Overview

overview

10

Static

static

10

Xworm 5.6.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    323s
  • max time network
    315s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/06/2024, 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xworm 5.6.rar

  • Size

    55.0MB

  • MD5

    3014877fb9671676a0f960b8a37d672a

  • SHA1

    42f11dd3ca906a82fbaa7faf13a559ad8903afac

  • SHA256

    d7bdcf71e294f58cade0a1ad97d015d9ae40ee9a8eb0043acf993c8be7d120c1

  • SHA512

    d0411925e847131b6ec5590c204928f8be45786ce5bce09332ad2724b8f02ee9e87f8f7357726cd5d9174fbf0e8840cf608d8e677443ef467665e9f80414296c

  • SSDEEP

    1572864:KAVBljTM/E3il3pn23Lsc4gBy3WA8lUf4hzt+K+p0:KAt3M/G+3pn23Lbnk3WA6zsK+a

Score
10/10
xwormdiscoverypersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8848

Mutex

eB6jhNjbcbIfzC2v

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Uses the VBS compiler for execution 1 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies registry class 57 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Xworm 5.6.rar"
    1⤵
    • Modifies registry class
    PID:32
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Xworm 5.6.rar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Xworm 5.6.rar"
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.0.1740775084\1620360300" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab05e025-f98a-4fe9-bc52-19234f404f3a} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 1844 297ec10d758 gpu
          4⤵
            PID:4632
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.1.1541301906\1485260527" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd579e06-2d92-48a3-8b54-1f857ecc0024} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 2476 297df38be58 socket
            4⤵
            • Checks processor information in registry
            PID:812
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.2.1070132298\1808343922" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2960 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f17c261-528c-4f2f-bb45-a53f113afb7f} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 3140 297ef047b58 tab
            4⤵
              PID:4344
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.3.1917464490\1968093733" -childID 2 -isForBrowser -prefsHandle 4072 -prefMapHandle 4068 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54e4d801-dee7-4ac7-854b-c50551fd831a} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 4084 297f0989258 tab
              4⤵
                PID:780
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.4.724623507\1786605832" -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 2804 -prefsLen 27737 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25d0ee17-02eb-474d-ba65-82dc7561bd05} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 5336 297eeb18d58 tab
                4⤵
                  PID:1604
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.5.1718107927\987449993" -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27737 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e98fc07-9cc3-4364-bc26-47274677a8a8} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 5300 297f299b358 tab
                  4⤵
                    PID:3788
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.6.1328041271\985372581" -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27737 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72eb21d7-e88e-4ad3-ad90-724b67f5f9e4} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 5628 297f3ed4a58 tab
                    4⤵
                      PID:464
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.7.2142500557\459297502" -childID 6 -isForBrowser -prefsHandle 5648 -prefMapHandle 5704 -prefsLen 27737 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8754ba48-7933-42ab-bf9a-4d13a505cba5} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 5692 297f4696958 tab
                      4⤵
                        PID:1116
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.8.2127797853\688578236" -childID 7 -isForBrowser -prefsHandle 6352 -prefMapHandle 6368 -prefsLen 27816 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa442fa5-a074-48ee-8dfb-1d42639bb2f6} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 6340 297df340c58 tab
                        4⤵
                          PID:5592
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.9.1175608027\651067083" -childID 8 -isForBrowser -prefsHandle 6616 -prefMapHandle 6636 -prefsLen 27816 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cda76f3-2a41-443b-82df-f0d1de2bd8ed} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 6652 297df384858 tab
                          4⤵
                            PID:6024
                          • C:\Users\Admin\Downloads\7z2406-x64.exe
                            "C:\Users\Admin\Downloads\7z2406-x64.exe"
                            4⤵
                            • Executes dropped EXE
                            • Registers COM server for autorun
                            • Drops file in Program Files directory
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:5408
                    • C:\Windows\System32\rundll32.exe
                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                      1⤵
                        PID:5820
                      • C:\Program Files\7-Zip\7zFM.exe
                        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Xworm 5.6.rar"
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        PID:5200
                      • C:\Users\Admin\Desktop\Xworm 5.6\Xworm V5.6.exe
                        "C:\Users\Admin\Desktop\Xworm 5.6\Xworm V5.6.exe"
                        1⤵
                        • Executes dropped EXE
                        • Checks processor information in registry
                        • Enumerates system info in registry
                        • Modifies registry class
                        PID:1860
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tydqjw12\tydqjw12.cmdline"
                          2⤵
                            PID:2352
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7209.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1276D9CF8F1E4C34A967D75AA3716A3E.TMP"
                              3⤵
                                PID:4608
                          • C:\Windows\system32\wbem\WmiApSrv.exe
                            C:\Windows\system32\wbem\WmiApSrv.exe
                            1⤵
                              PID:3124
                            • C:\Windows\system32\AUDIODG.EXE
                              C:\Windows\system32\AUDIODG.EXE 0x2ec 0x320
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3068
                            • C:\Users\Admin\Desktop\Xworm 5.6\XClient.exe
                              "C:\Users\Admin\Desktop\Xworm 5.6\XClient.exe"
                              1⤵
                              • Executes dropped EXE
                              • Checks processor information in registry
                              • Enumerates system info in registry
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              PID:2012
                              • C:\Windows\SYSTEM32\CMD.EXE
                                "CMD.EXE"
                                2⤵
                                  PID:3752

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Program Files\7-Zip\7-zip.dll
                                Filesize

                                99KB

                                MD5

                                7ec019d8445f4dcdb91a380c9d592957

                                SHA1

                                15fd8375e2e282a90d3df14041272e5ac29e7c93

                                SHA256

                                1cc179f097ee439bb35a582059cbc727d9cea0d5c43dfaa57f9f03050cfaea03

                                SHA512

                                d71a79091fcc6a96c24d95662a18cc24145b9531145ef0bcb4e882c12f5bb5ca6c7a9b9e50024c9c0bf4cb6bf40dca7627cecbfddd637142d04a194e1956ae9b

                                Download Submit

                              • C:\Program Files\7-Zip\7z.dll
                                Filesize

                                1.8MB

                                MD5

                                1939f878ae8d0cbcc553007480a0c525

                                SHA1

                                df9255af8e398e72925309b840b14df1ae504805

                                SHA256

                                86926f78fad0d8c75c7ae01849bf5931f4484596d28d3690766f16c4fb943c19

                                SHA512

                                a5e4431f641e030df426c8f0db79d4cef81a67ee98e9253f79c1d9e41d4fc939de6f3fd5fc3a7170042842f69be2bb15187bf472eeaaf8edd55898e90b4f1ddd

                                Download Submit

                              • C:\Program Files\7-Zip\7zFM.exe
                                Filesize

                                960KB

                                MD5

                                5764deed342ca47eb4b97ae94eedc524

                                SHA1

                                e9cbefd32e5ddd0d914e98cfb0df2592bebc5987

                                SHA256

                                c5c7ad094ad71d8784c8b0990bf37a55ffc7c7ab77866286d77b7b6721943e4f

                                SHA512

                                6809130394a683c56a0245906d709b2289a631f630055d5e6161b001e216d58045d314b0148512d8c01f0c2bf5f9f16e93fa7d61ab3d24beab4f9c3d4db13c18

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
                                Filesize

                                23KB

                                MD5

                                32fd082e63a907e8e11915add3b9fc3f

                                SHA1

                                9d577dd55a3f286dbbabba1949711d2a6ae61375

                                SHA256

                                28f4634308ea6c7bdc6ebf3ae6d4ded36214110fd29408e693850877d0457453

                                SHA512

                                01e89dff0ea79242bf6f581a0917739f2a35dfc83792f2ba7b22a878608d59a15ff33e27d0ee5489883d4409f69b458f91554d21702e35a303aaddcf1f7b2066

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7zE0547C397\Xworm 5.6\ClientsFolder\0D1C4E13FC607A0E7CD9\Keylogger\KeyLogger_05-05-2024 17;37;38;245.txt
                                Filesize

                                11KB

                                MD5

                                14a33bd90ec56f273ea5b429afb3e102

                                SHA1

                                71341c47668aa5a16c00b57d291bca49a69a221f

                                SHA256

                                9b0d4dd04b0c83a459b0e47dff4520a0ff5f9836df408d34109e9940f933c171

                                SHA512

                                d776be031f2210d7f6a53a2e5ff47ec30e04dfbde7040b164cf1e6674b4f1cf545b793d3617206597cf1c3743d5516f49bb8b9161a08cb8d345170f94d59e28e

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7zE0547C397\Xworm 5.6\ClientsFolder\600E3A065A9E303E3CF9\Recovery\DiscordToken_05-06-2024 12;42;55;702.txt
                                Filesize

                                72B

                                MD5

                                c6d06cd78f004cf7e2cbeae15c17502d

                                SHA1

                                279f08760fe10bae2be703f9acee415ea4d2c85f

                                SHA256

                                0b194a0b013d12813d06894f51a78a27856ace01c033bde2b0b95a83ba0563b2

                                SHA512

                                e7484e175c5ef9e7bb9ecc82059383c38380127a6430e88e89ed4477b7f389e2a078fbb9242993b99aebac97a1e034cabe0c3c729a1e66aa5061cc22ea7f0f70

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7zE0547C397\Xworm 5.6\ClientsFolder\983DD433AD5F001EAE9B\Monitor\05-05-2024 10;48;41;636.jpg
                                Filesize

                                970KB

                                MD5

                                224d75da99a372dbfa87ebe656476f20

                                SHA1

                                468e7f1fed7b67f4351b80ed4b7ca9f70e077051

                                SHA256

                                48b4323c2b1c75586b5d69950f8040735bae6421928175bad9d03abe5b32597d

                                SHA512

                                e79ba5b6d3e3c5e19b6edd9a118cb8c99adc899161823e4af0e3685c9f96bca78a71c3fdfbb03c64da9895e83d72fca2f345821739fcac84e448bead7fc84819

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7zE0547C397\Xworm 5.6\ClientsFolder\983DD433AD5F001EAE9B\Monitor\05-05-2024 10;49;35;218.jpg
                                Filesize

                                991KB

                                MD5

                                44cea42904157feb638d5cda50893d93

                                SHA1

                                c0e62797ebae4d2d8b999f7180dd438719ed67ab

                                SHA256

                                c1cfcc636f24bb2a39e2993fe58a84832cb590f41303d784686d8e64d696ecdf

                                SHA512

                                e9820f081f4a137f95cb44c2edd1c710c3aed0bf33f135bc52283e7dc2ad9712b62f20ad47e1d1afe4de12b828dc59bd351c448a77c5a9382e12e8492068f822

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7zE0547C397\Xworm 5.6\ClientsFolder\983DD433AD5F001EAE9B\Monitor\05-05-2024 10;49;54;213.jpg
                                Filesize

                                555KB

                                MD5

                                59671b404eb04d54c868463cde531da9

                                SHA1

                                0cdaa109cdf14a142839df5c9dc84c7d55e40b6a

                                SHA256

                                b20fccec6f7f545bf13209fbbcc963e8c930cb131dd792b870ab7d125b094967

                                SHA512

                                4cd202d2a198c2b822c398d0fcef3d816d0c9b9113012e54af2a78f8a13f4608af96699187098fffd11625a7afa2e23d0490ea7ceaa2153aba6c0a4acbd550d1

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7zE0547C397\Xworm 5.6\Icons\icon (15).ico
                                Filesize

                                361KB

                                MD5

                                e3143e8c70427a56dac73a808cba0c79

                                SHA1

                                63556c7ad9e778d5bd9092f834b5cc751e419d16

                                SHA256

                                b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

                                SHA512

                                74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\RES7209.tmp
                                Filesize

                                1KB

                                MD5

                                620e19b41abb85232c80a71d03e8b91f

                                SHA1

                                fdfde716d3104381c58c99ca96238299e01a503d

                                SHA256

                                93972304d887b8af3190b95a0404731b23304ee6fb1ff5ddf50ca925155cbbc5

                                SHA512

                                48bb3acca40bad43c98186364ba7af06a014e19fb9faadfdccfdd4da96ccb5be593e815f762f89ab7fda2bd58aeaff6bc8ac6eb20ad2dad617a31bc0ad3febb8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\vbc1276D9CF8F1E4C34A967D75AA3716A3E.TMP
                                Filesize

                                1KB

                                MD5

                                d40c58bd46211e4ffcbfbdfac7c2bb69

                                SHA1

                                c5cf88224acc284a4e81bd612369f0e39f3ac604

                                SHA256

                                01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

                                SHA512

                                48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                bc01810bd866c5b3bb75e60212418831

                                SHA1

                                4775587dae72948e81d672a202b4fb528533d20b

                                SHA256

                                b462dda346af27b397084a8a5d1511347df91a38d0f66e765aac414ee94c776d

                                SHA512

                                ac85a17388bf34723b0dd0c7d20820988d05060a2514dee6184947d440b6261311ddf4132700f876605a7706ba993133a1cbd2c59190e6cb4a84f35eed56eb14

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js
                                Filesize

                                7KB

                                MD5

                                82a418fb03fc86d8e216bd507830f02a

                                SHA1

                                e9eb70249134da41f5ae43088e5ef92d72843945

                                SHA256

                                e7c6383b97c8495803ba72b23594120dfcd6f5fbead118ac0c2a0930522acef3

                                SHA512

                                0038dd32a9763d570ac2a5f090e3dbc8729fe1d062b6faf5d9afeb903bde1faeb8a119165b75f85774b5c11c0054ecad5aa964257e66247dbc4a74360b0af2ca

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js
                                Filesize

                                6KB

                                MD5

                                dcf10f2017e42c61e77b74fdadedc5d3

                                SHA1

                                27f1b6e94e2d6a3bdb70b01560378d1cdbed556c

                                SHA256

                                9c9e0648bc5c2bb3383d74c0236b22730e551c9e2990f89da196988efb1f7552

                                SHA512

                                96e62663604a76a681aeb38aeeeb25b18808487d57121f7d13dc1ec9ffbb7df2b4687e604850ec89dfaee5c7297d64a85a3bd8e40d082b2af145392b0750b730

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                1KB

                                MD5

                                403f8822811f8705b5d0efe8ca1710c6

                                SHA1

                                e82cb72e520be42a1a35f8fe598ee97a6ddd67fc

                                SHA256

                                fdd10ebc97bf74399258a1813186fc63635c4bb803c2b7fd418708927e6e0df6

                                SHA512

                                a9826168e9b16225d744bfae431d9add6bd9dba95324e00033f4d1911774ee04a26af687353ec1c33126fc0b041e879682ce2a79d2c991fcf4368df23608b4f7

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4
                                Filesize

                                2KB

                                MD5

                                f4210e7704a358e859dc532f27e0478d

                                SHA1

                                c5d7c4977e54d8696667af4a0318857579165bf6

                                SHA256

                                fe9d18bfcd8ea87a1937ae2b47f57e8f6936094fc76db2f8ab5729fd99db1ffc

                                SHA512

                                c841aed65f33283dbebee712c61ef835451c20dbc5de520375a2d32f413e6fa657390e855dc278490efc45d80e6c0f28168922bd1abae7c06e56d3d780e792cd

                                Download Submit

                              • C:\Users\Admin\Desktop\Xworm 5.6\XClient.exe
                                Filesize

                                32KB

                                MD5

                                d2dfbf35987ae54c1318ca8375eb3e0b

                                SHA1

                                d49eaf1c2602aacfdf6c1cf959d6a70158e3b2d7

                                SHA256

                                3f60a73775c1bc28347a023aa4dd0795707b74f2c0a9f38d489c70b59a3f97e8

                                SHA512

                                d12971933b8f111ccb1d1d62cdccf02ad12f856b2af2b76ef8d9ffddab5deb9ced7ed67b56188028c87f91b09fa9aa6f3ca815c688b0e34e25a3971645405a6e

                                Download Submit

                              • C:\Users\Admin\Desktop\Xworm 5.6\Xworm V5.6.exe
                                Filesize

                                14.9MB

                                MD5

                                56ccb739926a725e78a7acf9af52c4bb

                                SHA1

                                5b01b90137871c3c8f0d04f510c4d56b23932cbc

                                SHA256

                                90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

                                SHA512

                                2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

                                Download Submit

                              • C:\Users\Admin\Downloads\7z2406-x64.E1tDDaLJ.exe.part
                                Filesize

                                36KB

                                MD5

                                a652b5fbc7d958342aba15fee21a4412

                                SHA1

                                27f25311c4321a04b2021a2bd4ec584052115cde

                                SHA256

                                4fe687585f8361428cf3c4208dc864382097e7a9b0b3d223ad2afaaf4cde5db0

                                SHA512

                                4e853c107ef1acdfdde97d29c05336ff77fd564d6a07ee06987148b5529f78f5d0c4d2d7a8b326a3df19e1faf5d52de0b0a68e539659229a61b55792f5c5e978

                                Download Submit

                              • C:\Users\Admin\Downloads\7z2406-x64.exe
                                Filesize

                                1.5MB

                                MD5

                                d8af785ca5752bae36e8af5a2f912d81

                                SHA1

                                54da15671ad8a765f3213912cba8ebd8dac1f254

                                SHA256

                                6220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807

                                SHA512

                                b635b449f49aac29234f677e662be35f72a059401ea0786d956485d07134f9dd10ed284338503f08ff7aad16833cf034eb955ca34e1faf35a8177ccad1f20c75

                                Download Submit

                              • memory/2012-964-0x00000000009D0000-0x00000000009DC000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/2012-954-0x0000000000A30000-0x0000000000A3C000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/2012-949-0x00000000000F0000-0x00000000000FE000-memory.dmp

                                Filesize

                                56KB

                                Download

                              • memory/2012-965-0x000000001CD70000-0x000000001D298000-memory.dmp

                                Filesize

                                5.2MB

                                Download

                              • memory/2012-970-0x000000001BD30000-0x000000001BD9A000-memory.dmp

                                Filesize

                                424KB

                                Download

                              • memory/2012-979-0x000000001BB30000-0x000000001BBE0000-memory.dmp

                                Filesize

                                704KB

                                Download

                              • memory/2012-982-0x000000001B3D0000-0x000000001B3DA000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/2012-985-0x000000001B730000-0x000000001B73A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/2012-988-0x000000001B740000-0x000000001B74A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/2012-998-0x0000000000900000-0x000000000090E000-memory.dmp

                                Filesize

                                56KB

                                Download