Analysis Overview
SHA256
719fe9d0e6787ec225258d6ad79654cc90fd923f0f402965640efd7c132f3f72
Threat Level: Known bad
The file 701bd4943357734318ee825bf2c0bec0N was found to be: Known bad.
Malicious Activity Summary
Netwire
NetWire RAT payload
Netwire family
WarzoneRat, AveMaria
Warzone RAT payload
Drops file in Drivers directory
Downloads MZ/PE file
Unexpected DNS network traffic destination
Checks computer location settings
Impair Defenses: Safe Mode Boot
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
NTFS ADS
Suspicious behavior: LoadsDriver
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-26 23:57
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Netwire family
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-26 23:57
Reported
2024-09-27 00:00
Platform
win10v2004-20240802-en
Max time kernel
117s
Max time network
164s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\drivers\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 185.228.168.9 | N/A | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4344 set thread context of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe |
| PID 1680 set thread context of 4460 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
| PID 5880 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Blasthost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{18BD9A6E-DA3F-45E2-805F-11EF6B906D07} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 996975.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe
"C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe"
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe
"C:\Users\Admin\AppData\Local\Temp\701bd4943357734318ee825bf2c0bec0N.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd762546f8,0x7ffd76254708,0x7ffd76254718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5624 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3568 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6552 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,2247033664530187367,17583025150413184481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8
C:\Users\Admin\Downloads\HitmanPro_x64.exe
"C:\Users\Admin\Downloads\HitmanPro_x64.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe
"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe" /update:"C:\Users\Admin\Downloads\HitmanPro_x64.exe"
C:\Users\Admin\Downloads\HitmanPro_x64.exe
"C:\Users\Admin\Downloads\HitmanPro_x64.exe" /updated:"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| GB | 92.123.128.167:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 167.128.123.92.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 92.123.128.146:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| GB | 92.123.128.169:443 | th.bing.com | tcp |
| GB | 92.123.128.146:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | bing.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | 146.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.133:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | www.hitmanpro.com | udp |
| GB | 2.18.63.58:443 | www.hitmanpro.com | tcp |
| GB | 2.18.63.58:443 | www.hitmanpro.com | tcp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 104.18.87.42:443 | cdn.cookielaw.org | tcp |
| US | 104.18.87.42:443 | cdn.cookielaw.org | tcp |
| US | 104.18.87.42:443 | cdn.cookielaw.org | tcp |
| US | 8.8.8.8:53 | pricingapi.cleverbridge.com | udp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 172.64.155.119:443 | geolocation.onetrust.com | tcp |
| US | 104.16.243.229:443 | pricingapi.cleverbridge.com | tcp |
| GB | 2.18.63.58:443 | www.hitmanpro.com | tcp |
| US | 8.8.8.8:53 | 58.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.87.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.155.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.243.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | sophos-privacy.my.onetrust.com | udp |
| US | 172.64.155.119:443 | sophos-privacy.my.onetrust.com | tcp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | download.sophos.com | udp |
| GB | 2.23.221.234:443 | download.sophos.com | tcp |
| GB | 2.23.221.234:443 | download.sophos.com | tcp |
| US | 8.8.8.8:53 | 234.221.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | files.surfright.nl | udp |
| US | 8.8.8.8:53 | scan.hitmanpro.com | udp |
| NL | 52.174.35.5:80 | scan.hitmanpro.com | tcp |
| NL | 185.105.204.28:80 | files.surfright.nl | tcp |
| US | 8.8.8.8:53 | 5.35.174.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.204.105.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| NL | 52.174.35.5:80 | scan.hitmanpro.com | tcp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | remnants.hitmanpro.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.97.160.56:443 | remnants.hitmanpro.com | tcp |
| US | 185.228.168.9:53 | 8.8.8.8.zen.spamhaus.org | udp |
| US | 8.8.8.8:53 | 56.160.97.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.168.228.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | hash.hitmanpro.com | udp |
| NL | 23.97.160.56:443 | hash.hitmanpro.com | tcp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | scan.hitmanpro.com | udp |
| NL | 52.174.35.5:443 | scan.hitmanpro.com | tcp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| NL | 52.174.35.5:443 | scan.hitmanpro.com | tcp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
| US | 8.8.8.8:53 | wealth.warzonedns.com | udp |
| US | 8.8.8.8:53 | wealthyme.ddns.net | udp |
| US | 8.8.8.8:53 | Wealthy2019.com.strangled.net | udp |
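The rows above show three hostnames on dynamic-DNS style suffixes (wealth.warzonedns.com, wealthyme.ddns.net, Wealthy2019.com.strangled.net) being queried at 8.8.8.8:53 over and over, while every TCP session in the table goes to a hitmanpro.com host; no connection to a resolved address for the three names is recorded. That is the shape of a RAT polling a C2 name that is not resolving, is down, or has been sinkholed. The script below is an added example, not part of the sandbox report: it reproduces that triage from a text dump of the table by counting DNS queries per name, recording which names actually produced a TCP peer, dropping reverse-lookup and RBL noise, and flagging dynamic-DNS names that were queried repeatedly with no follow-on connection. SAMPLE_ROWS is constructed from the rows above; the suffix watchlist (DDNS_SUFFIXES, which treats warzonedns.com as a dynamic-DNS provider) and the query threshold are assumptions made for the example.

```python
"""Triage the DNS rows of a sandbox network table for dynamic-DNS C2 lookups.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed
from the rows in the table; DDNS_SUFFIXES and MIN_QUERIES are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed from the table rows above: "<cc> <ip:port> <name> <proto>".
SAMPLE_ROWS = """\
NL 23.97.160.56:443 remnants.hitmanpro.com tcp
US 185.228.168.9:53 8.8.8.8.zen.spamhaus.org udp
US 8.8.8.8:53 56.160.97.23.in-addr.arpa udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 hash.hitmanpro.com udp
NL 23.97.160.56:443 hash.hitmanpro.com tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 scan.hitmanpro.com udp
NL 52.174.35.5:443 scan.hitmanpro.com tcp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
"""

# Assumed watchlist of dynamic-DNS / free-subdomain suffixes (not from the report).
DDNS_SUFFIXES = ("ddns.net", "strangled.net", "warzonedns.com", "no-ip.org", "duckdns.org")
MIN_QUERIES = 2  # assumed: the same name resolved more than once in a single run


@dataclass
class Verdict:
    name: str
    dns_queries: int
    tcp_peers: tuple  # destination IPs the sandbox actually connected to for this name
    ddns: bool

    @property
    def suspicious(self) -> bool:
        # A dynamic-DNS name polled repeatedly that never produced a TCP
        # session: the C2 name is down, unresolvable or sinkholed.
        return self.ddns and self.dns_queries >= MIN_QUERIES and not self.tcp_peers


def parse_rows(text):
    """Yield (cc, ip, port, name, proto) tuples; names are lower-cased."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        cc, endpoint, name, proto = parts
        ip, _, port = endpoint.rpartition(":")
        yield cc, ip, int(port), name.lower(), proto.lower()


def is_ddns(name):
    return any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)


def is_resolver_noise(name):
    # Reverse lookups and RBL checks come from the resolver, not the sample.
    return name.endswith(".in-addr.arpa") or name.endswith(".zen.spamhaus.org")


def triage(text):
    """Return {name: Verdict} for every name seen in DNS queries or TCP sessions."""
    dns = Counter()
    tcp = defaultdict(set)
    for _cc, ip, port, name, proto in parse_rows(text):
        if proto == "udp" and port == 53:
            if not is_resolver_noise(name):
                dns[name] += 1
        elif proto == "tcp":
            tcp[name].add(ip)
    return {
        name: Verdict(name, dns[name], tuple(sorted(tcp[name])), is_ddns(name))
        for name in set(dns) | set(tcp)
    }


def suspicious_names(text):
    return sorted(n for n, v in triage(text).items() if v.suspicious)


if __name__ == "__main__":
    for v in sorted(triage(SAMPLE_ROWS).values(), key=lambda v: (-v.suspicious, v.name)):
        flag = "C2?" if v.suspicious else "   "
        print(f"{flag} {v.name:35} dns={v.dns_queries} tcp={','.join(v.tcp_peers) or '-'}")
```

The `tcp_peers` check is what separates the hitmanpro.com names (one DNS query each, then a TLS session to the resolved host) from the three dynamic-DNS names, which are queried repeatedly and never connected to. On a live network the same logic runs over resolver logs plus firewall/NetFlow records joined on the queried name.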
Files
memory/4344-0-0x0000000000A80000-0x0000000000BEB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
| SHA512 | c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292 |
memory/1708-12-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4344-14-0x00000000024C0000-0x00000000024C1000-memory.dmp
memory/2824-15-0x0000000000BF0000-0x0000000000C0D000-memory.dmp
memory/2824-23-0x0000000000BF0000-0x0000000000C0D000-memory.dmp
memory/4344-25-0x0000000000A80000-0x0000000000BEB000-memory.dmp
memory/1068-26-0x00000000007F0000-0x00000000007F1000-memory.dmp
memory/2524-28-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
| MD5 | 9bf6045169b192244cfeb2b320b8a468 |
| SHA1 | b94874bf2c49fa87a7cb97a08f82b40d7001f8e5 |
| SHA256 | 7a96508f95b934d8aebacdb9ee6a77331396d70740ef01f929eb71dcd8683575 |
| SHA512 | 02897d51ec2457b1c3d380568be06a5f28460ae0cbabd5a8c2eaa957f3824eff8e4dc602ac11a2d3c95ce8d19afba883af17a9aecef045407ce58c6a3a430258 |
memory/1680-30-0x0000000000BB0000-0x0000000000D1B000-memory.dmp
memory/4460-39-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4460-47-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1680-48-0x0000000000BB0000-0x0000000000D1B000-memory.dmp
memory/1948-49-0x0000000000EB0000-0x0000000000EB1000-memory.dmp
memory/3204-53-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\Desktop\BlockClose.vstm
| MD5 | 3406c7cebc35f54f82f43333de6c13ef |
| SHA1 | 3089ceeb736bdec890fadb395e9e38c59b214c24 |
| SHA256 | 0ff1144aa931e1a2b35b602f14836eee6c696ab16579d6dba63ff88ebad00800 |
| SHA512 | 708be022c19f89276d82ad170dc540e0ddd2d4b56eff8dc750c4226517ea0e3dd7c7ff1570221b98a7cc87e10efcc1b359a241760af0114b02c8267cc7c7761d |
C:\Users\Admin\Desktop\ConnectExit.csv
| MD5 | ec45b8b4d2b2f340281a09513945433e |
| SHA1 | c91b0a7a1a881a2ac6b6f7bfa6158b36b166ff88 |
| SHA256 | 19d060a7b68c5d7e751bc555d11bc198d9199dea6b0f1793fd989f1bbf67e4cb |
| SHA512 | cab4f7d5b09ea8cbb67b3ded1a98cfa340c0ee479c2210b433b941aa137f391dd91c8ee710b438bf7c86fa4bf3324b6fdb270e3073b75c6c94a22651432becab |
C:\Users\Admin\Desktop\CloseMerge.vb
| MD5 | 7f5b1fe4684ec687fd5d69981b2f482b |
| SHA1 | f2d6db70108893f03b4a6232bdd079b303c2fc3e |
| SHA256 | b92faeef9750705b29b6f4bd2f77d38fe787a9a8c557f05ffe368a307f90911b |
| SHA512 | af10acad281f99a1efefba3c3ea2504f4fa44812eb0cb854204cbd266ca24e60c940c36367e9351f0e32ea33cd0648a3441f49782a60d1beea571dc2c3131429 |
C:\Users\Admin\Desktop\CheckpointEnter.rtf
| MD5 | ad0a983f6478af5396fcbe0a98039ffa |
| SHA1 | 1296a5d84d835dbbf3dbe2be02b77305b01b2f5f |
| SHA256 | 3928de7e8a41a69509c03702bc9737d93c9f23694cc7880518ccdfed3d814820 |
| SHA512 | e6d5c89527f14ed40b73c3a2d7229c7f61fb7fdf8e7187cc9eb8dd8cf29cb3e566ccb591837fc81ea59b0011b636e6ec9b9f2a3c3a4ee57491bf94d4f9c3f837 |
C:\Users\Admin\Desktop\FormatRestore.css
| MD5 | 86b57ec464c2c20a202a1f3872b098c5 |
| SHA1 | 8b1a0330c0f6fc5c00d4886b0a3a880feeb92eb6 |
| SHA256 | 56720e9beac72c6d33efe0e1841b346fb7f8c05bb0dbcca298cecfa605f8c736 |
| SHA512 | 1937f9163f9212b55c3ad24678bfcf6cd7a95e27ae408ea5499b2b871359d739bc1ec731f9b310f75a4d2af2b649b61cb5b46433454f29bd21aad9f4955d2080 |
C:\Users\Admin\Desktop\MountWrite.xml
| MD5 | 159f9418bf39f66d13481c80ab70a173 |
| SHA1 | 3fb48295657e0b918291b044ef0701ecba302f21 |
| SHA256 | 6b77f7245f878a72fde93b72501a9e2e7200d5b0bfa0f6f5564946d937d48494 |
| SHA512 | 9908d3bc97a89952bb308cb6a6651038cb3c3941017fd69bdbd1be747339963ce900b2b9e1fe7e1f920c094f54756dd7efcc4afb9feacb15f564cba010de6e57 |
C:\Users\Admin\Desktop\MoveInstall.lock
| MD5 | 115587c87a12e6798ba15427cb072a46 |
| SHA1 | bc0de5a9301fab7d1ded26517119b1642a46bfd1 |
| SHA256 | d770fd84671946b383d84b39859303128ef1a8dfae3399924164e6ff1d438343 |
| SHA512 | c4a7e4c7f6ef2a00929b56d71a95941e9f97ebd5342e4c068f88b62b6f70fbafafb2fb15db04edf7741dae83bb3aa6d062ea14b96428ee65f68e5f2c065118e1 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 862c7426195575dcfbff667b86dbcaee |
| SHA1 | a8886cd4da791f2bd92784a0233e1ae5977e8986 |
| SHA256 | ee99a6882046192fe8d7f9921690c9a776fbd2391b25506a12c6e3f7e1515b79 |
| SHA512 | 04cf882bb9eb212e3ff2960857b6914b6ea97ed97700c1617f95235ba293d802d71220b9a873aa274acc6cec038abe4f630293260b896027d888f96d23acaf3d |
C:\Users\Admin\Desktop\LimitApprove.xlsx
| MD5 | a0e73abe6a2b7418ae5d2df82b0cf60f |
| SHA1 | 50362d542b057a8c60132e06ea5eb83f827d3397 |
| SHA256 | 24bf6a4f40b1399676ffaff2c57390810a56c7f2f1c160fbe5fce0e0d6873664 |
| SHA512 | 8a7fdafeade7144503a4e40ffd2de130f0242c3cc0b56cb19d02f4f6a1462cdc1d5ed3bacbc09ea651ae39696f9266a4444ba060e262caf4cfe5ad420940a425 |
C:\Users\Admin\Desktop\FindStop.ram
| MD5 | 25242825ae96de46045ef8991d124206 |
| SHA1 | bd774d6b28a544fd81ff816f816ca89196118c9b |
| SHA256 | 112fb2ac947640ab56fbb7f65ab0649001d5b07f8e990a346c01628fd9f043c9 |
| SHA512 | a4040e0edf635501742da7d083c5cf8c5ac9cade690629a6f2461e452cab2037c8fe83d9fe877aba46a0c6fc58f843911d8ac4845806c6dbdfca07c6c7c4229a |
C:\Users\Admin\Desktop\EnterTest.crw
| MD5 | 73721781a4e0230db424100fc455fb7d |
| SHA1 | ff6ae2d42759442a5fceded2acd3f9c6c8ac3aa5 |
| SHA256 | dad10b0de687177cefb30ba556ec276be0d0a3c0547a551164819761c4afb87f |
| SHA512 | 850a118b138cf342c919ec86f7b3e9f403b37c2006a22150f4351a90cc3a8d21ba8b61defb9b050a7c2d9c207d5949c24861178323f8ec1ede68f3eaa627deec |
C:\Users\Admin\Desktop\CopyStep.wdp
| MD5 | 34e2736badde18eeb9f894636d5ea88c |
| SHA1 | c94126644e187dc15a7c7aa23c568bcfe8f30bf1 |
| SHA256 | 48dae745dcfc10c7e90b0b8c5a25b0802fa7d29a91617a01adadb6a7348394c4 |
| SHA512 | 904d57d36f81aaa3d2b7b665ad58eead1bae62c46b92b2d70b3836ba8d5e7c8e02fdd4b4da00642f449629f16949cc6407a23f390287aed665c0510ea9a155b7 |
C:\Users\Admin\Desktop\ConvertFromInitialize.mpp
| MD5 | ccf1d102a79fbd794321a8a72b918750 |
| SHA1 | f714225a35d120fb01f1bbd734ad4902c0334bba |
| SHA256 | 73d02b77d6ed7af54749eb0cc782406c4727f251baf3132b9452a9437af6c73b |
| SHA512 | 093a6cd73be38697e402e0bcc341489e146e78b637cf9aa2630d7d272d2de753841417050dfe29315498b063e2b077adee348a75a8d2329c735a1003da16a012 |
C:\Users\Admin\Desktop\NewPing.xlsx
| MD5 | e037dd87bec8a0fdf3636b3e4fb72c40 |
| SHA1 | 72019ee9c2ebaf0f7a7688782f6a2b3b7b915690 |
| SHA256 | a5dc12d32df8ce4e06832ab570d741120b8e73276456755c853c5a720a226d82 |
| SHA512 | 5da877836dc2cc06088d1d9bc5361288a204b516ffa4c9016c5ca37feb7383c1d35dfba2946ef63c77f9fe72f647090a0ecd9d085efb8280f3defd081038cda0 |
C:\Users\Admin\Desktop\PublishImport.gif
| MD5 | 99a315ff18f82cb2da291828b804eb31 |
| SHA1 | a99a5a7a3c6370e6906261442871ca101c5cae01 |
| SHA256 | abe3fde16758aaefe0775f04fc0373ac1f88b26a4d792f263fc2c9a07d39e879 |
| SHA512 | 90f1ee40e94a82f0fc8137e4e65efafb89b4c2b5117d4ef45b163e213a4ee7736ab087db38e7564d58d883ee3e773fa1f3bbdd5213b5dd598a5c6d7dd76f3b34 |
C:\Users\Admin\Desktop\OpenUninstall.zip
| MD5 | 961b5fbf6e3769554697089fa17d9fd0 |
| SHA1 | b661a5b71024c5ad1f686bade903d106f64f7095 |
| SHA256 | ae6fc9ba508dba59506048d36a3b69975cd96c26867c072a0ed257884eb6b983 |
| SHA512 | 3a7f865a0839fd71305ecf8e3fb8ffdd1db0c5aa69e0fa832eb2223cef2a1fa2cf213a4e22e71bf4d021933b5b6de358675994a4671add44ac63dcd89bf962a1 |
C:\Users\Admin\Desktop\RemoveNew.docx
| MD5 | fed4c26259a893764af311fd8b175d59 |
| SHA1 | a4b315e1207c3cbc967e661cc92c50592c2c3243 |
| SHA256 | 5384f56a6ffa9d3ccbb4bef93a90d9d88753cda08348a3cf2125f6cb4de7b028 |
| SHA512 | cfdb3d2bd923555c0b436a8759b2ca0507365402ab63f82e05c6e7e66201a8cc79095eca93b65b0e6f0d978d181e4a51baa2ea26777ffa44a23e1718956c81d5 |
C:\Users\Admin\Desktop\RemoveOpen.docx
| MD5 | e1109a46dd58685a9eb905806c617926 |
| SHA1 | 5ff1fe5382974997ea72c8bfb1f5f20b21962ade |
| SHA256 | 6289568fe75b551141a9041039fa1848876df142434b15a961407e9a91ff6e77 |
| SHA512 | 473136abe10abb9f2df54c1e336d98608a39eaac3b28d8bd1dc8789417eb9745952f76216456d2fcad4521bf370d85b8c08f82dd263c20101028e68bfaa57a4c |
C:\Users\Admin\Desktop\SearchDismount.M2V
| MD5 | db2ff7f90c5f0fc4ebed237099e9884f |
| SHA1 | a53f370519b401b0a0408ebee2bbbb2441716222 |
| SHA256 | e7154a19b4ae09f87b256f1fd48197bd2c45e891ac6154b9a0b26e5c0adfedd8 |
| SHA512 | 0231844d5203e0e2582e2692f1d386a665e9d05496e768bc5baa68f436bc2328f7c175d94e091c0edf2ee6e24c6ca4cb0c6f81cac1454049c29d360a3ca7ebdc |
C:\Users\Admin\Desktop\RequestRead.dib
| MD5 | 63daf045d10ca8be4ddbd049dce4144a |
| SHA1 | 5ed28490c3e0c3657ee0e5cf96cb481435d9f8d1 |
| SHA256 | eb2c73b68740d68a682e3818f6d633b7dc0344b77163b6f89f494a9061824380 |
| SHA512 | f1f0f9ccf3faa632517c123780acafce5e1f98eed83cb42b10ff438d66f44fd42219c1d718b93c185f4c93ba3a2d89f124610fa595fdc9acef50d9bb37cef4ee |
C:\Users\Admin\Desktop\TraceConvertFrom.mid
| MD5 | 2d1cc53a8179b93288e56efceb95a10c |
| SHA1 | 95ff23c3d0a36185317a675b1aee0a624bc17ae6 |
| SHA256 | 1b3ee306adc01cbf1fd2f0587d7090c31962854d0387ff015e16ada5a2562bca |
| SHA512 | 432a1f24d46772eb54c92b3288b2f0161e67080238e29d7d52633e011bda1824cac5ce9ea849352f15f16456f87c33e2737e0ea33a3a0a3b383c7b91be43135c |
C:\Users\Admin\Desktop\SkipShow.mpeg
| MD5 | b8b8d8d67fe7e7ac243aec27239e51ca |
| SHA1 | f5bcd5b56063a2bb44a32fab1b54b52f773eb2d9 |
| SHA256 | 86be6866568779bb96e091999172ee6b842e301d60db45ccc79379a523692af3 |
| SHA512 | 5cd04e2cd3ecd097fe4383de610c50a739dafb6dbe75eaf8bf04efd374b455a51676a7de7f4d5b9751a5efab9fe67afe913819c66c71b34a3197d192f2cd82d5 |
C:\Users\Admin\Desktop\ShowConnect.3gp
| MD5 | 3ac91d9bbf47f4189305045a9d00a054 |
| SHA1 | 3c9beca4ad3027ca3d6128d8e11551a9b3192b79 |
| SHA256 | 0ff9659d69df16308c46e536bb3da89e05a97b937cb06fa9e7d7f56becac41dc |
| SHA512 | 3f257cc4a9e3e7d0c9142212064b79acec2e07f333cc84cd2f09c300634317d4f21d1795ead7751e6347d69937aff844026c0d39f2af79b61abc4652d9df0b68 |
C:\Users\Admin\Desktop\UninstallClose.vsdm
| MD5 | 5b811122432495dc85997a59a7e92ef8 |
| SHA1 | 91552d2014c7d2fb9735493769d6e3d26f562ad3 |
| SHA256 | a8d3ee7f005b048a6bd9f7e4389919dcaabd2ca1295f289561c15f2a5677be33 |
| SHA512 | 2bcf87fa4134db71fb8fa3f5b6a448b524f76a66bf9dd580761f09681169742c57502906b0714df8024a083917882a3ad877266b28b84d9218141258a5fa5a8c |
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
| MD5 | fd3bd2500165d2f2db06370b88a453e5 |
| SHA1 | d82940e0b9f1a78be043ec441e5caf9c12a8340d |
| SHA256 | 6a3438794bf73866af5a6b0cef0e8c7b84e6785098a259509b57a77a11924c0a |
| SHA512 | da7080f10468d951ec2f9257557c3cb229f23824402266a376b23b3bfce77209e75ef5aeadbd35e026fe458a27cbe64c0f3037a0a05d1fef9b8f8e06229c6150 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 976de81f2f2f14c82d8a9c5ab655a645 |
| SHA1 | 5237deacda986d2a055573b1bab441914048cfd9 |
| SHA256 | 491813b4059ea0cdec176a67e95f91b3aced2065385be58ddfc85a402283d7b6 |
| SHA512 | 98422ce189b874cfe646428f2695cd403f97b789f8b90e6ea86f8e4ae28be46d419be9b81e1d72e2ef20d9e7f624afd73bba70b96db19da8795a3d3418d56d11 |
C:\Users\Admin\Desktop\AddOptimize.mhtml
| MD5 | 85764d07c788d853680d854019f7a310 |
| SHA1 | d0413e9c874b57e168c227df1ff02d1762904c8e |
| SHA256 | a13602d12f3c36eea583d7e94deca9234b3c70293811c3c2592127eb809be3d0 |
| SHA512 | a5e41148a2bd51773e1e07be5b6c1be581139a8f07fb2a4ec6a9cad3ee8a8a33eb458a43a16633d163fd2c2c24a08a69be0e62502764c2caf18e232d361fbbf0 |
C:\Users\Public\Desktop\Firefox.lnk
| MD5 | 5117bb8a1d3215b6284bff00feb2fecb |
| SHA1 | 70228bccaf8f55a30cbd8e42ae9beee4e50ba8b4 |
| SHA256 | bb770b1670ad29abc714bc57abb4cf67591a1d4960a874627fbb536fc36e8581 |
| SHA512 | 4e86d019431bbb1976a233d1632febd812f06c25a11552fede0a194fb1ac8c7d98dab60fa5f524d9aa20b4dd2f2bd4a277cd537b82202991bd8ba35f4743ed2f |
C:\Users\Public\Desktop\VLC media player.lnk
| MD5 | ac04d7ed49ce7f6eef13946688933598 |
| SHA1 | 10f6326694b3ee0b9af7f289b22ccc09ef565bfd |
| SHA256 | df36313782e7a80f740655864721e9b2a1d4dfc1118e4b8e7a9c3c084f7456b5 |
| SHA512 | ea7d77d7d479a2319fca1ccb31aac305776144cf464bdb81c098f2ee6bba20e97d8ce833213e5f3977c20be5a8c925f2d072993dca44fedb4e4dca696f11cb8e |
C:\Users\Admin\Desktop\SendSync.pptx
| MD5 | c68cd01ed3f0899ab903d147f49e62ac |
| SHA1 | 6e0a72ab95a8c7ab76b59c003ee0d41b63d849f4 |
| SHA256 | a4b335cd48f864e189d51b083164a55bc779f44fad43971e1d471921b4d37178 |
| SHA512 | 54ba9b7a62841cb5fb7468cab18175412b7dd2b3a8855a98ac8c524d32841452be3e8c2b91734b9dc12444c55cfe896914cecbc8e05b9ab60786988b4a112664 |
C:\Users\Admin\Desktop\SearchExit.xhtml
| MD5 | c89b94a4534e311d48c1a5292fb5e9de |
| SHA1 | 00dc4f499c9d1dbf85a221859d92d41c1bcaf018 |
| SHA256 | e139b92e65bdefe53296442b08420208037b42770dee67612e38d07a203efc07 |
| SHA512 | 8b1157a80686f08877225aeff6b776d1872fddea422eca02917a2ad9fc20968010a786f007aa5c2fa33274ea5850dc81995bd430c1fc3997f41cf9a66e27ed31 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 27304926d60324abe74d7a4b571c35ea |
| SHA1 | 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1 |
| SHA256 | 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de |
| SHA512 | f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd |
\??\pipe\LOCAL\crashpad_2528_ETLHWLBTXDBZXWFF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1f7131824a46e1b9e9957be09d80fdea |
| SHA1 | 15349d9c55bbf168c05c17372c88cf4a13df8c2f |
| SHA256 | 87e33359fff43bb770190e32bb6069f6e9f01bcc0a72f819416e28a7f6bce677 |
| SHA512 | 4e35ba65099b82c23adb25e05a99ea74c0a54963347e953e8f8a6b5e995b56b88c4eefccfef42eb35029d039b8a5a29a7412c663f1eb1a3054f8500e3f52098b |
memory/3204-111-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2524-117-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c0ce97f05f285e97eb2fad3d2bbda86b |
| SHA1 | 970d483eb7732b10f420c0e210463fb5efe307a6 |
| SHA256 | f148af03a8da5fb022167bed3b7b362bada90045353ca73e7342bef0207d3f64 |
| SHA512 | b9636f1bb27413b6d1dfbf88b341b7b63452b5aa63e5c7613826b86bce1d778ae600868bedced7218993d5f229fcc282ecc2b217779afca01909bb199202dbaa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 29ba4d407d128b5fa19029e044ab12ca |
| SHA1 | 6676c2ed5f76223c4719311932b67e16b60e9f83 |
| SHA256 | 02559044cc29177340a4ec1eba6d9e96ab150925ef31ed415011a09349bd308a |
| SHA512 | 28711accaf3e7f2a505021a15bc6f791a5ec98f0d8eb5ebc86fae1f3b2daee22125f91a6c574a59751a7359a2879bbe992ba9785021b8450a3a5b714e9381f80 |
memory/3204-262-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2524-288-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9c3026e7be6ec093a48b66bb31565a45 |
| SHA1 | 7cfa8f64cca20e6d9572e516fabe3491726e6c4b |
| SHA256 | ce0835db7ebe17aa2663c7e0c82b2c80ad8db12a52004f9db2ebdff943dfcb95 |
| SHA512 | 141e195dfa0a503bd360ed1e6abe600e38d085b5cae295122243567b8fbc3d838f7279372e2a6e43a427d99b1895e5ab277b60e325765108fa3e2ae04c9d3be1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | a9370d99c45bdab86ef98f564b561b26 |
| SHA1 | ede5e5e6fa67d1ed98b6457e5787c12cd1ce8b5c |
| SHA256 | 5ccae665187415ba69deae38a12e07b804018382e1814f6e58d4bf43d3e17a62 |
| SHA512 | 37aa45620c2a59cbdbdfe1d1480e196d981340681e9f6811018f3dac151f2b9bdfc328b625a21a37c49ebac1fb11c96abd56d5662d2fa1412c18d7b52e776f47 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589b41.TMP
| MD5 | bef098829e8f487ea1c92fd113824fae |
| SHA1 | df4050bdd572d50ddc007e08c1f1242161004f92 |
| SHA256 | 5dee0aed1987e6dbe1ef42d2601399c6fd58b86cdbe7525ebcea211f691ef33f |
| SHA512 | c0ad7ef01cc9ad19f9336ee0b63d0d1050aa3dba2889be6bc97918535bdc32ed12cb748c3c9fc451fdfa8f9ed73f5b6cb2fd93bd4be1123751e9e805270c9e08 |
C:\Users\Admin\Downloads\Unconfirmed 996975.crdownload
| MD5 | 57ae72bca137c9ec15470087d2a4c378 |
| SHA1 | e4dd10c770a7ec7993ed47a37d1f7182e907e3ed |
| SHA256 | cfeea4ea5121d1e6b1edbd5ca6e575830a0a4cbaf63120bc36639c44e1b89781 |
| SHA512 | f80d6732e86a8d38db1ff43c0c5058013bd456c4b86b87018166ca073bc84fb8e7676b55371ae9cec668a77d198e1e7f6854a9a93581ed21a32167e3b9533f6e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | accc3cf2286657e5e89ee0d2e79035c0 |
| SHA1 | 2ffc0d1b23f087f279a58f85b9295c6a0030398c |
| SHA256 | 08e3eff1ec1211c0cb7da089d9d5eebbc0799ad122cc401dc303d71f40981ea8 |
| SHA512 | ea83d115278c8d32c299652f40a700734320477737b059f516534f285db94f6f9084cb164254ab301f6cbbc0b8e0a82c64d55296df803a0e472a7edb7e3a29d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9e3fc58a8fb86c93d19e1500b873ef6f |
| SHA1 | c6aae5f4e26f5570db5e14bba8d5061867a33b56 |
| SHA256 | 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4 |
| SHA512 | e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3f0dc50db9c3c7155608399345c16725 |
| SHA1 | 894018944d51d3696b19328fb9b34434f533b8f3 |
| SHA256 | 9cf46ca3d54d28193b5c124467040ed5d48b1c5e59ac6f0848024de4889f89f1 |
| SHA512 | 2a277b1a2048770ffb08c0a24cd7880cb2d4c975ca3a6bafd88ca92abaedbaf8077eab483cefa4139f323d86cbab81f229c7cc2225a84af02c1114ca88f90298 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d40b36c95e973cc343d6df9b3d8c23f8 |
| SHA1 | 4d3f45e6b4e50c4dc381b297cab43c4a49150688 |
| SHA256 | 36e9c2435836ef549659c0033bc2576f8a8db80d8642818b2d9894fd2cd97d54 |
| SHA512 | f63d10f7c70291b54639bbdc460080b2338715dceac23efc163236e2b2d6029173fc410a4e9446032f6b549525265620c99fa67386c1f5ac3e215bd1684300d3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | cae22c9f47bcd008b482425dbbfe0491 |
| SHA1 | 98b0e2eb68aa51937ae7516fe2b742bebbc42fdc |
| SHA256 | 81f599fd5df57dd25cdcc9cdfd04c9250ab18db31197f17935549988072a01ed |
| SHA512 | f9ae6e6ef32835dcfe4d83b7bd04e51fe873e54f5c12dbfe0a340a1e769b79951a65cfa7d00fdb000ac25739fb2b73069be72099310a34ec8fefe271fd75d370 |
memory/5880-502-0x0000000000BB0000-0x0000000000D1B000-memory.dmp
memory/5880-511-0x0000000000BB0000-0x0000000000D1B000-memory.dmp
memory/5504-512-0x0000000001060000-0x0000000001061000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe
| MD5 | 10dc710dd495e9078ce79b26e18591e0 |
| SHA1 | aef434d6b77158dd2accd746bbc727bbc3367adc |
| SHA256 | be5389a28e952d7ab2d9447c1bdb8eb7d11b24cb02e4b18da367715c2acfdd15 |
| SHA512 | 959c5cb47b9d1c21ddfe2eaac14e0c99c758aab85036705c072525e70255957abc97412ab0ceadd2adbebc1b176699614f71bf50689cf9ff97891e6216a15dc5 |
memory/4884-521-0x00000264FE6E0000-0x00000264FEE1F000-memory.dmp
memory/5904-527-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Windows\System32\drivers\hitmanpro37.sys
| MD5 | 55b9678f6281ff7cb41b8994dabf9e67 |
| SHA1 | 95a6a9742b4279a5a81bef3f6e994e22493bbf9f |
| SHA256 | eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6 |
| SHA512 | d2270c13dc8212b568361f9d7d10210970b313d8cd2b944f63a626f6e7f2feb19671d3fcdbdf35e593652427521c7c18050c1181dc4c114da96db2675814ab40 |
memory/3972-548-0x000001C377A90000-0x000001C3781CF000-memory.dmp
memory/3204-561-0x0000000000400000-0x000000000042C000-memory.dmp
memory/5296-575-0x0000000000BB0000-0x0000000000D1B000-memory.dmp
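The list above interleaves memory-region dumps, the executables and driver written under AppData, Temp and System32\drivers, Desktop documents, Edge profile files, and a named pipe whose MD5 and SHA256 are those of empty input. The script below is an added example, not part of the sandbox report: it parses that path-plus-hash-rows layout, drops the empty-content entry, and classifies each path so that only PE drops and the driver end up in a SHA256 blocklist. SAMPLE_FILES is constructed from a handful of the entries above; the classification rules (treating Desktop documents as sandbox decoys and Edge profile files as browser artefacts) are assumptions made for the example.

```python
"""Extract dropped-file IOCs from the Files section of a sandbox report.

Added example, not part of the sandbox report. SAMPLE_FILES is constructed
from entries listed above; the classification rules are assumptions.
"""
import re
from dataclasses import dataclass, field

SAMPLE_FILES = r"""
memory/4344-0-0x0000000000A80000-0x0000000000BEB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Blasthost.exe
| MD5 | 6087bf6af59b9c531f2c9bb421d5e902 |
| SHA1 | 8bc0f1596c986179b82585c703bacae6d2a00316 |
| SHA256 | 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c |
C:\Users\Admin\Desktop\RemoveNew.docx
| MD5 | fed4c26259a893764af311fd8b175d59 |
| SHA256 | 5384f56a6ffa9d3ccbb4bef93a90d9d88753cda08348a3cf2125f6cb4de7b028 |
\??\pipe\LOCAL\crashpad_2528_ETLHWLBTXDBZXWFF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Windows\System32\drivers\hitmanpro37.sys
| MD5 | 55b9678f6281ff7cb41b8994dabf9e67 |
| SHA256 | eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1f7131824a46e1b9e9957be09d80fdea |
| SHA256 | 87e33359fff43bb770190e32bb6069f6e9f01bcc0a72f819416e28a7f6bce677 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# SHA256 of zero bytes: an entry carrying it has no content worth blocking.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ocx")


@dataclass
class FileIOC:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def kind(self) -> str:
        # Assumed classification rules; order matters (empty check first).
        low = self.path.lower()
        if self.hashes.get("SHA256") == EMPTY_SHA256:
            return "empty"
        if "\\system32\\drivers\\" in low:
            return "driver"
        if low.endswith(PE_EXTENSIONS):
            return "executable"
        if "\\microsoft\\edge\\user data\\" in low:
            return "browser_artifact"
        if "\\desktop\\" in low and not low.endswith(".lnk"):
            return "decoy_document"  # assumed: sandbox-seeded user documents
        return "other"


def extract(text):
    """Group each path line with the '| ALGO | hex |' rows that follow it."""
    iocs = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            current = None  # memory dumps carry no hash rows in this layout
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current.hashes[m.group(1).upper()] = m.group(2).lower()
        elif not line.startswith("|"):
            current = FileIOC(line)
            iocs.append(current)
    return iocs


def blocklist(text):
    """SHA256 values of PE drops and drivers, suitable for an EDR hash block rule."""
    return sorted(
        i.hashes["SHA256"]
        for i in extract(text)
        if i.kind in ("executable", "driver") and "SHA256" in i.hashes
    )


if __name__ == "__main__":
    for ioc in extract(SAMPLE_FILES):
        print(f"{ioc.kind:16} {ioc.hashes.get('SHA256', '-')[:16]}  {ioc.path}")
    print("blocklist:", blocklist(SAMPLE_FILES))
```

Feed the whole Files section to `extract()` and the classification tells you what to do with each entry: block the hashes from `blocklist()`, treat the Edge profile files as evidence of the browser-data access rather than as indicators, and ignore the Desktop documents and the empty named pipe.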