xworm | 227dbbb256d5236819196deda5707bc6abd1df5ba9a483edf82443ad12f26930

Analysis

max time kernel
9s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 20:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

336KB
MD5

5fcc047b04b088650ffab33ab0d3a991
SHA1

310de3660d360e55e02aeabc2bb96fe1a00fbeb1
SHA256

227dbbb256d5236819196deda5707bc6abd1df5ba9a483edf82443ad12f26930
SHA512

5bc2803bb1fbcd18b33f7c23120fa144cb29c07376c40622f20d69386932bbf82e8160ec7ec11c781a0624a875ee198369c7b2cf8b2464986054d7c5d94c4cf4
SSDEEP

6144:gv9QxBt25x/5bTgVziHzZnSKrCbYM+2ba8Mq:NxBt8/5/gVziHlBrCbYP85

Score

10^/10

xworm bootkit defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3748-1-0x000002764B110000-0x000002764B16A000-memory.dmp	family_xworm
behavioral2/memory/3748-297-0x00000276659B0000-0x00000276659D8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4528	powershell.exe
1792	powershell.exe
4112	powershell.exe
4060	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
4636	chkxjn1o.ofl.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	XClient.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	pastebin.com
26	pastebin.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\svchost	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001840129631C35A"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4872	SCHTASKS.exe
100	SCHTASKS.exe
1684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe
4636	chkxjn1o.ofl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	XClient.exe
Token: SeDebugPrivilege	4636	chkxjn1o.ofl.exe
Token: SeShutdownPrivilege	5056	MusNotification.exe
Token: SeCreatePagefilePrivilege	5056	MusNotification.exe
Token: SeShutdownPrivilege	1020	dwm.exe
Token: SeCreatePagefilePrivilege	1020	dwm.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeCreatePagefilePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeCreatePagefilePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeCreatePagefilePrivilege	2152	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2252	svchost.exe
Token: SeIncreaseQuotaPrivilege	2252	svchost.exe
Token: SeSecurityPrivilege	2252	svchost.exe
Token: SeTakeOwnershipPrivilege	2252	svchost.exe
Token: SeLoadDriverPrivilege	2252	svchost.exe
Token: SeBackupPrivilege	2252	svchost.exe
Token: SeRestorePrivilege	2252	svchost.exe
Token: SeShutdownPrivilege	2252	svchost.exe
Token: SeSystemEnvironmentPrivilege	2252	svchost.exe
Token: SeManageVolumePrivilege	2252	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2252	svchost.exe
Token: SeIncreaseQuotaPrivilege	2252	svchost.exe
Token: SeSecurityPrivilege	2252	svchost.exe
Token: SeTakeOwnershipPrivilege	2252	svchost.exe
Token: SeLoadDriverPrivilege	2252	svchost.exe
Token: SeSystemtimePrivilege	2252	svchost.exe
Token: SeBackupPrivilege	2252	svchost.exe
Token: SeRestorePrivilege	2252	svchost.exe
Token: SeShutdownPrivilege	2252	svchost.exe
Token: SeSystemEnvironmentPrivilege	2252	svchost.exe
Token: SeUndockPrivilege	2252	svchost.exe
Token: SeManageVolumePrivilege	2252	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2252	svchost.exe
Token: SeIncreaseQuotaPrivilege	2252	svchost.exe
Token: SeSecurityPrivilege	2252	svchost.exe
Token: SeTakeOwnershipPrivilege	2252	svchost.exe
Token: SeLoadDriverPrivilege	2252	svchost.exe
Token: SeSystemtimePrivilege	2252	svchost.exe
Token: SeBackupPrivilege	2252	svchost.exe
Token: SeRestorePrivilege	2252	svchost.exe
Token: SeShutdownPrivilege	2252	svchost.exe
Token: SeSystemEnvironmentPrivilege	2252	svchost.exe
Token: SeUndockPrivilege	2252	svchost.exe
Token: SeManageVolumePrivilege	2252	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2252	svchost.exe
Token: SeIncreaseQuotaPrivilege	2252	svchost.exe
Token: SeSecurityPrivilege	2252	svchost.exe
Token: SeTakeOwnershipPrivilege	2252	svchost.exe
Token: SeLoadDriverPrivilege	2252	svchost.exe
Token: SeSystemtimePrivilege	2252	svchost.exe
Token: SeBackupPrivilege	2252	svchost.exe
Token: SeRestorePrivilege	2252	svchost.exe
Token: SeShutdownPrivilege	2252	svchost.exe
Token: SeSystemEnvironmentPrivilege	2252	svchost.exe
Token: SeUndockPrivilege	2252	svchost.exe
Token: SeManageVolumePrivilege	2252	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2252	svchost.exe
Token: SeIncreaseQuotaPrivilege	2252	svchost.exe
Token: SeSecurityPrivilege	2252	svchost.exe
Token: SeTakeOwnershipPrivilege	2252	svchost.exe
Token: SeLoadDriverPrivilege	2252	svchost.exe
Token: SeSystemtimePrivilege	2252	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4996	Conhost.exe
1288	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4636	3748	XClient.exe	85
PID 3748 wrote to memory of 4636	3748	XClient.exe	85
PID 3748 wrote to memory of 4872	3748	XClient.exe	86
PID 3748 wrote to memory of 4872	3748	XClient.exe	86
PID 4636 wrote to memory of 608	4636	chkxjn1o.ofl.exe	5
PID 4636 wrote to memory of 672	4636	chkxjn1o.ofl.exe	7
PID 4636 wrote to memory of 952	4636	chkxjn1o.ofl.exe	12
PID 4636 wrote to memory of 1020	4636	chkxjn1o.ofl.exe	13
PID 4636 wrote to memory of 516	4636	chkxjn1o.ofl.exe	14
PID 4636 wrote to memory of 992	4636	chkxjn1o.ofl.exe	16
PID 4636 wrote to memory of 1064	4636	chkxjn1o.ofl.exe	17
PID 4636 wrote to memory of 1076	4636	chkxjn1o.ofl.exe	18
PID 4636 wrote to memory of 1144	4636	chkxjn1o.ofl.exe	19
PID 4636 wrote to memory of 1204	4636	chkxjn1o.ofl.exe	20
PID 4636 wrote to memory of 1220	4636	chkxjn1o.ofl.exe	21
PID 4636 wrote to memory of 1252	4636	chkxjn1o.ofl.exe	22
PID 4636 wrote to memory of 1368	4636	chkxjn1o.ofl.exe	23
PID 4636 wrote to memory of 1396	4636	chkxjn1o.ofl.exe	24
PID 4636 wrote to memory of 1444	4636	chkxjn1o.ofl.exe	25
PID 4636 wrote to memory of 1456	4636	chkxjn1o.ofl.exe	26
PID 4636 wrote to memory of 1504	4636	chkxjn1o.ofl.exe	27
PID 4636 wrote to memory of 1564	4636	chkxjn1o.ofl.exe	28
PID 4636 wrote to memory of 1628	4636	chkxjn1o.ofl.exe	29
PID 4636 wrote to memory of 1664	4636	chkxjn1o.ofl.exe	30
PID 4636 wrote to memory of 1736	4636	chkxjn1o.ofl.exe	31
PID 4636 wrote to memory of 1764	4636	chkxjn1o.ofl.exe	32
PID 4636 wrote to memory of 1856	4636	chkxjn1o.ofl.exe	33
PID 4636 wrote to memory of 1864	4636	chkxjn1o.ofl.exe	34
PID 4636 wrote to memory of 1912	4636	chkxjn1o.ofl.exe	35
PID 4636 wrote to memory of 1920	4636	chkxjn1o.ofl.exe	36
PID 4636 wrote to memory of 2024	4636	chkxjn1o.ofl.exe	37
PID 4636 wrote to memory of 2076	4636	chkxjn1o.ofl.exe	39
PID 4636 wrote to memory of 2244	4636	chkxjn1o.ofl.exe	40
PID 4636 wrote to memory of 2252	4636	chkxjn1o.ofl.exe	41
PID 4636 wrote to memory of 2400	4636	chkxjn1o.ofl.exe	42
PID 4636 wrote to memory of 2408	4636	chkxjn1o.ofl.exe	43
PID 4636 wrote to memory of 2568	4636	chkxjn1o.ofl.exe	44
PID 4636 wrote to memory of 2596	4636	chkxjn1o.ofl.exe	45
PID 4636 wrote to memory of 2680	4636	chkxjn1o.ofl.exe	46
PID 4636 wrote to memory of 2748	4636	chkxjn1o.ofl.exe	47
PID 4636 wrote to memory of 2760	4636	chkxjn1o.ofl.exe	48
PID 4636 wrote to memory of 2780	4636	chkxjn1o.ofl.exe	49
PID 4636 wrote to memory of 2824	4636	chkxjn1o.ofl.exe	50
PID 4636 wrote to memory of 2888	4636	chkxjn1o.ofl.exe	51
PID 4636 wrote to memory of 2988	4636	chkxjn1o.ofl.exe	52
PID 4636 wrote to memory of 2860	4636	chkxjn1o.ofl.exe	53
PID 4636 wrote to memory of 3444	4636	chkxjn1o.ofl.exe	55
PID 4636 wrote to memory of 3452	4636	chkxjn1o.ofl.exe	56
PID 4636 wrote to memory of 3648	4636	chkxjn1o.ofl.exe	57
PID 4636 wrote to memory of 3836	4636	chkxjn1o.ofl.exe	58
PID 4636 wrote to memory of 4032	4636	chkxjn1o.ofl.exe	60
PID 4636 wrote to memory of 4168	4636	chkxjn1o.ofl.exe	62
PID 4636 wrote to memory of 4156	4636	chkxjn1o.ofl.exe	65
PID 4636 wrote to memory of 552	4636	chkxjn1o.ofl.exe	66
PID 4636 wrote to memory of 1800	4636	chkxjn1o.ofl.exe	68
PID 4636 wrote to memory of 1488	4636	chkxjn1o.ofl.exe	69
PID 4636 wrote to memory of 4868	4636	chkxjn1o.ofl.exe	70
PID 4636 wrote to memory of 1096	4636	chkxjn1o.ofl.exe	71
PID 4636 wrote to memory of 4484	4636	chkxjn1o.ofl.exe	72
PID 4636 wrote to memory of 4424	4636	chkxjn1o.ofl.exe	73
PID 4636 wrote to memory of 4560	4636	chkxjn1o.ofl.exe	74
PID 4636 wrote to memory of 2712	4636	chkxjn1o.ofl.exe	76
PID 4636 wrote to memory of 1716	4636	chkxjn1o.ofl.exe	77
PID 4636 wrote to memory of 5056	4636	chkxjn1o.ofl.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1144
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2888
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1396
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1920

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2748

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2824

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3444

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\chkxjn1o.ofl.exe
    "C:\Users\Admin\AppData\Local\Temp\chkxjn1o.ofl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4636
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXClient.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XClient.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4872
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXClient.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XClient.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:100
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1792
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4112
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4060
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1288
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4868

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1096

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2712

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1716

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3520

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b6b5d39c37041e5e8fcd915bf6fe1a06 lEXGqPLLbU6AC8HECirSJQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3464
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Writes to the Master Boot Record (MBR)
PID:4216

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC796.tmp.csv

Filesize
39KB

MD5
fd0295c717dd5798e11081f20f93a483

SHA1
947896f1b62170e352923d14442d3c3ad3fa29cc

SHA256
b48c99281c29bb2223a7963449d1e759fc303a810de76aad6d8d7e9954565c7f

SHA512
2127d709ddf45b9c35f101cf1e7097937f7aff4b4394e68ee9395830cc68cc839f442930bdf7ff23df5531a775710f7b3cc29a434deea5a2d29759f52f12d74b

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7C5.tmp.txt

Filesize
13KB

MD5
65bd6a548ff996393fcc9b1d41d642b6

SHA1
3d6e785ad806fdf6c5bdbf5f6c04defcb1139276

SHA256
2d843b0329d38519b64b48769854ca22e91a7aac0edd237b61883607c96b6c08

SHA512
eb107b58f6fd3e1905658f44e48d3d4f5735ba916088bf725e1ae5e6a18c0f687b3174e0f915d469115bbc7086bfd20a0b6908debe86c3821bffd1c761c00c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aba273eeba4876ea41ee0e64b4cbb51d

SHA1
bef5f75b81cf27268dc0d0f30f00b022f9288db9

SHA256
67fc3f5c3407858793c6fac6131b0f340667ffc567fa76b43245ecf2621322c9

SHA512
23dc2f0cfc68194dcbf407a6528cf9f9a8aa89f4821be22413bde036ae5ca44144b568aa3160372b9741f3d0f5baa48dff8a8b582bdedc3ad3fb121af340c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
481c1608c2bec426ca209e8800611abd

SHA1
5df5a08760b0e5c56cb9daf768894435354d2651

SHA256
44e538c7570e175634f9929d350a79203730fcb753638f611a1dd4780ec430ed

SHA512
5a87762225beffbd34048fd0d617a75eff25ca6dfe47c258cdfad8c841f8b0b4144ae8c7ef04ee5de36987cb6ae0953499d5fa27b2100483a8042ee5e27d190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqu3cbu1.qyg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\chkxjn1o.ofl.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
memory/516-39-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/516-41-0x00000163021A0000-0x00000163021CB000-memory.dmp

Filesize
172KB

Download
memory/516-423-0x00000163021A0000-0x00000163021CB000-memory.dmp

Filesize
172KB

Download
memory/516-38-0x00000163021A0000-0x00000163021CB000-memory.dmp

Filesize
172KB

Download
memory/608-26-0x00000204A4F40000-0x00000204A4F6B000-memory.dmp

Filesize
172KB

Download
memory/608-27-0x00007FFFBB30D000-0x00007FFFBB30E000-memory.dmp

Filesize
4KB

Download
memory/608-13-0x00000204A4F10000-0x00000204A4F35000-memory.dmp

Filesize
148KB

Download
memory/608-14-0x00000204A4F40000-0x00000204A4F6B000-memory.dmp

Filesize
172KB

Download
memory/608-15-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/672-19-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/672-18-0x000002B5C7000000-0x000002B5C702B000-memory.dmp

Filesize
172KB

Download
memory/672-28-0x000002B5C7000000-0x000002B5C702B000-memory.dmp

Filesize
172KB

Download
memory/952-33-0x0000017147ED0000-0x0000017147EFB000-memory.dmp

Filesize
172KB

Download
memory/952-36-0x0000017147ED0000-0x0000017147EFB000-memory.dmp

Filesize
172KB

Download
memory/952-345-0x0000017147ED0000-0x0000017147EFB000-memory.dmp

Filesize
172KB

Download
memory/952-34-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/992-47-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/992-464-0x000002021B200000-0x000002021B22B000-memory.dmp

Filesize
172KB

Download
memory/992-58-0x000002021B200000-0x000002021B22B000-memory.dmp

Filesize
172KB

Download
memory/992-46-0x000002021B200000-0x000002021B22B000-memory.dmp

Filesize
172KB

Download
memory/1020-30-0x00007FFFBB30C000-0x00007FFFBB30D000-memory.dmp

Filesize
4KB

Download
memory/1020-31-0x00007FFFBB30F000-0x00007FFFBB310000-memory.dmp

Filesize
4KB

Download
memory/1020-32-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1020-29-0x0000023F1A7A0000-0x0000023F1A7CB000-memory.dmp

Filesize
172KB

Download
memory/1020-23-0x0000023F1A7A0000-0x0000023F1A7CB000-memory.dmp

Filesize
172KB

Download
memory/1064-465-0x000001690A360000-0x000001690A38B000-memory.dmp

Filesize
172KB

Download
memory/1064-50-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1064-49-0x000001690A360000-0x000001690A38B000-memory.dmp

Filesize
172KB

Download
memory/1064-59-0x000001690A360000-0x000001690A38B000-memory.dmp

Filesize
172KB

Download
memory/1076-53-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1076-52-0x000001F808DD0000-0x000001F808DFB000-memory.dmp

Filesize
172KB

Download
memory/1144-55-0x0000020FDC490000-0x0000020FDC4BB000-memory.dmp

Filesize
172KB

Download
memory/1144-56-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1204-61-0x0000017241B90000-0x0000017241BBB000-memory.dmp

Filesize
172KB

Download
memory/1204-62-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1220-72-0x000001E7AD970000-0x000001E7AD99B000-memory.dmp

Filesize
172KB

Download
memory/1220-73-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1252-76-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1252-75-0x000002825B650000-0x000002825B67B000-memory.dmp

Filesize
172KB

Download
memory/1368-79-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1368-78-0x000001D326C90000-0x000001D326CBB000-memory.dmp

Filesize
172KB

Download
memory/1396-81-0x000001D1A4970000-0x000001D1A499B000-memory.dmp

Filesize
172KB

Download
memory/1396-82-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/1456-83-0x000001EDA7160000-0x000001EDA718B000-memory.dmp

Filesize
172KB

Download
memory/1456-85-0x00007FFF7B2F0000-0x00007FFF7B300000-memory.dmp

Filesize
64KB

Download
memory/3748-297-0x00000276659B0000-0x00000276659D8000-memory.dmp

Filesize
160KB

Download
memory/3748-466-0x0000027665840000-0x0000027665850000-memory.dmp

Filesize
64KB

Download
memory/3748-291-0x00007FFF9D1B3000-0x00007FFF9D1B5000-memory.dmp

Filesize
8KB

Download
memory/3748-0-0x00007FFF9D1B3000-0x00007FFF9D1B5000-memory.dmp

Filesize
8KB

Download
memory/3748-2-0x00000276654D0000-0x00000276654FC000-memory.dmp

Filesize
176KB

Download
memory/3748-1-0x000002764B110000-0x000002764B16A000-memory.dmp

Filesize
360KB

Download
memory/4528-355-0x000001AF74F80000-0x000001AF74FA2000-memory.dmp

Filesize
136KB

Download
memory/4636-12-0x00007FFFBAC40000-0x00007FFFBACFE000-memory.dmp

Filesize
760KB

Download
memory/4636-11-0x00007FFFBB270000-0x00007FFFBB465000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads