Analysis

  • max time kernel
    603s
  • max time network
    737s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07-07-2024 16:16

General

  • Target

    python-3.10.2-amd64.exe

  • Size

    26.9MB

  • MD5

    2b4fd1ed6e736f0e65572da64c17e020

  • SHA1

    61cc3b53fe61260e1651320e67c7d64b5088ad31

  • SHA256

    42b181e9b5f424472212742a187260d4edc73b7683ae83460c974508130e08ad

  • SHA512

    670e830197cdf38d933b1b8d9a33c241c829947227e7b1357f7a5713c51cdd4b95012b4fbbfe1ca8db1fbef0d86db3a469dad0e73b56ffaf99674336f478446c

  • SSDEEP

    786432:IooshtMGBns3zIjuid7tTgjh7W3WktiMakFa:HoIMGBnsDIy0tTd37iB

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5602729079:AAHue5HGrezQGgwKeWyn3WQgaqOZM5nlF_c/sendMessage?chat_id=6067717150

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a tool written in C# that is designed to remotely monitor and control other computers.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops desktop.ini file(s) 21 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 24 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4864ab58,0x7fff4864ab68,0x7fff4864ab78
    1⤵
      PID:2708
    • C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe
      "C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe
        "C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe" -burn.filehandle.attached=596 -burn.filehandle.self=548
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3940
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:2
      1⤵
        PID:3164
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
        1⤵
          PID:984
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
          1⤵
            PID:1072
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
            1⤵
              PID:1224
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
              1⤵
                PID:720
              • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                1⤵
                  PID:4444
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                  1⤵
                    PID:1336
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
                    1⤵
                      PID:1316
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
                      1⤵
                        PID:1344
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
                        1⤵
                          PID:4188
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=1640 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                          1⤵
                            PID:4932
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
                            1⤵
                              PID:1064
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4956 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:2
                              1⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4920
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3888,i,6959856223548986108,4217696995639198458,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
                              1⤵
                                PID:5028
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=5240 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                                1⤵
                                  PID:3972
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
                                  1⤵
                                    PID:1864
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=2372 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                                    1⤵
                                      PID:3188
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4468 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                                      1⤵
                                        PID:3640
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4784 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                                        1⤵
                                          PID:4000
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5256 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                                          1⤵
                                            PID:1128
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5604 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                                            1⤵
                                              PID:4356
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
                                              1⤵
                                                PID:4132
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5760 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                                                1⤵
                                                  PID:980
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=4412 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1
                                                  1⤵
                                                    PID:4164
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
                                                    1⤵
                                                      PID:2084
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8
                                                      1⤵
                                                        PID:4884
                                                      • C:\Windows\System32\rundll32.exe
                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                        1⤵
                                                          PID:948
                                                        • C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
                                                          "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
                                                          1⤵
                                                          • Drops desktop.ini file(s)
                                                          • Checks processor information in registry
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:4756
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                            2⤵
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:5020
                                                            • C:\Windows\SysWOW64\chcp.com
                                                              chcp 65001
                                                              3⤵
                                                                PID:3552
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh wlan show profile
                                                                3⤵
                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                PID:696
                                                              • C:\Windows\SysWOW64\findstr.exe
                                                                findstr All
                                                                3⤵
                                                                  PID:2572
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                                2⤵
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:4348
                                                                • C:\Windows\SysWOW64\chcp.com
                                                                  chcp 65001
                                                                  3⤵
                                                                    PID:5008
                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                    netsh wlan show networks mode=bssid
                                                                    3⤵
                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                    PID:4060
                                                              • C:\Windows\system32\taskmgr.exe
                                                                "C:\Windows\system32\taskmgr.exe" /4
                                                                1⤵
                                                                • Checks SCSI registry key(s)
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • Suspicious use of FindShellTrayWindow
                                                                • Suspicious use of SendNotifyMessage
                                                                PID:4076
                                                              • C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
                                                                "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
                                                                1⤵
                                                                • Drops desktop.ini file(s)
                                                                • Checks processor information in registry
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:2552
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                                  2⤵
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:444
                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                    chcp 65001
                                                                    3⤵
                                                                      PID:3076
                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                      netsh wlan show profile
                                                                      3⤵
                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                      PID:2448
                                                                    • C:\Windows\SysWOW64\findstr.exe
                                                                      findstr All
                                                                      3⤵
                                                                        PID:2360
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                                      2⤵
                                                                      • Suspicious use of WriteProcessMemory
                                                                      PID:1036
                                                                      • C:\Windows\SysWOW64\chcp.com
                                                                        chcp 65001
                                                                        3⤵
                                                                          PID:2628
                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                          netsh wlan show networks mode=bssid
                                                                          3⤵
                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                          PID:4012
                                                                    • C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe
                                                                      "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"
                                                                      1⤵
                                                                        PID:1156
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Fixer.bat" "
                                                                        1⤵
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:4440
                                                                        • C:\Windows\system32\lodctr.exe
                                                                          lodctr /r
                                                                          2⤵
                                                                          • Drops file in System32 directory
                                                                          PID:4312
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Fixer.bat"
                                                                        1⤵
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:1208
                                                                        • C:\Windows\system32\lodctr.exe
                                                                          lodctr /r
                                                                          2⤵
                                                                          • Drops file in System32 directory
                                                                          PID:4716
                                                                      • C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
                                                                        "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
                                                                        1⤵
                                                                        • Drops desktop.ini file(s)
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:2888
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                                          2⤵
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:4604
                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                            chcp 65001
                                                                            3⤵
                                                                              PID:2112
                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                              netsh wlan show profile
                                                                              3⤵
                                                                              • Event Triggered Execution: Netsh Helper DLL
        PID:2068
    • C:\Windows\SysWOW64\findstr.exe
      findstr All
      3⤵
        PID:4180
  • C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    2⤵
      PID:3896
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      3⤵
        PID:5008
    • C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      3⤵
        PID:1308
• C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe
  "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"
  1⤵
    PID:4380
• C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  1⤵
    PID:3608
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4f8 0x49c
  1⤵
    PID:4716
• C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
  "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
  1⤵
    PID:4820
  • C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    2⤵
      PID:1708
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      3⤵
        PID:3640
    • C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      3⤵
        PID:3576
    • C:\Windows\SysWOW64\findstr.exe
      findstr All
      3⤵
        PID:4372
  • C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    2⤵
      PID:2932
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      3⤵
        PID:1612
    • C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      3⤵
        PID:3596
• C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
  "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
  1⤵
    PID:3552
  • C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    2⤵
      PID:3452
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      3⤵
        PID:2164
    • C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      3⤵
        PID:1848
    • C:\Windows\SysWOW64\findstr.exe
      findstr All
      3⤵
        PID:1696
  • C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    2⤵
      PID:1648
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      3⤵
        PID:2008
    • C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      3⤵
        PID:1708
• C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
  "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
  1⤵
    PID:1000
  • C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    2⤵
      PID:4604
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      3⤵
        PID:4992
    • C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      3⤵
        PID:4696
    • C:\Windows\SysWOW64\findstr.exe
      findstr All
      3⤵
        PID:4228
  • C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    2⤵
      PID:2452
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      3⤵
        PID:2196
    • C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      3⤵
        PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
• Event Triggered Execution (T1546): 1
• Netsh Helper DLL (T1546.007): 1

Privilege Escalation
• Event Triggered Execution (T1546): 1
• Netsh Helper DLL (T1546.007): 1

Discovery
• Query Registry (T1012): 3
• Peripheral Device Discovery (T1120): 1
• System Information Discovery (T1082): 2

Command and Control
• Web Service (T1102): 1

Downloads

• C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txt
  Filesize: 84B

• C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txt
  Filesize: 155B

• C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txt
  Filesize: 239B

• C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txt
  Filesize: 4KB

• C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Windows.txt
  Filesize: 169B

• C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B

• C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Google\History.txt
  Filesize: 948B

                                                                                                                                      • C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Google\History.txt
                                                                                                                                        Filesize

                                                                                                                                        2KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\System\Process.txt
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Process.txt
                                                                                                                                        Filesize

                                                                                                                                        415B

                                                                                                                                      • C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Process.txt
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Windows.txt
                                                                                                                                        Filesize

                                                                                                                                        292B

                                                                                                                                      • C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Windows.txt
                                                                                                                                        Filesize

                                                                                                                                        377B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Browsers\Google\Downloads.txt
                                                                                                                                        Filesize

                                                                                                                                        59B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Desktop.txt
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Documents.txt
                                                                                                                                        Filesize

                                                                                                                                        502B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Downloads.txt
                                                                                                                                        Filesize

                                                                                                                                        721B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\OneDrive.txt
                                                                                                                                        Filesize

                                                                                                                                        25B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Pictures.txt
                                                                                                                                        Filesize

                                                                                                                                        820B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Startup.txt
                                                                                                                                        Filesize

                                                                                                                                        24B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Temp.txt
                                                                                                                                        Filesize

                                                                                                                                        6KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Videos.txt
                                                                                                                                        Filesize

                                                                                                                                        23B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Readme.txt
                                                                                                                                        Filesize

                                                                                                                                        235B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
                                                                                                                                        Filesize

                                                                                                                                        282B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
                                                                                                                                        Filesize

                                                                                                                                        402B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
                                                                                                                                        Filesize

                                                                                                                                        282B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini
                                                                                                                                        Filesize

                                                                                                                                        190B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
                                                                                                                                        Filesize

                                                                                                                                        190B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
                                                                                                                                        Filesize

                                                                                                                                        504B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txt
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txt
                                                                                                                                        Filesize

                                                                                                                                        6KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txt
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txt
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\ProductKey.txt
                                                                                                                                        Filesize

                                                                                                                                        29B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\ScanningNetworks.txt
                                                                                                                                        Filesize

                                                                                                                                        84B

                                                                                                                                      • C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\WorldWind.jpg
                                                                                                                                        Filesize

                                                                                                                                        99KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                                                                                                        Filesize

                                                                                                                                        7KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                                                                                                        Filesize

                                                                                                                                        5KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                                                                                                        Filesize

                                                                                                                                        5KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                                                                                                        Filesize

                                                                                                                                        6KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                                                                                        Filesize

                                                                                                                                        2B

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                        Filesize

                                                                                                                                        354B

                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V3.0.exe.log
                                                                                                                                        Filesize

                                                                                                                                        1KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\places.raw
                                                                                                                                        Filesize

                                                                                                                                        5.0MB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp63FA.tmp.dat
                                                                                                                                        Filesize

                                                                                                                                        46KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp643E.tmp.dat
                                                                                                                                        Filesize

                                                                                                                                        56KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp643F.tmp.dat
                                                                                                                                        Filesize

                                                                                                                                        192KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp647F.tmp.dat
                                                                                                                                        Filesize

                                                                                                                                        96KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpC77A.tmp.dat
                                                                                                                                        Filesize

                                                                                                                                        100KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpC7AB.tmp.dat
                                                                                                                                        Filesize

                                                                                                                                        152KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpC8A8.tmp.dat
                                                                                                                                        Filesize

                                                                                                                                        232KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\System\Process.txt
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\msgid.dat
                                                                                                                                        Filesize

                                                                                                                                        1B

                                                                                                                                      • C:\Windows\System32\perfc007.dat
                                                                                                                                        Filesize

                                                                                                                                        49KB

                                                                                                                                      • C:\Windows\System32\perfc00A.dat
                                                                                                                                        Filesize

                                                                                                                                        51KB

                                                                                                                                      • C:\Windows\System32\perfc00C.dat
                                                                                                                                        Filesize

                                                                                                                                        47KB

                                                                                                                                      • C:\Windows\System32\perfc010.dat
                                                                                                                                        Filesize

                                                                                                                                        46KB

                                                                                                                                      • C:\Windows\System32\perfc011.dat
                                                                                                                                        Filesize

                                                                                                                                        32KB

                                                                                                                                      • C:\Windows\System32\perfh007.dat
                                                                                                                                        Filesize

                                                                                                                                        322KB

                                                                                                                                      • C:\Windows\System32\perfh009.dat
                                                                                                                                        Filesize

                                                                                                                                        312KB

                                                                                                                                      • C:\Windows\System32\perfh00A.dat
                                                                                                                                        Filesize

                                                                                                                                        362KB

                                                                                                                                      • C:\Windows\System32\perfh00C.dat
                                                                                                                                        Filesize

                                                                                                                                        365KB

                                                                                                                                      • C:\Windows\System32\perfh010.dat
                                                                                                                                        Filesize

                                                                                                                                        356KB

                                                                                                                                      • C:\Windows\System32\perfh011.dat
                                                                                                                                        Filesize

                                                                                                                                        159KB

                                                                                                                                      • C:\Windows\Temp\{1D168801-2361-41BD-B3CE-4625CC7F4813}\.ba\PythonBA.dll
                                                                                                                                        Filesize

                                                                                                                                        663KB

                                                                                                                                      • C:\Windows\Temp\{1D168801-2361-41BD-B3CE-4625CC7F4813}\.ba\SideBar.png
                                                                                                                                        Filesize

                                                                                                                                        56KB

                                                                                                                                      • C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe
                                                                                                                                        Filesize

                                                                                                                                        854KB

                                                                                                                                      • C:\Windows\system32\perfc009.dat
                                                                                                                                        Filesize

                                                                                                                                        32KB

                                                                                                                                      • C:\Windows\system32\perfc009.dat
                                                                                                                                        Filesize

                                                                                                                                        47KB

                                                                                                                                      • C:\Windows\system32\perfc00A.dat
                                                                                                                                        Filesize

                                                                                                                                        61KB

                                                                                                                                      • C:\Windows\system32\perfc00C.dat
                                                                                                                                        Filesize

                                                                                                                                        56KB

                                                                                                                                      • C:\Windows\system32\perfc010.dat
                                                                                                                                        Filesize

                                                                                                                                        55KB

                                                                                                                                      • C:\Windows\system32\perfc011.dat
                                                                                                                                        Filesize

                                                                                                                                        47KB

                                                                                                                                      • C:\Windows\system32\perfh007.dat
                                                                                                                                        Filesize

                                                                                                                                        320KB

                                                                                                                                      • C:\Windows\system32\perfh009.dat
                                                                                                                                        Filesize

                                                                                                                                        310KB

                                                                                                                                      • C:\Windows\system32\perfh00A.dat
                                                                                                                                        Filesize

                                                                                                                                        360KB

                                                                                                                                      • C:\Windows\system32\perfh00C.dat
                                                                                                                                        Filesize

                                                                                                                                        363KB

                                                                                                                                      • C:\Windows\system32\perfh010.dat
                                                                                                                                        Filesize

                                                                                                                                        353KB

                                                                                                                                      • C:\Windows\system32\perfh011.dat
                                                                                                                                        Filesize

                                                                                                                                        158KB

                                                                                                                                      • \??\pipe\crashpad_2668_VVGTPHWLZKTYYQJR

                                                                                                                                      • memory/1156-479-0x0000025FEC8C0000-0x0000025FED3D6000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        11.1MB

                                                                                                                                      • memory/1156-366-0x0000025FE87D0000-0x0000025FE8EFA000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        7.2MB

                                                                                                                                      • memory/4076-215-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-211-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-214-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-213-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-210-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-212-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-204-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-209-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-203-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4076-202-0x000001E386870000-0x000001E386871000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/4756-205-0x00000000058A0000-0x0000000005906000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        408KB

                                                                                                                                      • memory/4756-506-0x0000000005D30000-0x0000000005DC2000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        584KB

                                                                                                                                      • memory/4756-201-0x0000000000FB0000-0x0000000000FFA000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        296KB

                                                                                                                                      • memory/4756-508-0x0000000006830000-0x0000000006DD4000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        5.6MB

                                                                                                                                      • memory/4756-1159-0x00000000060B0000-0x00000000060BA000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        40KB

                                                                                                                                      • memory/4756-1335-0x0000000006140000-0x0000000006152000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        72KB