Malware Analysis Report

2024-09-23 02:51

Sample ID 240707-tq96dsveqp
Target python-3.10.2-amd64.exe
SHA256 42b181e9b5f424472212742a187260d4edc73b7683ae83460c974508130e08ad
Tags
asyncrat stormkitty default discovery persistence privilege_escalation rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42b181e9b5f424472212742a187260d4edc73b7683ae83460c974508130e08ad

Threat Level: Known bad

The file python-3.10.2-amd64.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default discovery persistence privilege_escalation rat stealer

StormKitty payload

AsyncRat

StormKitty

.NET Reactor protector

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Drops desktop.ini file(s)

Drops file in System32 directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-07 16:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 16:16

Reported

2024-07-07 16:29

Platform

win10v2004-20240704-en

Max time kernel

603s

Max time network

737s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4864ab58,0x7fff4864ab68,0x7fff4864ab78

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
File created C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A mediafire.com N/A N/A
N/A mediafire.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A mediafire.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\lodctr.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\lodctr.exe N/A

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4744 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe
PID 4744 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe
PID 4744 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe
PID 4756 wrote to memory of 5020 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 5020 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 5020 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5020 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5020 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4440 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\lodctr.exe
PID 4440 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\lodctr.exe
PID 5020 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5020 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5020 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5020 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5020 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5020 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4756 wrote to memory of 4348 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4348 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4348 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4348 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4348 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4348 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4348 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4348 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2552 wrote to memory of 444 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 444 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 444 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 444 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 444 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 444 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 444 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 444 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 444 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 444 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 444 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 1036 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1036 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1036 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1036 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1036 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1036 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1036 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1036 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1208 wrote to memory of 4716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\AUDIODG.EXE
PID 1208 wrote to memory of 4716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\AUDIODG.EXE
PID 2888 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4604 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4604 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4604 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4604 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4604 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4604 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4864ab58,0x7fff4864ab68,0x7fff4864ab78

C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe

"C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe

"C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.10.2-amd64.exe" -burn.filehandle.attached=596 -burn.filehandle.self=548

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=1640 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4956 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3888,i,6959856223548986108,4217696995639198458,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=5240 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=2372 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4468 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4784 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5256 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5604 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5760 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=4412 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1952,i,15610469715716752386,13520923855303157785,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe

"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe

"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"

C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe

"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Fixer.bat" "

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Fixer.bat"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe

"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"

C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe

"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8 0x49c

C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe

"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe

"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"

C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe

"C:\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.16.238:443 clients2.google.com udp
GB 172.217.16.238:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 mediafire.com udp
US 104.16.113.74:443 mediafire.com tcp
US 104.16.113.74:443 mediafire.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 static.mediafire.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 74.113.16.104.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 104.16.113.74:443 static.mediafire.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
DE 18.64.79.96:443 cdn.amplitude.com tcp
US 8.8.8.8:53 72.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 96.79.64.18.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 connect.facebook.net udp
NL 157.240.247.8:443 connect.facebook.net tcp
US 8.8.8.8:53 8.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 translate.google.com udp
GB 172.217.169.46:443 translate.google.com tcp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 api.amplitude.com udp
US 44.227.246.182:443 api.amplitude.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.200.42:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 182.246.227.44.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
NL 157.240.247.8:443 connect.facebook.net udp
US 8.8.8.8:53 translate.googleapis.com udp
GB 142.250.187.234:443 translate.googleapis.com tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.co.uk udp
US 216.239.34.36:443 region1.analytics.google.com tcp
GB 172.217.16.227:443 www.google.co.uk tcp
BE 74.125.71.155:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 155.71.125.74.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 secure.gravatar.com udp
US 8.8.8.8:53 www.facebook.com udp
US 192.0.73.2:443 secure.gravatar.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 2.73.0.192.in-addr.arpa udp
GB 142.250.200.42:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 translate-pa.googleapis.com udp
BE 74.125.71.155:443 stats.g.doubleclick.net udp
GB 172.217.16.227:443 www.google.co.uk udp
US 216.239.34.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.35:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons4.gvt2.com udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 216.239.32.116:443 beacons4.gvt2.com tcp
US 216.239.32.116:443 beacons4.gvt2.com udp
US 8.8.8.8:53 116.32.239.216.in-addr.arpa udp
GB 142.250.187.234:443 translate-pa.googleapis.com udp
US 8.8.8.8:53 www6.mediafire.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.16.79.73:443 static.cloudflareinsights.com tcp
GB 172.217.169.46:443 translate.google.com udp
US 8.8.8.8:53 73.79.16.104.in-addr.arpa udp
GB 142.250.187.234:443 translate-pa.googleapis.com udp
US 216.239.32.116:443 beacons4.gvt2.com udp
GB 172.217.169.35:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 translate.googleapis.com udp
US 104.16.113.74:443 www.mediafire.com udp
GB 142.250.200.42:443 translate.googleapis.com udp
GB 142.250.200.42:443 translate.googleapis.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 upload.ee udp
DE 57.129.39.102:443 upload.ee tcp
DE 57.129.39.102:443 upload.ee tcp
US 8.8.8.8:53 www.upload.ee udp
DE 57.129.39.102:80 www.upload.ee tcp
DE 57.129.39.102:443 www.upload.ee tcp
DE 57.129.39.102:443 www.upload.ee tcp
US 8.8.8.8:53 s7.addthis.com udp
GB 2.18.109.243:443 s7.addthis.com tcp
US 8.8.8.8:53 du0pud0sdlmzf.cloudfront.net udp
GB 2.18.109.243:443 s7.addthis.com tcp
DE 54.230.55.123:443 du0pud0sdlmzf.cloudfront.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 pogothere.xyz udp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
US 172.67.220.203:443 pogothere.xyz tcp
US 172.67.220.203:443 pogothere.xyz tcp
US 8.8.8.8:53 lcolumnstoodthe.info udp
US 8.8.8.8:53 deedeisasbeaut.info udp
US 8.8.8.8:53 ghabovethec.info udp
GB 18.239.236.118:443 lcolumnstoodthe.info tcp
US 8.8.8.8:53 102.39.129.57.in-addr.arpa udp
US 8.8.8.8:53 243.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 226.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 123.55.230.54.in-addr.arpa udp
US 8.8.8.8:53 supervisofosevera.com udp
US 104.21.15.106:443 deedeisasbeaut.info tcp
GB 18.244.140.100:443 ghabovethec.info tcp
US 8.8.8.8:53 getrunkhomuto.info udp
US 172.67.220.203:443 pogothere.xyz udp
GB 143.204.176.76:443 getrunkhomuto.info tcp
GB 18.172.153.27:443 supervisofosevera.com tcp
GB 18.172.153.27:443 supervisofosevera.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
NL 157.240.247.35:443 www.facebook.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.200.42:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 203.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 118.236.239.18.in-addr.arpa udp
US 8.8.8.8:53 106.15.21.104.in-addr.arpa udp
US 8.8.8.8:53 100.140.244.18.in-addr.arpa udp
US 8.8.8.8:53 76.176.204.143.in-addr.arpa udp
US 8.8.8.8:53 27.153.172.18.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 104.21.15.106:443 deedeisasbeaut.info udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
BE 74.125.71.155:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 142.250.178.1:443 tpc.googlesyndication.com tcp
GB 18.239.236.118:443 lcolumnstoodthe.info tcp
US 8.8.8.8:53 1.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 iheru.dwhitdoedsrag.org udp
US 54.225.185.110:443 iheru.dwhitdoedsrag.org tcp
GB 142.250.178.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 110.185.225.54.in-addr.arpa udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 54.225.185.110:443 iheru.dwhitdoedsrag.org tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 104.16.185.241:80 icanhazip.com tcp
US 104.21.44.66:443 api.mylnikov.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.19.24:443 pastebin.com tcp
US 104.16.185.241:80 icanhazip.com tcp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.19.24:443 pastebin.com tcp
US 104.16.185.241:80 icanhazip.com tcp
US 104.21.44.66:443 api.mylnikov.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.19.24:443 pastebin.com tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
US 104.16.185.241:80 icanhazip.com tcp
US 104.21.44.66:443 api.mylnikov.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.16.185.241:80 icanhazip.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.21.44.66:443 api.mylnikov.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.19.24:443 pastebin.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.19.24:443 pastebin.com tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp

Files

\??\pipe\crashpad_2668_VVGTPHWLZKTYYQJR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Windows\Temp\{B2C503D4-A2D5-433F-95D5-7E0D1225ECAB}\.cr\python-3.10.2-amd64.exe

MD5 76ff12f0cd0e44ef355f1d30d1392a40
SHA1 7c9636454af4bba15734517d2c9fed79f137b5da
SHA256 1f0f331e97c74dfa18fc7d19baef82bfe19324d9c79fab775f82ca55cc7b59cb
SHA512 c2703111891e08675e74c79a3e2620fb650c4c99bbefc298e12bc948ba015e9c02ce7f4e5930c0c3f1f7b6dfaf17f385cfc994b68b7ea63f776a2f61e5741ce7

C:\Windows\Temp\{1D168801-2361-41BD-B3CE-4625CC7F4813}\.ba\PythonBA.dll

MD5 75f826580b0fb706f7ee5f6e0724e294
SHA1 0a8bfd587ddef14158e2abacd1f32afda4ce1f44
SHA256 66de728be20d862415dfa189526c4351305845179c65605e210961c720620251
SHA512 af528020d19a6453febd11323e02a0d595639b8c73ed5a24107eed3ffc94747770d7b028d262d387e571971a45dc16c71817bc7f6ee38fa08a377e3f19f04d28

C:\Windows\Temp\{1D168801-2361-41BD-B3CE-4625CC7F4813}\.ba\SideBar.png

MD5 ca62a92ad5b307faeac640cd5eb460ed
SHA1 5edf8b5fc931648f77a2a131e4c733f1d31b548e
SHA256 f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627
SHA512 f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c04e12e777c07f63826803fe53e00125
SHA1 fa0e803a20ae73f0502663770baa32776a0ba91d
SHA256 8e5533c5da609db4a5ad375499e25819420ec8a0c7fe52676dbd42cb0b440414
SHA512 2b740f655b949ad8f498b25cdc21230d756f6c7edc20046791664e9d509b22c34721d1e5b2aba91b1afb0480fcf6e39ce0079ee1286c633a9c202970e9829971

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8c4dcdb2c74915c9cc318d38b4fcf6c0
SHA1 f86e146a80b9d0f610e49e6f4c6cc36027466472
SHA256 f1717b7fb2b9a12f6901951203d047e21dd98ae296072c0ec8f64f3fcfd83312
SHA512 693e450760281fa505f4e4e0aa9751788ac4d2a588f98be0167663292a676c94dcfe7559b7ce1578819d1ef8bf12e0e65fac6335fc32225a96f0aa2d368ce835

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 aca8a05c575d7e6157d6c85d4483841a
SHA1 b8f4ff5aa63fa2f398259999572d6c36c4fd04e4
SHA256 ffde43df93a16641ae92bd683100ab095a6a3e99efbc3d8d3c23a4f00fc784c3
SHA512 fab3e09db0aaffb5077dc0a4916069c116c71232a018d71ac032558fb8271efe16a00789f8a13aeaa0f3230d354f61b6c1948c5b73da666d41dc1b644b2cb7a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 0d108c2b7cc36285696c1ddeaee45a1d
SHA1 2c9fd8b4ad6814b936c45e0afeb3b7cae7cd8f78
SHA256 3cfc3fea82faeede5f5a996fb062236c09bd895637ede241f644450ddabb2e9a
SHA512 8ac2d5578d0014930f0c490b2cdf21eb84aff372b367df593e297d20ae2b01075a2d2ef52e116d5f60a8cdd75ae70fd9c0b9942ebb786b8a5783b4fe813f910f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 9dfc9fa5b4c44e40bad7efe7a2ca655d
SHA1 193241e6f2595f6902a8fe894bc8cb57f24e1153
SHA256 582ec25d99eece83d9aed343e574eef07f77da9df377127d1c9f55189907ee64
SHA512 a73a199352733ec5b41c12e6a893f173aeed06445418759d093330e382a961007c0364067c19b450c06420ebcbc877959366bbbeef95d4a9e57f7a7e0064f32a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 02e21fb4e04280b9cefc7b9e7d7d8148
SHA1 86a906dc81b81f61af4f0bce6e47da54a8f73a19
SHA256 95bd0bc5b21850c11425005b61227e6164b51227a1eac718426353a2e8fa8461
SHA512 8f9caf89023277e7237e40abc8a4d39d20b3671a736d6fe4abe38882601dfca08e5f66a1c8d33c1c5172134b9b853ac15bd4426a50351da50b297a695aeab9c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 f4ca16be06a9b6a053209a29e79f80a4
SHA1 d650a55542c0f55b05cc006a864663201fe6c5f8
SHA256 cba1be74704d1f2fcd8baf89e0a79987ed04544296dedf77a9a088513226c8ad
SHA512 179635e844560bd1f4b65ba15826ceffd94b44260ae7cec91a5b786eb0e2a30fc5252ce5b5ad3eff745046fe50ac4f6dbbb5029606b9480b05238d80610f120a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 747e1a56aa1271ac30c43c4bad29100f
SHA1 40f9fcdf35a84c0bcf0f977399ddeebcf83e73d7
SHA256 c2eb39c046231da847c7c197a2b05b602655fd2c95120aae1c20fc040c3496d4
SHA512 53e7ed484894a95bf2e7566750c056139b8be767617382e284b8c57ee07968857226b9f102b1ff03ad920f24b5f9163e0fe146fbd5ca14c9a6fd2e39c4de6e03

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ef4e6c63a8de24979e75813899b10eb2
SHA1 680efa0ac76d9a3c24823c535584af73cdf97676
SHA256 7a4f4603cb188fda8dd622a4e6fe033a1abc6e835fc7e1083309d002109b59c3
SHA512 3f5d7f46a962c721dfdffb558f1de3867f40e9a93eb83e72e811b104f6a000e827689f7edceed630f10665d9d20b02576707f230fa4393bac435c49ae41c448d

memory/4756-201-0x0000000000FB0000-0x0000000000FFA000-memory.dmp

memory/4076-204-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4076-203-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4076-202-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4756-205-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/4076-211-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4076-215-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4076-212-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4076-210-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4076-214-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4076-209-0x000001E386870000-0x000001E386871000-memory.dmp

memory/4076-213-0x000001E386870000-0x000001E386871000-memory.dmp

C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Google\History.txt

MD5 744bc9144cc6aaa911d4f90c5b6fefae
SHA1 8dc7763f83f49320179bc40f2545902150f99ff5
SHA256 63b26c4916a7db34254486ddd6f033ba4fc404fe5c98434972973c76cd674bcc
SHA512 14ad3303ccadb84d5f42bfd3cce3bea9ccbc48be95111f8428821de0aabce0e31d79d53ba7f9560039a007560347c392b4f5c7ddedfefe2d76b16e52d305fbb4

C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Google\History.txt

MD5 82b00ffbf76c94fad25c2eb129dccae7
SHA1 c042bd8f96b623b41fbd0a4630db4af4d23ba712
SHA256 94f53107a862bb02594be7e286cd3618b00e2f41329c9b0278247e257bf77448
SHA512 1a9c0c4d34bb995c7ab7771f07506e364b47b2653b66a2ff3d1f3e0265f6674accf4095759af79a851e93f50ba45280b56e6ebe36199953a0ce150787df2a4fa

C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ce7855ec83b35ea8e93a9e0e89139b12
SHA1 c40051fd6085dea0f31785b83c268a195536563a
SHA256 19009caf9ea9f4536e98ba9b999f109fc66966931e0b9ef458b227ed52ecc029
SHA512 a4d71258c512b33d4b5b57eb5fa7e757b8ebef3d531317590d2d2c1b57d80601fea8df5dcbbcb42e1b7af53374ca672192ecd99f60b238cdd66102bfa4679b77

C:\Users\Admin\AppData\Local\4bce81f89c3ee2eff4c7e395d6e3dc0c\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 9581e464fed860ad7cb109760b93dcd1
SHA1 8fbd542df219d7f60a6ad86ba4d765fd4b3d2784
SHA256 9263ad05905ea838e5e98658d6ac16cd09d7677479e4f5b1452828b4c4bb7709
SHA512 d396f01bd439a7a9407551f3c053e084e77cecd55e5b1902446d5a90543ac6624ff1654bf5193f274410bd90ef26e9ae300ec92fab27c3d856ab9e512b15da6a

memory/1156-366-0x0000025FE87D0000-0x0000025FE8EFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC77A.tmp.dat

MD5 a146b07d36c77deb545345f9fe3ddd75
SHA1 a0c87bf2dbe1dccdcbd2f68f2c366d273d247192
SHA256 f28113548245d5faa6e48dcbd57e80a29081d017b95808697347619b89d42c9b
SHA512 5cad32cef6e57d99c0e4508ae7f727055b0350a54578b65e1cf7f2fac319c07e32bb931740b4466d343be3c1178cf796067f467a2ccb56d7a60473258ff078cb

C:\Users\Admin\AppData\Local\Temp\tmpC7AB.tmp.dat

MD5 280d0d576cc8302dc483695ab2a76ef7
SHA1 7641333ca134b8f507046a4b92674ef48d20e4ee
SHA256 15e1b6bd397772024d3bc44b6772c0780639d23ff582027e0738e1dee0e0fb14
SHA512 ff8c21b7da132100b6501882f66a5b052742ae9f2b88eb2b1e8a4f09267dd64b963a1b88eb5737b3c173b0a7a83431719839a6c00c8a2aff59a0ec872be3d45f

C:\Users\Admin\AppData\Local\Temp\tmpC8A8.tmp.dat

MD5 73d744a8e8033f343403358e3cad07b5
SHA1 424a3f29d1794f1eda595758b0c4e01cd25d2c9b
SHA256 5cf92bb56d79629edc3fe42f1e880b596e47a9ff2450e1d134dccdde8cb93731
SHA512 80c6c3fea713a7797772c725d1cf464870bb4aed23b8904cdfa39f8c022882c72be0a9adc5439f7b71bd43311cd6dc1f9e19b032bac26fe40b44e3d4f3b573b4

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 46ca5e06e3f5fb88dc47ea8b952f3d27
SHA1 ba8eadadca2c34c115b667781ec0cfc928819adc
SHA256 9ae16bb881de7ad516bb3e3c608ed5faf53fa942f950219bcdb7c05298c0e2fc
SHA512 661eda3f781c44d86c84d28f4809f8cc805bf9506a761fa7b6d1bc03ed269835f7acdce40851331a2d680425f9f07aa67213d09cd1f86fd7ccb05df91d3b42b7

memory/1156-479-0x0000025FEC8C0000-0x0000025FED3D6000-memory.dmp

memory/4756-506-0x0000000005D30000-0x0000000005DC2000-memory.dmp

memory/4756-508-0x0000000006830000-0x0000000006DD4000-memory.dmp

C:\Windows\System32\perfc011.dat

MD5 50681b748a019d0096b5df4ebe1eab74
SHA1 0fa741b445f16f05a1984813c7b07cc66097e180
SHA256 33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a
SHA512 568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

C:\Windows\System32\perfh007.dat

MD5 8e549f070ac8bb646d0c34569ad6d880
SHA1 2a9bd2f7378ef5e85831cf590d9d735e9645f49e
SHA256 b08ebaa7d8ba93702ba84a59f41c0faed94273203d353c4f3cad31530d1b3751
SHA512 10c3a012dc64fdcb5bb0d8fe03aa771b936e78092de33e029658ad18e8c4771cddb84e6057b79bf8e6e90a8f3972f4bb1cad16f3cc96c13527289f3477f5fbd5

C:\Windows\System32\perfh009.dat

MD5 367662b55faba4e0728f3c296daa92a7
SHA1 1775899bd0f1bb5cf945910db18aa3a9d4d15b7a
SHA256 c2ea1af1c970468f522e354c8e47b121b66a0d0428a8400f4a5cb03216368ce1
SHA512 283e9cf2bf6fe904b530bd188347641c1d30b27c95d89552e18aa33be1c7e2840f10a09868a2862ee53bb805cef2cdbb31b8db391ca140b5dda27058dcad11ce

C:\Windows\System32\perfc00A.dat

MD5 70c7ba068b82106810720fdec5406762
SHA1 744c05ee14ea69e9706a07967b4ca1597298729d
SHA256 f3fccee564956fd81a1bba3477a18b04197bccf5efa057713c92a77b266c7b33
SHA512 14bb6e89946abcc10f640e2d553623b319c829e31ff872be0976c3d0419bc8ac656e4774333d4040df9507f064e9f92347677f4b20c66317fffaabed5bb1c4b4

C:\Windows\System32\perfh011.dat

MD5 394e68a48cbedf2aa4290ad4be6c1254
SHA1 e9b5a4204bedd201adfee94cd4bd475f92d508a0
SHA256 48dbdc9f160e51c14f7cf0f4f31856fc5c51bb5a157eefc9159612227def9d88
SHA512 5b3ebefb252a4ea2b5504fdb79fba35f256ee544df6385eeb47a05be4eddd41063fe9a025d5e8393d34cc34abd431810b5c5cc21c777316200c9cfa769fcfd6c

C:\Windows\System32\perfc007.dat

MD5 3fe48fb25091a9d13b94f8b81c1be040
SHA1 21f5adcd4f852b3e3a84ae7788ede8f2f26a6515
SHA256 d5d9ec6461c30880496d1ee5a8d770d59ced59d1b28e015d08d44832ced60591
SHA512 e02f495ee34dd013bba39a1c4a8bf22db122d54fcda84a8aa8557462a2f13a058f05d0eb13a817ba45b5527f830492e5a00365b5eb4122ed6b8f28a9ffd2d308

C:\Windows\System32\perfc010.dat

MD5 9c127d90b405f6e4e98e60bb83285a93
SHA1 358b36827fb8dbfd9f268d7278961ae3309baaa1
SHA256 878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578
SHA512 bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73

C:\Windows\System32\perfh010.dat

MD5 4e277d7a9304103e3b68291044c7db6b
SHA1 b23864c76259c674ac2bc0210dab181bfc04dedf
SHA256 5dc2192236274fda886a0c0f396646f9292000ba33bd0e2061a65bc06639be16
SHA512 094477571cb17d7b19f6e81ef237c579f03c944745499b2e537d77972da89f8f4baa0825c3f79993d96116aa071bbc776a96f55cf8ab3f60698c2c4e03e36957

C:\Windows\System32\perfc00C.dat

MD5 0cfd5298e63f44351ebca47f6a491fbe
SHA1 b86c08b13f0e60f664be64cb4077f915f9fc1138
SHA256 562261cc16c6e5e2e3841a1ba79083293baa40330fb5d4f7f62c3553df26ccb3
SHA512 549e5c28598ac2a6b11936aa90f641dfa794c04dd642309d08ef90a683d995d8f2d3a69ee2ecd74adae5beb19e9de055e71670922d738bd985657ffe75ebe235

C:\Windows\System32\perfh00C.dat

MD5 d5972cca5d434d4ca1742fe0a5ddd5d4
SHA1 a3cdc3ad50ff9ba19722f2e2cb76f95b60bd92b2
SHA256 f85cfffd1414d3e975f430a1e2f2a3b473ee8995a961dfb103fe18d5bf06e321
SHA512 2ce34cf9b868fda0852e6b0d805171fcfda00c0c6cf044bf8831e6fa2aef4933ae00a8eaf757c09d67c30ae7ab58136959351f7d04d8ba6921f51fc87378565c

C:\Windows\System32\perfh00A.dat

MD5 893d78f82b3994cf86b3c8c80cd7ad6a
SHA1 a68cfd50ebc35eee62c84f0fd74d20d1e0bb1476
SHA256 411b7581b0af88caa8c75409dc83ac8b521ba4d987d9347402438be16d31097c
SHA512 7f7cc32aca4f023f34e4ab7a51fbd0ca0b0ea51fde6d79b9a4322bee9b4d55800a981b2d97007ceadfa609767b7d84e9eebd8b3e92f9cb68855625a25767f42b

C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 2f13984ae57642e6b09fd87e8633b8e4
SHA1 39dfa367a4d48aaa804be1ba8779b83da8286ab7
SHA256 f92bb78ee7ed227d1d03e7bc602156dd145396693b12cca861785d5cb36dbac2
SHA512 4b07e8b8d4f8b101a1f2cdf30f88e3104c2e7790bb2a9c2f4ef4b521393572b68c0435b3454adce6e5d81f617efce4730a18e5a7b40ba80df289f156a18f1d06

memory/4756-1159-0x00000000060B0000-0x00000000060BA000-memory.dmp

C:\Windows\system32\perfh007.dat

MD5 b9a5000ea316ac348cf77beb0e5bc379
SHA1 4e666af14169eb10a0a08ac2f5ed5ecf4764df46
SHA256 1b25a6879c667258cdb900683004ef007c6b3a1a933d823b124d9a6acf9de608
SHA512 9fd911586a0aebec11c48e9f78de3b3f6e41c98a2770f5ac10d0a3947b4b3f326a8c5028c478c8634fb84a071186606e69a7aff83b1cf972d4728e3923503118

C:\Windows\system32\perfc010.dat

MD5 0515a1da37c05145889c952be393545b
SHA1 2dfd0c6c788a28de47f0074b2b63e78e973da745
SHA256 445ffb36cf57e356c8a81a3b0879f664c3027fda0fe9b8b08a41a1aa51884637
SHA512 a3a1acb3ebfff3a64a2a26130877c9fc9acf02d08f02c0053dd038bebff5fc5b1a25b9641c2eb003c389034455e44c7aa1d4c719a9e6e91e1acc7cee2b00f93d

C:\Windows\system32\perfh010.dat

MD5 a5389200f9bbc7be1276d74ccd2939b4
SHA1 8d6f17c7d36f686e727b6e7b3a62812297228943
SHA256 494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087
SHA512 fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92

C:\Windows\system32\perfh00C.dat

MD5 d0a8d13996333367f0e1721ca8658e00
SHA1 f48f432c5a0d3c425961e6ed6291ddb0f4b5a116
SHA256 68a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9
SHA512 8a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4

C:\Windows\system32\perfc00C.dat

MD5 372fe4caff0b3e4226b9b2f724c46d65
SHA1 f46867fb163fde8b9f63375ec0d68341db458be0
SHA256 83d5ef4c544b86a89fa179d6c8487a23867816bddd136df26be91e2bb53230ad
SHA512 31cd6b936b0882884e1ecc47d46eaff86ef9cf49cb8600213d6e3c3145a85f30aeb1fa3cf5634d7ea0c5dd6af7f5e209208cb978e7f7d9424f65c469c612b9e3

C:\Windows\system32\perfh00A.dat

MD5 1402add2a611322eb6f624705c8a9a4e
SHA1 d08b0b5e602d4587e534cf5e9c3d04c549a5aa47
SHA256 0ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb
SHA512 177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f

memory/4756-1335-0x0000000006140000-0x0000000006152000-memory.dmp

C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Windows\system32\perfc00A.dat

MD5 8bab87294d0cc2cf5959a6c0f3018ab6
SHA1 58fe3d9997dfb9cf009f4eadafae81e473c317c0
SHA256 426e0fc5c43c06d5b0986b27367e2faccb117a845355bb87ffef441184ab154f
SHA512 e748f1efd020e754afd04aefcbb71955ed37ca4f32dd27481a38691cb386433b76eb8879d0f328f342c4e276ba7f37878ec17b230d7e8d308f115996499386c2

C:\Windows\system32\perfh009.dat

MD5 1ad05e460c6fbb5f7b96e059a4ab6cef
SHA1 1c3e4e455fa0630aaa78a1d19537d5ff787960cf
SHA256 0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71
SHA512 c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f

C:\Windows\system32\perfc009.dat

MD5 1e60bc5e525063b96078df17fbd3c4e1
SHA1 bae8eda409cb3e016ddd420c6354aeaac2d267b9
SHA256 a0894847ca6208cf7e519d8e825458596bbcd78156a453e32872de7592ea20d8
SHA512 5758d535e4ce20cc30b9b57fea1811feffb2655ecc6eec69c942defb4b4f8c06e8e37860f85ec7cad26df9d7635ecaf131a68ec4ee291aa36e448c7ef2339652

C:\Windows\system32\perfh011.dat

MD5 b80ff435d9aee22369f6246d7a2d9478
SHA1 05a278e903c2dfdd689418c8fb3bc432581b8a82
SHA256 4e14ba5f6e55a50ea95256ca14b35f0e70def0ad3505a84c593e48e9de0914a5
SHA512 c63d06d1f7247a8164923d1ae4e6d457324dde2edcd31a910e5e685c10d3cf79160a9e476d521eb559dcdfdbc167e461b6d04867772b8c7f6b23556eb303ea97

C:\Windows\system32\perfc011.dat

MD5 76b1f6a65baedbdbc6d058f5abf0b628
SHA1 a9a30da4d3a25d148f8e6defd917bf4bbcc95882
SHA256 b2b8592ae3cd9c2e2b55a8a4cdd16a34854f0d2c4f7c2e68427ecbcd19b6280a
SHA512 54bee70adacfdf9881373c96ff1a7f73657c1a1a0596f95cd63d72183e6883cb396ae4e79ac26c9ac51165d25e50d916ef462bcdb3c6a4ad0ef8346e6038749c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V3.0.exe.log

MD5 a9141ed1837f780cf691c7ce790db9c5
SHA1 86d5a6683a0031226f8477cb2d60edf65325f1ec
SHA256 cf428d3c771587984baaea34a2f01139009f4493431db844f2114daff8f958f0
SHA512 c573c632ab243eb226a878e67c03b328f341ccd8c8696c0f0b6ef7bf6cbc1ae72a1444fa4ac831547590b9420092b4a43528bcffc5ddeeaca071cdb951fa4bd3

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Readme.txt

MD5 85122ad50370f9a829b6602384b1b644
SHA1 6d0dc94e7fe82650422a17368314da0da58af6b5
SHA256 444cbc7b57b4a6198ee1474fd9623e1afcb8c7a0b180f05e961a822f4365499b
SHA512 a3ccd49bc0424534ba3b5ee558709022dd31d257ca48fd2eb8d7305ec098dc9275e016da332d293b7cdbdc5e91b82c7602c15abc52c0c0c4f3c81d4126b4afd6

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

MD5 d48fce44e0f298e5db52fd5894502727
SHA1 fce1e65756138a3ca4eaaf8f7642867205b44897
SHA256 231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8
SHA512 a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

MD5 87a524a2f34307c674dba10708585a5e
SHA1 e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201
SHA256 d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9
SHA512 7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Browsers\Google\Downloads.txt

MD5 7a01df9067b43643c7d7878b617fb861
SHA1 7a8f3cf11b726b8ff38e8b8a05293f503fbb1bb8
SHA256 58da8432380d3420659e3623b85315dfc56442f3f2714318279e4044741515cd
SHA512 5cf36c4194d8eb2a4786c56a7b5497c930e3123163a95d5ddeb0221c30f705102f21c602eeec1a49be728bdb5284887c53fdfe63a973f1f46b6cbe13e8a6e67c

C:\Users\Admin\AppData\Local\Temp\tmp63FA.tmp.dat

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\tmp647F.tmp.dat

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp643F.tmp.dat

MD5 827e1cf88899907badcfa03032cac087
SHA1 6e73bf6559ad16e86f77aa802ea119eae25c5a28
SHA256 8e9adaa5e4db956c5d3e7f351895d077ec0c970e53df4648817940c2c8e09167
SHA512 b4c9f6c134db44e9d71371ab7a9f9633448aea603b5f446d00a06bd6d04642b3f0d0ce670e06d34dd78bf046d9a247d63719cccbd54f76b2be647ba556aaf4bb

C:\Users\Admin\AppData\Local\Temp\tmp643E.tmp.dat

MD5 7872fbf0a1bb518682babda3d8dc7b4e
SHA1 9714d4f9f7e7c3b9a99f656b88b3a10cbd9c65e4
SHA256 a821fa964b5c5273f0e4696e98815f07113c85436cc468f41f39722e7d2767c2
SHA512 f91bb32e1675f822af53ebc91dc5764625b13bc2e365dcf795e1132525857e5d43a18b2f53b4bb70722aef7a0eafd5b3e4d1805f8567d325d34ae41c281832c0

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Documents.txt

MD5 f4cf79c19d4de392d1b67e5acc967a96
SHA1 53dcf173e601b449b059379f14d434e6353759f5
SHA256 d8e2a3d78770ae4f3d27e6b19491650c871710a371e7972f92bb3dd13849735d
SHA512 07307c0e295d94942d5761fd8e80c41f3a812e824c6af2f48c0ec9a55b428f41212a1cc7cc9e6a4a915019e46f4913520b891743a17f03262257ce41845128fe

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Desktop.txt

MD5 05ab0a474942eb2b64d5637768e43477
SHA1 cc50326c277d10bbf3242e07ba3f0689c0a0eead
SHA256 f941c8e261fd3b56f5ec955fcdbe9d3b0244e639dc31d4b0b6212562da4044eb
SHA512 7d512f0e193804298510240e6650f7fd332d8011f39852641e4ff16c27c4eddb754ef7d0e8aaaa7a9ed3d089dffac5ee95e19cd0a30c0ae49e07304267f7100e

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Downloads.txt

MD5 d27923a08080758c11271c5d464fc1f8
SHA1 4446847164cb2ff8062084855b39773b4563d8f7
SHA256 3eb198b511919296273c5b85bb3fc0861437d4100fa966836a5d8c07593996ee
SHA512 cdc8d422f8d61c10e8e9b66561ad4d2127b81d41ea327679ad641416ae6fe88a29ca082ddc0d1cad331b060125f85644ebf533f304df615b282eeb845199f504

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Temp.txt

MD5 bb88062cd0043b12b403dcb2edf708e5
SHA1 6a73b00c30514c285070c4d05025bb682910fc70
SHA256 da17aea7a3fed2b442218c129bbbdd25c08f9442532bf2678b71470b8c994f23
SHA512 e2cdee9fb906687da179195518ab6917bf5ac91bccd08e55a4cb868c6be8e1d2500ae192218612f1406bd4be20f16da77221d3dae178c4e1f292b5fa379f63f2

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\Directories\Pictures.txt

MD5 dd5c7754794863fb0bb811d51d30c056
SHA1 b504b915558911f1d0bd87db2f929b313fc7deb8
SHA256 0798eba38430df53c2d8c747a29a39f0c996e9e5bef4252242f0e7d018676acc
SHA512 c7b3d546e69d8cb9f0fd57c0d4830a57ffd17af9bc0b9263f65af0840951b9ee76f3afb458d8717978b17fb951020ff3ac6cf4ca647715aa6442222bff0b502e

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 475460b147a0fd49e1537e9a11b12e8d
SHA1 8f28bed0c78351e3a50437db500a6db682010bb2
SHA256 93b9f9a65401489e5a3f79f12ef0a81f64715684973e41ad6bdb70662a6ae468
SHA512 65a8b516af67030b431d76f43162db3fe1ad448f837c1747efc4491160cc7be7e6d0d76d347222c057169327980618b0ee59910afa98e8b00bdf13d7cc701159

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\WorldWind.jpg

MD5 6c43207fbca593e00f427a406f2926c2
SHA1 14af48b220d3ec9fd0f6823585f0802e35a77faf
SHA256 a591dc1bfed6acc477a091fa3759b8e8a24f268290eeb8337897ea24b76a3e3e
SHA512 0efb4e1fd25381007291351a57c0cb10d667bdc3694174821fdc72d1a17cae7d75107aada078d3f6dc74323dd017fa984780ba2ac839a4eed1e349b350e561c1

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\ScanningNetworks.txt

MD5 58cd2334cfc77db470202487d5034610
SHA1 61fa242465f53c9e64b3752fe76b2adcceb1f237
SHA256 59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d
SHA512 c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Windows\system32\perfc009.dat

MD5 6ba86043d5bb686959fccfc96b66a406
SHA1 1a0124b6bf961cc0b4dcb39fc0553b8b51f3bcae
SHA256 ef92dae76f5fb86dc1946dd90308670a7b9b0f9a2d015dfdc5a949a9a57deff1
SHA512 475dbbbe812391d0d6b51232d2fb74dd3546511fd56c8baf5b2fc11bf315e61a1bd621fd64c68ffbfc62a2cfb2695c7ecb7eb6cb68e0b0e8c69ccd7615e11341

C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 7ed5a8ca1ca30f47dc7de170ca7e89d9
SHA1 ad3500ea5511fc60c2040530fbe5519b26e73754
SHA256 e5a76d9e78053458a975b40295d0ffca17f5d75f1ec2aa2f105a0334aced5a1e
SHA512 8b93ba57f92b719c24f999fe499c09b21ad5586747b79d05f8d4e8ca430885377cd3e0e7484815385a586959789910419c0ce25bcdfd7e0b9bd1675174d7b3db

C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 f2fc47f4732c8b8eb0c1e0fff0ba6435
SHA1 aeba563840c6aee404dc665f6ed569e61912f69e
SHA256 bb09417f41b08627feeebb1051b420e08abdab7bbaa3bac55992bbeb57073311
SHA512 04c01875225a374fb9ef3b9a1c2007e170cd9a59590a8b43320767399aefcb7bdc172082b73cbc54358d0c036b0e53e9053f5495a035dc7a2af7b47fc78c7208

C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Windows.txt

MD5 c18da227c6da8ae3f0d046ae30cfe0f3
SHA1 ac96d9a4060cbf343c452c614329f055f8bdccae
SHA256 f11d345fe7370897c4c0e6861c3b4f680e6b3dbaf6739e2681a96003dd4bea5b
SHA512 b1aded7558cb62ed845bc33e5fa95dc43e317682261406a590d15d5a0de296eae0eb8de4836267751342c835fec6813249e50c7de2ffc7e6eb29dfeb3f0f06c0

C:\Users\Admin\AppData\Local\5ad6d1b108ad80ef730197e1b2c85a31\Admin@FCYEIXNJ_en-US\System\Windows.txt

MD5 cba48aae7f8ed072c82186c8d5b434f6
SHA1 990359fea82241550f330f1360795cd8dc381a96
SHA256 4428a3a1c30f21dad58c46271d82fc45e6836fe52cd89acce753224117dba6b5
SHA512 c69351230d4c8503ecc5aaf263802acaa66f2b5a249e66da22c6284dca67968deb73961c5c40e8b300fb05275aa0fa4cd81e9b4d9f606c5d69554d6fcefc9af4

C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 c0e370d5a76db036203a0f30ecd743b2
SHA1 3d69ed806946920b90b81145aece57b5aa592407
SHA256 e9f88dabcf6db4725d4233643fc6fc16f598341b5e95cba09791fb215530666e
SHA512 94eaa163a9bd5d067f4982a50cd42946bcdbc84e1d0c4ebf988d5f8a5ef63e7acdeeea4cbc2621eeb7b72411a1f8542a1517848cd4ec9fdb25586aa039cc984b

C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 aa77db19364858bab00ce95516ccd21f
SHA1 f1e10377ab570b2cdcf69b4869341e8f7ca1f447
SHA256 ee8f76385501c07860a31e22ef66da9ee7f9d09ecf4e88d94d192deb6d992ff1
SHA512 f65c718b0a3c3527ced9add3adb4da656e18ab0ff8dccf73ac7271f062d4f735e2249d40bf8ef913b82db2d156293abc91039974b8268c3fb0c8d29671387846

C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 d137fb9768c5ab5f6f75e13fc1855518
SHA1 251ef0da55cfd8fe031a1b6320183b8b5ee710e5
SHA256 89f8cd2d041dea1f375f0c3f8340f1a7ef3229e50076f93f22f115c7b21129ef
SHA512 c4bd8c6f03890eb132459db1c15e0a06025857e5cbfe3a7f2583ee893047f47d653743a19a4eeaf1cbe5a7fa6f0dc6c059702637d5bbe77e3853b3b0ef23b09c

C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 87ca6ac958a4fe2a79d6921bbd84e0af
SHA1 7ef6c95f8303b4d1e9670a321707ed6fe048aa67
SHA256 7bd3efca77acd0a79578b5b9c0fd470ef0d324c3723fc1161ba6b2cbad353b2a
SHA512 0858a02ce0eae87d639e2c98a2e6d1a9937a39de786f94503c27a23c7a34828c7b19b2da601910015e33fcacb6ddd74a3c47aea876b1a3c4f2503a9ee7acf829

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 84365d59cd1e9a334fb0c56265c78426
SHA1 6f88bd9d7fc4fabc1a7906b47b6a882b097202a5
SHA256 7bd5b1bdc735dd463a749cb97cd1c98a3316af9d2c6cb32ead02845646725632
SHA512 b19b68f19f4e8145269426cb782cc5eda0d0f06fe4795e8f2f188c5ff73acab25117743aa08e08323cbb4b45e6d49485acb7d6fa93f6cc0482d14f536ebbe5ec

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 33b30b43675f68f4fd92b2045919cd82
SHA1 74f54a90dbbaf1d9c8c912233e084b38cf6a8ee5
SHA256 6c4044456d35aff958293510f1ff3332f3628589f1fd6e8d84cd1c3219e0a588
SHA512 ac9df2af40b7096285234592d28586793657793f9662b44e663e1aa74be0eb42cb3a7e5f1a23cba4f563ca366dbc51301c776d8523255a1e98ceaea8d070a494

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\Process.txt

MD5 55252741a8a214c6bf2d08b7d85de557
SHA1 4ffbc2a970ee21e825da0e06df9fda68c4aa51cc
SHA256 099c2e7538d9322302c23de448ba913a25f5fab6077fa6085f602396a74a0a92
SHA512 55078508204f9853fddfbffe199a93b2b74cdba6c2d4a9a2754dd294d8eb46767f2c1e3125c30d38c75c75c4148f40bbad127b82a07ffe09a392e1513da33608

C:\Users\Admin\AppData\Local\0190c5cc6755edc6f533ea7377655365\Admin@FCYEIXNJ_en-US\System\Windows.txt

MD5 05a814e2f721d1ca12ad0a4280719f91
SHA1 89c8f2bf6a20fb7b455a4b946bac024067b24041
SHA256 72538c39d4c1f891d0bd5c200e2436e32713c8c81a4452f0e32c3bf832d89c61
SHA512 018735405170e0f6dfada7cd30b47a7720a1665d889a33c6ece9d245c7d6138d486a1fbab14cc29605f977e36b7799591bdf5d03bd5d0055c3b356718064757f
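The dropped-file list above is raw data, so here is an added triage example (not part of the sandbox report or the vendor's tooling) showing how a responder can work it: parse the "path / MD5 / SHA1 / SHA256 / SHA512" entries, separate the stealer's staging tree from the Windows noise, and recover the contents of tiny artifacts from their hashes alone. The classification rules are assumptions drawn from the paths in this listing: the stealer stages its loot under `AppData\Local\<32 hex chars>\Admin@FCYEIXNJ_en-US\...`, the `perfc*.dat`/`perfh*.dat` files under `System32` are the Windows performance-counter string files the OS rebuilds on its own (so the "Drops file in System32 directory" signature is low-signal by itself), and the `Temp\tmp????.tmp.dat` files are left unattributed. One concrete check the example makes: the MD5, SHA1 and SHA256 recorded for `msgid.dat` are the hashes of the single ASCII character `0`, so that file's content is recoverable without the sample.

```python
"""Triage helpers for a sandbox dropped-files listing (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: entries copied from the listing above, in the same
# "path / MD5 / SHA1 / SHA256 / SHA512" layout the report uses.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\b6a1fda535893e3951eeb1fdb2c82063\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\6a4443820b599dd34591c67474587ad8\Admin@FCYEIXNJ_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

memory/4756-1335-0x0000000006140000-0x0000000006152000-memory.dmp

C:\Windows\system32\perfc009.dat

MD5 6ba86043d5bb686959fccfc96b66a406
SHA1 1a0124b6bf961cc0b4dcb39fc0553b8b51f3bcae
SHA256 ef92dae76f5fb86dc1946dd90308670a7b9b0f9a2d015dfdc5a949a9a57deff1
SHA512 475dbbbe812391d0d6b51232d2fb74dd3546511fd56c8baf5b2fc11bf315e61a1bd621fd64c68ffbfc62a2cfb2695c7ecb7eb6cb68e0b0e8c69ccd7615e11341
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)\s*$")

# Assumed path patterns, derived from the listing above, not from the report.
STAGING_RE = re.compile(r"\\AppData\\Local\\([0-9a-f]{32})\\(.+)$", re.IGNORECASE)
PERF_RE = re.compile(r"\\Windows\\System32\\perf[ch][0-9a-f]{3}\.dat$", re.IGNORECASE)
TMP_RE = re.compile(r"\\Temp\\tmp[0-9a-f]{4}\.tmp\.dat$", re.IGNORECASE)

# Tiny contents worth trying against the hashes of small dropped files.
CANDIDATES = [b"", b"0", b"1", b"true", b"false"]


def parse_dropped_files(text):
    """Turn the report's path/hash blocks into dicts; memory dumps are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            entries.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        else:
            current = None  # e.g. a memory/... line: hashes after it belong to nothing
    return entries


def classify(path):
    """Label a dropped path by which part of the listing it belongs to."""
    if STAGING_RE.search(path):
        return "stealer_staging"
    if PERF_RE.search(path):
        return "perf_counter_rebuild"  # OS-maintained counter strings, low signal
    if TMP_RE.search(path):
        return "temp_unattributed"
    return "other"


def group_staging(entries):
    """Map each 32-hex staging directory to the loot paths written under it."""
    groups = defaultdict(list)
    for e in entries:
        m = STAGING_RE.search(e["path"])
        if m:
            groups[m.group(1).lower()].append(m.group(2))
    return dict(groups)


def recover_small_file(entry, candidates):
    """Return the candidate bytes whose MD5, SHA1 and SHA256 all match, else None."""
    for content in candidates:
        if (hashlib.md5(content).hexdigest() == entry["md5"]
                and hashlib.sha1(content).hexdigest() == entry["sha1"]
                and hashlib.sha256(content).hexdigest() == entry["sha256"]):
            return content
    return None


if __name__ == "__main__":
    parsed = parse_dropped_files(SAMPLE)
    for e in parsed:
        print(classify(e["path"]), e["path"], recover_small_file(e, CANDIDATES))
    print(group_staging(parsed))
```

Running this over the whole list (paste it into `SAMPLE`) gives one group per staging directory, which is the quickest way to see how many separate collection runs the sample made on the host; the `perf_counter_rebuild` entries can be dropped from any IOC export, since their hashes are specific to the sandbox image rather than to the malware.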