xworm | hxxps://mega[.]nz/file/KBRkjBAD#D9xLsjY-5OpxqEMzZDJZot3RegtYO0b4IDCBJAqiUhk

Analysis

max time kernel
297s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/KBRkjBAD#D9xLsjY-5OpxqEMzZDJZot3RegtYO0b4IDCBJAqiUhk

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

2kEFgb8KGBKHILDs

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023e4c-3449.dat	family_xworm
behavioral1/files/0x0008000000023e52-3459.dat	family_xworm
behavioral1/files/0x0008000000023e4b-3467.dat	family_xworm
behavioral1/memory/4668-3469-0x0000000000690000-0x00000000006C8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
5212	Xworm V5.6.exe
4668	XClient.exe
4212	XClient.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
135	ip-api.com

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5000310000000000515af881100041646d696e003c0009000400efbe515a3678645a510e2e00000059e10100000001000000000000000000000000000000e0493800410064006d0069006e00000014000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000515a36781100557365727300640009000400efbe874f7748645a510e2e000000c70500000000010000000000000000003a00000000000a9aaa0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Pictures"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 500031000000000086597169100049636f6e73003c0009000400efbe645a620e645a620e2e000000a33d02000000070000000000000000000000000000009ecd0f01490063006f006e007300000014000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000645a5b0e1100444f574e4c4f7e3100006c0009000400efbe515a3678645a5c0e2e00000061e10100000001000000000000000000420000000000203f6d0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 600031000000000086597169100058776f726d2d56352e360000460009000400efbe645a5b0e645a630e2e000000963d02000000070000000000000000000000000000006533f300580077006f0072006d002d00560035002e00360000001a000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "4"	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
2512	msedge.exe
2512	msedge.exe
4424	identity_helper.exe
4424	identity_helper.exe
5820	msedge.exe
5820	msedge.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5212	Xworm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	4500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4500	AUDIODG.EXE
Token: SeRestorePrivilege	4684	7zG.exe
Token: 35	4684	7zG.exe
Token: SeSecurityPrivilege	4684	7zG.exe
Token: SeSecurityPrivilege	4684	7zG.exe
Token: SeDebugPrivilege	4668	XClient.exe
Token: SeDebugPrivilege	4212	XClient.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
4684	7zG.exe
5212	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
5212	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe
5212	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1552	2512	msedge.exe	85
PID 2512 wrote to memory of 1552	2512	msedge.exe	85
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 976	2512	msedge.exe	86
PID 2512 wrote to memory of 116	2512	msedge.exe	87
PID 2512 wrote to memory of 116	2512	msedge.exe	87
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88
PID 2512 wrote to memory of 5008	2512	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/KBRkjBAD#D9xLsjY-5OpxqEMzZDJZot3RegtYO0b4IDCBJAqiUhk
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9375346f8,0x7ff937534708,0x7ff937534718
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3240 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14106787300137112311,5337106222819156618,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6140

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Xworm-V5.6\" -spe -an -ai#7zMap16757:82:7zEvent20614
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Xworm-V5.6\Fixer.bat" "
1⤵
PID:1628
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:5948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Xworm-V5.6\Fixer.bat"
1⤵
PID:3456
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:5800

C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe
"C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zczv3wz4\zczv3wz4.cmdline"
  2⤵
  PID:800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86D75F44AB0435BB9B6CAA5040BA1F.TMP"
    3⤵
    PID:1380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6112

C:\Users\Admin\Downloads\Xworm-V5.6\Icons\XClient.exe
"C:\Users\Admin\Downloads\Xworm-V5.6\Icons\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Users\Admin\Downloads\Xworm-V5.6\Icons\XClient.exe
"C:\Users\Admin\Downloads\Xworm-V5.6\Icons\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56361f50f0ee63ef0ea7c91d0c8b847a

SHA1
35227c31259df7a652efb6486b2251c4ee4b43fc

SHA256
7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

SHA512
94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0621e31d12b6e16ab28de3e74462a4ce

SHA1
0af6f056aff6edbbc961676656d8045cbe1be12b

SHA256
1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

SHA512
bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
dd80f7a70f52788a070c58c836bc354b

SHA1
dba23423e10b1043ff3e426243e0e1c51fea2355

SHA256
3ec8c559ee0f6a26fae6cf8f844a7f4a360b2e30721070146b681ee4d7519a44

SHA512
bfa3d9a65d91466208512019561be4caf7da2f1a34bc0b456bff0712d46b9b4cfba754c1c6fbb076da2e0026f0d6a72d194b1144ea15f3604101b7311e786840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
86ee32d6b8da099010d733e9211f7059

SHA1
bf01db66001a3c192db60fa54530cd67990ca3e4

SHA256
d9c49fa654fcf90a231020e58e2168cf66b26fd4053c370df74b9b6b40112682

SHA512
949b58f8c1debd664660d3efa44caabbb028509ac301093a6b869d197bfe6b5510ce119dcff597e92f2e4309935cd9f9bf12bd75e065cadfbd5667207ad14469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a25798b8f187c9898334c0737bfca53c

SHA1
c60e97cbeab7061c598703ff4839c2764273d3b3

SHA256
0a76c5d2bd4032825c999999e4ec69d7206965dfd1f9f2179d64a95a3fa3a9d6

SHA512
309c4918a0110e0421f0577918bbe36418caf86625e1377ca008bd6f7108dca0cfc2236a8fb22a468c71666602bce3b6db649e7322ef9eb87fc4f7433d8cb9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a2810a7fdfa242a1249b2d33eff0f036

SHA1
e00b66ee098c3b7ed0465a773718b501f27d4e1d

SHA256
c935761b46e262aa45b62b3f4a400a9508719747f27a86a7cab19319d5a6a504

SHA512
05a64f4628262fef9ba47c59a4b2140c6a8a3c827f42e18c19717104213e3d8510da50846b2731dbd7f29cb0ecaea6973c205f790d143674b5493156fe4f6ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b9fdd60bcf63db4b1c98d40ebacb532c

SHA1
cde996c28f65293fe9729e7c43a916e25340912a

SHA256
f18a22058d73b57886c47ab02f557e6aa76f3fed1168fa5c929db33cd85657fb

SHA512
0731e95bec038b785cf759bfef227bc9daa64b37f138505dfac7728139f8766656b0b825f98998a592239638087864765893fd55170ac482c87e16e722b09760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ebd7.TMP

Filesize
48B

MD5
4ed3b1058c830efe50f51ba2dfdd9629

SHA1
fbc2b7ac592481a0296ee67b49437915f65423d0

SHA256
d9b42c90a79a00bd37f0b82377cc8a575108874ad45105107de7fd7bba43795c

SHA512
e0d3c5ab1b56fcd0d9e031e937d7d15bf27ad60916867caf63adf496ce36c8fb225804c2437a0e50348599ced5b83cc70f8caf124cb9f4ce01873573c32e3eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05245599974f9004ac9acddf72a591f3

SHA1
54806ddab6897f0cd461d16a3f6be5efc0bcdc6c

SHA256
9d62f1436ebf996677a41b53759269bcca2433966450a39bfb96e3ed9b418346

SHA512
1691a920f8ed2177f57eabe66d64e1ef5b51c96c4cbbb4e684fa2504b91935194ff14479e8b78b08348b782f0b276172812ec8637973061a07a6e529d20eceb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a2974fbb7fff81bfe06ed00c38cbd2d3

SHA1
90594913cb0077ac5b8c310b901387f81f297c91

SHA256
97d75e8beac4c9bd397afe7f4c7b5ecd9e54a2354a158b7be2e8583bdc96a556

SHA512
05e019c2d2c2588877673d9412fad56e8859f3612c1b7ae0bf0ebbfc5c73721b1a2d531d3a15bf3d0891fa71661934a917065ee9bb8cab0704f8c8a462cd1f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES78CB.tmp

Filesize
1KB

MD5
7fd07f2d20324fd5e5e1836807a1c0be

SHA1
368c0bf9d4ca243ce8ac04b8bb2ab5e652f133ac

SHA256
6fcc2f0e96057d5b4ce7a3f8e9bf11dbe294ed2409998bfeecd5154725a0f4b2

SHA512
07ed642cf838db3396ed1cab017231977a47052cb18463093c7aee6f130bbe75665b8e10b0248a742ab644b8a38d26855292a849e36b34ef43556970a125b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc86D75F44AB0435BB9B6CAA5040BA1F.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\zczv3wz4\zczv3wz4.0.vb

Filesize
78KB

MD5
7447e6ae3ce7d51d570b4b8b7aea5576

SHA1
1ee7bfc13e3b6d6a1ee725a1adaaa77172e04594

SHA256
9094c2a282896e4addf24817595ab229494916435a9338b5678806cbc3eb0b6a

SHA512
5ec738dab932dfb50b2f4fb3f9bd4be61bc803c7d7ecce92a7283ea57fa1c8f54e35bd79dcd5fdd077b1d3e8d6280c0e45bf42132c67e786d951b00116c3ffef

Download Submit
C:\Users\Admin\AppData\Local\Temp\zczv3wz4\zczv3wz4.cmdline

Filesize
309B

MD5
1f333c994e99dc68d31c3c9254036618

SHA1
cff1ef03a4260307cbbb682b997a592ea1dd776b

SHA256
1c8d22833169bb63f18a0491a6a018f3929087307a06ae8aa2fc626722ead4df

SHA512
997038d30bfb63d449711e86f80c035b8c05ca8515a2ae7a05af0d5b18b843212695c0c4fdd5f5ffbaf23f92cbb05d252b2598dcf2034beecac878b6aa127843

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6.rar

Filesize
20.9MB

MD5
b6b4bf93b1dc8c104f8e677c025d6684

SHA1
a438c7f82e7dab81410d3e773eb4b1b28bf63208

SHA256
7f6f449b4351b9eeecadbd7747dce56479d1ba8555f72e873b08ad18409fd357

SHA512
1ba5f644b56cc3cb5e76bea8733ca243365c84921c4c35a4df52845322ba211c045706b4096ab4407c5736fc340761e124ab0cde57a8794473e965405c98b8fa

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Fixer.bat

Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\XClient.exe

Filesize
197KB

MD5
8f8d0de17f7d8cbf53d68110012ca8f1

SHA1
85d93d9536c12d1e1a4e3d35ca0262cdba1958f5

SHA256
516efd8a645fc8dcda87433ab4304aa310b0c12775c80acc8999a2aa34fd9fb4

SHA512
d28b8858e1faad9717cc7b3dc69fbcb69790e73288e7ad3ddece76ebac23a46c13b9f76977911ce8784d8d3ac2d27b9dd22b50e210f4ce4ab9b410b3d0aaed0f

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\XClient.exe

Filesize
41KB

MD5
3d889cd779d3f75f86a33a0a9436720a

SHA1
5b670cc5a194f2d0d3edc4d71e13320320611e81

SHA256
28e180f49def54156e1a419246d49529f48e85ac9eca0aab33638f49b8e1898a

SHA512
59dd79852041e0edbb9fd94d2ee70a89a2eb33799a914400fca6fe5e825795ad1e630dd38dd7c1ec6327dd57a6fa081a417926c93f02059dc7851cdee5d42887

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (1).ico

Filesize
97KB

MD5
4f409511e9f93f175cd18187379e94cb

SHA1
598893866d60cd3a070279cc80fda49ee8c06c9b

SHA256
115f0db669b624d0a7782a7cfaf6e7c17282d88de3a287855dbd6fe0f8551a8f

SHA512
0d1f50243a3959968174aa3fd8f1a163946e9f7e743cbb2c9ef2492073f20da97949bf7d02c229096b97482ff725c08406e2e9aa72c820489535758470cf604f

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (10).ico

Filesize
115KB

MD5
ad1740cb3317527aa1acae6e7440311e

SHA1
7a0f8669ed1950db65632b01c489ed4d9aba434e

SHA256
7a97547954aaad629b0563cc78bca75e3339e8408b70da2ed67fa73b4935d878

SHA512
eee7807b78d4dd27b51cee07a6567e0d022180e007e1241266f4c53f1192c389be97332fcd9f0b8fda50627b40b8cf53027872304a68a210f4d754aa0243b0c2

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (11).ico

Filesize
9KB

MD5
1c2cea154deedc5a39daec2f1dadf991

SHA1
6b130d79f314fa9e4015758dea5f331bbe1e8997

SHA256
3b64b79e4092251ebf090164cd2c4815390f34849bbd76fb51085b6a13301b6d

SHA512
dceebc1e6fdfe67afebaef1aff11dd23eda6fae79eb6b222de16edebdfebd8e45de896e501608254fb041824080cb41c81ac972032638407efc6bfeb930bfd00

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (12).ico

Filesize
9KB

MD5
4ea9ab789f5ae96766e3f64c8a4e2480

SHA1
423cb762ce81fab3b2b4c9066fe6ea197d691770

SHA256
84b48ca52dfcd7c74171cf291d2ef1247c3c7591a56b538083834d82857fee50

SHA512
f917059b6f85e4a25909a27cad38b1ef0659161c32df54860226ff3d858127d8da592ea9072ad41d5a9986dd8c04a37e9ad34e2251883a8c2f0933e6aa201414

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (13).ico

Filesize
361KB

MD5
e6fec4185b607e01a938fa405e0a6c6c

SHA1
565e72809586e46700b74931e490e2dc1e7e3db1

SHA256
2e2f17b7dd15007192e7cbbd0019355f8be58068dc5042323123724b99ae4b44

SHA512
13daeb2bf124e573590359f18a1d962157dc635a88319c9ed1a2e8ccad6322fb081579e1e8fbe62ffe55c8286c2bc8acb251d572a4beb00641ad5009a380e513

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (14).ico

Filesize
361KB

MD5
0c24edec606abda7c6570b7dcf439298

SHA1
4478a102892e5eb4bb1da8e9c62d17724965691a

SHA256
8fc693238afc49a8098dac1762bfae891e818bb84749c6eef5f1b0c6c8ffddb2

SHA512
f8de3ffb8f9fe1394b3626ae5616213d4612b43f0635fa9053d74ac6fe536657e796289487f245b8abff74f1de8368c0df8e56bf21f540366ed86a378649ea24

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (16).ico

Filesize
97KB

MD5
14465d8d0f4688a4366c3bf163ba0a17

SHA1
9f1fa68a285db742e4834f7d670cae415ce6b3b6

SHA256
3f3c5ce486e5b9fa88dc60b60916053e8808c69167df1a11287fd3cd6db1ca6e

SHA512
01db4fac75136baf9c162265785877b21fba9c4b8d9dbe4e495191f15aa9c914e3d5baf1c4606041279a7138c7e5c8f4ccf6e64689354fc3fb3fa66ab3b1da2d

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (17).ico

Filesize
66KB

MD5
167425a3fa7114b1800aa903adc35b2a

SHA1
601e8bd872ea31aff03721a0361e65a57b299cad

SHA256
12f600b09c0db00877684a950fc14936ecc28df8f0ddc6821d68e4b82077ad92

SHA512
586ce1360eb06f1df8e95ad178abfae7c9d41cba1be55276b3d3947d0504ca09185e543b7dbf1ba72dde4942ff626859a6d2e8a1faaaf6c5daaebd8740dcf538

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (2).ico

Filesize
112KB

MD5
f1463f4e1a6ef6cc6e290d46830d2da1

SHA1
bda0d74a53c3f7aaf0da0f375d0c1b5aca2a7aaf

SHA256
142b529799268a753f5214265c53a26a7a6f8833b31640c90a69a4ff94cee5ec

SHA512
0fa93d009cc2f007d19e6fdda7ebe44c7ed77f30b49a6ef65c319133c0570ab84f2d86e8282b5069d7f2e238547722ac3966d2fa2fae4504133f0001a0387ae2

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (3).ico

Filesize
131KB

MD5
a512719efc9e6ecc5e2375abceb1669a

SHA1
51fae98edfab7cd6b6baac6df5ecbda082eeb1db

SHA256
b2f7fb22cd5b935cf19a2f58f7fef9db99db40772ff4bb331a73c345161c2574

SHA512
e0153dbc8f3fdda8d1a7082bc30a3895d7f4b3bc2982b4b4ece55653d1b4c293eba3ba6d4a0a581f0f7db95ab287d6616ef7bf03af4485904111798bf9d9e625

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (4).ico

Filesize
125KB

MD5
9c053bef57c4a7b575a0726af0e26dae

SHA1
47148d30bc9a6120a1d92617bf1f3e1ba6ca1a2c

SHA256
5bb21d6c04ed64a1368dace8f44aff855860e69f235492a5dc8b642a9ea88e41

SHA512
482d639ba60f57827d8a343f807f4f914289c45643307efaa666b584a085fe01ac7892252f41b7756fde93d215b4f3fed16e608bc45102d320d77239fa93146a

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (5).ico

Filesize
100KB

MD5
9dbdd6972e129d31568661a89c81d8f9

SHA1
747399af62062598120214cef29761c367cfd28a

SHA256
45c85bdaaf0e0c30678d8d77e2585871ea6d1298ee0d30037745bacea6338484

SHA512
e52572de3f0d57d24a24d65eca4ff638890ccc9c5aca3f213ff885eda3c40de115849eb64c341f557d601f566ce21f8fc0df25cc4b13aaad5e941449a6b7f87d

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (6).ico

Filesize
106KB

MD5
d7c9666d30936e29ce156a2e04807863

SHA1
845e805d55156372232e0110e5dc80380e2cb1e5

SHA256
6ea04cf08751a2f6bb2f0e994258a44d5183b6cdb1471a0ee285659eada045b5

SHA512
3cfd7a41f65c5a0dc23a90c6af358179efb3ae771f50534c3d76c486fe2d432ea3128a46b4b367c4714e86e8c0862a7385bd80662fe6ea82d7048f453570ed56

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (7).ico

Filesize
164KB

MD5
7891c91d1761dc8a8846d362e6e31869

SHA1
0229bb01b7b4a0fca305eb521ec5dfbaa53674ea

SHA256
29d38c75af79aa0554f34cdfecb311f88f8dd02b02facaa299b9700841806ab8

SHA512
ed14614a706da985566853dc13df0d1128a718f39ec9957320813803fe07e59de337d51033970e2f57d9f56da3546c506f5f0f3becfa91ce741576855be14ba7

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (8).ico

Filesize
108KB

MD5
af1739a9b1a1bf72e7072ad9551c6eea

SHA1
8da0a34c3a8040c4b7c67d7143c853c71b3d208d

SHA256
a65cbbdc2ca671a9edd7edac0c6737b3b116e357727e003e5fdeff163c6c21ab

SHA512
eeeac307371c38b75e256083c55a3fe4ab096c1c7520a4b7acb40fad3af5a0d6c88aaf85f2c3e418034abee422c2a3ba13731adf7ee6078016da4dd2e989b120

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (9).ico

Filesize
264KB

MD5
3e24e40b41ecc59750c9231d8f8da40b

SHA1
91a701cf25aea2984f75846b6c83865d668ccad6

SHA256
bd1c33a67244801e828035904882ec53bd2ea8a1db9265a06d1aa08cf444ca80

SHA512
fe62edddb62dd4b695f1ef40ffb7a0119d480d1c176f0254acee19a45d6433ef6c308acbe567c721018390626c71f7a0f7bcd195d59d54c19cf019f13c4f7572

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
44KB

MD5
bc3d1639f16cb93350a76b95cd59108b

SHA1
47f1067b694967d71af236d5e33d31cb99741f4c

SHA256
004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9

SHA512
fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
47KB

MD5
69c02ba10f3f430568e00bcb54ddf5a9

SHA1
8b95d298633e37c42ea5f96ac08d950973d6ee9d

SHA256
62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

SHA512
16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
43KB

MD5
8b4b53cf469919a32481ce37bcce203a

SHA1
58ee96630adf29e79771bfc39a400a486b4efbb0

SHA256
a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42

SHA512
62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
42KB

MD5
bea0a3b9b4dc8d06303d3d2f65f78b82

SHA1
361df606ee1c66a0b394716ba7253d9785a87024

SHA256
e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927

SHA512
341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
32KB

MD5
50681b748a019d0096b5df4ebe1eab74

SHA1
0fa741b445f16f05a1984813c7b07cc66097e180

SHA256
33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a

SHA512
568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
307KB

MD5
312d855b1d95ae830e067657cffdd28c

SHA1
8133c02adeae24916fa9c53e52b3bfe66ac3d5a3

SHA256
ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf

SHA512
f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
297KB

MD5
50362589add3f92e63c918a06d664416

SHA1
e1f96e10fb0f9d3bec9ea89f07f97811ccc78182

SHA256
9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce

SHA512
e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
347KB

MD5
49032045f6bcb9f676c7437df76c7ffa

SHA1
f1bf3ba149cd1e581fe12fb06e93d512fe3a241b

SHA256
089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641

SHA512
55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
350KB

MD5
518020fbecea70e8fecaa0afe298a79e

SHA1
c16d691c479a05958958bd19d1cb449769602976

SHA256
9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125

SHA512
ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
340KB

MD5
f9fcefdf318c60de1e79166043b85ec4

SHA1
a99d480b322c9789c161ee3a46684f030ec9ad33

SHA256
9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7

SHA512
881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
145KB

MD5
f4f62aa4c479d68f2b43f81261ffd4e3

SHA1
6fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa

SHA256
c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c

SHA512
cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3

Download Submit
C:\Windows\system32\perfc007.dat

Filesize
39KB

MD5
c6a00700213a4cdfac7b02faabc2fa10

SHA1
d1fab1803050a67c59dfce442c1f1dacb166d0dc

SHA256
987d276742eba82260ac1509adc8678651d30103162b44d4e62fbde1b2f28559

SHA512
e3c879502f91b7e4ccbd300372108ffe0cfd2e49070c54f1b27fb83d3c0a7344ea7393b619f1fd6b21314915e32c50fb93f5a1511a383098107c57f1a14faf1d

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
32KB

MD5
1e60bc5e525063b96078df17fbd3c4e1

SHA1
bae8eda409cb3e016ddd420c6354aeaac2d267b9

SHA256
a0894847ca6208cf7e519d8e825458596bbcd78156a453e32872de7592ea20d8

SHA512
5758d535e4ce20cc30b9b57fea1811feffb2655ecc6eec69c942defb4b4f8c06e8e37860f85ec7cad26df9d7635ecaf131a68ec4ee291aa36e448c7ef2339652

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
122KB

MD5
243bb32f23a8a2fa8113e879d73bfdf7

SHA1
2f9d0154d65d0b8979a1aeb95b6cf43384114f70

SHA256
69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c

SHA512
34f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8

Download Submit
C:\Windows\system32\perfc00A.dat

Filesize
42KB

MD5
08728aef33bbac5884423c1597e74a29

SHA1
64d28ea3dc5c4392a0210b4d26db146b26e40f0b

SHA256
fbd64fca18300003ddcdddf3b25ad501cf224035ef5975dedc64c7d139eb69e6

SHA512
001cc1ef7a69ce59a9e37133a8cdf14cc8e7a09bc74d4678d9af25da3eaa9d99efc6fdf64fd2e301acb796cef4a988d502b63a61dcce14511568130bb1551a0c

Download Submit
C:\Windows\system32\perfc00C.dat

Filesize
39KB

MD5
9f9af8517189b0d61b2615007e071084

SHA1
a33753ca07f370b7d99f6658b32abb97eed7bbc4

SHA256
b6dc84d6c21f558e69174d3b62e13fbb8aecd5e49de0fb737f56445a9b883034

SHA512
640f51590a6f5d61e9dcb9a463a6b7aae6d88749843d1ec62f30a00c95b4a449b442281ac61058db4da464bee03e62a1f43a91b0a05914d4dbda2bce007d745d

Download Submit
C:\Windows\system32\perfc010.dat

Filesize
38KB

MD5
4f32511bd6124c1b65c8f7fcd244a82b

SHA1
6d840ddec80ee4f6ab99a1d0b55c50a568edd722

SHA256
8ceaa2e1a9cc8b7f76e6a2551bb1dfbcc64896c8c3fd5901e417f41ddff35e6d

SHA512
ca8c8103a4ec3b8f1a070ee2a3301f8af64e08cfd40b21022e5d9f54e3decfc55b7571112d186aba9d7b4c7b5720f7eb0ff3847b39366dd04b912dde386a73e3

Download Submit
C:\Windows\system32\perfc011.dat

Filesize
122KB

MD5
451fd3eea8608134ff91280fb0ff7e4b

SHA1
e81546c72260060eb757195f3702014533b527dd

SHA256
a8228c74b4dc81c755c56beaa5e91515d09c24e80f820713b3095816c4e552db

SHA512
7bf51087ea8b8a0d2ea7b2a0e3b1cff8e44e3549735b1ae757622ca7157c9391132f7d68711a91fbee7f681927759ca552cf885f5aeca4a6a005d8a27fd5f8fb

Download Submit
C:\Windows\system32\perfh007.dat

Filesize
298KB

MD5
eadd51b4e0a81aa0a1ec7392a1ce681a

SHA1
f384c3bc0f16ccb5049ebbf7df776e684da84706

SHA256
1a2fd21891c4055b2ee03ee06665f1a09a6503f7a4b57acba67820ec561d12e4

SHA512
de74112ed8f81f4723241102e9e493921419f836e7f095000a0ae34616db1886c22dff6ab4dfd5bd1ebbc9840498c3606ac0e5791f7fadac1b52c18043571ae4

Download Submit
C:\Windows\system32\perfh009.dat

Filesize
290KB

MD5
56c3b96dd714b0da77c0b9fb0d392c86

SHA1
6dfd6e883c67ea4aef8a03d28874a677441e512f

SHA256
1bc70ca290a7b4afc37049a8435c81d9b863520609d2e4f627d08cd21c07a58e

SHA512
c2036039da93d0c594b99aad74f1bb807c7230a746d749cec57a5f6012e8dfc401f9430fe1c7090280532ffdb044f7a4970e17e5cede82581793d69e9bc6d10a

Download Submit
C:\Windows\system32\perfh00A.dat

Filesize
338KB

MD5
757de55399f7c5167e7cdfa65f184108

SHA1
06876adabd18e79946cc5280861145432257d210

SHA256
e7c22cb8443fb549de7a3e826645450ed47169ce0168c740096de44addd360dd

SHA512
51977c1104108e5b5ab0042e6d10ec95195be8c62dbd547b85626cc02b35e46cb363be8804f360220ce347709da3ba1626f253477b7512cdd414f1ad96cf4571

Download Submit
C:\Windows\system32\perfh00C.dat

Filesize
342KB

MD5
9a780b14eeafa8b9a2409f02bf9d9af0

SHA1
f52c28235879e45685ee0163f97c31099baa616d

SHA256
a04ee6316af61e7a475d47ab74744ea485b419566f5e40c96ec09b400926b932

SHA512
f316652ec8dc3af06842de056329230152e74f53530c4f099a2ee73a96106f2fc3dbf244dce75c10e3131cdfbaa3b4a28d8ff116f8d6d7ae7b5553688c170d7a

Download Submit
C:\Windows\system32\perfh010.dat

Filesize
333KB

MD5
70ac53e2ebbd863ff7f319d68aed16f7

SHA1
90109a5028b07e8aa36846fe5096e04bd97839d6

SHA256
a4e35710b8277d733eec1c165459f85d9660fbe264ccabe0a624626e93763e37

SHA512
8fc6d4c665a642e86acfffa35ce6c6d7bf49c1a414de8b15fb5cda8d121f4d671914aafe0625ad11e87fd74f0bba2d40b9a71f373d1ae67a12b238b023682af1

Download Submit
C:\Windows\system32\perfh011.dat

Filesize
446KB

MD5
e5966c4fef65e8fc0f66895f4776f1ca

SHA1
2819d993e64bf032fc2a4e71d0c40f349f9639d6

SHA256
51ae507017508db59eb8cd168a2219467ed9f9e434c78216c552619ff37601e1

SHA512
3e08fb643b8a7040ff5985d666b07d852f995da282e7ee388dae5785bb0ca543f18c34815077f23e277eb44454703fc0ac369b4ceccc04f20c2be861a8b61034

Download Submit
memory/4668-3469-0x0000000000690000-0x00000000006C8000-memory.dmp

Filesize
224KB

Download
memory/5212-3444-0x000001D54B580000-0x000001D54B6E8000-memory.dmp

Filesize
1.4MB

Download
memory/5212-3383-0x000001D526E20000-0x000001D527D08000-memory.dmp

Filesize
14.9MB

Download
memory/5212-3394-0x000001D5436A0000-0x000001D543894000-memory.dmp

Filesize
2.0MB

Download