Analysis
max time kernel: 18s
max time network: 24s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-07-2024 10:23

Behavioral task behavioral1
Sample: XWorm v5.6/XWormV5.6.exe
Resource: win7-20240708-en

Behavioral task behavioral2
Sample: XWorm v5.6/XWormV5.6.exe
Resource: win10v2004-20240709-en

General
Target: XWorm v5.6/XWormV5.6.exe
Size: 24.9MB
MD5: 80786c7f485cdeedad5016f586b747cd
SHA1: 7a8275a72b74634d9862382347915aac251057a1
SHA256: 6b9af6498afcc0035482ae73ee8b18d007d83050b621758b689e8d0d9396e7f5
SHA512: 89847c6c07361dff68e435e8208f1c6ddedefe1ccefce48e11510f10e2f30849492b9b0b983b0945fdcd94d260565bfb238b0f58979380602c52fb2751a6be27
SSDEEP: 786432:Cpjdtg5O9/MeKI/C6x77eS9LWIMBgk1m1e8A16Wo6N:R89jC6V7ewLzk1X8lW9

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1524-128-0x0000025DB16A0000-0x0000025DB1894000-memory.dmp | family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
4612 | powershell.exe
1704 | powershell.exe

Creates new service(s) 2 TTPs

Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\drivers\etc\hosts | XWorm_Bypass.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | XWormV5.6.exe

Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass_helper.exe | Bypass_helper.exe

Executes dropped EXE 5 IoCs
Processes:
pid | process
1524 | Xworm V5.6.exe
2228 | XWorm_Bypass.exe
1452 | Bypass_helper.exe
4176 | Bypass_helper.exe
4428 | Xworm_Bypass.exe

Loads dropped DLL 49 IoCs
Processes:
pid | process
4176 | Bypass_helper.exe (the report repeats this pid/process pair once per loaded DLL, 49 rows in total)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI14522\python312.dll | upx
behavioral2/memory/4176-126-0x00007FF9D93A0000-0x00007FF9D9A79000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_bz2.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\libffi-8.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_lzma.pyd | upx
behavioral2/memory/4176-143-0x00007FF9EEA70000-0x00007FF9EEA9D000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_wmi.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_queue.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\select.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_socket.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ssl.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_sqlite3.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_overlapped.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_multiprocessing.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_hashlib.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_decimal.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_cffi_backend.cp312-win_amd64.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_asyncio.pyd | upx
behavioral2/memory/4176-170-0x00007FF9EEC90000-0x00007FF9EEC9D000-memory.dmp | upx
behavioral2/memory/4176-169-0x00007FF9EF370000-0x00007FF9EF37D000-memory.dmp | upx
behavioral2/memory/4176-168-0x00007FF9EF190000-0x00007FF9EF1A9000-memory.dmp | upx
behavioral2/memory/4176-167-0x00007FF9F0910000-0x00007FF9F091D000-memory.dmp | upx
behavioral2/memory/4176-172-0x00007FF9EBB70000-0x00007FF9EBBA3000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\unicodedata.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\sqlite3.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\pyexpat.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\libssl-3.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\libcrypto-3.dll | upx
behavioral2/memory/4176-142-0x00007FF9F0920000-0x00007FF9F0939000-memory.dmp | upx
behavioral2/memory/4176-138-0x00007FF9F4060000-0x00007FF9F406F000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ctypes.pyd | upx
behavioral2/memory/4176-176-0x00007FF9D5860000-0x00007FF9D592D000-memory.dmp | upx
behavioral2/memory/4176-137-0x00007FF9F2D40000-0x00007FF9F2D65000-memory.dmp | upx
behavioral2/memory/4176-177-0x00007FF9D2660000-0x00007FF9D2B89000-memory.dmp | upx
behavioral2/memory/4176-180-0x00007FF9EBB50000-0x00007FF9EBB66000-memory.dmp | upx
behavioral2/memory/4176-183-0x00007FF9EB840000-0x00007FF9EB852000-memory.dmp | upx
behavioral2/memory/4176-184-0x00007FF9EB800000-0x00007FF9EB835000-memory.dmp | upx
behavioral2/memory/4176-188-0x00007FF9EB7D0000-0x00007FF9EB7F4000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\psutil\_psutil_windows.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md__mypyc.cp312-win_amd64.pyd | upx
behavioral2/memory/4176-205-0x00007FF9D55C0000-0x00007FF9D56DB000-memory.dmp | upx
behavioral2/memory/4176-203-0x00007FF9EB4D0000-0x00007FF9EB4F7000-memory.dmp | upx
behavioral2/memory/4176-208-0x00007FF9EB420000-0x00007FF9EB42C000-memory.dmp | upx
behavioral2/memory/4176-207-0x00007FF9EB4B0000-0x00007FF9EB4BB000-memory.dmp | upx
behavioral2/memory/4176-206-0x00007FF9EB4C0000-0x00007FF9EB4CB000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI14522\Cryptodome\Cipher\_raw_ecb.pyd | upx
behavioral2/memory/4176-202-0x00007FF9EBB00000-0x00007FF9EBB0B000-memory.dmp | upx
behavioral2/memory/4176-221-0x00007FF9EADB0000-0x00007FF9EADBC000-memory.dmp | upx
behavioral2/memory/4176-220-0x00007FF9EADC0000-0x00007FF9EADD2000-memory.dmp | upx
behavioral2/memory/4176-219-0x00007FF9EADE0000-0x00007FF9EADED000-memory.dmp | upx
behavioral2/memory/4176-218-0x00007FF9EADF0000-0x00007FF9EADFC000-memory.dmp | upx
behavioral2/memory/4176-217-0x00007FF9EAE00000-0x00007FF9EAE0C000-memory.dmp | upx
behavioral2/memory/4176-216-0x00007FF9EAE10000-0x00007FF9EAE1B000-memory.dmp | upx
behavioral2/memory/4176-215-0x00007FF9EAE20000-0x00007FF9EAE2B000-memory.dmp | upx
behavioral2/memory/4176-214-0x00007FF9EAE30000-0x00007FF9EAE3C000-memory.dmp | upx
behavioral2/memory/4176-213-0x00007FF9EAF20000-0x00007FF9EAF2E000-memory.dmp | upx
behavioral2/memory/4176-229-0x00007FF9EAD20000-0x00007FF9EAD49000-memory.dmp | upx
behavioral2/memory/4176-228-0x00007FF9EAF60000-0x00007FF9EAF6C000-memory.dmp | upx
behavioral2/memory/4176-227-0x00007FF9EAF70000-0x00007FF9EAF7B000-memory.dmp | upx
behavioral2/memory/4176-225-0x00007FF9EBB70000-0x00007FF9EBBA3000-memory.dmp | upx
behavioral2/memory/4176-224-0x00007FF9E9280000-0x00007FF9E92AE000-memory.dmp | upx
behavioral2/memory/4176-223-0x00007FF9D4F20000-0x00007FF9D51A3000-memory.dmp | upx
behavioral2/memory/4176-212-0x00007FF9EAF30000-0x00007FF9EAF3C000-memory.dmp | upx
behavioral2/memory/4176-211-0x00007FF9EAF40000-0x00007FF9EAF4C000-memory.dmp | upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
Processes:
flow | ioc
18 | raw.githubusercontent.com
19 | raw.githubusercontent.com
21 | discord.com
22 | discord.com
26 | discord.com
27 | discord.com

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
16 | api.ipify.org
17 | api.ipify.org
25 | api.ipify.org

Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\MRT.exe | XWorm_Bypass.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2228 set thread context of 2868 | 2228 | XWorm_Bypass.exe | dialer.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1688 | sc.exe
2760 | sc.exe
4756 | sc.exe
2544 | sc.exe
2356 | sc.exe
4760 | sc.exe
5104 | sc.exe
3468 | sc.exe
3964 | sc.exe
2664 | sc.exe
3664 | sc.exe
1192 | sc.exe
1756 | sc.exe
2204 | sc.exe

Detects Pyinstaller 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe | pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
description | ioc | process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine the video card installed.

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Xworm V5.6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Xworm V5.6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Xworm V5.6.exe

Modifies data under HKEY_USERS 46 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 59 IoCs
Processes:
pid | process (consecutive identical rows collapsed; the number in parentheses is how many times the row repeats)
4176 | Bypass_helper.exe (11)
1524 | Xworm V5.6.exe (6)
2228 | XWorm_Bypass.exe (1)
1524 | Xworm V5.6.exe (2)
4612 | powershell.exe (2)
1524 | Xworm V5.6.exe (2)
2228 | XWorm_Bypass.exe (8)
2868 | dialer.exe (2)
2228 | XWorm_Bypass.exe (3)
4428 | Xworm_Bypass.exe (1)
2868 | dialer.exe (2)
1524 | Xworm V5.6.exe (2)
1704 | powershell.exe (2)
2868 | dialer.exe (6)
1704 | powershell.exe (1)
2868 | dialer.exe (8)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4176 | Bypass_helper.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 4336 | WMIC.exe (one row per privilege; this block of 21 rows appears twice for pid 4336)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 448 | WMIC.exe (one row per privilege, 21 rows)

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1524 | Xworm V5.6.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
1524 | Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (identical consecutive rows collapsed; the number in parentheses is how many times the row repeats)
PID 3564 wrote to memory of 1524 | 3564 | XWormV5.6.exe | Xworm V5.6.exe (2)
PID 3564 wrote to memory of 2228 | 3564 | XWormV5.6.exe | XWorm_Bypass.exe (2)
PID 3564 wrote to memory of 1452 | 3564 | XWormV5.6.exe | Bypass_helper.exe (2)
PID 1452 wrote to memory of 4176 | 1452 | Bypass_helper.exe | Bypass_helper.exe (2)
PID 4176 wrote to memory of 3440 | 4176 | Bypass_helper.exe | cmd.exe (2)
PID 3440 wrote to memory of 4336 | 3440 | cmd.exe | WMIC.exe (2)
PID 4176 wrote to memory of 4760 | 4176 | Bypass_helper.exe | cmd.exe (2)
PID 4760 wrote to memory of 2072 | 4760 | cmd.exe | netsh.exe (2)
PID 4176 wrote to memory of 3252 | 4176 | Bypass_helper.exe | cmd.exe (2)
PID 3252 wrote to memory of 448 | 3252 | cmd.exe | WMIC.exe (2)
PID 4176 wrote to memory of 3704 | 4176 | Bypass_helper.exe | wmic.exe (2)
PID 4176 wrote to memory of 4924 | 4176 | Bypass_helper.exe | cmd.exe (2)
PID 4924 wrote to memory of 3480 | 4924 | cmd.exe | WMIC.exe (2)
PID 4176 wrote to memory of 2720 | 4176 | Bypass_helper.exe | cmd.exe (2)
PID 2720 wrote to memory of 3580 | 2720 | cmd.exe | WMIC.exe (2)
PID 4176 wrote to memory of 2680 | 4176 | Bypass_helper.exe | cmd.exe (2)
PID 2680 wrote to memory of 4308 | 2680 | cmd.exe | WMIC.exe (2)
PID 4176 wrote to memory of 3980 | 4176 | Bypass_helper.exe | cmd.exe (2)
PID 3980 wrote to memory of 4520 | 3980 | cmd.exe | PING.EXE (2)
PID 2216 wrote to memory of 1652 | 2216 | cmd.exe | wusa.exe (2)
PID 2228 wrote to memory of 2868 | 2228 | XWorm_Bypass.exe | dialer.exe (7)
PID 2868 wrote to memory of 608 | 2868 | dialer.exe | winlogon.exe
PID 2868 wrote to memory of 660 | 2868 | dialer.exe | lsass.exe
PID 2868 wrote to memory of 948 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 316 | 2868 | dialer.exe | dwm.exe
PID 2868 wrote to memory of 424 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 508 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1136 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1144 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1152 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1160 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1236 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1256 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1304 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1408 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1436 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1604 | 2868 | dialer.exe | svchost.exe
PID 2868 wrote to memory of 1612 | 2868 | dialer.exe | svchost.exe

Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe"3⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
(depth 4) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - Suspicious use of WriteProcessMemory
(depth 5) C:\Windows\system32\wusa.exe
    cmdline: wusa /uninstall /kb:890830 /quiet /norestart
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe
(depth 4) C:\Windows\system32\dialer.exe
    cmdline: C:\Windows\system32\dialer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe delete "MCDRJPTJ"
    - Launches sc.exe
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe create "MCDRJPTJ" binpath= "C:\ProgramData\Xworm_Bypass.exe" start= "auto"
    - Launches sc.exe
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop eventlog
    - Launches sc.exe
(depth 4) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe start "MCDRJPTJ"
    - Launches sc.exe
(depth 5) C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
(depth 3) C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
(depth 4) C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
(depth 5) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    - Suspicious use of WriteProcessMemory
(depth 6) C:\Windows\System32\wbem\WMIC.exe
    cmdline: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken
(depth 5) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    - Suspicious use of WriteProcessMemory
(depth 6) C:\Windows\system32\netsh.exe
    cmdline: netsh wlan show profiles
    - Event Triggered Execution: Netsh Helper DLL
(depth 5) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    - Suspicious use of WriteProcessMemory
(depth 6) C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic os get Caption
    - Suspicious use of AdjustPrivilegeToken
(depth 5) C:\Windows\System32\Wbem\wmic.exe
    cmdline: wmic cpu get Name
(depth 5) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    - Suspicious use of WriteProcessMemory
(depth 6) C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic path win32_VideoController get name
    - Detects videocard installed
(depth 5) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    - Suspicious use of WriteProcessMemory
(depth 6) C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic computersystem get totalphysicalmemory
(depth 5) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    - Suspicious use of WriteProcessMemory
(depth 6) C:\Windows\System32\wbem\WMIC.exe
    cmdline: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
(depth 5) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe""
    - Suspicious use of WriteProcessMemory
(depth 6) C:\Windows\system32\PING.EXE
    cmdline: ping localhost -n 3
    - Runs ping.exe
(depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
(depth 1) C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
(depth 1) C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
(depth 1) C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
(depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
(depth 1) C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
(depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
(depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
(depth 1) C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
(depth 1) C:\Windows\system32\SppExtComObj.exe
    cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding
(depth 1) C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
(depth 1) C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
(depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
(depth 1) C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
(depth 1) C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
(depth 1) C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
(depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
(depth 1) C:\Windows\system32\wbem\wmiprvse.exe
    cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
(depth 1) C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
(depth 1) C:\ProgramData\Xworm_Bypass.exe
    cmdline: C:\ProgramData\Xworm_Bypass.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
(depth 2) C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
(depth 3) C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
(depth 2) C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
(depth 3) C:\Windows\system32\wusa.exe
    cmdline: wusa /uninstall /kb:890830 /quiet /norestart
(depth 2) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
(depth 2) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
(depth 2) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
(depth 2) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
(depth 2) C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe
(depth 2) C:\Windows\system32\dialer.exe
    cmdline: C:\Windows\system32\dialer.exe
(depth 2) C:\Windows\system32\dialer.exe
    cmdline: C:\Windows\system32\dialer.exe
(depth 2) C:\Windows\system32\dialer.exe
    cmdline: dialer.exe
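The tree above shows the same chain twice, once under the sample's own subtree at depth 4 and once under the service-started C:\ProgramData\Xworm_Bypass.exe at depth 2: stop the Windows Update services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), uninstall KB890830 (the Malicious Software Removal Tool) with wusa, add Defender exclusions for the user profile and ProgramData, re-create a service named MCDRJPTJ whose binary lives in ProgramData, stop the event log, and launch dialer.exe, which then shows WriteProcessMemory activity. The Bypass_helper.exe subtree is different in kind: WMIC and netsh host fingerprinting followed by a ping-delayed self-delete. As an added example that is not part of the report or of the sample, here is detection logic over process-creation events (Sysmon Event ID 1 or Security 4688 fields) that separates the two. The command lines in the sample are those in the tree; the pid/ppid numbers are invented to give them a tree shape, and the rule names and the two-rule threshold are this editor's choices.

```python
"""Added example (not from the sandbox report): flag the update/Defender
tampering and service-persistence chain seen in the process tree above from
process-creation events (image path, command line, pid, parent pid)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Services stopped in the report; all are Windows Update plumbing
# (Update Orchestrator, Update Medic, Windows Update, BITS, Delivery Optimization).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Roots any user can write to; a service binary there is far more suspicious
# than one under Program Files or System32.
USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users|windows\\temp)\\", re.I)
# Rules that make up the tampering chain, as opposed to host recon.
TAMPERING = {"sc_stop_update_service", "sc_stop_eventlog", "sc_create_user_writable_binpath",
             "wusa_uninstall_msrt", "defender_exclusion_added"}


def classify(ev: ProcEvent) -> set:
    """Return the names of every rule one process-creation event matches."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    low = ev.cmdline.lower()
    hits = set()
    if name == "sc.exe":
        stop = re.search(r'\bstop\s+"?([\w.-]+)', low)
        if stop and stop.group(1) in UPDATE_SERVICES:
            hits.add("sc_stop_update_service")
        if stop and stop.group(1) == "eventlog":
            hits.add("sc_stop_eventlog")
        create = re.search(r'binpath=\s*(?:"([^"]*)"|(\S+))', ev.cmdline, re.I)
        if create and USER_WRITABLE.match(create.group(1) or create.group(2)):
            hits.add("sc_create_user_writable_binpath")
    # KB890830 is the Malicious Software Removal Tool; removing it quietly
    # takes one more scanner off the box.
    if "wusa" in low and "/uninstall" in low and "kb:890830" in low:
        hits.add("wusa_uninstall_msrt")
    if "add-mppreference" in low and "-exclusion" in low:
        hits.add("defender_exclusion_added")
    if "wmic" in low and re.search(r"csproduct get uuid|os get caption|cpu get name|"
                                   r"win32_videocontroller|totalphysicalmemory", low):
        hits.add("wmic_host_fingerprint")
    if "netsh" in low and "wlan show profiles" in low:
        hits.add("netsh_wlan_profiles")
    # "ping ... && del /F <self>" is the usual cmd.exe sleep-then-self-delete.
    if name == "cmd.exe" and re.search(r"ping\s+\S+.*&&\s*del\s+/f", low):
        hits.add("ping_sleep_self_delete")
    return hits


def summarize(events):
    """Merge rule hits per process-tree root (topmost ancestor among the events)."""
    by_pid = {e.pid: e for e in events}

    def root(ev):
        while ev.ppid in by_pid:
            ev = by_pid[ev.ppid]
        return ev.pid

    hits = {}
    for ev in events:
        rules = classify(ev)
        if rules:
            hits.setdefault(root(ev), set()).update(rules)
    return hits


def is_tampering_chain(rules, minimum=2):
    """A single sc stop is noise; several tampering rules under one root is not."""
    return len(set(rules) & TAMPERING) >= minimum


# Constructed sample: command lines copied from the tree above; pids are invented.
SYS = r"C:\Windows\system32"
TMP = r"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6"
SAMPLE = [
    ProcEvent(100, 1, r"C:\ProgramData\Xworm_Bypass.exe", r"C:\ProgramData\Xworm_Bypass.exe"),
    ProcEvent(101, 100, SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
              SYS + r"\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath "
              r"@($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(102, 100, SYS + r"\cmd.exe", SYS + r"\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(103, 100, SYS + r"\sc.exe", SYS + r"\sc.exe stop UsoSvc"),
    ProcEvent(104, 100, SYS + r"\sc.exe", SYS + r"\sc.exe stop eventlog"),
    ProcEvent(105, 100, SYS + r"\sc.exe",
              SYS + r'\sc.exe create "MCDRJPTJ" binpath= "C:\ProgramData\Xworm_Bypass.exe" start= "auto"'),
    ProcEvent(106, 100, SYS + r"\sc.exe", SYS + r"\sc.exe stop spooler"),  # control: not an update service
    ProcEvent(200, 1, TMP + r"\Bypass_helper.exe", '"' + TMP + r'\Bypass_helper.exe"'),
    ProcEvent(201, 200, SYS + r"\cmd.exe", SYS + r'\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"'),
    ProcEvent(202, 200, SYS + r"\cmd.exe", SYS + r'\cmd.exe /c "netsh wlan show profiles"'),
    ProcEvent(203, 200, SYS + r"\cmd.exe",
              SYS + r'\cmd.exe /c "ping localhost -n 3 > NUL && del /F "' + TMP + r'\Bypass_helper.exe""'),
    ProcEvent(300, 1, SYS + r"\svchost.exe", SYS + r"\svchost.exe -k netsvcs -p -s BITS"),
]

if __name__ == "__main__":
    for root_pid, rules in sorted(summarize(SAMPLE).items()):
        tag = "TAMPERING CHAIN" if is_tampering_chain(rules) else "recon/other"
        print(f"root pid {root_pid}: {tag}: {', '.join(sorted(rules))}")
```

The per-root merge is what makes the rule usable: each sc.exe stop or Add-MpPreference call on its own is something an administrator might legitimately run, but five of them under one freshly dropped binary in ProgramData is not, and the svchost.exe and "sc stop spooler" controls show the rules stay quiet on ordinary service activity.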
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - System Services (2): Service Execution (2)
Persistence
  - Create or Modify System Process (2): Windows Service (2)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\MO2gs8XTiO\Browser\cc's.txt
    Filesize: 91B
    MD5: 5aa796b6950a92a226cc5c98ed1c47e8
    SHA1: 6706a4082fc2c141272122f1ca424a446506c44d
    SHA256: c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
    SHA512: 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

C:\Users\Admin\AppData\Local\Temp\MO2gs8XTiO\Browser\history.txt
    Filesize: 23B
    MD5: 5638715e9aaa8d3f45999ec395e18e77
    SHA1: 4e3dc4a1123edddf06d92575a033b42a662fe4ad
    SHA256: 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
    SHA512: 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
    Filesize: 25.7MB
    MD5: fdd34dc8e5f2c59153cea0c37646ca8d
    SHA1: 7e8965a1bbd74f8f999f4dd94a66f9d240b8c7ab
    SHA256: 99704a3fbd648ef8449232da2768920ac86345939d789d918150fa52d72c1d7e
    SHA512: 980da4844bc0a2434978d9477b850198eab8fdd8f4272abcd50a2df3ef6a7d73f5d3928a73d747e67a15cf0ec9cd6b285df3bcf0b796536f34fe343701f82007

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe
    Filesize: 2.7MB
    MD5: cbf264fda371ab41dccd5e100b59a2cb
    SHA1: b0cea8c96cd73b6b085f5ef59ea820b120053754
    SHA256: 6e330ee9b36579c504acb6485d5be7e9a529713ca70e83fe15cfb36bc76584ed
    SHA512: f2af35828d2074c3325eeb8fc0e0694fcbcdd844be630c0fa292276a32f2ec99eb599f9f035ba33204df31f4a368f248c60f35f2cf1df3eb929fe49cf77e6b7e

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe
    Filesize: 24.7MB
    MD5: d626f885874892781aa6efcc7e0c2a69
    SHA1: 09f2aeab8f4618f26471261a746bad43bfc917ff
    SHA256: df512cabbda87f7630eaa05abce3b84698a00a36d41222a95649f851d3317a1f
    SHA512: 26695528d81a1cf737d9337f11ca29fcbb7defb0418002e955501d7048c597cf23330be7bc49d33eceead020eb3a3e752d6a6c048ee54aa23c9e1981a520aa63

C:\Users\Admin\AppData\Local\Temp\_MEI14522\Cryptodome\Cipher\_raw_ecb.pyd
    Filesize: 9KB
    MD5: 1a48e6e2a3243a0e38996e61f9f61a68
    SHA1: 488a1aa38cd3c068bdf24b96234a12232007616c
    SHA256: c7b01a0290bc43910ee776bd90de05e37b77f5bd33feaf7d38f4c362e255e061
    SHA512: d7acd779b7cab5577289511f137dc664966fcaac39748e33ca4d266a785b17766106944df21c8f2452fd28e008529f3e0097282ad3c69f1069a93df25c6da764

C:\Users\Admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140.dll
    Filesize: 116KB
    MD5: be8dbe2dc77ebe7f88f910c61aec691a
    SHA1: a19f08bb2b1c1de5bb61daf9f2304531321e0e40
    SHA256: 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
    SHA512: 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140_1.dll
    Filesize: 48KB
    MD5: f8dfa78045620cf8a732e67d1b1eb53d
    SHA1: ff9a604d8c99405bfdbbf4295825d3fcbc792704
    SHA256: a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
    SHA512: ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_asyncio.pyd
    Filesize: 37KB
    MD5: b72e9a2f4d4389175e96cd4086b27aac
    SHA1: 2acfa17bb063ee9cf36fadbac802e95551d70d85
    SHA256: f9924bbead1aca98422ba421f5139a4c147559aae5928dfd2f6aada20cb6bb42
    SHA512: b55f40451fa9bdd62c761823613fcfe734aaa28e26fb02a9620ad39ab7539c9257eac8cc10d4a3f2390c23a4d951cc02d695498530a4c1d91b4e51e625316e06

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_bz2.pyd
    Filesize: 48KB
    MD5: f991618bfd497e87441d2628c39ea413
    SHA1: 98819134d64f44f83a18985c2ec1e9ee8b949290
    SHA256: 333c06fad79094d43465d128d68078296c925d1ea2b6b5bf13072a8d5cb65e7e
    SHA512: 3a9ecb293abedcdba3493feb7d19f987735ced5a5194abaa1d1e00946e7ea0f878dd71868eb3d9bfec80432df862367661b825c9e71409c60ec73d1708a63ef6

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_cffi_backend.cp312-win_amd64.pyd
    Filesize: 71KB
    MD5: 886da52cb1d06bd17acbd5c29355a3f5
    SHA1: 45dee87aefb1300ec51f612c3b2a204874be6f28
    SHA256: 770d04ebe9f4d8271659ba9bf186b8ae422fdd76f7293dbc84be78d9d6dd92cc
    SHA512: d6c7a90b8fa017f72f499943d73e4015f2eec0e46188c27848892a99be35e0ecbda1f692630863b89109b04636e813ddad2051f323a24b4d373192a6b67cf978

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ctypes.pyd
    Filesize: 59KB
    MD5: 76288ffffdce92111c79636f71b9bc9d
    SHA1: 15c10dcd31dab89522bf5b790e912dc7e6b3183b
    SHA256: 192cc2ac818c78cd21e9f969a95c0ff777d4cd5f79ae51ab7c366d2b8540f6a1
    SHA512: 29efc143cd72bf886e9bf54463706484f22222f024bd7e8cb206c32f40b76d823efd36061b05bbd6bcf562f83d95449acb3f1440c95e63750c643c15a10816c9

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_decimal.pyd
    Filesize: 105KB
    MD5: c2f5d61323fb7d08f90231300658c299
    SHA1: a6b15204980e28fc660b5a23194348e6aded83fc
    SHA256: a8ea1e613149d04e7ce637413aad6df636556916902718f64e57fdff44f959bb
    SHA512: df22676b5268175562574078459820f11eedb06f2845c86398c54861e9e3fb92547e7341b497fb0e79e9d3abba655e6593b1049bf78818c0ba7b9c96e3748606

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_hashlib.pyd
    Filesize: 35KB
    MD5: caaea46ee25211cbdc762feb95dc1e4d
    SHA1: 1f900cc99c02f4300d65628c1b22ddf8f39a94d4
    SHA256: 3ef6e0e5bf3f1ea9713f534c496a96eded9d3394a64324b046a61222dab5073b
    SHA512: 68c2b1634fcca930c1651f550494a2ef187cf52dce8ff28f410ebed4d84487e3b08f6f70223a83b5313c564dcd293748f3c22f2a4218218e634e924c8390cf9a

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_lzma.pyd
    Filesize: 86KB
    MD5: f07f0cfe4bc118aebcde63740635a565
    SHA1: 44ee88102830434bb9245934d6d4456c77c7b649
    SHA256: cc5302895aa164d5667d0df3ebeeee804384889b01d38182b3f7179f3c4ff8c0
    SHA512: fcd701903ccd454a661c27835b53f738d947f38e9d67620f52f12781a293e42ae6b96c260600396883d95dd5f536dba2874aaee083adbcc78d66873cefc8e99d

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_multiprocessing.pyd
    Filesize: 27KB
    MD5: 0c942dacb385235a97e373bdbe8a1a5e
    SHA1: cf864c004d710525f2cf1bec9c19ddf28984ca72
    SHA256: d5161d4e260b2bb498f917307f1c21381d738833efc6e8008f2ebfb9447c583b
    SHA512: ca10c6842634cec3cada209b61dd5b60d8ea63722e3a77aa05e8c61f64b1564febe9612b554a469927dbce877b6c29c357b099e81fa7e73ceeae04b8998aa5a5

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_overlapped.pyd
    Filesize: 33KB
    MD5: ed9cff0d68ba23aad53c3a5791668e8d
    SHA1: a38c9886d0de7224e36516467803c66a2e71c7d9
    SHA256: e88452d26499f51d48fe4b6bd95fc782bad809f0cb009d249aacf688b9a4e43f
    SHA512: 6020f886702d9ff6530b1f0dad548db6ad34171a1eb677cb1ba14d9a8943664934d0cfe68b642b1dd942a70e3ae375071591a66b709c90bd8a13303a54d2198b

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_queue.pyd
    Filesize: 26KB
    MD5: 8347192a8c190895ec8806a3291e70d9
    SHA1: 0a634f4bd15b7ce719d91f0c1332e621f90d3f83
    SHA256: b1ad27547e8f7ab2d1ce829ca9bdcc2b332dc5c2ef4fe224ccb76c78821c7a19
    SHA512: de6858ed68982844c405ca8aecf5a0aa62127807b783a154ba5d844b44f0f8f42828dc097ac4d0d1aa8366cdcab44b314effcb0020b65db4657df83b1b8f5fed

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_socket.pyd
    Filesize: 44KB
    MD5: 7e92d1817e81cbafdbe29f8bec91a271
    SHA1: 08868b9895196f194b2e054c04edccf1a4b69524
    SHA256: 19573ccc379190277674a013f35bf055f6dbb57adfce79152152a0de3ff8c87c
    SHA512: 0ed41a3ce83b8f4a492555a41881d292ece61d544f0a4df282f3cc37822255a7a32647724568c9a3b04d13fd3cc93eb080e54ac2ce7705b6b470454366be1cbe

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_sqlite3.pyd
    Filesize: 57KB
    MD5: 29a6551e9b7735a4cb4a61c86f4eb66c
    SHA1: f552a610d64a181b675c70c3b730aa746e1612d0
    SHA256: 78c29a6479a0a2741920937d13d404e0c69d21f6bd76bdfec5d415857391b517
    SHA512: 54a322bfe5e34f0b6b713e22df312cfbde4a2b52240a920b2fa3347939cf2a1fecbeac44d7c1fa2355ee6dc714891acd3ee827d73131fd1e39fba390c3a444e6

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ssl.pyd
    Filesize: 65KB
    MD5: 8696f07039706f2e444f83bb05a65659
    SHA1: 6c6fff6770a757e7c4b22e6e22982317727bf65b
    SHA256: 5405af77bc6ad0c598490b666c599c625195f7bf2a63db83632e3a416c73e371
    SHA512: 93e9f8fc1ae8a458eb4d9e7d7294b5c2230cb753386842e72d07cb7f43f248d204d13d93aedae95ec1a7aa6a81a7c09fdba56a0bc31924a1722c423473d97758

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_uuid.pyd
    Filesize: 24KB
    MD5: 7a00ff38d376abaaa1394a4080a6305b
    SHA1: d43a9e3aa3114e7fc85c851c9791e839b3a0ee13
    SHA256: 720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016
    SHA512: ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_wmi.pyd
    Filesize: 28KB
    MD5: f3767430bbc7664d719e864759b806e4
    SHA1: f27d26e99141f15776177756de303e83422f7d07
    SHA256: 787caad25cb4e2df023ead5e5a3fcd160b1c59a2e4ae1fc7b25c5087964defe8
    SHA512: b587dfff4ba86142663de6ef8710ac7ab8831ca5fc989820b6a197bcd31ac5fdcb0b5982bf9a1fc13b331d0e53dc1b7367b54bb47910f3d1e18f8193449acb9c

C:\Users\Admin\AppData\Local\Temp\_MEI14522\base_library.zip
    Filesize: 1.3MB
    MD5: 630153ac2b37b16b8c5b0dbb69a3b9d6
    SHA1: f901cd701fe081489b45d18157b4a15c83943d9d
    SHA256: ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
    SHA512: 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

C:\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md.cp312-win_amd64.pyd
    Filesize: 9KB
    MD5: 21898e2e770cb9b71dc5973dd0d0ede0
    SHA1: 99de75d743f6e658a1bec52419230690b3e84677
    SHA256: edd490bec8ec903cdbf62f39e0675181e50b7f1df4dc48a3e650e18d19804138
    SHA512: dc8636d817ae1199200c24ac22def5d12642db951b87f4826015fd1d5c428d45410ce3b7f5bb5aaaa05deecf91d954b948f537bd6fa52a53364ab3609caac81d

C:\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
    Filesize: 39KB
    MD5: 4e5cd67d83f5226410ef9f5bc6fddab9
    SHA1: dd75f79986808ff22f1049680f848a547ba7ab84
    SHA256: 80645609f9a48a8aaf988fa667f5aa32445e32f8027f61b27884d738ad608ae4
    SHA512: e52eb7b51562a336c73c6b5b8a1ae821a7c2ad0145633858fc78d6af1a27d8f57ba59cfffa84a376f59d5362a19a7cc09fa1f691c7b50b3ac27c439781a42ba0

C:\Users\Admin\AppData\Local\Temp\_MEI14522\libcrypto-3.dll
    Filesize: 1.6MB
    MD5: e68a459f00b05b0bd7eafe3da4744aa9
    SHA1: 41565d2cc2daedd148eeae0c57acd385a6a74254
    SHA256: 3fcf6956df6f5dc92b2519062b40475b94786184388540a0353f8a0868413648
    SHA512: 6c4f3747af7be340a3db91e906b949684a39cafc07f42b9fcc27116f4f4bf405583fc0db3684312b277d000d8e6a566db2c43601fa2af499700319c660ef1108

C:\Users\Admin\AppData\Local\Temp\_MEI14522\libffi-8.dll
    Filesize: 29KB
    MD5: bb1feaa818eba7757ada3d06f5c57557
    SHA1: f2de5f06dc6884166de165d34ef2b029bb0acf8b
    SHA256: a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29
    SHA512: 95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

C:\Users\Admin\AppData\Local\Temp\_MEI14522\libssl-3.dll
    Filesize: 222KB
    MD5: 9b8d3341e1866178f8cecf3d5a416ac8
    SHA1: 8f2725b78795237568905f1a9cd763a001826e86
    SHA256: 85dd8c17928e78c20cf915c1985659fe99088239793f2bd46acb31a3c344c559
    SHA512: 815abc0517f94982fc402480bba6e0749f44150765e7f8975e4fcbfce62c4a5ff741e39e462d66b64ba3b804bd5b7190b67fff037d11bb314c7d581cfa6097a8

C:\Users\Admin\AppData\Local\Temp\_MEI14522\psutil\_psutil_windows.pyd
    Filesize: 31KB
    MD5: d2ab09582b4c649abf814cdce5d34701
    SHA1: b7a3ebd6ff94710cf527baf0bb920b42d4055649
    SHA256: 571115cca942bc76010b379df5d28afcb0f0d0de65a3bac89a95c6a86838b983
    SHA512: 022ccaeb99dc08997d917f85c6bc3aefdad5074c995008942a2f35f46ba07d73bb5bc7bc971ec71cb0e60dcb096b2c990866fe29c57670d069e7bdc3b14f6172

C:\Users\Admin\AppData\Local\Temp\_MEI14522\pyexpat.pyd
    Filesize: 87KB
    MD5: edcb8f65306461e42065ac6fc3bae5e7
    SHA1: 4faa04375c3d2c2203be831995403e977f1141eb
    SHA256: 1299da117c98d741e31c8fb117b0f65ae039a4122934a93d0bbb8dfbddd2dcd7
    SHA512: 221e6e1eb9065f54a48040b48f7b6109853306f04506ccf9ecb2f5813a5bd9675c38565a59e72770bf33d132977aa1558cc290720e39a4f3a74a0e7c2a3f88fa

C:\Users\Admin\AppData\Local\Temp\_MEI14522\python3.dll
    Filesize: 66KB
    MD5: 6271a2fe61978ca93e60588b6b63deb2
    SHA1: be26455750789083865fe91e2b7a1ba1b457efb8
    SHA256: a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb
    SHA512: 8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

C:\Users\Admin\AppData\Local\Temp\_MEI14522\python312.dll
    Filesize: 1.8MB
    MD5: 2889fb28cd8f2f32997be99eb81fd7eb
    SHA1: adfeb3a08d20e22dde67b60869c93291ca688093
    SHA256: 435430e3abfde589d8535bc24a4b1d4147a4971dbe59e9377603974c07a1b637
    SHA512: aaa33b8178a8831008ea6ad39b05189d55aa228a20a2315e45df6e2ff590c94478cfc76c9adb762689edb021ecdf98df3e7074d8d65c1c477273056b7509f8ee

C:\Users\Admin\AppData\Local\Temp\_MEI14522\select.pyd
    Filesize: 25KB
    MD5: c16b7b88792826c2238d3cf28ce773dd
    SHA1: 198b5d424a66c85e2c07e531242c52619d932afa
    SHA256: b81be8cc053734f317ff4de3476dd8c383cc65fe3f2f1e193a20181f9ead3747
    SHA512: 7b1b2494fe0ef71869072d3c41ba1f2b67e3b9dcc36603d1503bb914d8b8e803dc1b66a3cbf0e45c43e4a5b7a8f44504a35d5e8e1090d857b28b7eba1b89c08a

C:\Users\Admin\AppData\Local\Temp\_MEI14522\sqlite3.dll
    Filesize: 630KB
    MD5: 8776a7f72e38d2ee7693c61009835b0c
    SHA1: 677a127c04ef890e372d70adc2ab388134753d41
    SHA256: c467fcc7377b4a176e8963f54ffff5c96d1eb86d95c4df839af070d6d7dbf954
    SHA512: 815bf905fa9a66c05e5c92506d2661c87559c6205c71daa205368dbfd3d56b8a302a4d31729bc6d4c1d86cbcf057638aa17bde0d85ccc59ce1cbcb9e64349732

C:\Users\Admin\AppData\Local\Temp\_MEI14522\unicodedata.pyd
    Filesize: 295KB
    MD5: 4253cde4d54e752ae54ff45217361471
    SHA1: 06aa069c348b10158d2412f473c243b24d6fc7bc
    SHA256: 67634e2df60da6b457e4ebfbae3edb1f48d87752221600a5814b5e8f351166e6
    SHA512: 3b714a57747eddf39fc3a84ab3ca37cc0b8103dd3f987331ffb2d1d46f9a34f3793bb0493c55e02ab873314c8990eaebdd0284ad087a651c06a7f862b1a61c80

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_023e02zr.mar.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Memory dumps (name encodes pid, sequence number and address range):
memory/316-395-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp  Filesize: 64KB
memory/316-394-0x0000025C0C1A0000-0x0000025C0C1CB000-memory.dmp  Filesize: 172KB
memory/424-402-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp  Filesize: 64KB
memory/424-401-0x00000257C3170000-0x00000257C319B000-memory.dmp  Filesize: 172KB
memory/608-385-0x000001DFAEB20000-0x000001DFAEB4B000-memory.dmp  Filesize: 172KB
memory/608-384-0x000001DFAEAF0000-0x000001DFAEB14000-memory.dmp  Filesize: 144KB
memory/608-386-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp  Filesize: 64KB
memory/660-390-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp  Filesize: 64KB
memory/660-389-0x0000024B58EC0000-0x0000024B58EEB000-memory.dmp  Filesize: 172KB
memory/948-398-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp  Filesize: 64KB
memory/948-397-0x0000018E407D0000-0x0000018E407FB000-memory.dmp  Filesize: 172KB
memory/1524-260-0x0000025DB31E0000-0x0000025DB320C000-memory.dmp  Filesize: 176KB
memory/1524-187-0x00007FF9DB143000-0x00007FF9DB145000-memory.dmp  Filesize: 8KB
memory/1524-259-0x0000025DB3240000-0x0000025DB32F2000-memory.dmp  Filesize: 712KB
memory/1524-192-0x0000025DB2410000-0x0000025DB3038000-memory.dmp  Filesize: 12.2MB
memory/1524-258-0x0000025DB30F0000-0x0000025DB3172000-memory.dmp  Filesize: 520KB
memory/1524-117-0x0000025D951A0000-0x0000025D96A58000-memory.dmp  Filesize: 24.7MB
memory/1524-20-0x00007FF9DB143000-0x00007FF9DB145000-memory.dmp  Filesize: 8KB
memory/1524-261-0x0000025DB5120000-0x0000025DB5402000-memory.dmp  Filesize: 2.9MB
memory/1524-128-0x0000025DB16A0000-0x0000025DB1894000-memory.dmp  Filesize: 2.0MB
memory/1704-689-0x00000272D3360000-0x00000272D3366000-memory.dmp  Filesize: 24KB
memory/1704-688-0x00000272D3330000-0x00000272D3338000-memory.dmp  Filesize: 32KB
memory/1704-686-0x00000272D3320000-0x00000272D332A000-memory.dmp  Filesize: 40KB
memory/1704-685-0x00000272D3340000-0x00000272D335C000-memory.dmp  Filesize: 112KB
memory/1704-684-0x00000272D31D0000-0x00000272D31DA000-memory.dmp  Filesize: 40KB
memory/1704-683-0x00000272D3110000-0x00000272D31C5000-memory.dmp  Filesize: 724KB
memory/1704-682-0x00000272D30F0000-0x00000272D310C000-memory.dmp  Filesize: 112KB
memory/1704-687-0x00000272D3380000-0x00000272D339A000-memory.dmp  Filesize: 104KB
memory/1704-690-0x00000272D3370000-0x00000272D337A000-memory.dmp  Filesize: 40KB
memory/2868-373-0x0000000140000000-0x000000014002B000-memory.dmp  Filesize: 172KB
memory/2868-374-0x0000000140000000-0x000000014002B000-memory.dmp  Filesize: 172KB
memory/2868-377-0x0000000140000000-0x000000014002B000-memory.dmp  Filesize: 172KB
memory/2868-375-0x0000000140000000-0x000000014002B000-memory.dmp  Filesize: 172KB
memory/2868-372-0x0000000140000000-0x000000014002B000-memory.dmp  Filesize: 172KB
memory/2868-379-0x00007FF9F8CA0000-0x00007FF9F8D5E000-memory.dmp  Filesize: 760KB
memory/2868-378-0x00007FF9F9C50000-0x00007FF9F9E45000-memory.dmp  Filesize: 2.0MB
memory/2868-381-0x0000000140000000-0x000000014002B000-memory.dmp  Filesize: 172KB
memory/4176-196-0x00007FF9EB580000-0x00007FF9EB594000-memory.dmp  Filesize: 80KB
memory/4176-295-0x00007FF9EAE20000-0x00007FF9EAE2B000-memory.dmp  Filesize: 44KB
memory/4176-223-0x00007FF9D4F20000-0x00007FF9D51A3000-memory.dmp  Filesize: 2.5MB
memory/4176-212-0x00007FF9EAF30000-0x00007FF9EAF3C000-memory.dmp  Filesize: 48KB
memory/4176-211-0x00007FF9EAF40000-0x00007FF9EAF4C000-memory.dmp  Filesize: 48KB
memory/4176-210-0x00007FF9EAF50000-0x00007FF9EAF5B000-memory.dmp  Filesize: 44KB
memory/4176-209-0x00007FF9D2660000-0x00007FF9D2B89000-memory.dmp  Filesize: 5.2MB
memory/4176-225-0x00007FF9EBB70000-0x00007FF9EBBA3000-memory.dmp  Filesize: 204KB
memory/4176-226-0x000001CB8A300000-0x000001CB8A829000-memory.dmp  Filesize: 5.2MB
memory/4176-195-0x00007FF9EB7B0000-0x00007FF9EB7C8000-memory.dmp  Filesize: 96KB
memory/4176-193-0x00007FF9D93A0000-0x00007FF9D9A79000-memory.dmp  Filesize: 6.8MB
memory/4176-189-0x00007FF9D56E0000-0x00007FF9D5856000-memory.dmp  Filesize: 1.5MB
memory/4176-227-0x00007FF9EAF70000-0x00007FF9EAF7B000-memory.dmp  Filesize: 44KB
memory/4176-228-0x00007FF9EAF60000-0x00007FF9EAF6C000-memory.dmp  Filesize: 48KB
memory/4176-253-0x00007FF9D5860000-0x00007FF9D592D000-memory.dmp  Filesize: 820KB
memory/4176-255-0x00007FF9EEC40000-0x00007FF9EEC4F000-memory.dmp  Filesize: 60KB
memory/4176-229-0x00007FF9EAD20000-0x00007FF9EAD49000-memory.dmp  Filesize: 164KB
memory/4176-213-0x00007FF9EAF20000-0x00007FF9EAF2E000-memory.dmp  Filesize: 56KB
memory/4176-214-0x00007FF9EAE30000-0x00007FF9EAE3C000-memory.dmp  Filesize: 48KB
memory/4176-215-0x00007FF9EAE20000-0x00007FF9EAE2B000-memory.dmp  Filesize: 44KB
memory/4176-274-0x00007FF9D2660000-0x00007FF9D2B89000-memory.dmp  Filesize: 5.2MB
memory/4176-311-0x00007FF9EB7D0000-0x00007FF9EB7F4000-memory.dmp  Filesize: 144KB
memory/4176-321-0x00007FF9EEC40000-0x00007FF9EEC4F000-memory.dmp  Filesize: 60KB
memory/4176-320-0x00007FF9D4F20000-0x00007FF9D51A3000-memory.dmp  Filesize: 2.5MB
memory/4176-319-0x00007FF9E9280000-0x00007FF9E92AE000-memory.dmp  Filesize: 184KB
memory/4176-318-0x00007FF9EAD20000-0x00007FF9EAD49000-memory.dmp  Filesize: 164KB
memory/4176-317-0x00007FF9EADB0000-0x00007FF9EADBC000-memory.dmp  Filesize: 48KB
memory/4176-316-0x00007FF9EADC0000-0x00007FF9EADD2000-memory.dmp  Filesize: 72KB
memory/4176-315-0x00007FF9EADE0000-0x00007FF9EADED000-memory.dmp  Filesize: 52KB
memory/4176-314-0x00007FF9EADF0000-0x00007FF9EADFC000-memory.dmp  Filesize: 48KB
memory/4176-313-0x00007FF9EAE00000-0x00007FF9EAE0C000-memory.dmp  Filesize: 48KB
memory/4176-312-0x00007FF9EAE10000-0x00007FF9EAE1B000-memory.dmp  Filesize: 44KB
memory/4176-310-0x00007FF9EB840000-0x00007FF9EB852000-memory.dmp  Filesize: 72KB
memory/4176-309-0x00007FF9EBB50000-0x00007FF9EBB66000-memory.dmp  Filesize: 88KB
memory/4176-308-0x00007FF9EB800000-0x00007FF9EB835000-memory.dmp  Filesize: 212KB
memory/4176-307-0x00007FF9EB580000-0x00007FF9EB594000-memory.dmp  Filesize: 80KB
memory/4176-306-0x00007FF9D5860000-0x00007FF9D592D000-memory.dmp  Filesize: 820KB
memory/4176-305-0x00007FF9EBB70000-0x00007FF9EBBA3000-memory.dmp  Filesize: 204KB
memory/4176-304-0x00007FF9EEC90000-0x00007FF9EEC9D000-memory.dmp  Filesize: 52KB
memory/4176-303-0x00007FF9EF370000-0x00007FF9EF37D000-memory.dmp  Filesize: 52KB
memory/4176-302-0x00007FF9EF190000-0x00007FF9EF1A9000-memory.dmp  Filesize: 100KB
memory/4176-301-0x00007FF9F0910000-0x00007FF9F091D000-memory.dmp  Filesize: 52KB
memory/4176-300-0x00007FF9EEA70000-0x00007FF9EEA9D000-memory.dmp  Filesize: 180KB
memory/4176-299-0x00007FF9F0920000-0x00007FF9F0939000-memory.dmp  Filesize: 100KB
memory/4176-298-0x00007FF9F4060000-0x00007FF9F406F000-memory.dmp  Filesize: 60KB
memory/4176-297-0x00007FF9F2D40000-0x00007FF9F2D65000-memory.dmp  Filesize: 148KB
memory/4176-296-0x00007FF9D93A0000-0x00007FF9D9A79000-memory.dmp  Filesize: 6.8MB
memory/4176-224-0x00007FF9E9280000-0x00007FF9E92AE000-memory.dmp  Filesize: 184KB
memory/4176-294-0x00007FF9EAE30000-0x00007FF9EAE3C000-memory.dmp  Filesize: 48KB
memory/4176-293-0x00007FF9EAF20000-0x00007FF9EAF2E000-memory.dmp  Filesize: 56KB
memory/4176-292-0x00007FF9EAF30000-0x00007FF9EAF3C000-memory.dmp  Filesize: 48KB
memory/4176-291-0x00007FF9EAF40000-0x00007FF9EAF4C000-memory.dmp  Filesize: 48KB
memory/4176-290-0x00007FF9EAF50000-0x00007FF9EAF5B000-memory.dmp  Filesize: 44KB
memory/4176-289-0x00007FF9EAF60000-0x00007FF9EAF6C000-memory.dmp  Filesize: 48KB
memory/4176-288-0x00007FF9EAF70000-0x00007FF9EAF7B000-memory.dmp  Filesize: 44KB
memory/4176-287-0x00007FF9EB420000-0x00007FF9EB42C000-memory.dmp  Filesize: 48KB
memory/4176-286-0x00007FF9EB4B0000-0x00007FF9EB4BB000-memory.dmp  Filesize: 44KB
memory/4176-285-0x00007FF9EB4C0000-0x00007FF9EB4CB000-memory.dmp  Filesize: 44KB
memory/4176-284-0x00007FF9D55C0000-0x00007FF9D56DB000-memory.dmp  Filesize: 1.1MB
memory/4176-283-0x00007FF9EB4D0000-0x00007FF9EB4F7000-memory.dmp  Filesize: 156KB
memory/4176-282-0x00007FF9EBB00000-0x00007FF9EBB0B000-memory.dmp  Filesize: 44KB
memory/4176-280-0x00007FF9EB7B0000-0x00007FF9EB7C8000-memory.dmp  Filesize: 96KB
memory/4176-279-0x00007FF9D56E0000-0x00007FF9D5856000-memory.dmp  Filesize: 1.5MB
memory/4176-126-0x00007FF9D93A0000-0x00007FF9D9A79000-memory.dmp  Filesize: 6.8MB
memory/4176-216-0x00007FF9EAE10000-0x00007FF9EAE1B000-memory.dmp  Filesize: 44KB
memory/4176-217-0x00007FF9EAE00000-0x00007FF9EAE0C000-memory.dmp  Filesize: 48KB
memory/4176-218-0x00007FF9EADF0000-0x00007FF9EADFC000-memory.dmp  Filesize: 48KB
memory/4176-219-0x00007FF9EADE0000-0x00007FF9EADED000-memory.dmp  Filesize: 52KB
memory/4176-220-0x00007FF9EADC0000-0x00007FF9EADD2000-memory.dmp  Filesize: 72KB
memory/4176-221-0x00007FF9EADB0000-0x00007FF9EADBC000-memory.dmp  Filesize: 48KB
memory/4176-202-0x00007FF9EBB00000-0x00007FF9EBB0B000-memory.dmp  Filesize: 44KB
memory/4176-206-0x00007FF9EB4C0000-0x00007FF9EB4CB000-memory.dmp  Filesize: 44KB
memory/4176-207-0x00007FF9EB4B0000-0x00007FF9EB4BB000-memory.dmp  Filesize: 44KB
memory/4176-208-0x00007FF9EB420000-0x00007FF9EB42C000-memory.dmp  Filesize: 48KB
memory/4176-203-0x00007FF9EB4D0000-0x00007FF9EB4F7000-memory.dmp  Filesize: 156KB
memory/4176-205-0x00007FF9D55C0000-0x00007FF9D56DB000-memory.dmp  Filesize: 1.1MB
memory/4176-188-0x00007FF9EB7D0000-0x00007FF9EB7F4000-memory.dmp  Filesize: 144KB
memory/4176-184-0x00007FF9EB800000-0x00007FF9EB835000-memory.dmp  Filesize: 212KB
memory/4176-183-0x00007FF9EB840000-0x00007FF9EB852000-memory.dmp  Filesize: 72KB
memory/4176-180-0x00007FF9EBB50000-0x00007FF9EBB66000-memory.dmp  Filesize: 88KB
memory/4176-177-0x00007FF9D2660000-0x00007FF9D2B89000-memory.dmp  Filesize: 5.2MB
memory/4176-178-0x000001CB8A300000-0x000001CB8A829000-memory.dmp  Filesize: 5.2MB
memory/4176-137-0x00007FF9F2D40000-0x00007FF9F2D65000-memory.dmp  Filesize: 148KB
memory/4176-176-0x00007FF9D5860000-0x00007FF9D592D000-memory.dmp  Filesize: 820KB
memory/4176-138-0x00007FF9F4060000-0x00007FF9F406F000-memory.dmp  Filesize: 60KB
memory/4176-142-0x00007FF9F0920000-0x00007FF9F0939000-memory.dmp  Filesize: 100KB
memory/4176-172-0x00007FF9EBB70000-0x00007FF9EBBA3000-memory.dmp  Filesize: 204KB
memory/4176-167-0x00007FF9F0910000-0x00007FF9F091D000-memory.dmp  Filesize: 52KB
memory/4176-168-0x00007FF9EF190000-0x00007FF9EF1A9000-memory.dmp  Filesize: 100KB
memory/4176-169-0x00007FF9EF370000-0x00007FF9EF37D000-memory.dmp  Filesize: 52KB
memory/4176-170-0x00007FF9EEC90000-0x00007FF9EEC9D000-memory.dmp  Filesize: 52KB
memory/4176-143-0x00007FF9EEA70000-0x00007FF9EEA9D000-memory.dmp  Filesize: 180KB
memory/4612-361-0x000001B5383D0000-0x000001B5383F2000-memory.dmp  Filesize: 136KB
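The dump names above encode pid, sequence number and address range, which is enough to correlate regions across processes before opening a single dump: pids 316, 424, 608, 660 and 948 each have a 172KB region at a different base plus a 64KB region at the same address 0x00007FF9B9CD0000, and pid 2868 holds a 172KB region at 0x140000000, the linker default image base for a 64-bit Windows executable, which a system process would normally have relocated by ASLR. As an added example that is not part of the report, here is a small triage pass over a constructed subset of that listing that surfaces exactly those patterns. The interpretations it prints are heuristics: a same-address region in many processes is also what an ordinary system DLL looks like, since Windows randomises a DLL's base once per boot and maps it at that address in every process, so each finding is a pointer to check which module owns the region, not a verdict.

```python
"""Added example (not from the sandbox report): correlate memory-dump regions
across processes using only the pid/seq/start-end encoded in the dump names.
The input is a constructed subset of the listing above."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(?P<pid>\d+)-(?P<seq>\d+)-"
                     r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")
# Linker default image base for 64-bit Windows executables. A system process has
# its own image relocated by ASLR, so a PE-sized region at exactly this address
# inside one is a common sign of a manually mapped payload (unrelocated).
DEFAULT_X64_IMAGE_BASE = 0x140000000


def parse_dumps(lines):
    """Return (pid, seq, start, size) for every dump name found in lines."""
    regions = []
    for line in lines:
        m = DUMP_RE.search(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append((int(m["pid"]), int(m["seq"]), start, end - start))
    return regions


def same_size_across_pids(regions, min_pids=3):
    """Region sizes dumped from at least min_pids distinct processes: {size: [pids]}."""
    pids = defaultdict(set)
    for pid, _, _, size in regions:
        pids[size].add(pid)
    return {size: sorted(p) for size, p in pids.items() if len(p) >= min_pids}


def same_region_across_pids(regions, min_pids=3):
    """Identical (start, size) regions seen in at least min_pids processes."""
    pids = defaultdict(set)
    for pid, _, start, size in regions:
        pids[(start, size)].add(pid)
    return {key: sorted(p) for key, p in pids.items() if len(p) >= min_pids}


def at_default_image_base(regions):
    """Pids holding a dumped region that starts at the default x64 EXE base."""
    return sorted({pid for pid, _, start, _ in regions if start == DEFAULT_X64_IMAGE_BASE})


def findings(regions):
    """Human-readable triage lines; each is a lead to verify, not a conclusion."""
    out = []
    for pid in at_default_image_base(regions):
        out.append(f"pid {pid}: region at 0x{DEFAULT_X64_IMAGE_BASE:X} (unrelocated PE? check headers)")
    for size, pids in sorted(same_size_across_pids(regions).items()):
        out.append(f"0x{size:X}-byte region in {len(pids)} processes {pids} at differing bases: "
                   "same payload injected into each? diff the dumps")
    for (start, size), pids in sorted(same_region_across_pids(regions).items()):
        out.append(f"0x{start:X}+0x{size:X} identical in {len(pids)} processes {pids}: "
                   "shared DLL page or shared stub; check which module owns it")
    return out


# Constructed subset of the report's dump listing (names copied verbatim).
SAMPLE_LISTING = """
memory/316-395-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp
memory/316-394-0x0000025C0C1A0000-0x0000025C0C1CB000-memory.dmp
memory/424-402-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp
memory/424-401-0x00000257C3170000-0x00000257C319B000-memory.dmp
memory/608-385-0x000001DFAEB20000-0x000001DFAEB4B000-memory.dmp
memory/608-384-0x000001DFAEAF0000-0x000001DFAEB14000-memory.dmp
memory/608-386-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp
memory/660-390-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp
memory/660-389-0x0000024B58EC0000-0x0000024B58EEB000-memory.dmp
memory/948-398-0x00007FF9B9CD0000-0x00007FF9B9CE0000-memory.dmp
memory/948-397-0x0000018E407D0000-0x0000018E407FB000-memory.dmp
memory/1524-128-0x0000025DB16A0000-0x0000025DB1894000-memory.dmp
memory/2868-373-0x0000000140000000-0x000000014002B000-memory.dmp
memory/2868-379-0x00007FF9F8CA0000-0x00007FF9F8D5E000-memory.dmp
memory/4612-361-0x000001B5383D0000-0x000001B5383F2000-memory.dmp
""".strip().splitlines()

if __name__ == "__main__":
    for line in findings(parse_dumps(SAMPLE_LISTING)):
        print(line)
```

Sizes are recomputed from the address range rather than read from the "Filesize" column, so the 172KB entries compare as an exact 0x2B000 bytes; the same-size check across pids with different bases is the stronger signal here, because an ordinary shared DLL would sit at the same base in every process.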