Analysis
-
max time kernel
126s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28-06-2024 13:45
General
-
Target
https://github.com/DeathDealerSoftware/XWorm-V5.3/releases/download/XWorm/XWorm.V5.3.Optimized.Bin.7z
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/DeathDealerSoftware/XWorm-V5.3/releases/download/XWorm/XWorm.V5.3.Optimized.Bin.7z"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/DeathDealerSoftware/XWorm-V5.3/releases/download/XWorm/XWorm.V5.3.Optimized.Bin.7z2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.0.508870931\2058482599" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc383b24-4006-4ba0-9e4b-fa7a45deaec5} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 1876 1a849a0e258 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.1.1871368751\368766922" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfdb0f6d-85c9-4993-80cf-63c5935f74b6} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 2484 1a83588b958 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.2.906265743\2003232832" -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3040 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {324fcba3-dfff-4a81-bd29-f5f45f1b76c7} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 3180 1a84cb38a58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.3.66710595\1557827053" -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a22d4fb8-2226-4363-a442-432fe90d03a7} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 3984 1a83587ce58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.4.383032127\1281116602" -childID 3 -isForBrowser -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bfb9c9e-22ee-4e0f-bad7-6e685d8d7a2b} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5076 1a8503a8158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.5.1497731959\196696968" -childID 4 -isForBrowser -prefsHandle 5248 -prefMapHandle 5244 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1614868e-f2fd-4aec-a749-89bb91a6ebbf} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5164 1a8503a7e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.6.506927070\567676073" -childID 5 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {563fcc90-ea5e-41cc-9dda-5cb46c21e5c2} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5276 1a8503a9058 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\" -spe -an -ai#7zMap4376:108:7zEvent60061⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe"C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbe6d746f8,0x7ffbe6d74708,0x7ffbe6d747183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:13⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
72B
MD503215af53dafae26e095c8abea1d98ae
SHA12e4b192e720fd12bd014fd511d5d1dda950a0bf7
SHA256d84db2d23036d7ce61b27815fa19aaa464b54e681eec8761f0462ffa66f1aa78
SHA51257a16512e27cdbf4ff2ba27b188b13311899109ac3489f01e29c281608c36bb0d7301a73f1b3d67c577bed7951ca5ff5656e8bb7f7ffb7a1159b4f74e94c1d8e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5e8f37f4e96f12016f7eb154f5bfdd25c
SHA1dff0c75f2ff0ad3d53104e79655d6c4001ccb2f7
SHA256b0aca6570ab987a776cf7066155e57bbabd0e0f9839970974c45f29a2f3fae70
SHA51283d9985738a955f9c6a11a17f990ce55c46f6c78e5d006064a9fbb15fbaf85792231ddfe1719fada8044fe2f96b772d24f0d2b2d38849942751922bbad39566b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d0b242bc-5fe2-43c1-b94f-fcd02a432f1a.tmpFilesize
6KB
MD561fff0ef529d991158f92ee78bc6647c
SHA12975c3077d22cba12f0823c069d3fd0fa680620e
SHA256f0c6904fa44bce147c609f3d56e2ff84d984d8e576056b86df5045ac36392b5f
SHA51280f0bac17ad4389e4f30fd02abcafed561dcb2ba70e4cbbaddbf9a3e0363bfe4fc02fab2a0acf3c74209750abfda9181293c1d062e544f7d58594bc125b3928d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD545931d55b08857b8925289f8ac4b7fdf
SHA1ead7b731a9de360758a297c6ef1f360f63a77eba
SHA25663f58d4e83230abace79be2b12121022358899d3b5926251fb65eff2d96b0a68
SHA512dca507f0562f9156229df4de712695e7758649fb70c6e56da5cd4d2dc7553a9354611c1e55115f26ea21ad2e506aa6634b836d646c3b96c298101361d6dd7791
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD571989ae26b065027ba347c04da2a030e
SHA157329cdc478d98663c49221bb65215bd04082b63
SHA256c134be3f1fb99603393beeb9a4e63f4c3d2d9856836f3e938e3b3f7e40c5f513
SHA5123900dc8a28341cccb80aa60c2c2619fb2bf77ccbac214d921def35ddc9e848edfe7148d68dd376612b5b139293fca9488289c11f11dce372b0c45c05a4f2defd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmpFilesize
30KB
MD5588ab1f16b1a97ddc3502d0d9bb63e01
SHA1240d3abd8869f7696af9e6c2ad875b8678dbfa35
SHA256863cb087026e241b8cf3fd68d6dd74d569b5d6a39c085ba77b84a2b9c428118f
SHA512c03be05727a69e5d497c045600296b027ddb8be6f90fed48c6ee52a59eccf8f94299bb04e741692e35c509ed3c40b503ede77cb42d4516dcbd8affecde3d4fff
-
C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dllFilesize
112KB
MD52f1a50031dcf5c87d92e8b2491fdcea6
SHA171e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA5121c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.jsFilesize
7KB
MD57755df0d315df87ddff3cdd110b2e02e
SHA19aaca1b1c0341f0b940695a4bafe7c4f4ba5cbab
SHA256384f400c38d3d9a621bb021c53667bd21672bc40b072e269c54cdc2004ed3515
SHA5122324479e7c4f7d5c3bbc9371d83ad7dc6a346c9e2045ffc14bbc13ee342061ba8b17fe372dc8bc417f1a5d7ad4dc55541bf9508e579b00a888c1dc84826623ea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.jsFilesize
6KB
MD5444b03b5e26d4400f362850aaddf05a3
SHA192a1b0d9b71831ffd3bf49fc82cb35b1b8526f04
SHA256430f533c079d32135ceab700b932854b0306ef3f1951fbebed4b86bbd44a61dd
SHA512c0cfac21a598f8b85d98a66b9e4e880f689873085ebe3a640ffcaf3863a7eb0c668456cb0fb8b069080b7216d1d72715bd4295651685bfeff79c05ab7199f996
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.jsFilesize
6KB
MD56f4e93e83aa97fd52c5aa12ac7724685
SHA1505cb5e71d3120e967dbab4b8c22fb618346794c
SHA256563266b0bffaab9d7551d96d13e85b8d62d510ac503473ff8250f6ff43390851
SHA5129ca172bb354a1d8960df64a01a247ad3bbb7e9934d3c1305bec59d2beae7279f8b3dd23340e31a9367c14a880249f8d6c2003c27e511f0703db4d327531b71d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD541ac68f27d1cd29f6582a4e1676217ad
SHA147416e536d6fde0310115c236485013b928233ef
SHA256123be15bcd1019f3e72ed897c4a50c3e3189969d12c608cde845771bd6f76a15
SHA5124a08a53f59e7fc7a519ce216e6e813cb9aa93b1f1a77bb8799d4ad4ea119981cc1c1e3da2da46851279604d8a4e1461eca307005b2432d3415c3bde3c01427de
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
192KB
MD5c210faae758ba558d626ccf9af872071
SHA1447ba0d571f71345dec1bfefe6ef096f390ec399
SHA2564774fdf6a878ab856c382f1435640a12bf9b2bfd833f5250d5aa93f32aa78e65
SHA51252b61ae9db47d53e60051b32b9d89f22633de7cff14a4c5d7403033640aad720ad4904726a9a48c92ddb6476f586894bc35894e48b6a9d1b87796e4006c1119b
-
C:\Users\Admin\Downloads\XWorm.0RbDjHDz.V5.3.Optimized.Bin.7z.partFilesize
11.5MB
MD5227d0d65bc39980284cc93c1599c3f62
SHA14fc4d99d7247ca60bf0eb2ac64ab0aa2db033b2a
SHA256fa94f63945b0892acd91c8e235c36284160b95226aa04129c69abf2c2532f55a
SHA51209ab758c7bd83e275a67c9c7b248030eee5879e45f035bd384871cc586411b7ea3393c9dbb2ebbb2fa068fcd2d0e835a22a3b69cfcf962ddab4f61eaeb44ed7b
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin.7zFilesize
29.5MB
MD5187b25b9e02c2b5d01a70d9d1855dd7c
SHA1d0c7d39012ad0507239a3b060ea42cc13b22eb65
SHA256f26803b764a54a90852b7fd274d5ced7a8a58f1715d3ab4b96900ad4f9dd0410
SHA512bea5cec59d0ebee26a71c78dc38da47a25ea7932d119868caf82b5e4bbbcecd8969abea80ad41b65352f264ced33c457a041c0d9f321c272a8f913802ee254ed
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\GeoIP.datFilesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\Guna.UI2.dllFilesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\Icons\icon (15).icoFilesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exeFilesize
13.8MB
MD5897201dc6254281404ab74aa27790a71
SHA19409ddf7e72b7869f4d689c88f9bbc1bc241a56e
SHA256f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a
SHA5122673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe.configFilesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
\??\pipe\LOCAL\crashpad_3932_UOSDEKECKWAPKLXYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4540-287-0x000001F7ACF30000-0x000001F7ADD0E000-memory.dmpFilesize
13.9MB
-
memory/4540-295-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmpFilesize
10.8MB
-
memory/4540-304-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmpFilesize
10.8MB
-
memory/4540-286-0x00007FFBEDA43000-0x00007FFBEDA45000-memory.dmpFilesize
8KB
-
memory/4540-296-0x000001F7C9050000-0x000001F7C9C3C000-memory.dmpFilesize
11.9MB
-
memory/4540-394-0x00007FFBEDA43000-0x00007FFBEDA45000-memory.dmpFilesize
8KB
-
memory/4540-395-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmpFilesize
10.8MB
-
memory/4540-396-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmpFilesize
10.8MB
-
memory/4540-397-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmpFilesize
10.8MB
-
memory/4540-302-0x000001F7C9FD0000-0x000001F7CA1C4000-memory.dmpFilesize
2.0MB
-
memory/4540-303-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmpFilesize
10.8MB