f1f46b6cbe13e8a6e67c
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Desktop.txtFilesize
1KB
MD505ab0a474942eb2b64d5637768e43477
SHA1cc50326c277d10bbf3242e07ba3f0689c0a0eead
SHA256f941c8e261fd3b56f5ec955fcdbe9d3b0244e639dc31d4b0b6212562da4044eb
SHA5127d512f0e193804298510240e6650f7fd332d8011f39852641e4ff16c27c4eddb754ef7d0e8aaaa7a9ed3d089dffac5ee95e19cd0a30c0ae49e07304267f7100e
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Documents.txtFilesize
502B
MD5f4cf79c19d4de392d1b67e5acc967a96
SHA153dcf173e601b449b059379f14d434e6353759f5
SHA256d8e2a3d78770ae4f3d27e6b19491650c871710a371e7972f92bb3dd13849735d
SHA51207307c0e295d94942d5761fd8e80c41f3a812e824c6af2f48c0ec9a55b428f41212a1cc7cc9e6a4a915019e46f4913520b891743a17f03262257ce41845128fe
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Downloads.txtFilesize
721B
MD5d27923a08080758c11271c5d464fc1f8
SHA14446847164cb2ff8062084855b39773b4563d8f7
SHA2563eb198b511919296273c5b85bb3fc0861437d4100fa966836a5d8c07593996ee
SHA512cdc8d422f8d61c10e8e9b66561ad4d2127b81d41ea327679ad641416ae6fe88a29ca082ddc0d1cad331b060125f85644ebf533f304df615b282eeb845199f504
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\OneDrive.txtFilesize
25B
MD5966247eb3ee749e21597d73c4176bd52
SHA11e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA2568ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Pictures.txtFilesize
820B
MD5dd5c7754794863fb0bb811d51d30c056
SHA1b504b915558911f1d0bd87db2f929b313fc7deb8
SHA2560798eba38430df53c2d8c747a29a39f0c996e9e5bef4252242f0e7d018676acc
SHA512c7b3d546e69d8cb9f0fd57c0d4830a57ffd17af9bc0b9263f65af0840951b9ee76f3afb458d8717978b17fb951020ff3ac6cf4ca647715aa6442222bff0b502e
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Startup.txtFilesize
24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Temp.txtFilesize
6KB
MD5bb88062cd0043b12b403dcb2edf708e5
SHA16a73b00c30514c285070c4d05025bb682910fc70
SHA256da17aea7a3fed2b442218c129bbbdd25c08f9442532bf2678b71470b8c994f23
SHA512e2cdee9fb906687da179195518ab6917bf5ac91bccd08e55a4cb868c6be8e1d2500ae192218612f1406bd4be20f16da77221d3dae178c4e1f292b5fa379f63f2
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Videos.txtFilesize
23B
MD51fddbf1169b6c75898b86e7e24bc7c1f
SHA1d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA51220bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Readme.txtFilesize
235B
MD585122ad50370f9a829b6602384b1b644
SHA16d0dc94e7fe82650422a17368314da0da58af6b5
SHA256444cbc7b57b4a6198ee1474fd9623e1afcb8c7a0b180f05e961a822f4365499b
SHA512a3ccd49bc0424534ba3b5ee558709022dd31d257ca48fd2eb8d7305ec098dc9275e016da332d293b7cdbdc5e91b82c7602c15abc52c0c0c4f3c81d4126b4afd6
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.iniFilesize
282B
MD59e36cc3537ee9ee1e3b10fa4e761045b
SHA17726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA2564b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA5125f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.iniFilesize
402B
MD5ecf88f261853fe08d58e2e903220da14
SHA1f72807a9e081906654ae196605e681d5938a2e6c
SHA256cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA51282c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.iniFilesize
282B
MD53a37312509712d4e12d27240137ff377
SHA130ced927e23b584725cf16351394175a6d2a9577
SHA256b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.iniFilesize
190B
MD5d48fce44e0f298e5db52fd5894502727
SHA1fce1e65756138a3ca4eaaf8f7642867205b44897
SHA256231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8
SHA512a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.iniFilesize
190B
MD587a524a2f34307c674dba10708585a5e
SHA1e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201
SHA256d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9
SHA5127cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.iniFilesize
504B
MD529eae335b77f438e05594d86a6ca22ff
SHA1d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA25688856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA5125d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
4KB
MD5475460b147a0fd49e1537e9a11b12e8d
SHA18f28bed0c78351e3a50437db500a6db682010bb2
SHA25693b9f9a65401489e5a3f79f12ef0a81f64715684973e41ad6bdb70662a6ae468
SHA51265a8b516af67030b431d76f43162db3fe1ad448f837c1747efc4491160cc7be7e6d0d76d347222c057169327980618b0ee59910afa98e8b00bdf13d7cc701159
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
6KB
MD584365d59cd1e9a334fb0c56265c78426
SHA16f88bd9d7fc4fabc1a7906b47b6a882b097202a5
SHA2567bd5b1bdc735dd463a749cb97cd1c98a3316af9d2c6cb32ead02845646725632
SHA512b19b68f19f4e8145269426cb782cc5eda0d0f06fe4795e8f2f188c5ff73acab25117743aa08e08323cbb4b45e6d49485acb7d6fa93f6cc0482d14f536ebbe5ec
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
1KB
MD533b30b43675f68f4fd92b2045919cd82
SHA174f54a90dbbaf1d9c8c912233e084b38cf6a8ee5
SHA2566c4044456d35aff958293510f1ff3332f3628589f1fd6e8d84cd1c3219e0a588
SHA512ac9df2af40b7096285234592d28586793657793f9662b44e663e1aa74be0eb42cb3a7e5f1a23cba4f563ca366dbc51301c776d8523255a1e98ceaea8d070a494
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
1KB
MD555252741a8a214c6bf2d08b7d85de557
SHA14ffbc2a970ee21e825da0e06df9fda68c4aa51cc
SHA256099c2e7538d9322302c23de448ba913a25f5fab6077fa6085f602396a74a0a92
SHA51255078508204f9853fddfbffe199a93b2b74cdba6c2d4a9a2754dd294d8eb46767f2c1e3125c30d38c75c75c4148f40bbad127b82a07ffe09a392e1513da33608
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\ProductKey.txtFilesize
29B
MD571eb5479298c7afc6d126fa04d2a9bde
SHA1a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA5127c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\ScanningNetworks.txtFilesize
84B
MD558cd2334cfc77db470202487d5034610
SHA161fa242465f53c9e64b3752fe76b2adcceb1f237
SHA25659b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d
SHA512c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e
-
C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\WorldWind.jpgFilesize
99KB
MD56c43207fbca593e00f427a406f2926c2
SHA114af48b220d3ec9fd0f6823585f0802e35a77faf
SHA256a591dc1bfed6acc477a091fa3759b8e8a24f268290eeb8337897ea24b76a3e3e
SHA5120efb4e1fd25381007291351a57c0cb10d667bdc3694174821fdc72d1a17cae7d75107aada078d3f6dc74323dd017fa984780ba2ac839a4eed1e349b350e561c1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
7KB
MD5ce7855ec83b35ea8e93a9e0e89139b12
SHA1c40051fd6085dea0f31785b83c268a195536563a
SHA25619009caf9ea9f4536e98ba9b999f109fc66966931e0b9ef458b227ed52ecc029
SHA512a4d71258c512b33d4b5b57eb5fa7e757b8ebef3d531317590d2d2c1b57d80601fea8df5dcbbcb42e1b7af53374ca672192ecd99f60b238cdd66102bfa4679b77
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
5KB
MD50d108c2b7cc36285696c1ddeaee45a1d
SHA12c9fd8b4ad6814b936c45e0afeb3b7cae7cd8f78
SHA2563cfc3fea82faeede5f5a996fb062236c09bd895637ede241f644450ddabb2e9a
SHA5128ac2d5578d0014930f0c490b2cdf21eb84aff372b367df593e297d20ae2b01075a2d2ef52e116d5f60a8cdd75ae70fd9c0b9942ebb786b8a5783b4fe813f910f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
5KB
MD502e21fb4e04280b9cefc7b9e7d7d8148
SHA186a906dc81b81f61af4f0bce6e47da54a8f73a19
SHA25695bd0bc5b21850c11425005b61227e6164b51227a1eac718426353a2e8fa8461
SHA5128f9caf89023277e7237e40abc8a4d39d20b3671a736d6fe4abe38882601dfca08e5f66a1c8d33c1c5172134b9b853ac15bd4426a50351da50b297a695aeab9c6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
6KB
MD5f4ca16be06a9b6a053209a29e79f80a4
SHA1d650a55542c0f55b05cc006a864663201fe6c5f8
SHA256cba1be74704d1f2fcd8baf89e0a79987ed04544296dedf77a9a088513226c8ad
SHA512179635e844560bd1f4b65ba15826ceffd94b44260ae7cec91a5b786eb0e2a30fc5252ce5b5ad3eff745046fe50ac4f6dbbb5029606b9480b05238d80610f120a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD59dfc9fa5b4c44e40bad7efe7a2ca655d
SHA1193241e6f2595f6902a8fe894bc8cb57f24e1153
SHA256582ec25d99eece83d9aed343e574eef07f77da9df377127d1c9f55189907ee64
SHA512a73a199352733ec5b41c12e6a893f173aeed06445418759d093330e382a961007c0364067c19b450c06420ebcbc877959366bbbeef95d4a9e57f7a7e0064f32a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD58c4dcdb2c74915c9cc318d38b4fcf6c0
SHA1f86e146a80b9d0f610e49e6f4c6cc36027466472
SHA256f1717b7fb2b9a12f6901951203d047e21dd98ae296072c0ec8f64f3fcfd83312
SHA512693e450760281fa505f4e4e0aa9751788ac4d2a588f98be0167663292a676c94dcfe7559b7ce1578819d1ef8bf12e0e65fac6335fc32225a96f0aa2d368ce835
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5aca8a05c575d7e6157d6c85d4483841a
SHA1b8f4ff5aa63fa2f398259999572d6c36c4fd04e4
SHA256ffde43df93a16641ae92bd683100ab095a6a3e99efbc3d8d3c23a4f00fc784c3
SHA512fab3e09db0aaffb5077dc0a4916069c116c71232a018d71ac032558fb8271efe16a00789f8a13aeaa0f3230d354f61b6c1948c5b73da666d41dc1b644b2cb7a2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5ef4e6c63a8de24979e75813899b10eb2
SHA1680efa0ac76d9a3c24823c535584af73cdf97676
SHA2567a4f4603cb188fda8dd622a4e6fe033a1abc6e835fc7e1083309d002109b59c3
SHA5123f5d7f46a962c721dfdffb558f1de3867f40e9a93eb83e72e811b104f6a000e827689f7edceed630f10665d9d20b02576707f230fa4393bac435c49ae41c448d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5747e1a56aa1271ac30c43c4bad29100f
SHA140f9fcdf35a84c0bcf0f977399ddeebcf83e73d7
SHA256c2eb39c046231da847c7c197a2b05b602655fd2c95120aae1c20fc040c3496d4
SHA51253e7ed484894a95bf2e7566750c056139b8be767617382e284b8c57ee07968857226b9f102b1ff03ad920f24b5f9163e0fe146fbd5ca14c9a6fd2e39c4de6e03
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
354B
MD5c04e12e777c07f63826803fe53e00125
SHA1fa0e803a20ae73f0502663770baa32776a0ba91d
SHA2568e5533c5da609db4a5ad375499e25819420ec8a0c7fe52676dbd42cb0b440414
SHA5122b740f655b949ad8f498b25cdc21230d756f6c7edc20046791664e9d509b22c34721d1e5b2aba91b1afb0480fcf6e39ce0079ee1286c633a9c202970e9829971
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V3.0.exe.logFilesize
1KB
MD5a9141ed1837f780cf691c7ce790db9c5
SHA186d5a6683a0031226f8477cb2d60edf65325f1ec
SHA256cf428d3c771587984baaea34a2f01139009f4493431db844f2114daff8f958f0
SHA512c573c632ab243eb226a878e67c03b328f341ccd8c8696c0f0b6ef7bf6cbc1ae72a1444fa4ac831547590b9420092b4a43528bcffc5ddeeaca071cdb951fa4bd3
-
C:\Users\Admin\AppData\Local\Temp\places.rawFilesize
5.0MB
MD546ca5e06e3f5fb88dc47ea8b952f3d27
SHA1ba8eadadca2c34c115b667781ec0cfc928819adc
SHA2569ae16bb881de7ad516bb3e3c608ed5faf53fa942f950219bcdb7c05298c0e2fc
SHA512661eda3f781c44d86c84d28f4809f8cc805bf9506a761fa7b6d1bc03ed269835f7acdce40851331a2d680425f9f07aa67213d09cd1f86fd7ccb05df91d3b42b7
-
C:\Users\Admin\AppData\Local\Temp\tmp63FA.tmp.datFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmp643E.tmp.datFilesize
56KB
MD57872fbf0a1bb518682babda3d8dc7b4e
SHA19714d4f9f7e7c3b9a99f656b88b3a10cbd9c65e4
SHA256a821fa964b5c5273f0e4696e98815f07113c85436cc468f41f39722e7d2767c2
SHA512f91bb32e1675f822af53ebc91dc5764625b13bc2e365dcf795e1132525857e5d43a18b2f53b4bb70722aef7a0eafd5b3e4d1805f8567d325d34ae41c281832c0
-
C:\Users\Admin\AppData\Local\Temp\tmp643F.tmp.datFilesize
192KB
MD5827e1cf88899907badcfa03032cac087
SHA16e73bf6559ad16e86f77aa802ea119eae25c5a28
SHA2568e9adaa5e4db956c5d3e7f351895d077ec0c970e53df4648817940c2c8e09167
SHA512b4c9f6c134db44e9d71371ab7a9f9633448aea603b5f446d00a06bd6d04642b3f0d0ce670e06d34dd78bf046d9a247d63719cccbd54f76b2be647ba556aaf4bb
-
C:\Users\Admin\AppData\Local\Temp\tmp647F.tmp.datFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\tmpC77A.tmp.datFilesize
100KB
MD5a146b07d36c77deb545345f9fe3ddd75
SHA1a0c87bf2dbe1dccdcbd2f68f2c366d273d247192
SHA256f28113548245d5faa6e48dcbd57e80a29081d017b95808697347619b89d42c9b
SHA5125cad32cef6e57d99c0e4508ae7f727055b0350a54578b65e1cf7f2fac319c07e32bb931740b4466d343be3c1178cf796067f467a2ccb56d7a60473258ff078cb
-
C:\Users\Admin\AppData\Local\Temp\tmpC7AB.tmp.datFilesize
152KB
MD5280d0d576cc8302dc483695ab2a76ef7
SHA17641333ca134b8f507046a4b92674ef48d20e4ee
SHA25615e1b6bd397772024d3bc44b6772c0780639d23ff582027e0738e1dee0e0fb14
SHA512ff8c21b7da132100b6501882f66a5b052742ae9f2b88eb2b1e8a4f09267dd64b963a1b88eb5737b3c173b0a7a83431719839a6c00c8a2aff59a0ec872be3d45f
-
C:\Users\Admin\AppData\Local\Temp\tmpC8A8.tmp.datFilesize
232KB
MD573d744a8e8033f343403358e3cad07b5
SHA1424a3f29d1794f1eda595758b0c4e01cd25d2c9b
SHA2565cf92bb56d79629edc3fe42f1e880b596e47a9ff2450e1d134dccdde8cb93731
SHA51280c6c3fea713a7797772c725d1cf464870bb4aed23b8904cdfa39f8c022882c72be0a9adc5439f7b71bd43311cd6dc1f9e19b032bac26fe40b44e3d4f3b573b4
-
C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\System\Process.txtFilesize
4KB
MD52f13984ae57642e6b09fd87e8633b8e4
SHA139dfa367a4d48aaa804be1ba8779b83da8286ab7
SHA256f92bb78ee7ed227d1d03e7bc602156dd145396693b12cca861785d5cb36dbac2
SHA5124b07e8b8d4f8b101a1f2cdf30f88e3104c2e7790bb2a9c2f4ef4b521393572b68c0435b3454adce6e5d81f617efce4730a18e5a7b40ba80df289f156a18f1d06
-
C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\msgid.datFilesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Windows\System32\perfc007.datFilesize
49KB
MD53fe48fb25091a9d13b94f8b81c1be040
SHA121f5adcd4f852b3e3a84ae7788ede8f2f26a6515
SHA256d5d9ec6461c30880496d1ee5a8d770d59ced59d1b28e015d08d44832ced60591
SHA512e02f495ee34dd013bba39a1c4a8bf22db122d54fcda84a8aa8557462a2f13a058f05d0eb13a817ba45b5527f830492e5a00365b5eb4122ed6b8f28a9ffd2d308
-
C:\Windows\System32\perfc00A.datFilesize
51KB
MD570c7ba068b82106810720fdec5406762
SHA1744c05ee14ea69e9706a07967b4ca1597298729d
SHA256f3fccee564956fd81a1bba3477a18b04197bccf5efa057713c92a77b266c7b33
SHA51214bb6e89946abcc10f640e2d553623b319c829e31ff872be0976c3d0419bc8ac656e4774333d4040df9507f064e9f92347677f4b20c66317fffaabed5bb1c4b4
-
C:\Windows\System32\perfc00C.datFilesize
47KB
MD50cfd5298e63f44351ebca47f6a491fbe
SHA1b86c08b13f0e60f664be64cb4077f915f9fc1138
SHA256562261cc16c6e5e2e3841a1ba79083293baa40330fb5d4f7f62c3553df26ccb3
SHA512549e5c28598ac2a6b11936aa90f641dfa794c04dd642309d08ef90a683d995d8f2d3a69ee2ecd74adae5beb19e9de055e71670922d738bd985657ffe75ebe235
-
C:\Windows\System32\perfc010.datFilesize
46KB
MD59c127d90b405f6e4e98e60bb83285a93
SHA1358b36827fb8dbfd9f268d7278961ae3309baaa1
SHA256878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578
SHA512bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73
-
C:\Windows\System32\perfc011.datFilesize
32KB
MD550681b748a019d0096b5df4ebe1eab74
SHA10fa741b445f16f05a1984813c7b07cc66097e180
SHA25633295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a
SHA512568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e
-
C:\Windows\System32\perfh007.datFilesize
322KB
MD58e549f070ac8bb646d0c34569ad6d880
SHA12a9bd2f7378ef5e85831cf590d9d735e9645f49e
SHA256b08ebaa7d8ba93702ba84a59f41c0faed94273203d353c4f3cad31530d1b3751
SHA51210c3a012dc64fdcb5bb0d8fe03aa771b936e78092de33e029658ad18e8c4771cddb84e6057b79bf8e6e90a8f3972f4bb1cad16f3cc96c13527289f3477f5fbd5
-
C:\Windows\System32\perfh009.datFilesize
312KB
MD5367662b55faba4e0728f3c296daa92a7
SHA11775899bd0f1bb5cf945910db18aa3a9d4d15b7a
SHA256c2ea1af1c970468f522e354c8e47b121b66a0d0428a8400f4a5cb03216368ce1
SHA512283e9cf2bf6fe904b530bd188347641c1d30b27c95d89552e18aa33be1c7e2840f10a09868a2862ee53bb805cef2cdbb31b8db391ca140b5dda27058dcad11ce
-
C:\Windows\System32\perfh00A.datFilesize
362KB
MD5893d78f82b3994cf86b3c8c80cd7ad6a
SHA1a68cfd50ebc35eee62c84f0fd74d20d1e0bb1476
SHA256411b7581b0af88caa8c75409dc83ac8b521ba4d987d9347402438be16d31097c
SHA5127f7cc32aca4f023f34e4ab7a51fbd0ca0b0ea51fde6d79b9a4322bee9b4d55800a981b2d97007ceadfa609767b7d84e9eebd8b3e92f9cb68855625a25767f42b
-
C:\Windows\System32\perfh00C.datFilesize
365KB
MD5d5972cca5d434d4ca1742fe0a5ddd5d4
SHA1a3cdc3ad50ff9ba19722f2e2cb76f95b60bd92b2
SHA256f85cfffd1414d3e975f430a1e2f2a3b473ee8995a961dfb103fe18d5bf06e321
SHA5122ce34cf9b868fda0852e6b0d805171fcfda00c0c6cf044bf8831e6fa2aef4933ae00a8eaf757c09d67c30ae7ab58136959351f7d04d8ba6921f51fc87378565c
-
C:\Windows\System32\perfh010.datFilesize
356KB
MD54e277d7a9304103e3b68291044c7db6b
SHA1b23864c76259c674ac2bc0210dab181bfc04dedf
SHA2565dc2192236274fda886a0c0f396646f9292000ba33bd0e2061a65bc06639be16
SHA512094477571cb17d7b19f6e81ef237c579f03c944745499b2e537d77972da89f8f4baa0825c3f79993d96116aa071bbc776a96f55cf8ab3f60698c2c4e03e36957
-
C:\Windows\System32\perfh011.datFilesize
159KB
MD5394e68a48cbedf2aa4290ad4be6c1254
SHA1e9b5a4204bedd201adfee94cd4bd475f92d508a0
SHA25648dbdc9f160e51c14f7cf0f4f31856fc5c51bb5a157eefc9159612227def9d88
SHA5125b3ebefb252a4ea2b5504fdb79fba35f256ee544df6385eeb47a05be4eddd41063fe9a025d5e8393d34cc34abd431810b5c5cc21c777316200c9cfa769fcfd6c
-
C:\Windows\Temp\{1D168801-2361-41BD-B3CE-4625CC7F4813}\.ba\PythonBA.dllFilesize
663KB
MD575f826580b0fb706f7ee5f6e0724e294
SHA10a8bfd587ddef14158e2abacd1f32afda4ce1f44
SHA25666de728be20d862415dfa189526c4351305845179c65605e210961c720620251
SHA512af528020d19a6453febd11323e02a0d595639b8c73ed5a24107eed3ffc94747770d7b028d262d387e571971a45dc16c71817bc7f6ee38fa08a377e3f19f04d28
-
C:\Windows\Temp\{1D168801-2361-41BD-B3CE-4625CC7F4813}\.ba\SideBar.pngFilesize
56KB
MD5ca62a92ad5b307faeac640cd5eb460ed
SHA15edf8b5fc931648f77a2a131e4c733f1d31b548e
SHA256f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627
SHA512f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a
-
C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exeFilesize
854KB
MD576ff12f0cd0e44ef355f1d30d1392a40
SHA17c9636454af4bba15734517d2c9fed79f137b5da
SHA2561f0f331e97c74dfa18fc7d19baef82bfe19324d9c79fab775f82ca55cc7b59cb
SHA512c2703111891e08675e74c79a3e2620fb650c4c99bbefc298e12bc948ba015e9c02ce7f4e5930c0c3f1f7b6dfaf17f385cfc994b68b7ea63f776a2f61e5741ce7
-
C:\Windows\system32\perfc009.datFilesize
32KB
MD51e60bc5e525063b96078df17fbd3c4e1
SHA1bae8eda409cb3e016ddd420c6354aeaac2d267b9
SHA256a0894847ca6208cf7e519d8e825458596bbcd78156a453e32872de7592ea20d8
SHA5125758d535e4ce20cc30b9b57fea1811feffb2655ecc6eec69c942defb4b4f8c06e8e37860f85ec7cad26df9d7635ecaf131a68ec4ee291aa36e448c7ef2339652
-
C:\Windows\system32\perfc009.datFilesize
47KB
MD56ba86043d5bb686959fccfc96b66a406
SHA11a0124b6bf961cc0b4dcb39fc0553b8b51f3bcae
SHA256ef92dae76f5fb86dc1946dd90308670a7b9b0f9a2d015dfdc5a949a9a57deff1
SHA512475dbbbe812391d0d6b51232d2fb74dd3546511fd56c8baf5b2fc11bf315e61a1bd621fd64c68ffbfc62a2cfb2695c7ecb7eb6cb68e0b0e8c69ccd7615e11341
-
C:\Windows\system32\perfc00A.datFilesize
61KB
MD58bab87294d0cc2cf5959a6c0f3018ab6
SHA158fe3d9997dfb9cf009f4eadafae81e473c317c0
SHA256426e0fc5c43c06d5b0986b27367e2faccb117a845355bb87ffef441184ab154f
SHA512e748f1efd020e754afd04aefcbb71955ed37ca4f32dd27481a38691cb386433b76eb8879d0f328f342c4e276ba7f37878ec17b230d7e8d308f115996499386c2
-
C:\Windows\system32\perfc00C.datFilesize
56KB
MD5372fe4caff0b3e4226b9b2f724c46d65
SHA1f46867fb163fde8b9f63375ec0d68341db458be0
SHA25683d5ef4c544b86a89fa179d6c8487a23867816bddd136df26be91e2bb53230ad
SHA51231cd6b936b0882884e1ecc47d46eaff86ef9cf49cb8600213d6e3c3145a85f30aeb1fa3cf5634d7ea0c5dd6af7f5e209208cb978e7f7d9424f65c469c612b9e3
-
C:\Windows\system32\perfc010.datFilesize
55KB
MD50515a1da37c05145889c952be393545b
SHA12dfd0c6c788a28de47f0074b2b63e78e973da745
SHA256445ffb36cf57e356c8a81a3b0879f664c3027fda0fe9b8b08a41a1aa51884637
SHA512a3a1acb3ebfff3a64a2a26130877c9fc9acf02d08f02c0053dd038bebff5fc5b1a25b9641c2eb003c389034455e44c7aa1d4c719a9e6e91e1acc7cee2b00f93d
-
C:\Windows\system32\perfc011.datFilesize
47KB
-
C:\Windows\system32\perfh007.dat
Filesize
320KB
-
C:\Windows\system32\perfh009.dat
Filesize
310KB
-
C:\Windows\system32\perfh00A.dat
Filesize
360KB
-
C:\Windows\system32\perfh00C.dat
Filesize
363KB
-
C:\Windows\system32\perfh010.dat
Filesize
353KB
-
C:\Windows\system32\perfh011.dat
Filesize
158KB
-
\??\pipe\crashpad_2668_VVGTPHWLZKTYYQJR
-
memory/1156-479-0x0000025FEC8C0000-0x0000025FED3D6000-memory.dmp
Filesize
11.1MB
-
memory/1156-366-0x0000025FE87D0000-0x0000025FE8EFA000-memory.dmp
Filesize
7.2MB
-
memory/4076-215-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-211-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-214-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-213-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-210-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-212-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-204-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-209-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-203-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4076-202-0x000001E386870000-0x000001E386871000-memory.dmp
Filesize
4KB
-
memory/4756-205-0x00000000058A0000-0x0000000005906000-memory.dmp
Filesize
408KB
-
memory/4756-506-0x0000000005D30000-0x0000000005DC2000-memory.dmp
Filesize
584KB
-
memory/4756-201-0x0000000000FB0000-0x0000000000FFA000-memory.dmp
Filesize
296KB
-
memory/4756-508-0x0000000006830000-0x0000000006DD4000-memory.dmp
Filesize
5.6MB
-
memory/4756-1159-0x00000000060B0000-0x00000000060BA000-memory.dmp
Filesize
40KB
-
memory/4756-1335-0x0000000006140000-0x0000000006152000-memory.dmp
Filesize
72KB