agenttesla | d7bdcf71e294f58cade0a1ad97d015d9ae40ee9a8eb0043acf993c8be7d120c1

Analysis

max time kernel
318s
max time network
320s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm 5.6.rar
Size

55.0MB
MD5

3014877fb9671676a0f960b8a37d672a
SHA1

42f11dd3ca906a82fbaa7faf13a559ad8903afac
SHA256

d7bdcf71e294f58cade0a1ad97d015d9ae40ee9a8eb0043acf993c8be7d120c1
SHA512

d0411925e847131b6ec5590c204928f8be45786ce5bce09332ad2724b8f02ee9e87f8f7357726cd5d9174fbf0e8840cf608d8e677443ef467665e9f80414296c
SSDEEP

1572864:KAVBljTM/E3il3pn23Lsc4gBy3WA8lUf4hzt+K+p0:KAt3M/G+3pn23Lbnk3WA6zsK+a

Score

10^/10

agenttesla discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/5012-2505-0x000002969F0C0000-0x000002969F2B4000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2600	7z2405-x64.exe
2988	7zFM.exe
5012	Xworm V5.6.exe
5904	playit.exe

Loads dropped DLL 3 IoCs

pid	Process
3476	Process not Found
3476	Process not Found
2988	7zFM.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2405-x64.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
260	1108	msiexec.exe
262	1108	msiexec.exe
264	1108	msiexec.exe
266	1108	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2405-x64.exe
File created	C:\Program Files\playit_gg\bin\playit.exe	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2405-x64.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5b9ff6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5b9ff6.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CCD2B416-4517-4AC6-89F2-364C9A5BF2C5}	msiexec.exe
File created	C:\Windows\Installer\{CCD2B416-4517-4AC6-89F2-364C9A5BF2C5}\ProductICO	msiexec.exe
File created	C:\Windows\Installer\e5b9ff8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCD2B416-4517-4AC6-89F2-364C9A5BF2C5}\ProductICO	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d9d47eb9a1a06eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d9d47eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d9d47eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd9d47eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d9d47eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\614B2DCC71546CA4982F63C4A9B52F5C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Media\1 = ";CD-ROM #1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\ProductName = "playit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\PackageCode = "CCDE5D5A893E22040BC73EAC637B5429"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\PackageName = "playit-windows-x86_64-signed.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Media\DiskPrompt = "Playit Installation"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2405-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\Version = "983053"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AEF046202130BD4399AB6404AFE7E2D	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2405-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AEF046202130BD4399AB6404AFE7E2D\614B2DCC71546CA4982F63C4A9B52F5C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\614B2DCC71546CA4982F63C4A9B52F5C\Binaries	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2405-x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\ProductIcon = "C:\\Windows\\Installer\\{CCD2B416-4517-4AC6-89F2-364C9A5BF2C5}\\ProductICO"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\614B2DCC71546CA4982F63C4A9B52F5C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\614B2DCC71546CA4982F63C4A9B52F5C\Environment = "Binaries"	msiexec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\7z2405-x64.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\playit-windows-x86_64-signed.msi:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
5012	Xworm V5.6.exe
3504	msiexec.exe
3504	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1420	OpenWith.exe
2988	7zFM.exe
5012	Xworm V5.6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3108	firefox.exe
Token: SeDebugPrivilege	3108	firefox.exe
Token: SeDebugPrivilege	3108	firefox.exe
Token: SeDebugPrivilege	3012	firefox.exe
Token: SeDebugPrivilege	3012	firefox.exe
Token: SeDebugPrivilege	2600	7z2405-x64.exe
Token: SeDebugPrivilege	2600	7z2405-x64.exe
Token: SeDebugPrivilege	2600	7z2405-x64.exe
Token: SeDebugPrivilege	2600	7z2405-x64.exe
Token: SeDebugPrivilege	2600	7z2405-x64.exe
Token: SeRestorePrivilege	2988	7zFM.exe
Token: 35	2988	7zFM.exe
Token: SeSecurityPrivilege	2988	7zFM.exe
Token: SeSecurityPrivilege	2988	7zFM.exe
Token: SeDebugPrivilege	3012	firefox.exe
Token: SeDebugPrivilege	3012	firefox.exe
Token: SeDebugPrivilege	3012	firefox.exe
Token: 33	2344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2344	AUDIODG.EXE
Token: SeDebugPrivilege	3012	firefox.exe
Token: SeShutdownPrivilege	1108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1108	msiexec.exe
Token: SeSecurityPrivilege	3504	msiexec.exe
Token: SeCreateTokenPrivilege	1108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1108	msiexec.exe
Token: SeLockMemoryPrivilege	1108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1108	msiexec.exe
Token: SeMachineAccountPrivilege	1108	msiexec.exe
Token: SeTcbPrivilege	1108	msiexec.exe
Token: SeSecurityPrivilege	1108	msiexec.exe
Token: SeTakeOwnershipPrivilege	1108	msiexec.exe
Token: SeLoadDriverPrivilege	1108	msiexec.exe
Token: SeSystemProfilePrivilege	1108	msiexec.exe
Token: SeSystemtimePrivilege	1108	msiexec.exe
Token: SeProfSingleProcessPrivilege	1108	msiexec.exe
Token: SeIncBasePriorityPrivilege	1108	msiexec.exe
Token: SeCreatePagefilePrivilege	1108	msiexec.exe
Token: SeCreatePermanentPrivilege	1108	msiexec.exe
Token: SeBackupPrivilege	1108	msiexec.exe
Token: SeRestorePrivilege	1108	msiexec.exe
Token: SeShutdownPrivilege	1108	msiexec.exe
Token: SeDebugPrivilege	1108	msiexec.exe
Token: SeAuditPrivilege	1108	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1108	msiexec.exe
Token: SeChangeNotifyPrivilege	1108	msiexec.exe
Token: SeRemoteShutdownPrivilege	1108	msiexec.exe
Token: SeUndockPrivilege	1108	msiexec.exe
Token: SeSyncAgentPrivilege	1108	msiexec.exe
Token: SeEnableDelegationPrivilege	1108	msiexec.exe
Token: SeManageVolumePrivilege	1108	msiexec.exe
Token: SeImpersonatePrivilege	1108	msiexec.exe
Token: SeCreateGlobalPrivilege	1108	msiexec.exe
Token: SeDebugPrivilege	3012	firefox.exe
Token: SeBackupPrivilege	5104	vssvc.exe
Token: SeRestorePrivilege	5104	vssvc.exe
Token: SeAuditPrivilege	5104	vssvc.exe
Token: SeBackupPrivilege	3504	msiexec.exe
Token: SeRestorePrivilege	3504	msiexec.exe
Token: SeRestorePrivilege	3504	msiexec.exe
Token: SeTakeOwnershipPrivilege	3504	msiexec.exe
Token: SeRestorePrivilege	3504	msiexec.exe
Token: SeTakeOwnershipPrivilege	3504	msiexec.exe
Token: SeRestorePrivilege	3504	msiexec.exe
Token: SeTakeOwnershipPrivilege	3504	msiexec.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
3108	firefox.exe
3108	firefox.exe
3108	firefox.exe
3108	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
2988	7zFM.exe
2988	7zFM.exe
2988	7zFM.exe
5012	Xworm V5.6.exe
3012	firefox.exe
3012	firefox.exe
1108	msiexec.exe
1108	msiexec.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3108	firefox.exe
3108	firefox.exe
3108	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
5012	Xworm V5.6.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe

Suspicious use of SetWindowsHookEx 63 IoCs

pid	Process
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
1420	OpenWith.exe
3108	firefox.exe
3108	firefox.exe
3108	firefox.exe
3108	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
2600	7z2405-x64.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe
3012	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 636	1420	OpenWith.exe	91
PID 1420 wrote to memory of 636	1420	OpenWith.exe	91
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 636 wrote to memory of 3108	636	firefox.exe	93
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 3024	3108	firefox.exe	94
PID 3108 wrote to memory of 1744	3108	firefox.exe	96
PID 3108 wrote to memory of 1744	3108	firefox.exe	96
PID 3108 wrote to memory of 1744	3108	firefox.exe	96
PID 3108 wrote to memory of 1744	3108	firefox.exe	96
PID 3108 wrote to memory of 1744	3108	firefox.exe	96
PID 3108 wrote to memory of 1744	3108	firefox.exe	96
PID 3108 wrote to memory of 1744	3108	firefox.exe	96
PID 3108 wrote to memory of 1744	3108	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Xworm 5.6.rar"
1⤵
- Modifies registry class
PID:4908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Xworm 5.6.rar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Xworm 5.6.rar"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.0.703175378\859876691" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70d84248-e9b1-4dc9-a209-0702af109714} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 1852 1f94550b858 gpu
      4⤵
      PID:3024
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.1.2024589535\588391930" -parentBuildID 20230214051806 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39ae9193-7cb3-4fd7-a3ca-fa3d171a2b46} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 2400 1f93878a058 socket
      4⤵
      Checks processor information in registry
      PID:1744
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.2.1998307977\1390339620" -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3220 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af72224-4fe5-4a48-9412-03ac64704d00} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 3236 1f944495a58 tab
      4⤵
      PID:2128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.3.1126852285\1242646197" -childID 2 -isForBrowser -prefsHandle 3192 -prefMapHandle 3560 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbdd876f-95c7-4acf-a46a-31f0a8e69ee0} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 3620 1f93877be58 tab
      4⤵
      PID:1772
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.4.1372785271\1958613421" -childID 3 -isForBrowser -prefsHandle 5180 -prefMapHandle 5296 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8643821f-7bb7-4212-b6d7-a0534b6dd2a0} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 5284 1f94a19b658 tab
      4⤵
      PID:5012
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.5.1455313270\869238814" -childID 4 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fe08d48-528a-44c4-9eb8-53eb42159775} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 5408 1f94b3e3858 tab
      4⤵
      PID:4300
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.6.833914681\2108978915" -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5624 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f465f90-50c2-4681-b816-3bc8b3fc1548} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 5608 1f94b3e2c58 tab
      4⤵
      PID:1840
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.7.1828450832\527409282" -childID 6 -isForBrowser -prefsHandle 3308 -prefMapHandle 3324 -prefsLen 27816 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24719a32-e00c-47cb-8ed5-30e7db41cd2e} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 3296 1f94a85de58 tab
      4⤵
      PID:1828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4476
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.0.751864691\1196570640" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22341 -prefMapSize 235208 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38075161-55f7-4e3f-ac9d-004a4d113fe4} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 1852 1ce15e2f558 gpu
    3⤵
    PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.1.930926327\2029963832" -parentBuildID 20230214051806 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 22341 -prefMapSize 235208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e7c674b-ddf9-4568-810b-389f7e1c3704} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 2324 1ce09388d58 socket
    3⤵
    PID:1304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.2.922577338\690882168" -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 3064 -prefsLen 22737 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3f3ee6c-3175-4de5-b5d7-6c79ff637d44} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 3084 1ce19c2cd58 tab
    3⤵
    PID:1852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.3.434630368\775573902" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 28203 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbf89ff8-56a1-4b70-8c9c-35323be557ae} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 3688 1ce1b170558 tab
    3⤵
    PID:5032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.4.447808257\1980093159" -childID 3 -isForBrowser -prefsHandle 4948 -prefMapHandle 5000 -prefsLen 28203 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {144c7e54-5605-4f35-8588-7416a3d7866c} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 5060 1ce1d379058 tab
    3⤵
    PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.5.1563659830\359804755" -childID 4 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 28203 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24a77272-807f-4590-8fab-2900ec61660b} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 5196 1ce1d379658 tab
    3⤵
    PID:2584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.6.1401640667\1767712729" -childID 5 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 28203 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {396d83c9-165a-4e2a-a541-e46bac5d2908} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 5492 1ce1d37ab58 tab
    3⤵
    PID:1244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.7.373778356\948377971" -childID 6 -isForBrowser -prefsHandle 5016 -prefMapHandle 5728 -prefsLen 28203 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eac3d73a-d08e-40bb-afd4-89c1aefe5466} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 5744 1ce20193a58 tab
    3⤵
    PID:4032
- - C:\Users\Admin\Downloads\7z2405-x64.exe
    "C:\Users\Admin\Downloads\7z2405-x64.exe"
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.8.1685460235\2098707258" -childID 7 -isForBrowser -prefsHandle 7052 -prefMapHandle 7072 -prefsLen 31481 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c97c0e3c-6318-4b3b-90ee-d1133433128e} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 6800 1ce24195058 tab
    3⤵
    PID:1916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.9.229491737\1234065892" -childID 8 -isForBrowser -prefsHandle 5200 -prefMapHandle 5468 -prefsLen 31481 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b5947cc-2e0c-40cd-85a7-fc7f6e9aaea5} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 6944 1ce2827b658 tab
    3⤵
    PID:2444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.10.1437890126\1626093740" -childID 9 -isForBrowser -prefsHandle 7420 -prefMapHandle 7448 -prefsLen 31546 -prefMapSize 235208 -jsInitHandle 1408 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c0b3b0f-47c5-498a-93ce-2b1b44a50b80} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 7436 1ce1b16d858 tab
    3⤵
    PID:3864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4436

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Xworm 5.6.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Xworm 5.6\Fixer.bat" "
1⤵
PID:3152
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:1592

C:\Users\Admin\Desktop\Xworm 5.6\Xworm V5.6.exe
"C:\Users\Admin\Desktop\Xworm 5.6\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x534
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\playit-windows-x86_64-signed.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Program Files\playit_gg\bin\playit.exe
"C:\Program Files\playit_gg\bin\playit.exe"
1⤵
- Executes dropped EXE
PID:5904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5b9ff7.rbs

Filesize
9KB

MD5
7da4ed2d871110afd5cf400b5f1b6ba3

SHA1
e5dac4dccdb1e3e003235b71fc3bd9999779a045

SHA256
ca1d01fdb4af2066770476a8d0dc15ec8a5196a55eeccd42a24329700f704b27

SHA512
72946b3000ba4ebd3f617af52a11c9f7781fbd99580cfd32a8ba23903ddf0c9e8b023a8b26a421e0e9dcefe5022fc08c2d34df00c233feac1e9a155cee052041

Download Submit
C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
3428b9967f63c00213d6dbdb27973996

SHA1
1cf56abc2e0b71f5a927ea230c8cca073d20fc97

SHA256
56008756553ea5876fb8aad98f6f5dbca1ba14c5e53f4fa9ec318e355e146a7e

SHA512
b876b39d030818ce7879eb9bb5ff4375712cf145b7457a815880bf010215bd9dcde539e7d0877c56558e0d23a310bc75bfb9d315f9966cbda4ae02a7821980cc

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
2537a4ba91cb5ad22293b506ad873500

SHA1
ce3f4a90278206b33f037eaf664a5fbc39089ec4

SHA256
5529fdc4e6385ad95106a4e6da1d2792046a71c9d7452ee6cbc8012b4eb8f3f4

SHA512
7c02445d8a9c239d31f1c14933d75b3e731ed4c5f21a0ecf32d1395be0302e50aab5eb2df3057f3e9668f4b8ec0ccbed533cd54bc36ee1ada4cc5098cc0cfb14

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
960KB

MD5
b161d842906239bf2f32ad158bea57f1

SHA1
4a125d6cbeae9658e862c637aba8f8b9f3bf5cf7

SHA256
3345c48505e0906f1352499ba7cbd439ac0c509a33f04c7d678e2c960c8b9f03

SHA512
0d14c75c8e80af8246ddf122052190f5ffb1f81ffd5b752990747b7efcb566b49842219d9b26df9dbe267c9a3876d7b60158c9f08d295d0926b60dbbebc1fa3c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
a1b0e6486453ba687daac859909cc4c3

SHA1
58543578182b87e898ee3409dcec3988a09c188c

SHA256
5546e88bc4e1d4db3b5b8ebda621d38ad18476ca519f607dbcb8233f027007d6

SHA512
7348ec2ce1e43d355e9b4a2ad0d535bac9044f486aa3d9c2294cc87e27d98487822996c6601e2e6694f42dae888bb75a4c5cb189a2e85fa966e4a582d524496f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

Filesize
9KB

MD5
2f7d4d77ecbb4edfc2adcbec6a51c026

SHA1
5d523800244aa44ee94c57181fb2148aa9e9da81

SHA256
81d36c50d29491f5cfdc41776315df36da191b4b6912081f5b2682d24364b235

SHA512
8e5d2cf3558d1d295921ee0772507c1b25af7267412d7b828495086e3929910f3483f41b1945357ae81926b79df9f0ce55b294f4530a4f373122f71529cc4ac1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
16KB

MD5
bd1c52b1e6946f8d3c862a4ff695780f

SHA1
a1705e21031b21823d1214950eda40159f4a32a1

SHA256
c3195e3492dafaba63e331de55b6ebdd9006b6e23f6ccb5b078daec1368d4ef4

SHA512
293eadf30153015f9381be11bf1506b492539c6a19973aaca10b46f8067dffddccdc559d714eef6e8202d4b7f6d0db3f516289235212581462429530de93c4de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\1602714F6548D0900DF486DC8E1488C33AB30599

Filesize
12KB

MD5
b06c5c83cdd6ce9ff9b2860fbae3852f

SHA1
65964915c2d82e4be3e045965fad34a92dd021c6

SHA256
5a1819f1fa7b17aaf6d5179208e33cc12477c23139096e6f74304b3b228992b7

SHA512
a1394c0b9022c50969ab4b1b034ea3a83a318201e993d4b13284538e689a302fb11f78f8dbb20febe20c70b41943530e7c215fd6255aac9aab593d780f4a3a7b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\24EDD654CC1CF0FA4E4BF49B9B266DE4464D3D21

Filesize
10KB

MD5
eb41a3a04039d65aaac9ed3f551db394

SHA1
b15327284e437baae8c05ecd157cd51e69b3cdcb

SHA256
c3039388815ffccfc80b0cfcb0e8d232966bbd4cda89ce67e141477e62e1e24f

SHA512
63c4041e39a8348fc18611b5722b58e2240d4c66b1aae3e8eaed416293dc74be4f3579713f52c5c4effd039b848ddb13bace4dd6852d124c9706d279d2d5fa4b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
6e0359f7fa262902026363572136bad5

SHA1
f60fbbc12e324678bf0cf520c8a519db0c3418b7

SHA256
1cc35e211a3ee97d0a5a020a0f471aa45e939103016707213e74577e1ef6eb2c

SHA512
5c5755b4b40cee3e5aba55b31eb9deef35ddf61079b7056876843bc08247d81e89a8553b5781bedb1fd5ba59aee393b393f8280af68bd7974996599eeb228ab9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\35EA397043C119CBF08DFBA484E8F353465043BD

Filesize
15KB

MD5
e87cdf977e6bf96ebdd7e990d124d4b6

SHA1
757f41f94750ac092fa29eff417f3c6c9a12b659

SHA256
c0070d1bc3a5db282070e6db08384dfdd6733ec88a502addceb981d5b614ff76

SHA512
d3c740a19539f4ac7ce7e47c44ba07f6617c057fffbba2eee5daa23888a80299d7dbe30cc7aa1239b986be01655ba3092d41ef4a6eafc2e229551ed3ddee0a4a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\3B5A1847C53DA009363FAB1F94DBE637AE397E19

Filesize
20KB

MD5
ad51dc92032b581fb2b90177c5f962f1

SHA1
8c99dd5e40eb29d99dd85f4f48a6f39252387eb8

SHA256
52666baec2ef94dff44b26ae8a1d8a8e79a29cfa881d0d78c44d8b5629fdd5db

SHA512
cdbd4d23798ccabc9b112091088a7b58a041cca9fa30dcedff51c154672e6f3f7339c3f6bf7e6f96a3cca33edd0501baf55edeceaab7e0cf197bd6408494b248

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
11KB

MD5
35e15e6be852fe5c1148c356e3961f03

SHA1
a26eb9498aee42527802449e21c6f496a2aac293

SHA256
c10df21c7bf98a55e4d292cdda4ed400dad7d3bfb445a10679c6d2efe30b5566

SHA512
232d3bdd855b3c83734f4b00db494476a26297cdfe255ced642c891be2cc432ad19905021136a4fd6865bbf3e718b17288c381502b02da64638afe8c6d9a28d7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\7DEABB98080B97238B6EDD3960FC69AF88DF65F4

Filesize
22KB

MD5
3d6920071be5c789ae6efa05c81ecb29

SHA1
eed52f1bf6601b4839fd6e9efbb4c35bda7cd416

SHA256
19ad5212bf65a0bbeb3dc05fd4a1d9d5d158eb4ab7d391c327ccb4c17b86ecca

SHA512
cb8e95160961be52790fd8e55df714f345fdec28a4daf1f0e74d1cd0f8a6fe06623da1aba66624ccdda99ee283f353aee1cc28406c1c8d6fc9b4903684a505e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\7E79B45CE06D3D367B515EF5B966EE29EF4F6445

Filesize
44KB

MD5
4f5fbb20ee51ee9c11d4609dc78126a0

SHA1
b574640f704f8c33278ae3bab2e57fe964e524fa

SHA256
512999f1220f4fa60de76ba6b296981d06ec13498223a546a8f813abed55655a

SHA512
8c6dc0342563d4bd68519e54c421a86a0ac2a676124b5e716bda5dab1a523deed1fda1b93d5e671b23cb7cf3e211f6281cf7226baac884cae0adb7ea17480700

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\81C830FCDF8B2792A7B39A36AFC73927AC261D1C

Filesize
17KB

MD5
0f40baaa4463933425f238a4ad89840e

SHA1
6ecbba2cabe9af9940a60453400e833d06bd4f51

SHA256
a286732266bc7bae7675f23bbad69699927156bca84bcf794ae5d5aba5a5af53

SHA512
fcea50f19a9210d6315414e89325787f54f7f8a0f9a81839b0cd4b6501b7e48ca5e6b869ac55ce48972623859ee4b3551580e1e00c08cb996ea9af537d867f50

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\83E9220200E1571B8A9D3BD22F093A31723DBB86

Filesize
2.1MB

MD5
a420d05575aebd1405ee81bad2c4de3f

SHA1
c80377719e02c09a2cc359ebee56c08a84f615ab

SHA256
288854752d39106828134921b213cc487fd70920498b104284107d13ca6687d8

SHA512
9df239a99d6dae3d5d2b78f27aa6236298c31d8820e0e154ecff286bbdb95fd5af2ed787bb4f7bee8c268e0894917fb82b534a21cabe28310ac451e996b2cdb3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\8540EC873F08CBAD5DF5121BD3BABF95624B4A14

Filesize
16KB

MD5
0323339d798638cadf69adc53f1d4075

SHA1
c0195e6e425fe0c2c9abd2de6584b4eceb5e14ee

SHA256
4cefa3465e334bcf8c6024ad9635972e25c7495c3ed66ca245b7aa559af1c26b

SHA512
2b0a453e5dcce94d8b5b49294570f562ad8f186c7959e922789c88f5059e3cb5e4000311df2c7a7d3ec728afad3cda50a3bcc1904712586d3d2b6922aaaf58ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\87D67C6F210D892C8AD5FA8385689269C6AC95CA

Filesize
55KB

MD5
89a875af9990010425243fa82f9df1ca

SHA1
b224d811096d4029299f0777f1fc040cad4f294d

SHA256
aba4d4cdf2107443ecb1dffe7201b636bd6c7e3dffe71083ddfc7c0ac79404fc

SHA512
40accdabd69b53089da9f83b80e6ba04a028aec7b0d89eebb26120ae0e5d56730b12b0a62c139a4b629ce1f1494fd9b46d006167c6a8eaad7c84c04ea8fcb375

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\93C5BBD679142CB9AAEE0D9E9C3258B679D772CE

Filesize
20KB

MD5
4780cf99a7298f11d5e5792ec9aa09c2

SHA1
9278e077c709e4d3a28b3f7dbbb6204b4e070b53

SHA256
8329e7751a5f6dab08ef5acd766c3da8282626e1f445534ffa2e6cc055d42cd9

SHA512
ec1d7185bbef9cfc75b6024d0d62364cef7d983b4c279701c6966013fec08e5d6d8330e267d1f4b094a939246296769d5883c529fc6ac54006b492b055080c1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\94F72B6F2D0DC3ED340D601AFA278D214906FBC5

Filesize
9KB

MD5
f76c455be4536f5010fa9084ef67317f

SHA1
5e3fb9d9cd9ceb5f3b15e5646f3d2b3d46382212

SHA256
b800ea9fc07350712f369997bd50e4afd7226755e39bbbb5f9df7128bd211439

SHA512
6c833b5ea1bd9b8f8e3878c43031d586bed6b120902cef5cb203ef2d1e3579d743307b3ff8a1c8961c91b3ad1763074dd7656c9005c211cd32e5e2b47395b654

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\9902E140B540D26CF6D9EBAA6901D21E045AD01B

Filesize
215KB

MD5
6a769507f3e63a9eb685e774d248ed9e

SHA1
3282598b52e41bcc279297bda8b38ef6623f5654

SHA256
a91a44c01fd098140f84bd83bccfcbcdc38293ee3f265d2dac0149809ba9be05

SHA512
317b0027e910db6b7fa0e5478011c2a656269be66c31ec62eae5a642d4702e89abcfd37bdef502fcea2e2ab9cdd84d441db4b6eb86c5d63748436cb605efb68e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\9D67DE63BC05FC8C2BB415AE05CD43D50B4A1D70

Filesize
22KB

MD5
a6d4e05c58aa3c65ef841e366c363676

SHA1
f61364f4387654ca43906e68d763ee693934b3bb

SHA256
f3dc7704ffe7175b7660fb815c13030c4972a6aaf4cd1e6b28a5f9fe60f0986b

SHA512
4a1a7218bdb7ca3425c0e91a9c237c5a74c57e45d36a599592272aacca0276810cab4bdcff0c414585d69dacb29deea58af6895497acf0b16ffcaff92d3447ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\9FC8C85689D31525EACE26158B83B464F43A027B

Filesize
24KB

MD5
7424e63cf7a8b3d837a818246f7ed6fa

SHA1
313eba38b2c3d7cb10862cc93cdc584ed13bb69f

SHA256
28344b561cf104de3fbe8878e018d407f0a309b8277ab6e8f95d302d53ddf531

SHA512
55ae32e3244b31b4ad27be9fd8c40e75d90514e9933bc120746290852935083dd60fb764bed482b9da1d5f451721af9232900b71852f4e3aea21ad375d181f0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\A752BE816C32A166B4212612D41570FEFDA0B4E8

Filesize
24KB

MD5
a194de22a51b040ffc030b5db9bd27d3

SHA1
1e265a44dad94e9681a66740724da87f61873f6d

SHA256
41d1bb9e64e6bfe045495f64547ae5c3481d1709a1be80fb60df47cdc70959a8

SHA512
02e2911d9837089379e131156954380b8dea308bc74b479989d3b31afe4abf012e66f0396e1c3d4219f237b1b73f405a7f874a2c5c34681b3ed1532681a3efe4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\A9FB5E6047697568641592A7A75CA6ED3DBF5590

Filesize
9KB

MD5
d8d4dbf4451353d9624ad997befa1f6c

SHA1
a7d7bd0e8b9187a1d52205a36187a2bb615f6230

SHA256
5cddf7290fc1e282ecfdf16dad8b4be6071838fab20f5a03a04cfc0217006861

SHA512
e0d1a294aa4fa3e4e7d7d745bfe91fdbd548b3979bb460ccc836a22023f56cf90ac42601d8dc0107edb06217cd0b5cf0018eb7b02c38b5a28f336385af612006

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\AFD94D4E74D0CEE6E8CA79C8C81AA7E21F4E85E2

Filesize
33KB

MD5
7173d26ff19d098d8ddae1d7f714b16c

SHA1
f63ad06a73de541f7304488735572c72233e960d

SHA256
3cac37015e99b3ef8d7c8aa3795f513129dbf4cc830b0672a3cd10664869127a

SHA512
acc321b5c54b30a1c80ef91a38acb2166643ffd210c029946de01b6a4c44324156448020afdf811346233fe09c1eae3d82e56c790d8d5a50db2d7debdb8f5082

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\C37D2E28BE7C94DAC7149322C49B38FD809E2F1A

Filesize
20KB

MD5
7f3ef573ff8e15f72c946cc421b686fb

SHA1
8232de3c0cb9cfcc27d74dc3a5f01890fdb9f9c2

SHA256
5423860a97ead9efbd09fae826c16660e2d7b261b57106b184e25960be89c128

SHA512
7e713ecad2b79aba171c4ba434dfb4015e7d1b87bee7c1132f11f0eefeb9bdee5d76992490792b4893d81461806647a1451448eefcde7b817cc556630da7439a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA

Filesize
13KB

MD5
ae1cabd84663fab6880d64b9205eb815

SHA1
4c6930fc712625032bbaa3ce9701678c4d666880

SHA256
1a06b37c407d59a593e7bb671d8af076d3353c640e14fbcf07ed1670538f3271

SHA512
5aa76484cb23e32dcce182179ac183d3ca96d5da859662b02e93243c656cc7273f93554ee2020e2273a500cf04fdb6a07d302d38442d9e46480553e836b37eb0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\CE30F9E7CB4E0D8AEB054228E581960CC2812E48

Filesize
15KB

MD5
cb8299b93f8d22360d6c98915a468e01

SHA1
365c1cf7a904cae12c1b62386949ff7c5b0322e8

SHA256
ec468d8c4f07736d38eb0d89af604399ece0cae54bfca85534177f86605a5e85

SHA512
b31973abe355362d2d038a1f031672d95f3d9bad14facf5ad782db1ba322d6c252aa9be493211b8328d2f1db0bcd75c89fb7eaa83c5af43900de628148b81840

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\D8C2CFE0485DFC922614553B1999E8CE09530D68

Filesize
24KB

MD5
8817e6b2cd8da0e1bba6370bd4818f57

SHA1
9c1ba368cbda305f34cbb81c7c9f6767c4603efd

SHA256
903850d50c67c5083cf9b3fa878f8c9b56cf801f466062a412e2646a96559f8e

SHA512
dbfad03b71ecb848f2b533959f15e17374b12cbf650bcba88fbd4ad45c7720527784910315a8c7c1e55e4612ab9b98fb1fed28b60a4179b1330bf56daa9984af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C

Filesize
298B

MD5
2e554aee08cb8d997f0efe8efb7eba47

SHA1
9f7aae2ec79f821cacd578a62159111cfde298dd

SHA256
be8d41cb5ca057c027bce3a83eff3afe64d76ead9bb70995e57a30c101b08a2e

SHA512
29a93c3e004b0a5080df77845362c6ebc2f344137d7a6ab1955d76bcb68cc8c48c3f3f45022548ebff72493a8bd03397e14dc7a64781b5c6f66cd7deb9b384b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

Filesize
11KB

MD5
de265f17ad12931a34bb67d130902b5b

SHA1
770bfcb5f7df0138f134f2d5ef5d7f07df0509b4

SHA256
3bd36f0fd063f3c3e02c378c0497d7ee8380d72ba8d9a0c5fc3268acb6c0e2e5

SHA512
f6834c24aaeb11ad9a887e073b1e9a5225178762c4b5410bdcde7831fc3f3b7c0d4c6bb1c3413f290ddc1e7cb77bb9940330f511afbad372c4c80c74a09837b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\F21F53293B85556D4D7282B4E507DC37E6D6037D

Filesize
9KB

MD5
80ff2db362bd800704a48f941b7db286

SHA1
c756d13899a511d5d113d21bb0b69ae80a96902b

SHA256
60c33c648f3c2eb02c1ed65445daefd248d61ab779c43202cf3fd1801b2bd472

SHA512
8dc1d073362e0828073b7c6a60eec0cbd2cd916e33f6b2d3c97463048fd5af815bc501104fcd63161820a5f741c4498144e5042635fec6b4852cc143a048656c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
fd0bac9c293be08b7b4a24a5221385f7

SHA1
0ca68689b7de79885c119852f64dc0b1033db8ba

SHA256
44c4fa43c6d649b5c863334a0068f92b110b3a81ae1faceafd3ea3a4913efa22

SHA512
8829face72fab651136d60375c96b63e1ebb819c9e1b47d6c07ea52f0db439d318cc0d0e73eebc4cb4432cc57399050f7cba5fa793cdde48cfc9a863b692745c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
9442456b06cc145745ed27a8d5bcec2a

SHA1
c0ea7978225d0908461a8baf6239d0baff2884c5

SHA256
7111d63997b54144731a3f6bae9e279aa2d75cd6f5c0e2b9b3d5370bd4b700a4

SHA512
be9d8d0be5bdfe6ba951a261161146e56810e98fc62d5fa962e68003483d0d1b37fe17046f41b991f81b49cc1b3fdb61be410d8cdd9fd1114b6660663a9b9da8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\FD3C8B7B2C5FC530AE8D3FC8050677579C3D2E17

Filesize
11KB

MD5
175fc086bf6eaa5843bd77fff58723ae

SHA1
4905880298883e4983b62486fef69dc74c939904

SHA256
dd38dc4ca3a3da7f7de884f58d85dbdad9bc4a8a206e182568037504e4a5c0e6

SHA512
3041fa67c64b707e2c000dacdb10bb8299d090ca56e9623de9bac8806099908e5194ac696ac72d7fba87e0b9a3e61e5348a7d21eb28701beabdb63a0a8e76760

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\startupCache\scriptCache-child.bin

Filesize
490KB

MD5
1f030b7e64a9890f187a28b19df12c37

SHA1
f7f847f936b799f059d9a9c0e241bb58a914e577

SHA256
28b67443d960d02d35058db05ac5bc8ce805bd82a803331dbc890ac0371d514b

SHA512
d219c356dde0e03f00e5916c024b140eadb65bd00e6f0c3279c8ed368e9bb434e4ac4c6f1f96bbe2b3567630e3042ec3c9186b3062d34ed9c45378e4cf7b893b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\startupCache\scriptCache.bin

Filesize
8.2MB

MD5
56d25d5d800bc01761fd1fad845027c0

SHA1
c1bc59ff02dccc5b593c792af711b204151778ca

SHA256
7161237e0254ba97b3a09dd619e8ccebe347781b1d8ccf025e1ee86772197ffe

SHA512
ee0ed4afe27a2ddd635d61d61fd0c44cf39e390d271cc773e10c7d9af02e0cda8c00245b1695c3e07f6d77f0a5c4f2107e03194f92a4d4fb87eaf4c71625c361

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
afa2214a8fb67d9010d83445ef40c814

SHA1
d7da103aff0977db43b6f8c6d09aa3bc91512b88

SHA256
060e1c65bdfab3b2b585a073d181272ce8476f3c4a3f96bd23806e41ced2a738

SHA512
ce7fc2bec05b89c2faedf5bcfc9c365bf0a127c7769880169db45afb0ee7d290ab1a6606eb07006d7858e2fc7e21f371951bfa68bd2d5f1bdf3e2e9975e25673

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\thumbnails\11a0d7a384f03035b5800c657ab995dd.png

Filesize
15KB

MD5
383a201427de94354853767aa03c15d6

SHA1
5b623559b787ff9a8e8905d424e81cf353a16360

SHA256
3d1cc86a75c0c1ce636d8e52447b910e8565f6ed5634a0617cfed303f00247d0

SHA512
e43e5bd968cfd1cffb111bcea7d9ec00933802a9a4a7153e3d8aba990ae16a198bfca5f3cbde85d94e2fc71bb57dfe82d17933dd412cd272e25c877162db38bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECAB63678\Xworm 5.6\ClientsFolder\0D1C4E13FC607A0E7CD9\Keylogger\KeyLogger_05-05-2024 17;37;38;245.txt

Filesize
11KB

MD5
14a33bd90ec56f273ea5b429afb3e102

SHA1
71341c47668aa5a16c00b57d291bca49a69a221f

SHA256
9b0d4dd04b0c83a459b0e47dff4520a0ff5f9836df408d34109e9940f933c171

SHA512
d776be031f2210d7f6a53a2e5ff47ec30e04dfbde7040b164cf1e6674b4f1cf545b793d3617206597cf1c3743d5516f49bb8b9161a08cb8d345170f94d59e28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECAB63678\Xworm 5.6\ClientsFolder\600E3A065A9E303E3CF9\Recovery\DiscordToken_05-06-2024 12;42;55;702.txt

Filesize
72B

MD5
c6d06cd78f004cf7e2cbeae15c17502d

SHA1
279f08760fe10bae2be703f9acee415ea4d2c85f

SHA256
0b194a0b013d12813d06894f51a78a27856ace01c033bde2b0b95a83ba0563b2

SHA512
e7484e175c5ef9e7bb9ecc82059383c38380127a6430e88e89ed4477b7f389e2a078fbb9242993b99aebac97a1e034cabe0c3c729a1e66aa5061cc22ea7f0f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECAB63678\Xworm 5.6\ClientsFolder\983DD433AD5F001EAE9B\Monitor\05-05-2024 10;48;41;636.jpg

Filesize
970KB

MD5
224d75da99a372dbfa87ebe656476f20

SHA1
468e7f1fed7b67f4351b80ed4b7ca9f70e077051

SHA256
48b4323c2b1c75586b5d69950f8040735bae6421928175bad9d03abe5b32597d

SHA512
e79ba5b6d3e3c5e19b6edd9a118cb8c99adc899161823e4af0e3685c9f96bca78a71c3fdfbb03c64da9895e83d72fca2f345821739fcac84e448bead7fc84819

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECAB63678\Xworm 5.6\ClientsFolder\983DD433AD5F001EAE9B\Monitor\05-05-2024 10;49;35;218.jpg

Filesize
991KB

MD5
44cea42904157feb638d5cda50893d93

SHA1
c0e62797ebae4d2d8b999f7180dd438719ed67ab

SHA256
c1cfcc636f24bb2a39e2993fe58a84832cb590f41303d784686d8e64d696ecdf

SHA512
e9820f081f4a137f95cb44c2edd1c710c3aed0bf33f135bc52283e7dc2ad9712b62f20ad47e1d1afe4de12b828dc59bd351c448a77c5a9382e12e8492068f822

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECAB63678\Xworm 5.6\ClientsFolder\983DD433AD5F001EAE9B\Monitor\05-05-2024 10;49;54;213.jpg

Filesize
555KB

MD5
59671b404eb04d54c868463cde531da9

SHA1
0cdaa109cdf14a142839df5c9dc84c7d55e40b6a

SHA256
b20fccec6f7f545bf13209fbbcc963e8c930cb131dd792b870ab7d125b094967

SHA512
4cd202d2a198c2b822c398d0fcef3d816d0c9b9113012e54af2a78f8a13f4608af96699187098fffd11625a7afa2e23d0490ea7ceaa2153aba6c0a4acbd550d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECAB63678\Xworm 5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
a61b797267190dac8ce6f23b7d893492

SHA1
81fde23760bf8adca914f249c985709333567a66

SHA256
cdbc2ac9a5345ec2a3537f293d4aba272ffc78ad48c3e8542fc3b5c69cd36136

SHA512
1be43a774af69eb067fd7741b84cf383a2d1a3ab615dd01854c7a60dc17033d1af979fc980f34ce80e9f56066f5f2609b3cde09b57b8490ca3d6ae2f8589e4cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
c9fc926bbde28edf8cf2ae79b4d2626e

SHA1
12ff9aecb9e367b2c90c83a178a50276921f7d30

SHA256
256297f3fdb06eb5e58451a3134e4ffa730cfdaa3b9d67a6f4d7b3376b6df2ad

SHA512
014771887f2d99657a55393894fbfb035e9decec30799cfa22733789c84b1bb29a37da42a8a91fa2f088901398f304b62ea3e2f0a81d914e75f1f730db4ba591

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\AlternateServices.txt

Filesize
1KB

MD5
71fa16ea21e7b9cd8ca770451e099e48

SHA1
18233f07f0c4801a9ee592fbd689b7d2ae0cdbe2

SHA256
d7c6cee57e858ab3066aabee8c5a44106cb534e0ac7d38a607aff77d094d8590

SHA512
5d0d217c339ee45372d97b49fdbdb0339e5eba1e34b3e34db871e280cc6df4578cadecc6b65f676a037ebbe3b54e0b392c387998f454b260a2a8447c41b4bc6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\SiteSecurityServiceState.txt

Filesize
347B

MD5
2d6d2af3e2e097474c2849fc288a9e52

SHA1
74ae86e3b2a03da412025aa2d53893c394138696

SHA256
e5010ef565d649e0b725778a7a8b8a7b9fd3fde175d379b38c43609b82da9df3

SHA512
05d693e21e06d4c226e9778f19025e82a7f0cd0fefda9b3ef94987d0a7d3f8db382bd63070bb44c72db920c34d2149aa929c108e7dd9edb6a5873a436c2c7910

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cert9.db

Filesize
224KB

MD5
2abe7c988e23ab0c3ee37b4942c04ffd

SHA1
fd2365e7a161ad09286cc72fda59c8bacbdd4eb5

SHA256
916079ceb8a54b8160b6b70614838c7dcf7ca0a0d05e3b63e4cf874c3fc6f8bb

SHA512
05cad604f2bcd255afa89c98becc823b321ea1d3d0e80ee9c879283ae05f3510144467ff88d5373dba8c2cc27488d0d3bf205ea423b017a38fff1846cb84c313

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cookies.sqlite

Filesize
512KB

MD5
b561002ecb5eb44ea9ce33299021b438

SHA1
fb97391244fe7ec8f16621f404915e07f853026a

SHA256
f5a9c5a5f469630df68df23b5450b5c87fca77cd1b52c9c61057bc520c48ff92

SHA512
27da3a7026287782f959e672791194200abf785a49acbf133663f5bb96a87073e62a9e00113cdcd1e1e9da8c52b80574f75368e388d81d9bc6cf3f36df420ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\favicons.sqlite

Filesize
5.0MB

MD5
a21eda8b55a2ebdde9cd1a04494b58df

SHA1
69c29e6ef4a606c95313aa797e6ac9ac81897225

SHA256
4a62b53d969418f49ab153851c98ddfac9e9566e92882872a820e0af2b515222

SHA512
2633aba409972ec2d7ccab3abd19bc3ba66c70ccb1cf7796105cec1d2f6264c0cb0e2f783a3f01f02b080182e8d27e79d567308d7bb80d2fda4b8816b85ba9fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\permissions.sqlite

Filesize
96KB

MD5
96cec4bccb842e36ada7df6f467ff1f0

SHA1
483fdb5949a41ecb3f8613ecdcb9884979aa1418

SHA256
1f520e9d941ba1c52592184d8f98c6b480fd9f13e2ee1a70c3adfaa5249ad0bb

SHA512
993b7c551a6d40fb2a43243c99c96b5aea88b3b965dae3c29ac3794691cf68aeeeb4facf369541a5a3ef01f48b7a9908381ea48dde6b174a1ead83a04a64b389

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\places.sqlite

Filesize
5.0MB

MD5
27111c924a889ce4418d611f21690101

SHA1
34a9708f397f468a264951d5be2ca4f18231093a

SHA256
26b3d8dd8f5973f0343b00d2720cb15d980007a6d891b6f57668efeccb14a987

SHA512
26628cf7b29564f2992ce9e838aedb1d95e7e6d3842c85eae7baf498aef657523fba27cf34e304474450f82b9d277c038d119a3d0431f819654c6fa32e2f4178

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js

Filesize
6KB

MD5
891e7d8402090caa6b7660d32359a55c

SHA1
0b767f45c91d534641da24c1abe6ab770a741298

SHA256
247aea8c30b680df5baa6fdcc1f73924dcc292e4e5033429e2e55192c979038b

SHA512
3f0fe8a1e2f930dfb5b716a4f983148aba4fe6db149a2e77aa5fbec4ffe2218d1aae103e44300690ff76205985d4ef118f4527a68752837d2e3aace5e25b2e94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js

Filesize
7KB

MD5
14bd40e42b73143bb8edcb8dea9df55e

SHA1
ff2a2e2113f70244b97638f92bdd2bdc7993d989

SHA256
dd7bf96b5fdf9eb8ed75cb95ee490054a0d081b37ba5bd46d4819c5bf57d687d

SHA512
ece515564345b2b730a35e63aebdf31effc7756c4cd193c068e3c566b2b243dc77dc7d91b0b74634c98ee869c71ce269ba1ccee5686897360a9ba1719a36f2df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js

Filesize
8KB

MD5
8e60b0552d6094f3ccff424ae7888317

SHA1
0de1a663dcf7bca9c021d72e4d247a11b8ab59a7

SHA256
1a2e875d3920953c976dd88b0fb8fe5314b6735d3d1f39de8c4f875bef109863

SHA512
83531d326952e3668c8b3962da23feb8a4f3ef2b9caa4ec6bf6b9916406fbc7ca16450248fecdba0708ae061ed23242f3169a2c795c84cd9c75d71ea4f37a93c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js

Filesize
7KB

MD5
b94b31074209772caaaeaa9017189e4f

SHA1
126c8b4b703a8f6c122637c53a771437d8b6b0ce

SHA256
9ff47669a07b8415f8af5badd1c17d7891de0c5b1fe58e141df3656158a97adf

SHA512
e4b8834238cd978bf3364b0a9c75371cb463829b708b31824898c8addc0a24f8c1f2f3987b81d9641d5aca9a3f9183033bfe21a3e5b5584e4e1993f777b9f7d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js

Filesize
7KB

MD5
b5aa604fb3ea0155b41d44398607c5df

SHA1
f0b49e30aa4594b66e45a35ee64ce58a65a9c490

SHA256
531d20e958e5beed3962b30536010a0f1eabbdd974f652295063ecac1edf49cf

SHA512
b9b5ad76cfd43a763c3ec68db0db19c8604c0ff9697082d40cc1e53320329c633fa3e48c8213bf8742f4c4cc3ebd852f626ae46deb3d3bc92125025cfcabe3a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js

Filesize
7KB

MD5
1e5b9900b5fc278ecd32d695bae8ef47

SHA1
7ccfc759a359f2e5b980ab4423f5b4937030b43d

SHA256
e9a3381f6dbe2bdc4173e666584f8568421929aa35975893da9be1fa1965f88c

SHA512
b23b55581b4ba28504a212835837450084874c56fbdd82420618b47fa83d9351cfc820283498e270fb82fde89ce6c137788f32fcde2fce0482bb25fb9b0b5c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js

Filesize
6KB

MD5
5cfc3410787028f5b18cf498308675e1

SHA1
f29f3f5ca71158c02ef7678c1f341deb23136d0f

SHA256
9ac50441d1d7f0bc12838a53442db46eb4384bf0cdc2ecbbcc2291b4f7e50076

SHA512
b166954a26e041f8dd94dacbbcaa78e15d5513c78cf79c6cb1803ec0a799b77b7b2e0d43165ca62903832d146984760edb45109b8163c5964bf02f7cc8d229c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\protections.sqlite

Filesize
64KB

MD5
49397db0486dc59d607907a086f40c9b

SHA1
08742ce9db9569062def08e99eea8470702feb7d

SHA256
890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4

SHA512
fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
b6cce5f9447794a10cea652f19154347

SHA1
a56f1a37052fde52963e763991ee3624c91d5a6d

SHA256
447637bedb1e78461d18f171043dd29095351a371ddd8895db913dbcba221e51

SHA512
b4e7429a3cc0934bc1d9fa01db92560578f94d83245f1a3dff439a1d4c5f77a7b8c5acbf88fd1553db267b85c073f44af94e098f6ae78befa19da1a8ea236340

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
752cbb701715b6e9f33b9a9d952f9d26

SHA1
db21cc3d80b97188b0fe6f624130d70c1e3f3119

SHA256
b0c84e9502cc94f3cf6c09e9a64a0831dc1eceea60f31b8ffd09ebee0cbd35c4

SHA512
8c9257960319b250c7e1dbbd02233333300c28b5e7070a1ce7eb99f3e6ba430afb4e692d4330256eef71b8d2b57407bb216e69ab35bbd3a3bd39a64f56cfa4a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
bd92079bc9819f5601108fcefcdaa3e2

SHA1
69577eb2dc62945d8280e8c1ddac8df7a6541ef3

SHA256
76fd9a69394a0c2595aff3df7e76b266c09a5abda2681892aea15a7217224c71

SHA512
a1e6ae12ce2ef345896489261fc635e036cfaa1dcfe354c86c7cdcd10cacc9a9158daa926d7dec1d985278a72ea795edd41bb3bac21e05e35215e135ee5ed4c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
f4a2c8695b8f357529103b27b2a70e0c

SHA1
162e4ba1974eb5a4774df615db2b81210a6a6c51

SHA256
14a985d6000ee8e09167492c48f1b9dd8667c8e96407d1bfabf852051449c717

SHA512
fb4c93e8a758f9bc8ac52e9f30e5727e06a3c1f46b650b2c2a5392745181f6e40e98a62d396f29498fdc8656f736305210916138940e6fc0490828938fccb48d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c60fcb9dc1264347167f4265ce5e7453

SHA1
72d2d80fc34ed56280dfa2f29300bc502718f29c

SHA256
52178a97f9ba7729386eedb16549491733cdb6f8d4ddf9c8f16043b80024c3c6

SHA512
d607b00d7b76d94cc69339469d7c7dfb710e1399ed360ee8ec2c1a6e66d2d810efb95a1c4b20e9424fa55cba60f625cfa487af8bdcbd5aab45ba2120c21212db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
797e956d3ac0f602476007bda7454f15

SHA1
48e310f037818a63d8c2880a5b4202bb9193c09e

SHA256
fd9dff3041c1bed789d514880dd6005e68a20393677dc914012554dc373847ed

SHA512
8f0f2ad8d027eaf1fe3170750730f49799625b83865e7d64a44b459ae623279e4114bd613b9191f6e010f070d64550d791c90400abb55a86fbc4b0f5deeb256b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
7e076a9455f1269b1e31af52a85b440e

SHA1
dced64e8f5606fb084fbe1d4c06f4ed7249853a2

SHA256
45f104949ca0aa24edaa6549823b3dca138e833a2b3e6fa1be25b612f54accb3

SHA512
d54c514d862767b821b71d7a881cb5a7b02804e5284f80267d61c0f76b8de9120cc98a05d66e131330c1b50cea78462d95f55c06031881915598b83ff80a157b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
a383fe9044b15f50a36d1d05fe2ad002

SHA1
e75e36a14d639f40f1e7b908057d2e635d7c4e36

SHA256
214caa9418b49710e3aa0763dba7d2fe9a201dc08e30d73e31588d7b5e1c3db0

SHA512
babb05bb86d4bcb3cb1fcb15be47cedc1192779bbecc625c6207f6f82eded09a0965c6f2d9eb939ee36974daecd33d5173705a68f45e3c09a15e029c6998e9b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
4b061e48b9ae7b74abc34c896225924d

SHA1
a90cb74f99760d0a7d7a4db2725a1269f95bb120

SHA256
ed60f12ba35dc985518aaf2d2e2562180e2a861f9279a6a0bdf21d1aca97ec4c

SHA512
87dcb44cdfd4449efcbad12d0fa01dd8e5e672da8097e25dc04315b42bfbcb25c4e430a67c59654a6ea874403301027a473e22b1d0aebd2806cd01dff9c9de2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
cac6529d3dd557681cdcc605099fdb9f

SHA1
0a9ab8858af126354a17548918b1d061acb2f190

SHA256
aac3c8f24463f2328fa406d22fb4b43aa1b599e61bb207e85dc1cbe72daaf43b

SHA512
0ff2aaebf6ee81715f8964e5f8fa71ef2249ec90d032f160d6eb753491ae04d27e37c9bd0d857be203cd592eae3c30ef7e4051e88288bd40edc91d0d5d10b0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\storage.sqlite

Filesize
4KB

MD5
e95a0245dc9bc47e459b3ab9c9914958

SHA1
ded47b2cb74511c0e721b7a72a4bbdbe71d28f37

SHA256
1f8611bc131b2720aabce94193fc0fea570d1bf934803c5279714ef200fb01df

SHA512
26f68d8d494977a74434443e45f0cf43ef94df470cde5942a9951a575406e55dcb53b0b010baa57dbc529eaaeb6d451f4c619a9dd6b94fd2d41809f88b698fde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
978aaf9ead0686a6dd516e17786567a1

SHA1
b50614ade616d39e5af87ccec6d1f844c124772e

SHA256
fdd2087607237b64846c1f9c1bb30730dbbc755324f44b2a2760f74504fa6238

SHA512
96b124f301f088f49baebfd268ac29fc1be5256569ca8ef67b16ea7a441694633d6501fc92d91b3a40785a48423cf9e9939fb8daf22e7b11b146e4f9ede1fc7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
200KB

MD5
c1ade0bbdc5c5b64034d8264644afe24

SHA1
16e246d03c2fb186a43baac0c727ea9987aa9a40

SHA256
bd1bd9c83953a1bde76bf25107ecbb21904547e5eea240c48af9cb0879a26a13

SHA512
6aeb6a183a3273ff79552af7abde3b29431c364534af17ca433ec61fc5b1df50e5b681a31324d6774a833aa38815f80da83d9ac39967d74c257bf319c74e9dc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\xulstore.json

Filesize
342B

MD5
9ebd4c529b87ff8c6996fd213e7663b9

SHA1
bb6b6ee7ea64f68253350aa40ba3b44f553864a1

SHA256
ed04d7730d027913641817927ad391d099ac59ba526e17f64451d67ef94c3255

SHA512
1d5ee73d765f6fe482f5afc3d64af28e1998f621caa8f13afdb5502add7665f0cbebe793bf0d07341f9789053de4573ce2b9bdc3967f9b60583e4648dd36e60d

Download Submit
C:\Users\Admin\Desktop\Xworm 5.6\Fixer.bat

Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\Desktop\Xworm 5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Downloads\7z2405-x64.exe

Filesize
1.5MB

MD5
c73433dd532d445d099385865f62148b

SHA1
4723c45f297cc8075eac69d2ef94e7e131d3a734

SHA256
12ef1c8127ec3465520e4cfd23605b708d81a5a2cf37ba124f018e5c094de0d9

SHA512
1211c8b67652664d6f66e248856b95ca557d4fdb4ea90d30df68208055d4c94fea0d158e7e6a965eae5915312dee33f62db882bb173faec5332a17bd2fb59447

Download Submit
C:\Users\Admin\Downloads\7z2405-x64.sDm9lx9X.exe.part

Filesize
15KB

MD5
2267c8026276dbad310dc28e4815c6e7

SHA1
9e62012c290abe4cf1313816799d75d59d99c9b6

SHA256
41f940c2612476bd018f3ab01000552e9475f613f155b202f151b18e9eb7766d

SHA512
28e5bbabce2852b40f145cd49bca9e52c22e150ec44d5bad25e101787171cc33bd523e9e7e7199ef9afb277ab5b4adf332b2689cd9d9a5c06aa7849856dbf244

Download Submit
C:\Users\Admin\Downloads\playit-windows-x86_64-signed.2SmuPQaP.msi.part

Filesize
2.3MB

MD5
93b91c8721ca2951ecceb0fc0e739cc8

SHA1
f5ac76bae778acde000f72d5630d1a8983948705

SHA256
727679568706156f635be9b786c61b8fecaf55894b902a014aa6a2a691fc3108

SHA512
3887537ef47bf8adf0d5b137a7bfe52610eb1e6f3c37d6d3e778290cd88fe4f6643e50387b2a154cd370b71def316340c62046263054ade27ff5a3df1865ab65

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
48KB

MD5
54eaefa841aa52bb3580aaa0e64094d1

SHA1
2bf779d07fe707a2adec9045ea06e95f219c1d18

SHA256
783878d5cdfa9dcf40d7ff3e7b5bfcf692c70188d1bab5dd7c646735122a8870

SHA512
a539aec842b76a000a61ca00f39a2557390e26a4ab34e3722bf3b252bd580a575951f7ad72853c256e0f0f03aa3a1552178965ca74696cf372ae00328bc28f6a

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
51KB

MD5
9abcc480d2a0cede7fd7393e50c0333c

SHA1
de6d9114c9632e4683fd7a03251d0de34893f64e

SHA256
2ddbd04182af159fbd282610381b9a265ebced2338fcafccba93556ac710f09f

SHA512
4be9e6a999a89188b0bf20849f6663914a44c67acd382514fd554d87fb72bff3ca1cdc9a11e163085e5638ef8c16d35383bf9611e409aa07b249dcd9c2dfdc49

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
47KB

MD5
0cfd5298e63f44351ebca47f6a491fbe

SHA1
b86c08b13f0e60f664be64cb4077f915f9fc1138

SHA256
562261cc16c6e5e2e3841a1ba79083293baa40330fb5d4f7f62c3553df26ccb3

SHA512
549e5c28598ac2a6b11936aa90f641dfa794c04dd642309d08ef90a683d995d8f2d3a69ee2ecd74adae5beb19e9de055e71670922d738bd985657ffe75ebe235

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
afc0429d5050b0057aea0a66a565c61a

SHA1
73f4910cee7b27a049d6dfe291bb6c8a99c6dc8b

SHA256
f6847323dd961aef9230bca3409a01b7c4e5e16dcca8a2e2417c9dc750871cf6

SHA512
a33920642f3ec69c04ff61b09149a57ea91e76bb8d51f1d393a31b5079a3f83939863d6a924bf2a2982786b2825bb634e3d0c0920c7bc0bf6a91e214ef8555bd

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
35KB

MD5
17fc81a0e3f9fc02821e40166f1cb09f

SHA1
2931659b064a216371420db215b1f48de29a1858

SHA256
fe933b8ae9d8fb3283a76b42cfed31be01d02c91cd7ba742b399df613762fff2

SHA512
19a93f08124962c9826cb6794b897ddc3dd3391e2b24cebd70c2a8027aa082d2b65f2d92ba438684d6e0490f1dabb714bcb17561b951807589c5ce920f2e6031

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
322KB

MD5
8e549f070ac8bb646d0c34569ad6d880

SHA1
2a9bd2f7378ef5e85831cf590d9d735e9645f49e

SHA256
b08ebaa7d8ba93702ba84a59f41c0faed94273203d353c4f3cad31530d1b3751

SHA512
10c3a012dc64fdcb5bb0d8fe03aa771b936e78092de33e029658ad18e8c4771cddb84e6057b79bf8e6e90a8f3972f4bb1cad16f3cc96c13527289f3477f5fbd5

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
312KB

MD5
367662b55faba4e0728f3c296daa92a7

SHA1
1775899bd0f1bb5cf945910db18aa3a9d4d15b7a

SHA256
c2ea1af1c970468f522e354c8e47b121b66a0d0428a8400f4a5cb03216368ce1

SHA512
283e9cf2bf6fe904b530bd188347641c1d30b27c95d89552e18aa33be1c7e2840f10a09868a2862ee53bb805cef2cdbb31b8db391ca140b5dda27058dcad11ce

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
362KB

MD5
893d78f82b3994cf86b3c8c80cd7ad6a

SHA1
a68cfd50ebc35eee62c84f0fd74d20d1e0bb1476

SHA256
411b7581b0af88caa8c75409dc83ac8b521ba4d987d9347402438be16d31097c

SHA512
7f7cc32aca4f023f34e4ab7a51fbd0ca0b0ea51fde6d79b9a4322bee9b4d55800a981b2d97007ceadfa609767b7d84e9eebd8b3e92f9cb68855625a25767f42b

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
192KB

MD5
2870ab2c5b3a3669d190ce2a50eb28e0

SHA1
3bb55695d922812dacf0e6fa1d509f3a78923701

SHA256
a2f5b40245ae062843c23b41bfa4ea3cba402aa614bcb5cc76ae6f88fb45d3c0

SHA512
2c3e8b5c8ea4c07640ebcf7ef6e006bd8e7385707982cfb0f0f7bbc97cfbe84343bcc1e89ddf0b45a2af6bd9adb894f8604bc6ef76e9af060752169ee02eb549

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
356KB

MD5
4e277d7a9304103e3b68291044c7db6b

SHA1
b23864c76259c674ac2bc0210dab181bfc04dedf

SHA256
5dc2192236274fda886a0c0f396646f9292000ba33bd0e2061a65bc06639be16

SHA512
094477571cb17d7b19f6e81ef237c579f03c944745499b2e537d77972da89f8f4baa0825c3f79993d96116aa071bbc776a96f55cf8ab3f60698c2c4e03e36957

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
158KB

MD5
41f2dbe6f02b3bb9802d60f10b4ef7a2

SHA1
f1b03d28e5be3db3341f3a399d1cc887fe8da794

SHA256
eca01d5405d7e8af92ea60f888f891415ea2e1e6484caff15cbaf5a645700db2

SHA512
1c7b85e12050d670d48121e7670e1dab787e0a0b134e0ab314dc571c3969d0f9652ff76666bb433aac5886ca532404963a3041a1d4b4352e3051c838965fd3b1

Download Submit
memory/5012-2505-0x000002969F0C0000-0x000002969F2B4000-memory.dmp

Filesize
2.0MB

Download
memory/5012-2504-0x0000029681900000-0x00000296827E8000-memory.dmp

Filesize
14.9MB

Download