quasar | 4576693687b188ea748add6660d7eee2dd3bdb86a60a9cf8dc99c0d191d61303

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa48fe6b5774a66cab06338fa55d17de.exe
Size

16.7MB
MD5

aa48fe6b5774a66cab06338fa55d17de
SHA1

a734431bb537225596ef3ea0674944b2ecd6fe22
SHA256

4576693687b188ea748add6660d7eee2dd3bdb86a60a9cf8dc99c0d191d61303
SHA512

9e7e64ce6c54ac98e54ee8f7eb576849bad99ec4281786023b948deb65067917929099a56f802079cda98761733184f7981a164a1200b5062a26fd3d176eb680
SSDEEP

393216:dRwHfrE1h2ye2vmGpEeaQrg8OUEsf3iCZOuko4xgWL74hwtG1ZtJRjHYX:8HfrEKgJeehrSW3NOVoudPliZtTHYX

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
V8QkE5vrgV4DVybE2MTP
install_name
$77Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
Discord

Signatures

Contains code to disable Windows Defender 19 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
C:\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
C:\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
C:\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
behavioral1/memory/2824-72-0x0000000000F00000-0x0000000000F96000-memory.dmp	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
C:\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
behavioral1/memory/2912-82-0x00000000011C0000-0x0000000001256000-memory.dmp	disable_win_def
C:\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
C:\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
behavioral1/memory/1700-175-0x0000000004730000-0x0000000004770000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

$77-Venom.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	$77-Venom.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 19 IoCs

Processes:

resource	yara_rule
\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
C:\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
C:\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
C:\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
behavioral1/memory/2824-72-0x0000000000F00000-0x0000000000F96000-memory.dmp	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
C:\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
behavioral1/memory/2912-82-0x00000000011C0000-0x0000000001256000-memory.dmp	family_quasar
C:\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
C:\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
behavioral1/memory/1700-175-0x0000000004730000-0x0000000004770000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Nirsoft 7 IoCs

Processes:

resource	yara_rule
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe

pid	process
1680	cmd.exe

Executes dropped EXE 9 IoCs

Processes:

windows_defender_bypass.exeDiscord.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe$77-Venom.exe$77Discord.exe$77-Venom.exe

pid	process
2396	windows_defender_bypass.exe
2788	Discord.exe
2588	AdvancedRun.exe
1712	AdvancedRun.exe
2636	AdvancedRun.exe
1872	AdvancedRun.exe
2824	$77-Venom.exe
2912	$77Discord.exe
1700	$77-Venom.exe

Loads dropped DLL 21 IoCs

Processes:

aa48fe6b5774a66cab06338fa55d17de.exewindows_defender_bypass.exeDiscord.exe$77-Venom.exeWerFault.exe

pid	process
1144	aa48fe6b5774a66cab06338fa55d17de.exe
1144	aa48fe6b5774a66cab06338fa55d17de.exe
1144	aa48fe6b5774a66cab06338fa55d17de.exe
1144	aa48fe6b5774a66cab06338fa55d17de.exe
1144	aa48fe6b5774a66cab06338fa55d17de.exe
1144	aa48fe6b5774a66cab06338fa55d17de.exe
1144	aa48fe6b5774a66cab06338fa55d17de.exe
1144	aa48fe6b5774a66cab06338fa55d17de.exe
2396	windows_defender_bypass.exe
2396	windows_defender_bypass.exe
2396	windows_defender_bypass.exe
2788	Discord.exe
2788	Discord.exe
2788	Discord.exe
2788	Discord.exe
2824	$77-Venom.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

$77-Venom.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77-Venom.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

$77Discord.exe$77-Venom.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Discord	$77Discord.exe
File created	C:\Windows\SysWOW64\Discord\r77-x64.dll	$77-Venom.exe
File created	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77Discord.exe

Drops file in Program Files directory 18 IoCs

Processes:

windows_defender_bypass.exeDiscord.exepowershell.exeaa48fe6b5774a66cab06338fa55d17de.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows_Defender\AdvancedRun.exe	windows_defender_bypass.exe
File opened for modification	C:\Program Files\Windows_Defender\16384.rnd	Discord.exe
File opened for modification	C:\Program Files\Windows_Defender\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\Windows_Update\Discord.exe	aa48fe6b5774a66cab06338fa55d17de.exe
File opened for modification	C:\Program Files\Windows_Defender	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\Test.bat	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\$77-Venom.exe	Discord.exe
File created	C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe	aa48fe6b5774a66cab06338fa55d17de.exe
File opened for modification	C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe	aa48fe6b5774a66cab06338fa55d17de.exe
File created	C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259410349	windows_defender_bypass.exe
File opened for modification	C:\Program Files\Windows_Defender\$77-Venom.exe	Discord.exe
File created	C:\Program Files\Windows_Defender\16384.rnd	Discord.exe
File opened for modification	C:\Program Files\Windows_Update	aa48fe6b5774a66cab06338fa55d17de.exe
File opened for modification	C:\Program Files\Windows_Update\Discord.exe	aa48fe6b5774a66cab06338fa55d17de.exe
File opened for modification	C:\Program Files\Windows_Defender\Test.bat	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\AdvancedRun.exe	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259410646	Discord.exe
File created	C:\Program Files\Windows_Update\__tmp_rar_sfx_access_check_259409366	aa48fe6b5774a66cab06338fa55d17de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2152 2912 WerFault.exe $77Discord.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2632 schtasks.exe
1524 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

796 PING.EXE
1736 PING.EXE

pid	pid_target	process	target process
2152	2912	WerFault.exe	$77Discord.exe

pid	process
2632	schtasks.exe
1524	schtasks.exe

pid	process
796	PING.EXE
1736	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exe$77-Venom.exe$77-Venom.exe

pid	process
2588	AdvancedRun.exe
2588	AdvancedRun.exe
1712	AdvancedRun.exe
1712	AdvancedRun.exe
2636	AdvancedRun.exe
2636	AdvancedRun.exe
1872	AdvancedRun.exe
1872	AdvancedRun.exe
2928	powershell.exe
2824	$77-Venom.exe
2824	$77-Venom.exe
2824	$77-Venom.exe
2824	$77-Venom.exe
2824	$77-Venom.exe
2824	$77-Venom.exe
2824	$77-Venom.exe
1700	$77-Venom.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe$77-Venom.exe$77Discord.exepowershell.exe$77-Venom.exe

description	pid	process
Token: SeDebugPrivilege	2588	AdvancedRun.exe
Token: SeImpersonatePrivilege	2588	AdvancedRun.exe
Token: SeDebugPrivilege	1712	AdvancedRun.exe
Token: SeImpersonatePrivilege	1712	AdvancedRun.exe
Token: SeDebugPrivilege	2636	AdvancedRun.exe
Token: SeImpersonatePrivilege	2636	AdvancedRun.exe
Token: SeDebugPrivilege	1872	AdvancedRun.exe
Token: SeImpersonatePrivilege	1872	AdvancedRun.exe
Token: SeDebugPrivilege	2824	$77-Venom.exe
Token: SeDebugPrivilege	2912	$77Discord.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2912	$77Discord.exe
Token: SeDebugPrivilege	1700	$77-Venom.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77Discord.exe

pid process

2912 $77Discord.exe

pid	process
2912	$77Discord.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa48fe6b5774a66cab06338fa55d17de.exewindows_defender_bypass.exeAdvancedRun.exeAdvancedRun.exeDiscord.exe$77-Venom.exe$77Discord.execmd.execmd.exe

description	pid	process	target process
PID 1144 wrote to memory of 2396	1144	aa48fe6b5774a66cab06338fa55d17de.exe	windows_defender_bypass.exe
PID 1144 wrote to memory of 2396	1144	aa48fe6b5774a66cab06338fa55d17de.exe	windows_defender_bypass.exe
PID 1144 wrote to memory of 2396	1144	aa48fe6b5774a66cab06338fa55d17de.exe	windows_defender_bypass.exe
PID 1144 wrote to memory of 2396	1144	aa48fe6b5774a66cab06338fa55d17de.exe	windows_defender_bypass.exe
PID 1144 wrote to memory of 2788	1144	aa48fe6b5774a66cab06338fa55d17de.exe	Discord.exe
PID 1144 wrote to memory of 2788	1144	aa48fe6b5774a66cab06338fa55d17de.exe	Discord.exe
PID 1144 wrote to memory of 2788	1144	aa48fe6b5774a66cab06338fa55d17de.exe	Discord.exe
PID 1144 wrote to memory of 2788	1144	aa48fe6b5774a66cab06338fa55d17de.exe	Discord.exe
PID 2396 wrote to memory of 2588	2396	windows_defender_bypass.exe	AdvancedRun.exe
PID 2396 wrote to memory of 2588	2396	windows_defender_bypass.exe	AdvancedRun.exe
PID 2396 wrote to memory of 2588	2396	windows_defender_bypass.exe	AdvancedRun.exe
PID 2396 wrote to memory of 2588	2396	windows_defender_bypass.exe	AdvancedRun.exe
PID 2396 wrote to memory of 1712	2396	windows_defender_bypass.exe	AdvancedRun.exe
PID 2396 wrote to memory of 1712	2396	windows_defender_bypass.exe	AdvancedRun.exe
PID 2396 wrote to memory of 1712	2396	windows_defender_bypass.exe	AdvancedRun.exe
PID 2396 wrote to memory of 1712	2396	windows_defender_bypass.exe	AdvancedRun.exe
PID 2588 wrote to memory of 2636	2588	AdvancedRun.exe	AdvancedRun.exe
PID 2588 wrote to memory of 2636	2588	AdvancedRun.exe	AdvancedRun.exe
PID 2588 wrote to memory of 2636	2588	AdvancedRun.exe	AdvancedRun.exe
PID 1712 wrote to memory of 1872	1712	AdvancedRun.exe	AdvancedRun.exe
PID 1712 wrote to memory of 1872	1712	AdvancedRun.exe	AdvancedRun.exe
PID 1712 wrote to memory of 1872	1712	AdvancedRun.exe	AdvancedRun.exe
PID 2788 wrote to memory of 2824	2788	Discord.exe	$77-Venom.exe
PID 2788 wrote to memory of 2824	2788	Discord.exe	$77-Venom.exe
PID 2788 wrote to memory of 2824	2788	Discord.exe	$77-Venom.exe
PID 2788 wrote to memory of 2824	2788	Discord.exe	$77-Venom.exe
PID 2824 wrote to memory of 2632	2824	$77-Venom.exe	schtasks.exe
PID 2824 wrote to memory of 2632	2824	$77-Venom.exe	schtasks.exe
PID 2824 wrote to memory of 2632	2824	$77-Venom.exe	schtasks.exe
PID 2824 wrote to memory of 2632	2824	$77-Venom.exe	schtasks.exe
PID 2824 wrote to memory of 2912	2824	$77-Venom.exe	$77Discord.exe
PID 2824 wrote to memory of 2912	2824	$77-Venom.exe	$77Discord.exe
PID 2824 wrote to memory of 2912	2824	$77-Venom.exe	$77Discord.exe
PID 2824 wrote to memory of 2912	2824	$77-Venom.exe	$77Discord.exe
PID 2824 wrote to memory of 2928	2824	$77-Venom.exe	powershell.exe
PID 2824 wrote to memory of 2928	2824	$77-Venom.exe	powershell.exe
PID 2824 wrote to memory of 2928	2824	$77-Venom.exe	powershell.exe
PID 2824 wrote to memory of 2928	2824	$77-Venom.exe	powershell.exe
PID 2912 wrote to memory of 1524	2912	$77Discord.exe	schtasks.exe
PID 2912 wrote to memory of 1524	2912	$77Discord.exe	schtasks.exe
PID 2912 wrote to memory of 1524	2912	$77Discord.exe	schtasks.exe
PID 2912 wrote to memory of 1524	2912	$77Discord.exe	schtasks.exe
PID 2912 wrote to memory of 2096	2912	$77Discord.exe	cmd.exe
PID 2912 wrote to memory of 2096	2912	$77Discord.exe	cmd.exe
PID 2912 wrote to memory of 2096	2912	$77Discord.exe	cmd.exe
PID 2912 wrote to memory of 2096	2912	$77Discord.exe	cmd.exe
PID 2096 wrote to memory of 1616	2096	cmd.exe	chcp.com
PID 2096 wrote to memory of 1616	2096	cmd.exe	chcp.com
PID 2096 wrote to memory of 1616	2096	cmd.exe	chcp.com
PID 2096 wrote to memory of 1616	2096	cmd.exe	chcp.com
PID 2912 wrote to memory of 2152	2912	$77Discord.exe	WerFault.exe
PID 2912 wrote to memory of 2152	2912	$77Discord.exe	WerFault.exe
PID 2912 wrote to memory of 2152	2912	$77Discord.exe	WerFault.exe
PID 2912 wrote to memory of 2152	2912	$77Discord.exe	WerFault.exe
PID 2096 wrote to memory of 796	2096	cmd.exe	PING.EXE
PID 2096 wrote to memory of 796	2096	cmd.exe	PING.EXE
PID 2096 wrote to memory of 796	2096	cmd.exe	PING.EXE
PID 2096 wrote to memory of 796	2096	cmd.exe	PING.EXE
PID 2824 wrote to memory of 1812	2824	$77-Venom.exe	cmd.exe
PID 2824 wrote to memory of 1812	2824	$77-Venom.exe	cmd.exe
PID 2824 wrote to memory of 1812	2824	$77-Venom.exe	cmd.exe
PID 2824 wrote to memory of 1812	2824	$77-Venom.exe	cmd.exe
PID 1812 wrote to memory of 1680	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1680	1812	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\aa48fe6b5774a66cab06338fa55d17de.exe
"C:\Users\Admin\AppData\Local\Temp\aa48fe6b5774a66cab06338fa55d17de.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Program Files\Windows_Update\windows_defender_bypass.exe
  "C:\Program Files\Windows_Update\windows_defender_bypass.exe" -pKazutoSan72@$%?:YB381#4PcVh9!0LqF5
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files\Windows_Defender\AdvancedRun.exe
    "C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
- - C:\Program Files\Windows_Defender\AdvancedRun.exe
    "C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
- C:\Program Files\Windows_Update\Discord.exe
  "C:\Program Files\Windows_Update\Discord.exe" -pKazutoSan72@$%?:YB381#4PcVh9!0LqF5
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Program Files\Windows_Defender\$77-Venom.exe
    "C:\Program Files\Windows_Defender\$77-Venom.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2928
  - - C:\Windows\SysWOW64\Discord\$77Discord.exe
      "C:\Windows\SysWOW64\Discord\$77Discord.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1524
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\alNU2OVRWgCn.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1616
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:796
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1488
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        5⤵
        Deletes itself
        
        PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\qHl0MKJ7xKM3.bat" "
      4⤵
      PID:676
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1736
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:276
    - - C:\Program Files\Windows_Defender\$77-Venom.exe
        
        "C:\Program Files\Windows_Defender\$77-Venom.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700

C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 2588
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 1712
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
185KB

MD5
68cab928478416ca36e23603bd0f5fdd

SHA1
a0644f62a149671b5a04d5965c7b4e6661387838

SHA256
fc3bdf497993d2321601ad862fcd0341c91942f2709b793e92f4d0c57d65919b

SHA512
f9cbc3ad2487a3f2cd48724d70f1be571d4c9ada1e2e009bad4f86d32bc3aa0974d6f4f74b2ce7f0143ed4e7cee5cb6210c99b691e23edc8064a131201271de2

Download Submit
C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
281KB

MD5
b8a792d86606ce3bd2789a1464504b80

SHA1
11aecc15b157f0fd8e5809bc631961dd1145e8e8

SHA256
fa57c969431354a7270887de1aae7f8dcb23340f28e04a755f726c8e9106f19c

SHA512
1de41181052aad8f1af27d52e8041acf56127a19c8730f38e3e1015d523a7dbda28eb6623279cb8bbe1279d394a7eef5cdd54230fbfb8da7262d8162b6c60592

Download Submit
C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
252KB

MD5
688959b3a01eb36316b8f621f1893c89

SHA1
8f6fd0aea7655e28fe486d092cbd06e8ef04a9a5

SHA256
a07e0044a1f2ad3ccbb8545d80df90b46b2c701434a184f209cefc89538fd9b7

SHA512
f1b8e93ba74a3efdd54833280ba37c63b563a64b1d1e8ff00e1fffe2e9ecf37401aac72c122dce2f4df845ce0cd0326c836885f4a75edff84a9c95f59f3e7f9b

Download Submit
C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
340KB

MD5
2eac07048c037a6ee0a7b5061094b30b

SHA1
559699e4f34431a901f0036c75dd88c83b36a1a9

SHA256
c90c7cb5a2965bcd3c9680c9a7a400a10dcb5e951c4eb866eda6feb55f224a29

SHA512
2ae8f9c93742378dc48194e6a9f98a042c9c7a80f865a893111f510fbc0a318cbf1df0dbff00a7672f8e09dd1e4c3803b047bb8ef35810b8606dd39246debaf5

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
139KB

MD5
aa6948170b38f325599b0b3e9a93fbff

SHA1
b50a682e215fff24d5ae273e8750542ba2787548

SHA256
d04d0602399a11b3255c6a14a0ac3e9b9b43560a7bf64438952331a00806c2d7

SHA512
0ce72477bab7908e56f914322f95f4b4bc74558d34e887ea3e86509d718cf5ee9e4e6228933fdc83b7603eab74eb522d8acb349818445d56f89a8908ec9ce3b7

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
105KB

MD5
c6a36deb588850dee4563f70b7e9c53d

SHA1
46f823c7e30d5bbc45ee175c4958a465fad3068f

SHA256
2d00c718b3ec5971817c9f270ea4a9771a479f3361d0025a589ccca9b2611425

SHA512
6bc1d81db9a6c08c08f0cc6ee53402713ad66742ee014b7a0d0b81f8b5ba134cd5f48dd26e5eda78987362a4d0920a7386364322b7ba790c0ede45e19f3bffed

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
35KB

MD5
55ac28848e792e72cb6474e9990d3fc1

SHA1
d9f30a3d340c817ecdad735e157094e13ef7181a

SHA256
a66c79cf146535b67d7a5d31e3f6c6a214d0a9f3a7955db5f2b1c55fb1a82eab

SHA512
52b9b049e143715a883f952da0ea4e42ef31665fc79bd6c1dd749f743e8e25242627063281c21b682da30b270190907a62bafb4c35adff678c8192250de9d08a

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
92KB

MD5
7ee9f2461df5febfe17613493e6e88c3

SHA1
f96dc8983e981a63d8acbc8986d40515bca6f1b0

SHA256
7907ef1d7ee95978c411cef05f8b8cb4218c78c691cac5f68bfcdb687fdf197e

SHA512
85168211344ad63f975bf3295583db3de7cd6048a5904c37411cfeda1cb5a4168395f947b96265b9fecc950630e5ea8ea956780d84b73bb9491a3e4f2b84d9e4

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
144KB

MD5
b539e07612c0684fb583e106573627da

SHA1
10c67b7849900f0683f6b63bb36157cfd4ff5f20

SHA256
a6c966b2456dfe716412234f2adc0f4cfe4207ee625ff8c5ae785129f445c0a5

SHA512
1457a07d0b0012f3130420030b1ba859c0a9742901a170d581e3ff703c3c81bf8a664fbc83cedc0a2f4641b525bf22154a98cf98f269e56a53a137eb41734e25

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
1.6MB

MD5
8e88e3b10015a5bb7545752d397cdbae

SHA1
3f0adfda338b6971d59f90cbdcbf0cba8dadd827

SHA256
a8f8fbe25b39233dae53da99095a55c3187caddb9bd09ea3638fa7ae94de166e

SHA512
e00c8b506987a4437f7dc176f3d9420d63bb21c0caa6b5cba623aa4d477584a97b1fc54106b0c2cd6ca5e7142ef245e92b9012ba49141d40de76b205c522efd2

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
412KB

MD5
f9d9131d434bd262f6583c215b5df505

SHA1
289cbcf34fad13da1d44cf4193c88b7b98201d30

SHA256
745d3138709c23568d533a17b08bb0092b27f6e38bfdda792a38f97ab8632058

SHA512
db4ec838fa3abb22c88cdba58638290c741b41cabc77d00d4541682435a0277f5b42897e578637f3a789daf213425dc092f1ebaf666dc644bf12882607f91b7a

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
1.2MB

MD5
8a463ce02ca1891b7bc3bf737ea9da72

SHA1
ee4422df76d508788abc455faf525f3e9ac17e41

SHA256
867f194cc2d41ba62080c969f51df07b6130b7589a7d7063b6cb5a3c3ae6155b

SHA512
5a1f57cf060195cf65c3281b82b071803d246bbf90d455db44fb15388c786616d0bd36c48b30415949c468c405ed4a0c8e1aec5b0dff3a18ad4b578a762da69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7706.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7747.tmp

Filesize
14KB

MD5
21082bac9fa11eef2919dd69cdec199a

SHA1
b44291e2ef22a28345d925c58e95270379fd79a7

SHA256
03f658c114dcfc0734cda513aca2dc72667699fe32fd6874dca57e691ca83bff

SHA512
9691e98f78ac863f12e070cff93ec46033bdb26ce91abd9c22fb5782c471656f70776bc5c5f5e46a5c79bd9f2898ff8bc02f471e893db82032abfe89f4d38415

Download Submit
C:\Users\Admin\AppData\Local\Temp\alNU2OVRWgCn.bat

Filesize
201B

MD5
ac95dfec5d7b11117b0b48475b26cc6f

SHA1
06f807171026299dd23cd72f758b82e287d9cc31

SHA256
0a00add58df427ec32a5508e3ca4cb5b358284e59ce985dd2e1e1bbd2214858a

SHA512
9577819ab17544352b238528cd2a8c09f87f1e86e3477cf69ceddae1a1cb14952c93e4f072689a438e0f178659b08bf8503e30738cf91efdbe83272c88d5a1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qHl0MKJ7xKM3.bat

Filesize
206B

MD5
0190238b49888de245e803a3e7f8db9d

SHA1
a22215efe573fcb0bc062050244d2538105e2813

SHA256
47ab5eebd2ae8bb8278cef84abe4af28e7236f4d4f4c55bfe9ee2dfb38906c29

SHA512
9b9eda93f9300e3fadec5dec134c58e17277133e9cb2d86159b379033c0a3b6f45b8f222910a67117a8779994469543716b5bfee07e899fccd2a10f1df74189d

Download Submit
C:\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
156KB

MD5
c2c8e16adf7cf04b20ed2be1bcc2acc6

SHA1
c6f1e8ee5d1074388c1b1e2b65d4d5858d0fe72f

SHA256
1e0548b2f336d946fd277bf37929cd775d5c33fece07b2b7b7e78fc978ccc549

SHA512
2657982356d2a7dca470e7e8d2a6674dd1cd6ba54b1e0f7ab9ab3340f08cc31e6cc6194e1bf7334051ce6015ac636e7925b3e28be5b3d4a82d64fe08d7b35af9

Download Submit
C:\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
312KB

MD5
535e630bdc20569099ebcf0ed02e8d90

SHA1
22c182461e623645bd27984cb02cf92b3798a3a3

SHA256
a537d709c9dc54e87fbadf0b04d54413f3a139b9e324430f604192b888c02fa2

SHA512
44f1b50f667357ef098515da2171b0cabbc06bb6551f205945c9d0ee6671d18950f58149f155bc45dcbfd32bb59d6a0474b75b24aeb21f1d43cbb90e3ab9d00c

Download Submit
\Program Files\Windows_Defender\$77-Venom.exe

Filesize
356KB

MD5
52ee4fba3a18b956e6ec83ff3376e419

SHA1
59a45c7be67aad10a44008ee5c49f43b4e353a02

SHA256
8150ff13e0c25dbc7edceae4d8bbf304d9cdcca52e1137926262612c465dd528

SHA512
2bc60c061ce25fa49b9f0bf6360d64f4f52425b98ebe86d158a417c08a7626376bfc2cf428b560fb176f0bdb22fa7cf0475896f353e6258116fe35f66c3ed49a

Download Submit
\Program Files\Windows_Defender\$77-Venom.exe

Filesize
405KB

MD5
d299bafdf7a35545db6ac8bcb899513a

SHA1
238328395cba9f86fc045b880c681dcc78309193

SHA256
6bfadd9219289bafe311b9e5ab6b156981bf161305b98ec9e98aa726cbef2330

SHA512
c5c6376735aec7b06c2d021cea6d273bb3a4d9372f40d8fabd4412344fd7831339462c7088772a6b6cb27fae7f916ce1ff04bd427da5cd915163a4c05e166b72

Download Submit
\Program Files\Windows_Defender\$77-Venom.exe

Filesize
377KB

MD5
d77350aaddbd3eee21c05b73e8f828a9

SHA1
ff2adf66a0634453bb4b8c19e5eb84210ecc91dd

SHA256
f5ceaf2c0b4d3f9ab168d8e3f9620d2677ffd216a017c7046ebe1c33bdff9fce

SHA512
02e0a537060534b907738785f207a2e54543c37026b49ca262db1715844a9f6cc2637492c43208d82e67e6f0ed3f3dd3fbb4e5ac77d4d04fb9e196e88bec9320

Download Submit
\Program Files\Windows_Defender\$77-Venom.exe

Filesize
474KB

MD5
0a4e318dac64f85e86f29048b56b09f6

SHA1
825b4a2dc0cf1a772af086aa35dcd83e62bf755c

SHA256
9262e6f23afb2a0287e71aa641f3723e40f4c3d22b2353b9be4c001dc8dbf9d7

SHA512
415c6db35ce138b489532dd547de4d79ec3a311b0e9961ee334a7aafc6629dfa2b3fc9ddcc9b9a8d7992f750d9a6bee6d395460e028a85ef9302a9fabd75ee87

Download Submit
\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
147KB

MD5
54ff717308909ff0b44bf4288b940556

SHA1
dc8e37e5325122b3886f415c5dc63c5682780dca

SHA256
e9e8366dd8b4f41cfe4219b0c14d3e543b21219909bd9dcd21cd49448dbba0e5

SHA512
78b83c2d438949a98492fca2e24964b25a3fb8f41deea77f2106a024316f671ce3256ec2ce116807cbaeb2b2c0db8b3af5c23ab8c1adfdf3e2924b9486066f5c

Download Submit
\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
\Program Files\Windows_Update\Discord.exe

Filesize
1.3MB

MD5
55062fe38c22d96e670f5d230eb5dea8

SHA1
2d61220ae24f46b2e0f21b19bf0ddc2bd677afca

SHA256
cba6e9b9673c98b1421da2e3b164cafb2aaef80a0097606ec5710eb618811b4b

SHA512
7c8ffb2d15fa6e579cedc56c8be80b7d09ad1c9bbc24279a6a443fb3971566d4e5965a68c9f0dd67ffc3223cf76274c63cb490cca8f86478b3bcae4cceea3865

Download Submit
\Program Files\Windows_Update\Discord.exe

Filesize
742KB

MD5
fe7f837edafa07651efd654fd6df5cbb

SHA1
08b9bd29f0f50e70b5eee4ba5ed1ebb47ab1550c

SHA256
03cfe03677bd888c39aeac1a71d6a85b01ac80ed4a60d0eabde30d5f251eb575

SHA512
9ee944393e0ebdeee2795d0e9d299632241a41c29e562004a5687e0e60c2e73de374e54d786f0a79f05da74d9a88eeeba18c0dbda13b3cff33f901db929709b5

Download Submit
\Program Files\Windows_Update\Discord.exe

Filesize
538KB

MD5
5122c6e8f857a15430ec89db14bd2de0

SHA1
2b4e22063f18e0373ca3bbdae88d430b0fcc22f1

SHA256
a191e623cfd180032c5b994c8d554de7687052842ecf4800b30e1df7744fd1df

SHA512
dc6ea217f8a19d047fc1d08fbde067c497f9a36a9d305adb261ded5ade32f53d904b4bbdbad256b56dc5eedf9c33df45f669561be71f56a6cee5cec29fcc993a

Download Submit
\Program Files\Windows_Update\Discord.exe

Filesize
1.2MB

MD5
8174f1116092b6d4a5e7bfceb3ec3a9c

SHA1
a0894aac1c25949b3ece6ded3b5feb7c7426a604

SHA256
76cfc5ead47632317e8c04f6ca8453eba15bffea46fb2749f185b42828dd4d28

SHA512
317670e41065d50311dd640372ebda457b8411566210836a67a2504d845b20090a99f7e14b9677d8cd5d4d731fec71a356946dba0fc42b59a831268cd2338b9b

Download Submit
\Program Files\Windows_Update\Windows_Defender_Bypass.exe

Filesize
339KB

MD5
bf92277e5e65c1174f446cfe4e5e9ea4

SHA1
54dd08b9405443d51006473cd78f404ccf06ee8a

SHA256
b8f59e47d92f6ec02282832a4dc0d516b5bf66c60f02f0808fe991e643e0dba5

SHA512
e8911aad42cc858ac1b56e78e9899ced4b05c0f077f6c4f1a951ea6152f30aa5bb5e04220e1d2ed59cf5493923130e2870815f915644b6ae395d3b25df985358

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
233KB

MD5
9376b73d8eaad9d2f2fccb59ef2bf4bd

SHA1
292ec0d22f889d4c5a9b15b7da34707a450d04f5

SHA256
6edaf1fafeb19b5ad662789988e9d78c5fe84011d2a0dae1c6b35862a4095bac

SHA512
2e1e6ee0ca3c4d56a61306fb61e119e7a7b125013a66f3fe6518cccbd14795a6ab9a56c187225ce0d4f35216b9412a7865332922e31beb1d35de9e38773c03bd

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
293KB

MD5
4f9afb0beb77e6ff9b219ed6915ab539

SHA1
aa43a5e09dd1cd7f3a9b6811766de69b44e2a025

SHA256
cacb0c8a1770eea7d169e42032bd795fa10fdd6e3a06a327670bfd8c962982d9

SHA512
9c32484f13a0d4f4142862c07f5b78c6183a523c1c8abf7894535caea95885c09c8eb7d2899c2e3b1ee26c837ef78680dc3cf01e0fb077a6e8d24037f6c522f8

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
186KB

MD5
8102de37b057c4c48734063b4df9b362

SHA1
582cc3fb53a666c61d430fb9a859fcb5ae7b254d

SHA256
5c27e45b2c0753cb5701f4b43cb7056cf6a6f7476eec30d1d6cf13184934057b

SHA512
92f9ec5f5f7fd2fee040286aa967a85cc2df50bbc9947713b49eb9ae43b9ed0f63258b683347f5c354030ab61e738ad8a69948835c084cfd6a130b7aee3fdc44

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
99KB

MD5
4ed1e2227df81dcd31c5c343b3a82841

SHA1
bffce7ac48201a77b4ebb76f623f2001e653ddab

SHA256
5857aac610e2b95566cb2db8c9e5bced036c763d4d7a392b4c3ce7d58be8f417

SHA512
9ab808df5bc4f3824e8a3e51ccc14ce4fd91a803c8eb5ba6445a1cb7151cbecbe9223d4584da8dc8760f5534bf3c49ac5b620ddff97aa13f6f10cc0e3e92e739

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
558KB

MD5
f57ee3b2b7c35c59ffbcce14aa60f695

SHA1
a0aaf3e35c61e1f6f501eb79136ea6e5a74aaae9

SHA256
b0ee776c33e0472bd0d6186c48bf4d45fbefd6baefa91aa9a46099ddd2785bae

SHA512
e1228184cf9c6788d7484af179268c36d87e10b9d5e5c0785e842ed719644588ffede4081ef324d05733dfe36cf50a880dd355ce99b48b61e4756f7d09bc6d86

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
299KB

MD5
b3f53bb7b181b64311b47923e2276cae

SHA1
302291c1ca08811579fd9752b39fb319c460387c

SHA256
18a719260bf5f3a2701cbc06f980ed1801e9fd951c9ad22a406ed27d32289d65

SHA512
242c3499396d3e1740ed656167e0a15cc7c382a8ab991cbd908b7fbc1a3bbbfa63efa279c979d8b3ec63e85402efc6bb46794428f25ec016aa0e4315d5d0b146

Download Submit
memory/1700-175-0x0000000004730000-0x0000000004770000-memory.dmp

Filesize
256KB

Download
memory/1700-174-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-173-0x0000000004730000-0x0000000004770000-memory.dmp

Filesize
256KB

Download
memory/1700-172-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-73-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-72-0x0000000000F00000-0x0000000000F96000-memory.dmp

Filesize
600KB

Download
memory/2824-74-0x00000000003D0000-0x0000000000410000-memory.dmp

Filesize
256KB

Download
memory/2824-169-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-170-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-84-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2912-83-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-82-0x00000000011C0000-0x0000000001256000-memory.dmp

Filesize
600KB

Download
memory/2928-87-0x000000006F340000-0x000000006F8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2928-107-0x000000006F340000-0x000000006F8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2928-89-0x0000000001BF0000-0x0000000001C30000-memory.dmp

Filesize
256KB

Download
memory/2928-91-0x0000000001BF0000-0x0000000001C30000-memory.dmp

Filesize
256KB

Download
memory/2928-90-0x000000006F340000-0x000000006F8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2928-88-0x0000000001BF0000-0x0000000001C30000-memory.dmp

Filesize
256KB

Download