xworm | hxxps://mega[.]nz/file/KBRkjBAD#D9xLsjY-5OpxqEMzZDJZot3RegtYO0b4IDCBJAqiUhk

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/KBRkjBAD#D9xLsjY-5OpxqEMzZDJZot3RegtYO0b4IDCBJAqiUhk

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

K9KSBgnGacIgu49F

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023e2c-1983.dat	family_xworm
behavioral1/files/0x0008000000023e32-1993.dat	family_xworm
behavioral1/files/0x0008000000023e2b-1998.dat	family_xworm
behavioral1/memory/4572-2000-0x0000000000BD0000-0x0000000000C02000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1308	powershell.exe
5696	powershell.exe
5460	powershell.exe
4956	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	Chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
6104	Xworm V5.6.exe
4572	Chrome.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000645a1a0f1100444f574e4c4f7e3100006c0009000400efbe515a3778645a1a0f2e00000061e10100000001000000000000000000420000000000da5f090144006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Pictures"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "4"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000515a37781100557365727300640009000400efbe874f7748645a050f2e000000c70500000000010000000000000000003a0000000000601d5a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 600031000000000086597169100058776f726d2d56352e360000460009000400efbe645a1a0f645a1c0f2e000000c2e601000000070000000000000000000000000000006533f300580077006f0072006d002d00560035002e00360000001a000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 500031000000000086597169100049636f6e73003c0009000400efbe645a1c0f645a1c0f2e0000008e3b02000000090000000000000000000000000000009ecd0f01490063006f006e007300000014000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5000310000000000515ad280100041646d696e003c0009000400efbe515a3778645a050f2e00000059e101000000010000000000000000000000000000001149c800410064006d0069006e00000014000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3956	msedge.exe
3956	msedge.exe
680	msedge.exe
680	msedge.exe
3520	identity_helper.exe
3520	identity_helper.exe
5360	msedge.exe
5360	msedge.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
5696	msedge.exe
5696	msedge.exe
5696	msedge.exe
5696	msedge.exe
5460	powershell.exe
5460	powershell.exe
5460	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
1308	powershell.exe
1308	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6104	Xworm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	4668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4668	AUDIODG.EXE
Token: SeRestorePrivilege	2232	7zG.exe
Token: 35	2232	7zG.exe
Token: SeSecurityPrivilege	2232	7zG.exe
Token: SeSecurityPrivilege	2232	7zG.exe
Token: SeDebugPrivilege	4572	Chrome.exe
Token: SeDebugPrivilege	5460	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
2232	7zG.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
680	msedge.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6104	Xworm V5.6.exe
6104	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 1048	680	msedge.exe	85
PID 680 wrote to memory of 1048	680	msedge.exe	85
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 4032	680	msedge.exe	86
PID 680 wrote to memory of 3956	680	msedge.exe	87
PID 680 wrote to memory of 3956	680	msedge.exe	87
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88
PID 680 wrote to memory of 3160	680	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/KBRkjBAD#D9xLsjY-5OpxqEMzZDJZot3RegtYO0b4IDCBJAqiUhk
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9b9346f8,0x7ffb9b934708,0x7ffb9b934718
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,7343513066810029582,8794702035450105333,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x474
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Xworm-V5.6\" -spe -an -ai#7zMap13664:82:7zEvent7999
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Xworm-V5.6\Fixer.bat"
1⤵
PID:5888
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:5188

C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe
"C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bumknxxs\bumknxxs.cmdline"
  2⤵
  PID:4904
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF5FA276BFE84FE2A0759623CB668D26.TMP"
    3⤵
    PID:5396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5420

C:\Users\Admin\Downloads\Xworm-V5.6\Icons\Chrome.exe
"C:\Users\Admin\Downloads\Xworm-V5.6\Icons\Chrome.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Xworm-V5.6\Icons\Chrome.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39c51e5592e99966d676c729e840107b

SHA1
e2dd9be0ffe54508a904d314b3cf0782a9a508b7

SHA256
29f29a3495976b65de3df2d537628d260bc005da5956b262ff35e9f61d3d9ed3

SHA512
b20532d0131b12603410c3cb425cb5df0ddc740f34e688455eff757802ffc854be771b30c3ff196e56b396c6fe53928a1577c8330b00f3f7b849fcf625e51bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39e376ee2f541e6b1ed0bca701e8fb59

SHA1
bfe3cc2eed8721339d433533aef6e18e0a13a9a3

SHA256
80eda1e4d8c05e257ff17ef734d606e67d8ab70b3e351430b2b231631eed5e04

SHA512
a3f082c32857db0e3dec24394a259fff85e21b6a7b057ef55933504c23ec38cbb3237eb519d38385fc53cbc584c52aaf66291f44231245d9afee509a108a3350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9f5a26985f054d814092ec91edf6e82b

SHA1
8e2456b32961a536e0e800f9eb25e4eb628eaa2b

SHA256
14c32167b79f7b972e5d879a190059d85ab2e5582845392e977b12d24532cca8

SHA512
6d3bcfb467ee5a8e0befecc706dc435aab37bb212537c7263a4bf562302b3a280ab77c0fb237218d051bbca0627011bd03ca9ae9a52012c020e8c57482a41dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c2bb31dd508f298a5176bc3ec1683ad

SHA1
7477565d75e37445c03fb961ebfab24ce312b51c

SHA256
6a1343ed7bc732af937e79dbcaf13a4567f75c2acb393bdb203639909c065ebf

SHA512
82e7a52fb41b9e4fd16f4350a81f0446a4fe1b607ce623e1e76f5683444d3750fea4a13f0e6b56d7b338aaf47d8374e7e9104e8deeb99e0786ec4ab59dc52197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b22d47260e9d91087354c2a269ce41a

SHA1
90191a0d4004b42dc0fcda59ce8cf2a45e1c04ab

SHA256
4bebb6ba45443f26fd5569077714b896668845f6c7333711a64223becbb16939

SHA512
b9e879c4c3348dfc8d6849a3875e84eb9224660028852370b3c8eb24f1832d2b8b3a93589ab2303467843754b01723549fe213eb76eb4f712ea55805a55d2170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
412eed0685d31959b560b9ad1fa2a164

SHA1
42f6858a5a94b522922b8041e257648bf005c44e

SHA256
55f4a58f9faf203f7e3a5f821655fa2360886933940b727d6ab34fe409d72d08

SHA512
972db2af4c5fb7695f7ad0d0505b3608104528b2d1c05c5efd9e0b591f78c24c6a26307d5295492677cb9134b798c7582bd22b8006c553a9d2c0780769d9d927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bcb60d8108392aaff80caefe51e8eede

SHA1
102b3b68c719bb30e4944864ff388aad9a4a5e7d

SHA256
72312dff01b863c11c21eb66924429c5b46a6472b77768ff9de3abdc4648f199

SHA512
74a48c584506726ed37dfe62f33f6339bed7bd68aa21d9c808d80bfba468f5dc03ce03335abf47a67334874c6bfbfda2d66f076efbb2d2a7838d69f9db486832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580a2c.TMP

Filesize
48B

MD5
851d66c0e28e1a15b54849cf734220b3

SHA1
b0539e8df7ae59f256a3a81d0adc4a83b1a7f443

SHA256
a765e471d0eb4cf112db50b86a77c3b3a4be9afa7f82ce8b5dcf69b23aab8cd8

SHA512
021ae59f30b82433c647e2fbe4e0f457bde80a7af3ab2124538382d14c3cb291b5a115403367171d4581685394ebbca170e8af67e94d19dc284ce795d626da86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88d10d45adf991a9598a8852c5978cf9

SHA1
97384a13994316b9024bf88dc42b2365297b76d3

SHA256
09c50868f1519051b059ec72f04b19f79255a4328fd99cac46ae48a21fc3afcf

SHA512
7c3a25cba1845116476a5160f9d7f0fba47b233392bfd6ef278002d62a0ed2c8cd653f7bbd3040d358440f05f0e5ac27858dd9d9908930a4a4f96733953f957a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1ee40bd45cfc247a2b483910ee37c699

SHA1
42d5db99e3c3950123e5c77b1f4c0795bb7859a9

SHA256
cadfc68cfa8807c211e770fdbfdad6e704ae9897ae6b66505e60d801faa004e2

SHA512
362c675269bcba2d68267e6765257cabd95b2dc56b5b5e1fd9dbf04899fdbc42612e15cbfffcb36ed646ef70be38c1c9e7607b22e7e1ec02c6105f313608b594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
73af4f2170e957d2e0a17b3969478aae

SHA1
0cf6ed9f94648debd2f23f4b4563a07a4d8ab8b5

SHA256
b157a020262f6ab70c58265ad703ab2ed3db6baff07a471519c8d3b682c5f329

SHA512
56d2da128397e463ed742cfc06f0e8e20bd87d439b3e164dde82da163195ac55e3fa532a427de5f3546878e2bb5532f588ea84790ca3a0e3c5cf6b242ea8572d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC3D3.tmp

Filesize
1KB

MD5
f4048178746cf45f96fa7945ec2d631a

SHA1
b8abd877e4b9d680effe4db285c574fdcce042f1

SHA256
8fe43f561b4d1a2d8102352a66ecdddda906ad52713119936048d5d039c732d1

SHA512
9afc3797cdd7e7c2b490bb43845d600432354c23269118a3f10c33dde180264f84b01aea51c415cb11f9b68f3d344a8af6cc986d6ae4a4caba3efaed2e8328bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vj0jjd5p.fn3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bumknxxs\bumknxxs.0.vb

Filesize
78KB

MD5
a0fcea6b293096bce6c411d2f2119e74

SHA1
6e55c05d7777b364dbe399d5e9313341f92ab120

SHA256
f4958c619ed6416ea225990ebdc7a3812468e421d81656256d8d3db373486ecc

SHA512
eb535b2c16f63530eaf64715cab2020600ff478ef9ae6ee8370695bfd2de9e956892846dde1582d51828c05292297fc0a9620be81d23c0001527918fcf064823

Download Submit
C:\Users\Admin\AppData\Local\Temp\bumknxxs\bumknxxs.cmdline

Filesize
308B

MD5
1a0a53f48dc8418b4ad2fdea0f9b6716

SHA1
8e68872426177f5f45622b1e74370bda75addc1a

SHA256
fd28ff9fbed89af4e9079217f7bf804373b5e87cc24a184c4beb4a15dce8e356

SHA512
eb79bc51f77a6608d832c7052a770335ead24745b094a492a75a8f5ead7ff209379a305cf336b17a349cdd3eedc4a1415429094ed949a6b5f019160e324c2abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF5FA276BFE84FE2A0759623CB668D26.TMP

Filesize
1KB

MD5
8181b7a853860c7d2aa3dfe1e3ddd231

SHA1
f414cb11fe6fc3a58bc436e7ce9f189c599eb68d

SHA256
f5ad30919c5808728f55fc2c25041c6b6a39b680de392b3922985849d43e8eac

SHA512
17827c94fe0f8092f1e8ce1e4b3900b8a2fe64e869a19b99c6f7016532fc1a72962d9a68e774c9c872da6bcb88f6594f5ac6a0bb2d92513d1675e61157d0c907

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6.rar

Filesize
20.9MB

MD5
b6b4bf93b1dc8c104f8e677c025d6684

SHA1
a438c7f82e7dab81410d3e773eb4b1b28bf63208

SHA256
7f6f449b4351b9eeecadbd7747dce56479d1ba8555f72e873b08ad18409fd357

SHA512
1ba5f644b56cc3cb5e76bea8733ca243365c84921c4c35a4df52845322ba211c045706b4096ab4407c5736fc340761e124ab0cde57a8794473e965405c98b8fa

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Fixer.bat

Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\Chrome.exe

Filesize
179KB

MD5
921bf8eb63850aceb5ba56e17d6998a5

SHA1
563af52bf618a035e65faedc5f104ad2985a9aa2

SHA256
fa11c7f5351841a73ca5700117e603e9226383bfdf940b5200088306498e0c5d

SHA512
38d7931b9023eec37d3675a32a16076b49509c0f8182383d047733cd25686ea84860c4df56fd09ce973e0d376596e4cfceab9c6914945cda1f4919c04a41c871

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\Chrome.exe

Filesize
38KB

MD5
c2fda9acce4aced142b2f6afe0d33276

SHA1
b656dff35296303cbe08097dfb702c18da39f329

SHA256
2455eecea2dfaafbfe9d37c8feedd6891a848b1cbc6497fbca729ee562cd1dbf

SHA512
ca3dbd21bc916536006e1ad3d585275388587800bb9306eeed96e1cdaa6b22a53418a952750d49fb48d193a0e931492f7a7f0120c33dbdbcffcdb402d754d17f

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (1).ico

Filesize
97KB

MD5
4f409511e9f93f175cd18187379e94cb

SHA1
598893866d60cd3a070279cc80fda49ee8c06c9b

SHA256
115f0db669b624d0a7782a7cfaf6e7c17282d88de3a287855dbd6fe0f8551a8f

SHA512
0d1f50243a3959968174aa3fd8f1a163946e9f7e743cbb2c9ef2492073f20da97949bf7d02c229096b97482ff725c08406e2e9aa72c820489535758470cf604f

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (10).ico

Filesize
115KB

MD5
ad1740cb3317527aa1acae6e7440311e

SHA1
7a0f8669ed1950db65632b01c489ed4d9aba434e

SHA256
7a97547954aaad629b0563cc78bca75e3339e8408b70da2ed67fa73b4935d878

SHA512
eee7807b78d4dd27b51cee07a6567e0d022180e007e1241266f4c53f1192c389be97332fcd9f0b8fda50627b40b8cf53027872304a68a210f4d754aa0243b0c2

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (11).ico

Filesize
9KB

MD5
1c2cea154deedc5a39daec2f1dadf991

SHA1
6b130d79f314fa9e4015758dea5f331bbe1e8997

SHA256
3b64b79e4092251ebf090164cd2c4815390f34849bbd76fb51085b6a13301b6d

SHA512
dceebc1e6fdfe67afebaef1aff11dd23eda6fae79eb6b222de16edebdfebd8e45de896e501608254fb041824080cb41c81ac972032638407efc6bfeb930bfd00

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (12).ico

Filesize
9KB

MD5
4ea9ab789f5ae96766e3f64c8a4e2480

SHA1
423cb762ce81fab3b2b4c9066fe6ea197d691770

SHA256
84b48ca52dfcd7c74171cf291d2ef1247c3c7591a56b538083834d82857fee50

SHA512
f917059b6f85e4a25909a27cad38b1ef0659161c32df54860226ff3d858127d8da592ea9072ad41d5a9986dd8c04a37e9ad34e2251883a8c2f0933e6aa201414

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (13).ico

Filesize
361KB

MD5
e6fec4185b607e01a938fa405e0a6c6c

SHA1
565e72809586e46700b74931e490e2dc1e7e3db1

SHA256
2e2f17b7dd15007192e7cbbd0019355f8be58068dc5042323123724b99ae4b44

SHA512
13daeb2bf124e573590359f18a1d962157dc635a88319c9ed1a2e8ccad6322fb081579e1e8fbe62ffe55c8286c2bc8acb251d572a4beb00641ad5009a380e513

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (14).ico

Filesize
361KB

MD5
0c24edec606abda7c6570b7dcf439298

SHA1
4478a102892e5eb4bb1da8e9c62d17724965691a

SHA256
8fc693238afc49a8098dac1762bfae891e818bb84749c6eef5f1b0c6c8ffddb2

SHA512
f8de3ffb8f9fe1394b3626ae5616213d4612b43f0635fa9053d74ac6fe536657e796289487f245b8abff74f1de8368c0df8e56bf21f540366ed86a378649ea24

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (16).ico

Filesize
97KB

MD5
14465d8d0f4688a4366c3bf163ba0a17

SHA1
9f1fa68a285db742e4834f7d670cae415ce6b3b6

SHA256
3f3c5ce486e5b9fa88dc60b60916053e8808c69167df1a11287fd3cd6db1ca6e

SHA512
01db4fac75136baf9c162265785877b21fba9c4b8d9dbe4e495191f15aa9c914e3d5baf1c4606041279a7138c7e5c8f4ccf6e64689354fc3fb3fa66ab3b1da2d

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (2).ico

Filesize
112KB

MD5
f1463f4e1a6ef6cc6e290d46830d2da1

SHA1
bda0d74a53c3f7aaf0da0f375d0c1b5aca2a7aaf

SHA256
142b529799268a753f5214265c53a26a7a6f8833b31640c90a69a4ff94cee5ec

SHA512
0fa93d009cc2f007d19e6fdda7ebe44c7ed77f30b49a6ef65c319133c0570ab84f2d86e8282b5069d7f2e238547722ac3966d2fa2fae4504133f0001a0387ae2

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (3).ico

Filesize
131KB

MD5
a512719efc9e6ecc5e2375abceb1669a

SHA1
51fae98edfab7cd6b6baac6df5ecbda082eeb1db

SHA256
b2f7fb22cd5b935cf19a2f58f7fef9db99db40772ff4bb331a73c345161c2574

SHA512
e0153dbc8f3fdda8d1a7082bc30a3895d7f4b3bc2982b4b4ece55653d1b4c293eba3ba6d4a0a581f0f7db95ab287d6616ef7bf03af4485904111798bf9d9e625

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (4).ico

Filesize
125KB

MD5
9c053bef57c4a7b575a0726af0e26dae

SHA1
47148d30bc9a6120a1d92617bf1f3e1ba6ca1a2c

SHA256
5bb21d6c04ed64a1368dace8f44aff855860e69f235492a5dc8b642a9ea88e41

SHA512
482d639ba60f57827d8a343f807f4f914289c45643307efaa666b584a085fe01ac7892252f41b7756fde93d215b4f3fed16e608bc45102d320d77239fa93146a

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (5).ico

Filesize
100KB

MD5
9dbdd6972e129d31568661a89c81d8f9

SHA1
747399af62062598120214cef29761c367cfd28a

SHA256
45c85bdaaf0e0c30678d8d77e2585871ea6d1298ee0d30037745bacea6338484

SHA512
e52572de3f0d57d24a24d65eca4ff638890ccc9c5aca3f213ff885eda3c40de115849eb64c341f557d601f566ce21f8fc0df25cc4b13aaad5e941449a6b7f87d

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (6).ico

Filesize
106KB

MD5
d7c9666d30936e29ce156a2e04807863

SHA1
845e805d55156372232e0110e5dc80380e2cb1e5

SHA256
6ea04cf08751a2f6bb2f0e994258a44d5183b6cdb1471a0ee285659eada045b5

SHA512
3cfd7a41f65c5a0dc23a90c6af358179efb3ae771f50534c3d76c486fe2d432ea3128a46b4b367c4714e86e8c0862a7385bd80662fe6ea82d7048f453570ed56

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (7).ico

Filesize
164KB

MD5
7891c91d1761dc8a8846d362e6e31869

SHA1
0229bb01b7b4a0fca305eb521ec5dfbaa53674ea

SHA256
29d38c75af79aa0554f34cdfecb311f88f8dd02b02facaa299b9700841806ab8

SHA512
ed14614a706da985566853dc13df0d1128a718f39ec9957320813803fe07e59de337d51033970e2f57d9f56da3546c506f5f0f3becfa91ce741576855be14ba7

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (8).ico

Filesize
108KB

MD5
af1739a9b1a1bf72e7072ad9551c6eea

SHA1
8da0a34c3a8040c4b7c67d7143c853c71b3d208d

SHA256
a65cbbdc2ca671a9edd7edac0c6737b3b116e357727e003e5fdeff163c6c21ab

SHA512
eeeac307371c38b75e256083c55a3fe4ab096c1c7520a4b7acb40fad3af5a0d6c88aaf85f2c3e418034abee422c2a3ba13731adf7ee6078016da4dd2e989b120

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Icons\icon (9).ico

Filesize
264KB

MD5
3e24e40b41ecc59750c9231d8f8da40b

SHA1
91a701cf25aea2984f75846b6c83865d668ccad6

SHA256
bd1c33a67244801e828035904882ec53bd2ea8a1db9265a06d1aa08cf444ca80

SHA512
fe62edddb62dd4b695f1ef40ffb7a0119d480d1c176f0254acee19a45d6433ef6c308acbe567c721018390626c71f7a0f7bcd195d59d54c19cf019f13c4f7572

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Downloads\Xworm-V5.6\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
48KB

MD5
c5ab9298b0503f20e6f88fcc902563ca

SHA1
b8fb62b4e2ebad2222d882ba43d437ffec14e55c

SHA256
140abd66468171331b2fac4e032ba8ea0a762c72f25eb613616861674cdc8144

SHA512
1f13de06ec0bcc8a78faa7bd708b9563b07df620b246cf68e8d84ea797924cb4e71a1eab93bfcc55e25a6653cbc525a9dcb12dbafcc0af5a17fb0dc216d6a305

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
51KB

MD5
70c7ba068b82106810720fdec5406762

SHA1
744c05ee14ea69e9706a07967b4ca1597298729d

SHA256
f3fccee564956fd81a1bba3477a18b04197bccf5efa057713c92a77b266c7b33

SHA512
14bb6e89946abcc10f640e2d553623b319c829e31ff872be0976c3d0419bc8ac656e4774333d4040df9507f064e9f92347677f4b20c66317fffaabed5bb1c4b4

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
47KB

MD5
391168ff06e8d68c7a6f90c1ccb088be

SHA1
c3f8c12481c9d3559e8df93ade8f5bfefd271627

SHA256
7f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525

SHA512
71fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
afc0429d5050b0057aea0a66a565c61a

SHA1
73f4910cee7b27a049d6dfe291bb6c8a99c6dc8b

SHA256
f6847323dd961aef9230bca3409a01b7c4e5e16dcca8a2e2417c9dc750871cf6

SHA512
a33920642f3ec69c04ff61b09149a57ea91e76bb8d51f1d393a31b5079a3f83939863d6a924bf2a2982786b2825bb634e3d0c0920c7bc0bf6a91e214ef8555bd

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
39KB

MD5
d2e290b16307caa1dd426f08b6224b4a

SHA1
d45b5170af096ac4bc9f78a44be251595316b77f

SHA256
fb62613c279eea286bc6ae7c4065cb225894b0ffadabcb0a6f239fca4cf6306a

SHA512
5f47de23b06fe51c0fb29fba9f09fdc3ac7b1268fcbdd6810a5d2a0739af726535929cc30730a651c1820f86726b4263dfe2735375e4eff0c12550a17a8dc800

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
320KB

MD5
b9a5000ea316ac348cf77beb0e5bc379

SHA1
4e666af14169eb10a0a08ac2f5ed5ecf4764df46

SHA256
1b25a6879c667258cdb900683004ef007c6b3a1a933d823b124d9a6acf9de608

SHA512
9fd911586a0aebec11c48e9f78de3b3f6e41c98a2770f5ac10d0a3947b4b3f326a8c5028c478c8634fb84a071186606e69a7aff83b1cf972d4728e3923503118

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
310KB

MD5
1ad05e460c6fbb5f7b96e059a4ab6cef

SHA1
1c3e4e455fa0630aaa78a1d19537d5ff787960cf

SHA256
0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71

SHA512
c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
360KB

MD5
1402add2a611322eb6f624705c8a9a4e

SHA1
d08b0b5e602d4587e534cf5e9c3d04c549a5aa47

SHA256
0ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb

SHA512
177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
363KB

MD5
d0a8d13996333367f0e1721ca8658e00

SHA1
f48f432c5a0d3c425961e6ed6291ddb0f4b5a116

SHA256
68a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9

SHA512
8a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
353KB

MD5
a5389200f9bbc7be1276d74ccd2939b4

SHA1
8d6f17c7d36f686e727b6e7b3a62812297228943

SHA256
494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087

SHA512
fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
158KB

MD5
41f2dbe6f02b3bb9802d60f10b4ef7a2

SHA1
f1b03d28e5be3db3341f3a399d1cc887fe8da794

SHA256
eca01d5405d7e8af92ea60f888f891415ea2e1e6484caff15cbaf5a645700db2

SHA512
1c7b85e12050d670d48121e7670e1dab787e0a0b134e0ab314dc571c3969d0f9652ff76666bb433aac5886ca532404963a3041a1d4b4352e3051c838965fd3b1

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
122KB

MD5
243bb32f23a8a2fa8113e879d73bfdf7

SHA1
2f9d0154d65d0b8979a1aeb95b6cf43384114f70

SHA256
69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c

SHA512
34f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8

Download Submit
memory/4572-2000-0x0000000000BD0000-0x0000000000C02000-memory.dmp

Filesize
200KB

Download
memory/5460-2015-0x0000025CEAED0000-0x0000025CEAEF2000-memory.dmp

Filesize
136KB

Download
memory/6104-1978-0x000001E5E2BE0000-0x000001E5E2D48000-memory.dmp

Filesize
1.4MB

Download
memory/6104-1929-0x000001E5D8EB0000-0x000001E5D90A4000-memory.dmp

Filesize
2.0MB

Download
memory/6104-1927-0x000001E5BB860000-0x000001E5BC748000-memory.dmp

Filesize
14.9MB

Download