f26803b764a54a90852b7fd274d5ced7a8a58f1715d3ab4b96900ad4f9dd0410

Analysis

max time kernel
186s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm.V5.3.Optimized.Bin.7z
Size

29.5MB
MD5

187b25b9e02c2b5d01a70d9d1855dd7c
SHA1

d0c7d39012ad0507239a3b060ea42cc13b22eb65
SHA256

f26803b764a54a90852b7fd274d5ced7a8a58f1715d3ab4b96900ad4f9dd0410
SHA512

bea5cec59d0ebee26a71c78dc38da47a25ea7932d119868caf82b5e4bbbcecd8969abea80ad41b65352f264ced33c457a041c0d9f321c272a8f913802ee254ed
SSDEEP

786432:ILW4dBG6KKNtxT6xewFcJbnYrFWNbqjnZ5M5od:3wT6xhqRsubq15bd

Score

7^/10

agilenet discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
832	XWormLoader 5.2 x64.exe

Loads dropped DLL 1 IoCs

pid	Process
832	XWormLoader 5.2 x64.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0007000000023c90-187.dat	agile_net
behavioral1/memory/832-188-0x000001C7AE8B0000-0x000001C7AF68E000-memory.dmp	agile_net

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2112	msedge.exe
2112	msedge.exe
1448	msedge.exe
1448	msedge.exe
2424	identity_helper.exe
2424	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
464	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	464	7zFM.exe
Token: 35	464	7zFM.exe
Token: SeSecurityPrivilege	464	7zFM.exe
Token: SeDebugPrivilege	832	XWormLoader 5.2 x64.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
464	7zFM.exe
464	7zFM.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1448	832	XWormLoader 5.2 x64.exe	111
PID 832 wrote to memory of 1448	832	XWormLoader 5.2 x64.exe	111
PID 1448 wrote to memory of 4692	1448	msedge.exe	112
PID 1448 wrote to memory of 4692	1448	msedge.exe	112
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2064	1448	msedge.exe	113
PID 1448 wrote to memory of 2112	1448	msedge.exe	114
PID 1448 wrote to memory of 2112	1448	msedge.exe	114
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115
PID 1448 wrote to memory of 1028	1448	msedge.exe	115

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm.V5.3.Optimized.Bin.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1736

C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb3b7e46f8,0x7ffb3b7e4708,0x7ffb3b7e4718
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
    3⤵
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    3⤵
    PID:3184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 /prefetch:8
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
    3⤵
    PID:2644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    3⤵
    PID:3028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:5492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
    3⤵
    PID:5500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13288727569810491260,13453019720019788132,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:5976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3343d3961680d206050ecdd4eda5a985

SHA1
1f1d8ce986d599568baad1be2fc8e897262170cf

SHA256
f55a580ac041625d7a0902ba85a5b6ee6c5bfb5c8a534aa8ed25565d7adf046b

SHA512
b8325e94fd016d1521276c00361c96eff2e8a23e68fc09e1fc233c085f1a9c05be52e1b02feab09f186ec3ccb9d6ea475a146c083a2555639536cc7bbaf162d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
442B

MD5
afc561229cccaa299dade763bd7cab3b

SHA1
15a5a5aa1c9fc984c625523725232c0b6dbd59a3

SHA256
1e5f8505876e9bada405f0889a7a52df7270b318e698e05d4faa564188555e26

SHA512
87b57af37290b9b9f7cdd41a30d0017c93e6b15e92cdccf163ad44126394923a714c589330ec01e03ad791f7d22c13b84c838212b33dbfe5e6dfcf8ce653cbe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
45f6ef187acd9d4a526270f2ec8e2000

SHA1
12d9d0088f5a9572fa9619d162c27e04acff0c18

SHA256
f107ee3992c5ee35ea69f724e5f02bcd7e3f119b98bc7ac7113487632c8c8baf

SHA512
ee54b735b53c6bfb5b7d7eef836a0d3b02d74c6defa81148c3890d0f31b08875303382dd3ee2c582d292404feb6b257f521f9c897502eee7c19772810d9520e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c546509fd5b944eec6a35bc0bda5c00a

SHA1
1d08fba15c0ae7460c4acc30970bb2bf833c9b5a

SHA256
817ff6f3e5879cbf7b868f190a60d95148919078b36050c8f59bad7de940aece

SHA512
3bc9e8d4b407edf5a82d289f6338736d4d040784b458cf730221ab97d41f0a650d7e7229fdd481b5ba53af6232d89fe3e220d5a13100b57709e48a41008aee08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1aa15d84187e0861b99630dd5c4d40b8

SHA1
d4b37c9887509af045cd30784c2f33334a0345ca

SHA256
a8435cf1947214ac43041179a0611004b0ba21f795e19e5aee6d85cdfde8a55d

SHA512
e949a29a6c34aaab70e1b475ecafc49006c3472d01a7d55bc58aca96075c15b175d08f90ab4b2f0d6b22d74220e5ba16aaa345fc13edeb788097c0b63dcb336c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
885db2631b633e16b3a8ab99d1e9262d

SHA1
c079a28bbf1fea8621f45807abd2c73ebade7ca1

SHA256
78b321e7d05e02964021139d36ce1c15bcdae658b8eb2717ef6ab0a695cde410

SHA512
2327bda067afa8c6e08205e5f9fa7ed30080e2b6ef46cd89157187d7985d2467c2e1a7835e55076bfc77cbf57a0fb89ddc55d59ee3b93f67fcadd8a3b40b9b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0D13FCA7\XWorm V5.3 Optimized Bin\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWorm V5.2.exe

Filesize
13.8MB

MD5
897201dc6254281404ab74aa27790a71

SHA1
9409ddf7e72b7869f4d689c88f9bbc1bc241a56e

SHA256
f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a

SHA512
2673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
memory/832-197-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-210-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-188-0x000001C7AE8B0000-0x000001C7AF68E000-memory.dmp

Filesize
13.9MB

Download
memory/832-198-0x000001C7AFE90000-0x000001C7B0A7C000-memory.dmp

Filesize
11.9MB

Download
memory/832-186-0x000001C795060000-0x000001C79507A000-memory.dmp

Filesize
104KB

Download
memory/832-200-0x000001C7AE3C0000-0x000001C7AE5B4000-memory.dmp

Filesize
2.0MB

Download
memory/832-201-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-202-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-203-0x00007FFB40423000-0x00007FFB40425000-memory.dmp

Filesize
8KB

Download
memory/832-204-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-205-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-206-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-207-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-185-0x000001C795200000-0x000001C79523C000-memory.dmp

Filesize
240KB

Download
memory/832-209-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-189-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-211-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-183-0x000001C793700000-0x000001C793706000-memory.dmp

Filesize
24KB

Download
memory/832-182-0x000001C7936F0000-0x000001C7936F6000-memory.dmp

Filesize
24KB

Download
memory/832-181-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-180-0x000001C7AD990000-0x000001C7AD9E6000-memory.dmp

Filesize
344KB

Download
memory/832-249-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-178-0x000001C7AD930000-0x000001C7AD98E000-memory.dmp

Filesize
376KB

Download
memory/832-176-0x000001C794FF0000-0x000001C794FF6000-memory.dmp

Filesize
24KB

Download
memory/832-174-0x000001C795010000-0x000001C795038000-memory.dmp

Filesize
160KB

Download
memory/832-281-0x00007FFB40420000-0x00007FFB40EE1000-memory.dmp

Filesize
10.8MB

Download
memory/832-172-0x000001C7936A0000-0x000001C7936E2000-memory.dmp

Filesize
264KB

Download
memory/832-170-0x0000000000B00000-0x0000000000B20000-memory.dmp

Filesize
128KB

Download
memory/832-169-0x00007FFB40423000-0x00007FFB40425000-memory.dmp

Filesize
8KB

Download