amadey | 4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df

Analysis

max time kernel
108s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-05-2022 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
Size

23KB
MD5

f6a89138844ae967a364d21960ecf30d
SHA1

49fedb666276b477e636e493be47d1011fddbf06
SHA256

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df
SHA512

af81ed3093e5a46fad90efc073ea353bf3a192aa21081f2811d54cae2b8aaaaebf7e351f06f1d1dad22fef68ac5dc326333bdaec1ac0958fe716c111bfd25a30

Score

10^/10

amadey quasar malek evasion persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

190.123.44.138/Qbv2ff03/index.php

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Malek

54.237.250.208:5553

Mutex

COjIFE2SxD895kMBY2

Attributes

encryption_key
1Xdt7BW8AuSSiRQFMe7U
install_name
Notepad.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Notepad
subdirectory

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Quasar Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
behavioral2/memory/3144-144-0x0000000000CB0000-0x0000000000DB4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Notepad.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Notepad.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Notepad.exeNotepad.exe

pid process

3144 Notepad.exe
5116 Notepad.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3144	Notepad.exe
5116	Notepad.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exeNotepad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Notepad.exe

Drops startup file 2 IoCs

Processes:

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4864 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4864	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ip-api.com
38 api.ipify.org

flow	ioc
26	ip-api.com
38	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe

description	pid	process	target process
PID 3012 set thread context of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

Notepad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\shell\open\command\	Notepad.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exerundll32.exepowershell.exe

pid	process
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
4864	rundll32.exe
4864	rundll32.exe
208	powershell.exe
4864	rundll32.exe
4864	rundll32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exeNotepad.exeNotepad.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
Token: SeDebugPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeSecurityPrivilege	3144	Notepad.exe
Token: SeBackupPrivilege	3144	Notepad.exe
Token: SeDebugPrivilege	5116	Notepad.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exeNotepad.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 3012 wrote to memory of 4936	3012	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
PID 4936 wrote to memory of 3144	4936	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	Notepad.exe
PID 4936 wrote to memory of 3144	4936	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	Notepad.exe
PID 4936 wrote to memory of 3144	4936	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	Notepad.exe
PID 3144 wrote to memory of 5116	3144	Notepad.exe	Notepad.exe
PID 3144 wrote to memory of 5116	3144	Notepad.exe	Notepad.exe
PID 3144 wrote to memory of 5116	3144	Notepad.exe	Notepad.exe
PID 3144 wrote to memory of 1136	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 1136	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 1136	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 1756	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 1756	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 1756	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 2124	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 2124	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 2124	3144	Notepad.exe	cmd.exe
PID 1136 wrote to memory of 208	1136	cmd.exe	powershell.exe
PID 1136 wrote to memory of 208	1136	cmd.exe	powershell.exe
PID 1136 wrote to memory of 208	1136	cmd.exe	powershell.exe
PID 3144 wrote to memory of 876	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 876	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 876	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 3888	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 3888	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 3888	3144	Notepad.exe	cmd.exe
PID 1756 wrote to memory of 384	1756	cmd.exe	powershell.exe
PID 1756 wrote to memory of 384	1756	cmd.exe	powershell.exe
PID 1756 wrote to memory of 384	1756	cmd.exe	powershell.exe
PID 3144 wrote to memory of 2396	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 2396	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 2396	3144	Notepad.exe	cmd.exe
PID 4936 wrote to memory of 4864	4936	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	rundll32.exe
PID 4936 wrote to memory of 4864	4936	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	rundll32.exe
PID 4936 wrote to memory of 4864	4936	4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe	rundll32.exe
PID 3144 wrote to memory of 4472	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 4472	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 4472	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 4108	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 4108	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 4108	3144	Notepad.exe	cmd.exe
PID 2124 wrote to memory of 4620	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 4620	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 4620	2124	cmd.exe	powershell.exe
PID 876 wrote to memory of 1564	876	cmd.exe	powershell.exe
PID 876 wrote to memory of 1564	876	cmd.exe	powershell.exe
PID 876 wrote to memory of 1564	876	cmd.exe	powershell.exe
PID 3144 wrote to memory of 924	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 924	3144	Notepad.exe	cmd.exe
PID 3144 wrote to memory of 924	3144	Notepad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
"C:\Users\Admin\AppData\Local\Temp\4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
"C:\Users\Admin\AppData\Local\Temp\4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Roaming\Notepad.exe
"C:\Users\Admin\AppData\Roaming\Notepad.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\ & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper
5⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom.exe & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom.exe
5⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe & exit
4⤵
PID:3888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe
5⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe & exit
4⤵
PID:2396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe
5⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\enableff.exe & exit
4⤵
PID:4472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\enableff.exe
5⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Adduser.exe & exit
4⤵
PID:4108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Adduser.exe
5⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe & exit
4⤵
PID:924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe
5⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomadd.exe & exit
4⤵
PID:4428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomadd.exe
5⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomdpr.exe & exit
4⤵
PID:2436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\Venomdpr.exe
5⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe & exit
4⤵
PID:5052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe
5⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe & exit
4⤵
PID:4384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe
5⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\update.exe & exit
4⤵
PID:3732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Venom\update.exe
5⤵
PID:204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\VenomDWelbasiD.exe & exit
4⤵
PID:4160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\VenomDWelbasiD.exe
5⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\allow.exe & exit
4⤵
PID:2692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\allow.exe
5⤵
PID:5212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\enableff.exe & exit
4⤵
PID:4488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\enableff.exe
5⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper & exit
4⤵
PID:3340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper
5⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files (x86)\RDP Wrapper & exit
4⤵
PID:2768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files (x86)\RDP Wrapper
5⤵
PID:5604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5901 & exit
4⤵
PID:4104

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5901
5⤵
PID:5744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5900 & exit
4⤵
PID:4920

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5900
5⤵
PID:5928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-ngrok" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" enable=yes & exit
4⤵
PID:2180

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Venom-ngrok" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" enable=yes
5⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" enable=yes & exit
4⤵
PID:5152

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" enable=yes
5⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes & exit
4⤵
PID:5236

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes
5⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" enable=yes & exit
4⤵
PID:5376

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" enable=yes
5⤵
PID:5920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" enable=yes & exit
4⤵
PID:5524

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" enable=yes
5⤵
PID:6000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes & exit
4⤵
PID:5664

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes
5⤵
PID:6200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Service" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" enable=yes & exit
4⤵
PID:6016

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Windows Service" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" enable=yes
5⤵
PID:6520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Folder" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" enable=yes & exit
4⤵
PID:5840

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Windows Folder" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" enable=yes
5⤵
PID:6284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Task" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\update.exe" enable=yes & exit
4⤵
PID:3112

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Windows Task" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\update.exe" enable=yes
5⤵
PID:6712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" enable=yes & exit
4⤵
PID:2348

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Windows" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" enable=yes
5⤵
PID:6776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows System" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" enable=yes & exit
4⤵
PID:1560

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Windows System" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" enable=yes
5⤵
PID:6916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow & exit
4⤵
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow
5⤵
PID:7108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "vnc" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow & exit
4⤵
PID:3368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "vnc" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow
5⤵
PID:6292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow & exit
4⤵
PID:5476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow
5⤵
PID:7164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "vnc" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow & exit
4⤵
PID:6168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "vnc" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow
5⤵
PID:6228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "rdp" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
4⤵
PID:6264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "rdp" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow
5⤵
PID:5160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "rdp" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
4⤵
PID:6388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "rdp" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow
5⤵
PID:6944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Google" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow & exit
4⤵
PID:6492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Google" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow
5⤵
PID:6424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Google" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow & exit
4⤵
PID:6592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Google" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow
5⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow & exit
4⤵
PID:6744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow
5⤵
PID:6652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow & exit
4⤵
PID:6836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow
5⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
4⤵
PID:6908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow
5⤵
PID:6532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
4⤵
PID:7036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow
5⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow & exit
4⤵
PID:7156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow
5⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow & exit
4⤵
PID:5768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow
5⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow & exit
4⤵
PID:6156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow
5⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow & exit
4⤵
PID:6800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow
5⤵
PID:5192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow & exit
4⤵
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow
5⤵
PID:5620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow & exit
4⤵
PID:5684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow
5⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow & exit
4⤵
PID:5992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow
5⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow & exit
4⤵
PID:5928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow
5⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow & exit
4⤵
PID:4260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow
5⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow & exit
4⤵
PID:5424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow
5⤵
PID:6072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b wusa /uninstall /kb:4471332 /quiet & exit
4⤵
PID:2324

C:\Windows\SysWOW64\wusa.exe
wusa /uninstall /kb:4471332 /quiet
5⤵
PID:5088

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll, Main
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
f7659f2fa1c6bab42d2385d020c20d7a

SHA1
a2da73dd66384233072454048279ee00b8c10273

SHA256
a23e865f32aff470b9f5310d56376c1629878c15ad98d604331312f12ac7cdea

SHA512
534ac44c6d45f3a30df98c36dcef3f9ec2cbd488ad0d7117ae4450ec93016cb067d3f4d01d25a248febe2ad41b9d393d20620e6d0a46553e7cc502892364fca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
f7659f2fa1c6bab42d2385d020c20d7a

SHA1
a2da73dd66384233072454048279ee00b8c10273

SHA256
a23e865f32aff470b9f5310d56376c1629878c15ad98d604331312f12ac7cdea

SHA512
534ac44c6d45f3a30df98c36dcef3f9ec2cbd488ad0d7117ae4450ec93016cb067d3f4d01d25a248febe2ad41b9d393d20620e6d0a46553e7cc502892364fca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
6466a89da97f9cf1a8e35095ca4945b6

SHA1
9df375125bedd7a98435b99faff32846d551750e

SHA256
1019033809ee2aa526e100b14c5bb994c91d89a159ece03feb69f64970fea1a0

SHA512
218878641739e69f1042e7450fd842f1c22e22009e6a2564d99304a842703f8f96e410e636df1fff831a8da9273fda869323aecadaf360b62cc2ece018d62c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
5f6819c13af51fda896171c1a136cdf8

SHA1
04acad46a0037d00967f588b622c5368948bd8ad

SHA256
0cec24a3ae8449919ad4516fc1306e0f552e580f7cf7b86814c5812984021c75

SHA512
2cd419c1d5e693bc6133df1d6a895a45a7a4a839e851b80394edeed4435048f04967ef206ae17771c11d6aca9986c0393ecdf04f03acdbc82e055d83a78c56d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
d21a7022f6517884ea857c61ec882881

SHA1
3e42df6024c3966aebfb71bd7da482a23bccf7c4

SHA256
bf27e82d6f6999d2c56194e3dc83e455f77e7b4b24fee46ecd0f00eb27ad9de0

SHA512
7c335d484de7aecd91bebb0a23e8b3d53635490e9cfc7a9c5b50df441c72f256cf373a5b53dba5dbf1c744b84a4e7b993fbf3de8ab5c6bb93a46dc4bf6cfb87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
d21a7022f6517884ea857c61ec882881

SHA1
3e42df6024c3966aebfb71bd7da482a23bccf7c4

SHA256
bf27e82d6f6999d2c56194e3dc83e455f77e7b4b24fee46ecd0f00eb27ad9de0

SHA512
7c335d484de7aecd91bebb0a23e8b3d53635490e9cfc7a9c5b50df441c72f256cf373a5b53dba5dbf1c744b84a4e7b993fbf3de8ab5c6bb93a46dc4bf6cfb87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
d21a7022f6517884ea857c61ec882881

SHA1
3e42df6024c3966aebfb71bd7da482a23bccf7c4

SHA256
bf27e82d6f6999d2c56194e3dc83e455f77e7b4b24fee46ecd0f00eb27ad9de0

SHA512
7c335d484de7aecd91bebb0a23e8b3d53635490e9cfc7a9c5b50df441c72f256cf373a5b53dba5dbf1c744b84a4e7b993fbf3de8ab5c6bb93a46dc4bf6cfb87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
ab2dde411dd98ebd08676d6942a295a8

SHA1
4244a92e08880ced49e93ae650c16a68ae71fe0d

SHA256
133be40510bbb92eb61f002bb1607cf70d1d40afdefe981b41f9471b6d09b7dc

SHA512
c7414ea172361d5136804fb2394f119f91a51af54aec94221454067e64b16726919f84c082502be039ed193b5c95280934f8e6500d9f96cdcf9fff4c2461e3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
654abd1e77ca622b3031476c45dfb0f5

SHA1
ad374b11b9184dbd94dfe8256fe688e9aacf08f5

SHA256
a555318246655943c00a7bafe37e30b10b16cb8a17a60b75cde128c55117b1b4

SHA512
2896f577570371b7299d7964519abeaf94495aab51807eff5221bc635d245b5798f389a3020217e471d885b90d83ae63e5d9e2451699d2526f481ecb9499eca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
fe0960348bcf3a3abce117d64167fb11

SHA1
eec7682c50e49407f4180883d164fa858854225f

SHA256
d364d2ee5cc3b2fb93ef19294789479012905f79afa9cc3fc4c203834cb89fe8

SHA512
6adeb52aae212b719ea602f8e42594aec92e0f77120b776fb1264fc1cf48418b41f393df907e362e02b9e28a55b6fc6555923910c15d9563900d07e588ca98c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
fe0960348bcf3a3abce117d64167fb11

SHA1
eec7682c50e49407f4180883d164fa858854225f

SHA256
d364d2ee5cc3b2fb93ef19294789479012905f79afa9cc3fc4c203834cb89fe8

SHA512
6adeb52aae212b719ea602f8e42594aec92e0f77120b776fb1264fc1cf48418b41f393df907e362e02b9e28a55b6fc6555923910c15d9563900d07e588ca98c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
5b3a21af1ed8ca6a34f6150186af3b7d

SHA1
d2cbaef1b614141731718103c8cc05cead9b9232

SHA256
ca627dddb40af9eca64ced45134f034831900b6a114d62d60a2f5481dbbca1df

SHA512
26c958c9a60ecc9d2d54d77d4537e0529a87beb39aaa1a77f75cbb912a73002ea076a84d700b29828f78894edf2c568d73017d67cdfd6108e864bc220b46d0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
5b3a21af1ed8ca6a34f6150186af3b7d

SHA1
d2cbaef1b614141731718103c8cc05cead9b9232

SHA256
ca627dddb40af9eca64ced45134f034831900b6a114d62d60a2f5481dbbca1df

SHA512
26c958c9a60ecc9d2d54d77d4537e0529a87beb39aaa1a77f75cbb912a73002ea076a84d700b29828f78894edf2c568d73017d67cdfd6108e864bc220b46d0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
da3c79443b47072c126c666afd4f78c6

SHA1
0c52ca635332bb00c6f31a3892c7aeec811e0822

SHA256
29e9db53622c49efe90a6d89713bfd447fa6af229143bf3bb70cc48d28dbf84b

SHA512
e05fae60fcff9bfbb496be7af2faeb132255b627c7011b76368131da9e89f059f5205cc8b006d50c938a85edd317e57a5d34eca97dc65dd42338e05cc402ad3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
da3c79443b47072c126c666afd4f78c6

SHA1
0c52ca635332bb00c6f31a3892c7aeec811e0822

SHA256
29e9db53622c49efe90a6d89713bfd447fa6af229143bf3bb70cc48d28dbf84b

SHA512
e05fae60fcff9bfbb496be7af2faeb132255b627c7011b76368131da9e89f059f5205cc8b006d50c938a85edd317e57a5d34eca97dc65dd42338e05cc402ad3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
093b2b42faf9f48e9e4d2fded6ddedc7

SHA1
30efc29a1718f51fa79f7d1a90cf3b06760e3394

SHA256
06a7956058fd3b81f41d2a6ce54e09b9cb38570583f705be91e0c0dd9f53eeec

SHA512
5bca7747d59324509e1f77ae577160375ef9c01e08cdaf2f0f7c2560798e213e60b4377c226b7bafabe17908b44a429c46ce46dfcf7a1f4aa166c573161682ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
4af579084a98e6230fd5f8ada37ea2bd

SHA1
456a4b940c3d14d57a85fe34d4e11b60099bb454

SHA256
21613326709e5e6d22c714de036eab4d4545a4163bced82f279d69b640b49c91

SHA512
2108e2ae829d858d3d416f33009ad951441b30cb3ea28cd4bb2ef3f91bc7fa7e21323b0d720bd7f02cd584f1469965b5327ce27396451f365c01f5c723ee3404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
6695b584c0395ca402870b705287aaf6

SHA1
9e7a60b73944acbc1dad1d4b30c74f31943f5ce8

SHA256
5398155ba1388817c238923c6d3fcd4b3a8e61d0970eac8312d1b343d2bfde9b

SHA512
a647fe51a698aeed478d744edc2d810eaed2607a32be06864d4a1f651eb79c5abff496464f3e77133665cb8797bdb0f3c324c8e70860d5d4e892f2c64ed8dd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
C:\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll
Filesize
126KB

MD5
cab629e61884212c046e0147a3585f5f

SHA1
10265561adbdfb39dac01337468f183c336fcd71

SHA256
3dfdec90c5e2ebde218405a6f6283637c12dca1b4a7bc465c9b752b8f700c6e9

SHA512
fbdfb02cf61e510690742429168db1378d7c09df7441b09d771371833861c58d673913f93c20583d66891b3883b6ecce19313a966471c2f79c3e9482bdf5e9a9

Download Submit
C:\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll
Filesize
126KB

MD5
cab629e61884212c046e0147a3585f5f

SHA1
10265561adbdfb39dac01337468f183c336fcd71

SHA256
3dfdec90c5e2ebde218405a6f6283637c12dca1b4a7bc465c9b752b8f700c6e9

SHA512
fbdfb02cf61e510690742429168db1378d7c09df7441b09d771371833861c58d673913f93c20583d66891b3883b6ecce19313a966471c2f79c3e9482bdf5e9a9

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
memory/204-236-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/204-190-0x0000000000000000-mapping.dmp

Download
memory/208-156-0x00000000030A0000-0x00000000030D6000-memory.dmp

Filesize
216KB

Download
memory/208-206-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/208-207-0x0000000006B80000-0x0000000006B9E000-memory.dmp

Filesize
120KB

Download
memory/208-160-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/208-204-0x0000000007820000-0x0000000007852000-memory.dmp

Filesize
200KB

Download
memory/208-153-0x0000000000000000-mapping.dmp

Download
memory/208-168-0x0000000005EF0000-0x0000000005F12000-memory.dmp

Filesize
136KB

Download
memory/208-184-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/208-170-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/384-210-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/384-157-0x0000000000000000-mapping.dmp

Download
memory/384-219-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/876-154-0x0000000000000000-mapping.dmp

Download
memory/924-167-0x0000000000000000-mapping.dmp

Download
memory/1136-150-0x0000000000000000-mapping.dmp

Download
memory/1284-191-0x0000000000000000-mapping.dmp

Download
memory/1284-237-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/1440-282-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/1532-223-0x0000000000000000-mapping.dmp

Download
memory/1560-220-0x0000000000000000-mapping.dmp

Download
memory/1564-214-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/1564-212-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/1564-166-0x0000000000000000-mapping.dmp

Download
memory/1592-173-0x0000000000000000-mapping.dmp

Download
memory/1592-231-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/1684-241-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/1684-194-0x0000000000000000-mapping.dmp

Download
memory/1756-151-0x0000000000000000-mapping.dmp

Download
memory/1924-281-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/2124-152-0x0000000000000000-mapping.dmp

Download
memory/2128-227-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/2128-176-0x0000000000000000-mapping.dmp

Download
memory/2180-193-0x0000000000000000-mapping.dmp

Download
memory/2228-228-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/2228-175-0x0000000000000000-mapping.dmp

Download
memory/2348-217-0x0000000000000000-mapping.dmp

Download
memory/2396-158-0x0000000000000000-mapping.dmp

Download
memory/2436-171-0x0000000000000000-mapping.dmp

Download
memory/2508-182-0x0000000000000000-mapping.dmp

Download
memory/2508-233-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/2692-181-0x0000000000000000-mapping.dmp

Download
memory/2768-188-0x0000000000000000-mapping.dmp

Download
memory/2940-186-0x0000000000000000-mapping.dmp

Download
memory/2940-234-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/3012-130-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/3012-131-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/3012-132-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/3012-133-0x0000000002B50000-0x0000000002B5A000-memory.dmp

Filesize
40KB

Download
memory/3012-134-0x00000000065B0000-0x000000000664C000-memory.dmp

Filesize
624KB

Download
memory/3012-135-0x0000000006650000-0x00000000066B6000-memory.dmp

Filesize
408KB

Download
memory/3112-215-0x0000000000000000-mapping.dmp

Download
memory/3144-260-0x0000000006400000-0x000000000644A000-memory.dmp

Filesize
296KB

Download
memory/3144-144-0x0000000000CB0000-0x0000000000DB4000-memory.dmp

Filesize
1.0MB

Download
memory/3144-145-0x0000000006450000-0x0000000006462000-memory.dmp

Filesize
72KB

Download
memory/3144-141-0x0000000000000000-mapping.dmp

Download
memory/3340-185-0x0000000000000000-mapping.dmp

Download
memory/3456-232-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/3456-180-0x0000000000000000-mapping.dmp

Download
memory/3532-230-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/3532-178-0x0000000000000000-mapping.dmp

Download
memory/3648-280-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/3732-177-0x0000000000000000-mapping.dmp

Download
memory/3888-155-0x0000000000000000-mapping.dmp

Download
memory/4084-218-0x0000000000000000-mapping.dmp

Download
memory/4104-189-0x0000000000000000-mapping.dmp

Download
memory/4108-164-0x0000000000000000-mapping.dmp

Download
memory/4160-179-0x0000000000000000-mapping.dmp

Download
memory/4384-174-0x0000000000000000-mapping.dmp

Download
memory/4428-169-0x0000000000000000-mapping.dmp

Download
memory/4472-161-0x0000000000000000-mapping.dmp

Download
memory/4488-183-0x0000000000000000-mapping.dmp

Download
memory/4620-239-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/4620-224-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/4620-209-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/4620-165-0x0000000000000000-mapping.dmp

Download
memory/4620-240-0x00000000078C0000-0x00000000078C8000-memory.dmp

Filesize
32KB

Download
memory/4620-216-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/4620-238-0x00000000077D0000-0x00000000077DE000-memory.dmp

Filesize
56KB

Download
memory/4864-159-0x0000000000000000-mapping.dmp

Download
memory/4868-285-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/4872-283-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/4920-192-0x0000000000000000-mapping.dmp

Download
memory/4936-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-136-0x0000000000000000-mapping.dmp

Download
memory/4992-235-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/4992-187-0x0000000000000000-mapping.dmp

Download
memory/5052-172-0x0000000000000000-mapping.dmp

Download
memory/5116-149-0x0000000005FE0000-0x000000000601C000-memory.dmp

Filesize
240KB

Download
memory/5116-146-0x0000000000000000-mapping.dmp

Download
memory/5152-195-0x0000000000000000-mapping.dmp

Download
memory/5160-269-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5192-279-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5212-242-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5212-196-0x0000000000000000-mapping.dmp

Download
memory/5236-197-0x0000000000000000-mapping.dmp

Download
memory/5276-246-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5276-198-0x0000000000000000-mapping.dmp

Download
memory/5376-199-0x0000000000000000-mapping.dmp

Download
memory/5416-247-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5416-200-0x0000000000000000-mapping.dmp

Download
memory/5448-222-0x0000000000000000-mapping.dmp

Download
memory/5476-225-0x0000000000000000-mapping.dmp

Download
memory/5512-221-0x0000000000000000-mapping.dmp

Download
memory/5524-201-0x0000000000000000-mapping.dmp

Download
memory/5556-276-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5604-253-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5604-202-0x0000000000000000-mapping.dmp

Download
memory/5620-284-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5648-275-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/5664-203-0x0000000000000000-mapping.dmp

Download
memory/5744-205-0x0000000000000000-mapping.dmp

Download
memory/5840-208-0x0000000000000000-mapping.dmp

Download
memory/5920-226-0x0000000000000000-mapping.dmp

Download
memory/5928-211-0x0000000000000000-mapping.dmp

Download
memory/6000-229-0x0000000000000000-mapping.dmp

Download
memory/6016-213-0x0000000000000000-mapping.dmp

Download
memory/6228-268-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/6292-278-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/6292-265-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/6424-273-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/6532-274-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/6652-272-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/6944-267-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/7108-264-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download
memory/7164-277-0x0000000006800000-0x000000000680E000-memory.dmp

Filesize
56KB

Download
memory/7164-266-0x000000006E7D0000-0x000000006E81C000-memory.dmp

Filesize
304KB

Download