quasar | 10c0a60ca1b17282e0853e2134e7d67b604b1b38a66677fb99ef918672be2c79

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efbb56f8386d1881cc20a3de36686239.exe
Size

16.8MB
MD5

efbb56f8386d1881cc20a3de36686239
SHA1

b58ff7105f942a68c58cdc2fb80e3bf8d0a8de16
SHA256

10c0a60ca1b17282e0853e2134e7d67b604b1b38a66677fb99ef918672be2c79
SHA512

e2d9f182859273c9f13bdf3fd87fa5818676b1f7b41da556ac3c724ab75e50db64e7421632ca0e3d5b4d4d4f519d54484af1a3e4da919d665475a8715bc63311
SSDEEP

393216:hRwHfrE1h2ye2vmGpEeaQrg8OUEsf3iCZOuko4xgWL74hwtG1ZtJRjHYX:4HfrEKgJeehrSW3NOVoudPliZtTHYX

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
V8QkE5vrgV4DVybE2MTP
install_name
$77Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
Discord

Signatures

Contains code to disable Windows Defender 18 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
C:\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
C:\Program Files\Windows_Defender\$77-Venom.exe	disable_win_def
behavioral1/memory/1564-75-0x0000000000AD0000-0x0000000000B66000-memory.dmp	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
behavioral1/memory/1988-85-0x0000000000330000-0x00000000003C6000-memory.dmp	disable_win_def
C:\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
C:\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
\Windows\SysWOW64\Discord\$77Discord.exe	disable_win_def
behavioral1/memory/1988-174-0x0000000002000000-0x0000000002040000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

$77-Venom.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	$77-Venom.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 18 IoCs

Processes:

resource	yara_rule
C:\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
C:\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
C:\Program Files\Windows_Defender\$77-Venom.exe	family_quasar
behavioral1/memory/1564-75-0x0000000000AD0000-0x0000000000B66000-memory.dmp	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
behavioral1/memory/1988-85-0x0000000000330000-0x00000000003C6000-memory.dmp	family_quasar
C:\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
C:\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
\Windows\SysWOW64\Discord\$77Discord.exe	family_quasar
behavioral1/memory/1988-174-0x0000000002000000-0x0000000002040000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Nirsoft 8 IoCs

Processes:

resource	yara_rule
\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
C:\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft
\Program Files\Windows_Defender\AdvancedRun.exe	Nirsoft

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

892 cmd.exe

pid	process
892	cmd.exe

Executes dropped EXE 8 IoCs

Processes:

windows_defender_bypass.exeDiscord.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe$77-Venom.exe$77Discord.exe

pid	process
2976	windows_defender_bypass.exe
2728	Discord.exe
2820	AdvancedRun.exe
2680	AdvancedRun.exe
2552	AdvancedRun.exe
3060	AdvancedRun.exe
1564	$77-Venom.exe
1988	$77Discord.exe

Loads dropped DLL 24 IoCs

Processes:

efbb56f8386d1881cc20a3de36686239.exewindows_defender_bypass.exeAdvancedRun.exeAdvancedRun.exeDiscord.exe$77-Venom.exeWerFault.exe

pid	process
3040	efbb56f8386d1881cc20a3de36686239.exe
3040	efbb56f8386d1881cc20a3de36686239.exe
3040	efbb56f8386d1881cc20a3de36686239.exe
3040	efbb56f8386d1881cc20a3de36686239.exe
3040	efbb56f8386d1881cc20a3de36686239.exe
3040	efbb56f8386d1881cc20a3de36686239.exe
3040	efbb56f8386d1881cc20a3de36686239.exe
3040	efbb56f8386d1881cc20a3de36686239.exe
2976	windows_defender_bypass.exe
2976	windows_defender_bypass.exe
2976	windows_defender_bypass.exe
2976	windows_defender_bypass.exe
2820	AdvancedRun.exe
2680	AdvancedRun.exe
2728	Discord.exe
2728	Discord.exe
2728	Discord.exe
2728	Discord.exe
1564	$77-Venom.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

$77-Venom.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77-Venom.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

$77Discord.exe$77-Venom.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77Discord.exe
File opened for modification	C:\Windows\SysWOW64\Discord	$77Discord.exe
File created	C:\Windows\SysWOW64\Discord\r77-x64.dll	$77-Venom.exe
File created	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\Discord\$77Discord.exe	$77-Venom.exe

Drops file in Program Files directory 18 IoCs

Processes:

Discord.exepowershell.exeefbb56f8386d1881cc20a3de36686239.exewindows_defender_bypass.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows_Defender\16384.rnd	Discord.exe
File opened for modification	C:\Program Files\Windows_Defender\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\Windows_Update	efbb56f8386d1881cc20a3de36686239.exe
File opened for modification	C:\Program Files\Windows_Defender	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259410677	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\Test.bat	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\AdvancedRun.exe	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\16384.rnd	Discord.exe
File created	C:\Program Files\Windows_Update\Discord.exe	efbb56f8386d1881cc20a3de36686239.exe
File opened for modification	C:\Program Files\Windows_Defender\Test.bat	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\$77-Venom.exe	Discord.exe
File opened for modification	C:\Program Files\Windows_Defender\$77-Venom.exe	Discord.exe
File created	C:\Program Files\Windows_Update\__tmp_rar_sfx_access_check_259409694	efbb56f8386d1881cc20a3de36686239.exe
File opened for modification	C:\Program Files\Windows_Update\Discord.exe	efbb56f8386d1881cc20a3de36686239.exe
File created	C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe	efbb56f8386d1881cc20a3de36686239.exe
File opened for modification	C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe	efbb56f8386d1881cc20a3de36686239.exe
File opened for modification	C:\Program Files\Windows_Defender\AdvancedRun.exe	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_259411004	Discord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3008 1988 WerFault.exe $77Discord.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1012 schtasks.exe
1748 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2204 PING.EXE

pid	pid_target	process	target process
3008	1988	WerFault.exe	$77Discord.exe

pid	process
1012	schtasks.exe
1748	schtasks.exe

pid	process
2204	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exe$77-Venom.exe

pid	process
2820	AdvancedRun.exe
2820	AdvancedRun.exe
2680	AdvancedRun.exe
2680	AdvancedRun.exe
2552	AdvancedRun.exe
2552	AdvancedRun.exe
3060	AdvancedRun.exe
3060	AdvancedRun.exe
2956	powershell.exe
1564	$77-Venom.exe
1564	$77-Venom.exe
1564	$77-Venom.exe
1564	$77-Venom.exe
1564	$77-Venom.exe
1564	$77-Venom.exe
1564	$77-Venom.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe$77-Venom.exe$77Discord.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2820	AdvancedRun.exe
Token: SeImpersonatePrivilege	2820	AdvancedRun.exe
Token: SeDebugPrivilege	2680	AdvancedRun.exe
Token: SeImpersonatePrivilege	2680	AdvancedRun.exe
Token: SeDebugPrivilege	2552	AdvancedRun.exe
Token: SeImpersonatePrivilege	2552	AdvancedRun.exe
Token: SeDebugPrivilege	3060	AdvancedRun.exe
Token: SeImpersonatePrivilege	3060	AdvancedRun.exe
Token: SeDebugPrivilege	1564	$77-Venom.exe
Token: SeDebugPrivilege	1988	$77Discord.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1988	$77Discord.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77Discord.exe

pid process

1988 $77Discord.exe

pid	process
1988	$77Discord.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

efbb56f8386d1881cc20a3de36686239.exewindows_defender_bypass.exeAdvancedRun.exeAdvancedRun.exeDiscord.exe$77-Venom.exe$77Discord.execmd.execmd.exe

description	pid	process	target process
PID 3040 wrote to memory of 2976	3040	efbb56f8386d1881cc20a3de36686239.exe	windows_defender_bypass.exe
PID 3040 wrote to memory of 2976	3040	efbb56f8386d1881cc20a3de36686239.exe	windows_defender_bypass.exe
PID 3040 wrote to memory of 2976	3040	efbb56f8386d1881cc20a3de36686239.exe	windows_defender_bypass.exe
PID 3040 wrote to memory of 2976	3040	efbb56f8386d1881cc20a3de36686239.exe	windows_defender_bypass.exe
PID 3040 wrote to memory of 2728	3040	efbb56f8386d1881cc20a3de36686239.exe	Discord.exe
PID 3040 wrote to memory of 2728	3040	efbb56f8386d1881cc20a3de36686239.exe	Discord.exe
PID 3040 wrote to memory of 2728	3040	efbb56f8386d1881cc20a3de36686239.exe	Discord.exe
PID 3040 wrote to memory of 2728	3040	efbb56f8386d1881cc20a3de36686239.exe	Discord.exe
PID 2976 wrote to memory of 2820	2976	windows_defender_bypass.exe	AdvancedRun.exe
PID 2976 wrote to memory of 2820	2976	windows_defender_bypass.exe	AdvancedRun.exe
PID 2976 wrote to memory of 2820	2976	windows_defender_bypass.exe	AdvancedRun.exe
PID 2976 wrote to memory of 2820	2976	windows_defender_bypass.exe	AdvancedRun.exe
PID 2976 wrote to memory of 2680	2976	windows_defender_bypass.exe	AdvancedRun.exe
PID 2976 wrote to memory of 2680	2976	windows_defender_bypass.exe	AdvancedRun.exe
PID 2976 wrote to memory of 2680	2976	windows_defender_bypass.exe	AdvancedRun.exe
PID 2976 wrote to memory of 2680	2976	windows_defender_bypass.exe	AdvancedRun.exe
PID 2820 wrote to memory of 2552	2820	AdvancedRun.exe	AdvancedRun.exe
PID 2820 wrote to memory of 2552	2820	AdvancedRun.exe	AdvancedRun.exe
PID 2820 wrote to memory of 2552	2820	AdvancedRun.exe	AdvancedRun.exe
PID 2680 wrote to memory of 3060	2680	AdvancedRun.exe	AdvancedRun.exe
PID 2680 wrote to memory of 3060	2680	AdvancedRun.exe	AdvancedRun.exe
PID 2680 wrote to memory of 3060	2680	AdvancedRun.exe	AdvancedRun.exe
PID 2728 wrote to memory of 1564	2728	Discord.exe	$77-Venom.exe
PID 2728 wrote to memory of 1564	2728	Discord.exe	$77-Venom.exe
PID 2728 wrote to memory of 1564	2728	Discord.exe	$77-Venom.exe
PID 2728 wrote to memory of 1564	2728	Discord.exe	$77-Venom.exe
PID 1564 wrote to memory of 1012	1564	$77-Venom.exe	schtasks.exe
PID 1564 wrote to memory of 1012	1564	$77-Venom.exe	schtasks.exe
PID 1564 wrote to memory of 1012	1564	$77-Venom.exe	schtasks.exe
PID 1564 wrote to memory of 1012	1564	$77-Venom.exe	schtasks.exe
PID 1564 wrote to memory of 1988	1564	$77-Venom.exe	$77Discord.exe
PID 1564 wrote to memory of 1988	1564	$77-Venom.exe	$77Discord.exe
PID 1564 wrote to memory of 1988	1564	$77-Venom.exe	$77Discord.exe
PID 1564 wrote to memory of 1988	1564	$77-Venom.exe	$77Discord.exe
PID 1564 wrote to memory of 2956	1564	$77-Venom.exe	powershell.exe
PID 1564 wrote to memory of 2956	1564	$77-Venom.exe	powershell.exe
PID 1564 wrote to memory of 2956	1564	$77-Venom.exe	powershell.exe
PID 1564 wrote to memory of 2956	1564	$77-Venom.exe	powershell.exe
PID 1988 wrote to memory of 1748	1988	$77Discord.exe	schtasks.exe
PID 1988 wrote to memory of 1748	1988	$77Discord.exe	schtasks.exe
PID 1988 wrote to memory of 1748	1988	$77Discord.exe	schtasks.exe
PID 1988 wrote to memory of 1748	1988	$77Discord.exe	schtasks.exe
PID 1988 wrote to memory of 568	1988	$77Discord.exe	cmd.exe
PID 1988 wrote to memory of 568	1988	$77Discord.exe	cmd.exe
PID 1988 wrote to memory of 568	1988	$77Discord.exe	cmd.exe
PID 1988 wrote to memory of 568	1988	$77Discord.exe	cmd.exe
PID 568 wrote to memory of 2628	568	cmd.exe	chcp.com
PID 568 wrote to memory of 2628	568	cmd.exe	chcp.com
PID 568 wrote to memory of 2628	568	cmd.exe	chcp.com
PID 568 wrote to memory of 2628	568	cmd.exe	chcp.com
PID 1988 wrote to memory of 3008	1988	$77Discord.exe	WerFault.exe
PID 1988 wrote to memory of 3008	1988	$77Discord.exe	WerFault.exe
PID 1988 wrote to memory of 3008	1988	$77Discord.exe	WerFault.exe
PID 1988 wrote to memory of 3008	1988	$77Discord.exe	WerFault.exe
PID 568 wrote to memory of 2204	568	cmd.exe	PING.EXE
PID 568 wrote to memory of 2204	568	cmd.exe	PING.EXE
PID 568 wrote to memory of 2204	568	cmd.exe	PING.EXE
PID 568 wrote to memory of 2204	568	cmd.exe	PING.EXE
PID 1564 wrote to memory of 1980	1564	$77-Venom.exe	cmd.exe
PID 1564 wrote to memory of 1980	1564	$77-Venom.exe	cmd.exe
PID 1564 wrote to memory of 1980	1564	$77-Venom.exe	cmd.exe
PID 1564 wrote to memory of 1980	1564	$77-Venom.exe	cmd.exe
PID 1980 wrote to memory of 892	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 892	1980	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\efbb56f8386d1881cc20a3de36686239.exe
"C:\Users\Admin\AppData\Local\Temp\efbb56f8386d1881cc20a3de36686239.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Program Files\Windows_Update\windows_defender_bypass.exe
  "C:\Program Files\Windows_Update\windows_defender_bypass.exe" -pKazutoSan72@$%?:YB381#4PcVh9!0LqF5
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Program Files\Windows_Defender\AdvancedRun.exe
    "C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
- - C:\Program Files\Windows_Defender\AdvancedRun.exe
    "C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
- C:\Program Files\Windows_Update\Discord.exe
  "C:\Program Files\Windows_Update\Discord.exe" -pKazutoSan72@$%?:YB381#4PcVh9!0LqF5
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Windows_Defender\$77-Venom.exe
    "C:\Program Files\Windows_Defender\$77-Venom.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2956
  - - C:\Windows\SysWOW64\Discord\$77Discord.exe
      "C:\Windows\SysWOW64\Discord\$77Discord.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1504
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UzL39cDBUoV4.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        5⤵
        Deletes itself
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kj4Kzr2cMXNq.bat" "
      4⤵
      PID:584

C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 2820
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Program Files\Windows_Defender\AdvancedRun.exe
"C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 2680
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:2628

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
383KB

MD5
d6c4a4e30eacf74c64c23f2fb97e3130

SHA1
94f0c0a4739a02be5fd83cf64e553fd9298ef1ff

SHA256
56c2a394428e665c26e252a6dc8cafa70a99cba7d2d7b4911ce5dee820715860

SHA512
7b781a4400a4accd543d019f8003d1c48a1c28b89f953a3e46ba8591fb891ffe908f9ae52fcb8d03934b53127c11b0d38b8f133d5a0570d9fd31cc33b487af80

Download Submit
C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
418KB

MD5
f14a8fbacfa61a3ea1f4e214e41d54e2

SHA1
7936d9fb0419af01f1e15bd6a7505e5fdd243282

SHA256
3d9e42446e070855fc11f8e801429da5298d0b4bb65209675f15c835fd23d827

SHA512
28f2cdf462682e7e325228a7fe69dbbe2cbe499921696dbe5b794baae02bd27be4bed1d4bb0389a2b22b829f598e539262bc25bc085e1a53e584b7b93db46793

Download Submit
C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
576KB

MD5
d33530be695abbae61885800b8dae773

SHA1
ff5c3f69b71ddcf20948d16e2a1a1602f54c9f69

SHA256
f650c17d393c32c30f3ba1e34bc981f5ec4357a2e2084752b2e47b3d72ca4676

SHA512
83c6828e113ef193a0ba10f8dd6790107821515e82ac3724da224f6b47eaf35a321583c99a20757a4e89a1d50f59e6dd349bfc5c3d5394361fe9510eeac146f1

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
58KB

MD5
315b26a4f8b2999125143efe2c6c2f24

SHA1
4f4ea0c133bb100352bea2ba0dd7351781d40a71

SHA256
1e99f3396280cce22f0586477a5ad7d6860a894fcbc09f0a233659d2cada3cbc

SHA512
002ba6ab36ab54290a7c8379eea0c3e2da5df976124c4bc3d62c4273f1859497fcce5e1a8d78e3c2a73d6f98274b1b813711ce76bb0786f067630ed00b8a9eca

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
91KB

MD5
d36c73149188b70eb88c8daccaf426ce

SHA1
a46aaf2d12adf1a289f7a1aaf499d7a5cd72223e

SHA256
bfacd295da82489c880f1c71cc4b84fc3ec62bdc6300813ea0fc6974897ea8f1

SHA512
5b3d176af42dbc8ff409d3b338d9ea037cf3dbeb52f49afdf2007a1f800e5918df0ceb2073dac5b817b19b9557efaf065ec1968e67519785e7c1b843e9d68cff

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
98KB

MD5
19550dab6faefb198818b42e91520cff

SHA1
ccc79a81f78a8a2a8fbd10319d78c251ed047c24

SHA256
26bee7f2e0a8f7e7320b8fdd957864da571180666f79be8c18aef53230f1e6fc

SHA512
c3960b550d1e2e3e4a7c9c10913ea6fffbf9b1b4b8faae33d09ed6e141c8f673012aad3b554a7dd8429f0e0d0ee23bc822ca9b2da64de5570d8875860eba285f

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
529KB

MD5
e3421c1540c9cf5e65d8d63312a5d98b

SHA1
794663a918eedd6c9b4c3c4d59f9f4ded77b4525

SHA256
0872f0cce8147c8758e48391852760c0272e7f5aac784b5d917db4a59ca4c61c

SHA512
98597815e69eb0e1bdd358377846067f368522260bb42493be32baf2564a1bf7de8734f46f4ab6be088eea0f2438bae5685d3600a8c5dc889c5c706e577b2171

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
137KB

MD5
e313b28ef74e299d54d5c6a6945db853

SHA1
8e63690c40a443fd8a9ad5482764c464839ea9c1

SHA256
bb06b2b48d6dd432357ddf2c3d3f84f4621d9cfc90fa60a7bae54064798f3339

SHA512
ef9b14ec5079428a0962aa209479aece3660aae851ebd53d69e4b6c8f7019cba13843ed8afefde30b3f036d9b30f3a0248b20baa87f53d4aab6a381e09530656

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
296KB

MD5
caa1f262ef740c0604b89ad0f34c4c8b

SHA1
2a6eada004c686a3cb218ed2068652226882e983

SHA256
dd4e260a6ae6aec5cc7ce44e7825c9dfdc6270040e3ee8a1150c5fd3f20d1ec0

SHA512
2e13bd1d8d813210b69bd82f03b85664b300eb30d596ef615ac499efbc8c1d1db3c680c0c112b551b128b7b95313f8958973f45ae8b8d8bafc0ed74e700df0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F1A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kj4Kzr2cMXNq.bat

Filesize
206B

MD5
723e66841c9f0ccaf68e55a488b624e8

SHA1
bbf9aea1dd157fdd6165342e3930626e3a069239

SHA256
402df060a9cf3172f2d7257a5fac6b8f3efb8961583dd71ce58ba96041aff8f8

SHA512
01fc11596eec78b95eeebad87c8d33135548f02cbbeea17656ef4f99407b9e49bbf53da94b81919b7223221b5e9cdffc537ade91d194cf98fb7aeb4475aaf9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F3C.tmp

Filesize
95KB

MD5
0b26fb0b90400ed31a88d628d683f494

SHA1
c44b895a0effa84e31cc79c55532f6075f466201

SHA256
8b35716cf2c030ac0023b2d41881a7fa501dc833a5862e95b274d41f18cb3b4c

SHA512
9e80a97efd6fdbd5c45a7f3fc50156e2b0a635ea1ed8c6598f161a864b2afe0d1fa59bf49476134bc1b6cf478f46a00e98606c12d942f8fa589bce7bb636f227

Download Submit
C:\Users\Admin\AppData\Local\Temp\UzL39cDBUoV4.bat

Filesize
201B

MD5
fb26bfec1a7af8a0afd8ed806332e9ff

SHA1
06a2e716f2f5a0ce0106548a319d42b560c5ab93

SHA256
d8629cb97a10ac4e7d9efd740052641590d6b89b2174ce86c5e2e519cfbc6128

SHA512
f4cd2b0503c4fd1ae5b513284cdf4a4a7fccc7252ffeb7421865b44ebf47c5787461e98f2fff599399d688b2157acc9e235777d065adcdc08b5768c045ebe05e

Download Submit
C:\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
61KB

MD5
a471bd0050e2e79774a33c273105ec03

SHA1
cddbf9b8dfd4ecfab30a86de34e492e7351b959c

SHA256
ee616d0824a1f0460538822951c853be3738a3667aec7533131fa3b2afd11ba5

SHA512
c3a0e982142b9f63109d05eec656c3ee9c61ad1ffbeb99f9e4d5d5ac1b072b5002d447bcf03b068900f2b3780d19c754f1fa3ed997d1f194ea707f0a97c49e03

Download Submit
C:\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
64KB

MD5
3af7ad2aaa7e03794d221ad19cf9db8b

SHA1
30811cca803f3275cfd00c7e20357797e91bd2b5

SHA256
0217c644c7808da890be51bfbfc4c632febc4cbebeb0c3cb4debb5ffff029c87

SHA512
92b45e60228248f4bb4dc8c3ecdfa295f514e6f70c82ece286636154b574df62166eedff60e12b1fc0ec2e0f154383a4843e290da7070198fab2f4b79309b511

Download Submit
\Program Files\Windows_Defender\$77-Venom.exe

Filesize
401KB

MD5
0ae2be284f9fd240cd74194e2bec4b6c

SHA1
61760f88c736c4002e5c70857f259abafe9adb9b

SHA256
4274cbbfdd5e12849285c0fee6a69272c65a3aaef690fc6120a706a6e872f33f

SHA512
7e28b9f87e95ab0beb0ad37588f2cf6b60a8645756dfed0fc56755810249c0bde6d79347ec7910c01a86d98002fba4296088d487eeae85553c28cd3608e88e83

Download Submit
\Program Files\Windows_Defender\$77-Venom.exe

Filesize
237KB

MD5
8631edc216d3f2a9afc10d2fd1955ea5

SHA1
d94da30a2715670df2a2275827a6515299441c28

SHA256
57b9a005cfa2a533eaf819cba8ed02a9c55b3a143b77ac77ed68fd47e989981b

SHA512
bc752b1ba6c5dd23dfc149d86e504c66c4c5b0663a46eb783afde6754348b9eda0cd9faecb4387cb1a333e0fe094422aa8e846b2029467e69512562edc49e284

Download Submit
\Program Files\Windows_Defender\$77-Venom.exe

Filesize
228KB

MD5
361fce3e7c77a37a2d1e103a3a17938f

SHA1
1fdf2eab653afd5e522899b467e9000ed0fb5aac

SHA256
d618f986b812186974e157bb1481d65c7ec7df4f04a4a536165f48ca4f9c7514

SHA512
e52f1db2ba19376eeef35ef92f75a86e53fc0136fc8b4e112589ccdbd513b4caafffb5ee49351a0b79f1f0375e8323df3e751ca0e8ca99d3b60d429c2919095a

Download Submit
\Program Files\Windows_Defender\$77-Venom.exe

Filesize
312KB

MD5
bd515ab801646e7826018c33b2c8b22a

SHA1
ce7f337d75e699393d91413bfbf1cde70d17b965

SHA256
cd3dd702699287dae3114e152abea0c0eea1bde79fce5345b466444039c9c12c

SHA512
bd961db8895982a36841bc445c2846cfd4de8ae1ce66c9d0a021c5a7c2e8242348e651f76e5f0298fef8229bfe5bbf29b9498e069ad5af380d137f5ce73cf9db

Download Submit
\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
70KB

MD5
be3cb385332764ccfe297435e46ed8c8

SHA1
28451dcbfbe3ce62dedb18a16b5487defe23179c

SHA256
40d019f2438caf27be85f517ac7e90ed15e829cdcb2323e3ae003ff7ff93ecbb

SHA512
673c91a9deb3238ebd7576286134884b48fdbf13f225d2e7f3c7f487be60845dd671e7f1bc4f81e6c854bb5a4f43d6270bafc4e61731d493e92c5938a26e83f5

Download Submit
\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
52KB

MD5
e612bb388ef2596498d1b493c31be025

SHA1
39159d4437bc7f072f9aeaea732ed31f7d8efc64

SHA256
261324accd5077f427a1a6239575383fb1f4b477038841a421047e7e6c7ddb3d

SHA512
5c4871a33849815a3bc9e182aa64aecb21649874712695ec8e217c619ff2f18fa70020696dfe04097bd792dd6b0dea700371d160dccf8035a800333d9ce31289

Download Submit
\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
93KB

MD5
a397068eca453693811ec44ba28eac9d

SHA1
66488091c76b6de0df3735379a6df3a9fc74cd94

SHA256
122a746da7b7e98a00ad5915831a4b1f81066680b80161d4733e3a0eb2549bc3

SHA512
48fdb83603e5b14428beb065594e7aae642eb8591026cee7f3f7baaed18c09c962cece49473bbeb09bd352bc9a89d5a3780b2f16e26ae0830c73ae5751d16e96

Download Submit
\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
39KB

MD5
d4f73023ce76266cba74f9141ff43f40

SHA1
145de64812f4fdc472b77193bd20147b5b312cb0

SHA256
a7774f1a764abe57c81727dffa6c54565b359a95d254af87f3962d02dc8430be

SHA512
23e0fa969df161eda9d946bfbb2aa362d98d72bcec322bc8b2cc409342cc56bf96cd86df5d1b5edecd777bdd01e666d070cb72d13a6c402fbc5fb39b937bb58b

Download Submit
\Program Files\Windows_Update\Discord.exe

Filesize
208KB

MD5
45e3fd36618178bc77254e9abb2b6822

SHA1
bac9c8ff43b5f87bf66a405ccdc176dac6983ade

SHA256
ab03dc00bff47373377c66fefdff93b79c6ca0e035aaec562c4bbed5085616f0

SHA512
989c8e8695c2cbd0599d7e750c6919cab7685bf49511612fcd63265e793afbfe14a99771d8d6db5163e6d92eea326769a9f83280a7d7a81eb1760932b6b0dc07

Download Submit
\Program Files\Windows_Update\Discord.exe

Filesize
558KB

MD5
6606dbf5087744b029dffac62851858c

SHA1
745335f2f4b21dab94afa34164714372bbdd52f7

SHA256
81da017e396b3ab4b40f0b2040c710261b4531baac49c906fe8484b12f822df7

SHA512
74f11d81983acd57e96c9d11996913783190c712217ba32d9f88b05707115ecaa1bc78614dc34c514c8e2b8d2723abfca624bae78c613ff79fb7d87c6858644f

Download Submit
\Program Files\Windows_Update\Discord.exe

Filesize
354KB

MD5
70743102330ec1990a9398b8733044a9

SHA1
ddcee941ad22df9889a146d08b3e1b07886d480b

SHA256
fec8d7ab78b9bbf22d5174ced9ed2c2724ec9607b4c69002e50f336792e5d734

SHA512
4bd1f2dd6669d3f07896d5abbe564f4bc771a08fb18a87441f251247aedbc3c16f802ba569cebaf7b64f6f3c9b3f0b00f27f72972b944e79bdb2ca276a16581f

Download Submit
\Program Files\Windows_Update\Discord.exe

Filesize
225KB

MD5
5bee18412a4138638f8855e782cdb936

SHA1
66f146e9c06ecc2b0da3f5926c121e8a45341fa2

SHA256
60b013e0415ca4e78a1a9bcfa634b3362c2ee9a4d044b5a9b857bb46dfe7d8cc

SHA512
bdad32a8403c615781f4afbbb14d1f1d16a936cbda7cae4f6118e52de750bab6b06607265a9c28eea95c90446050e62ecf8676f81d0253bb166f293a9002e1ee

Download Submit
\Program Files\Windows_Update\Windows_Defender_Bypass.exe

Filesize
339KB

MD5
bf92277e5e65c1174f446cfe4e5e9ea4

SHA1
54dd08b9405443d51006473cd78f404ccf06ee8a

SHA256
b8f59e47d92f6ec02282832a4dc0d516b5bf66c60f02f0808fe991e643e0dba5

SHA512
e8911aad42cc858ac1b56e78e9899ced4b05c0f077f6c4f1a951ea6152f30aa5bb5e04220e1d2ed59cf5493923130e2870815f915644b6ae395d3b25df985358

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
322KB

MD5
f34f93a34e66e885960290e7d68646c8

SHA1
0dc455e75894577e37a2b2f4714a8a3695c239d1

SHA256
99204c81b62babfef461d2cfa2b270685a0b6e9927a055fb813653d5c0cb3866

SHA512
7048c8d216b25b08e2775f097df20065950109846737e814d12edf12434a8a46835459ff54c2cbbb8d2f3e63e3451515403da4713beba7f30a3dbdc1830f84a3

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
19KB

MD5
ab303f5d60b56cc3c21112e13c88f7bb

SHA1
a30d7408b5ddcd45c366b40695e48de2f41f6853

SHA256
2bcae1af8ffbda9bd155358fd12ff8f0876b9e21eda58af4baf682be5ecd085f

SHA512
ec10be3bc57d34109697536e0815a38e030009777b7d6cec258149b95af82ef5b86d95cc6d55ada26f5e3a7bbbebf46e6fb6427458ee014d527aaeb5f15d73aa

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
1KB

MD5
00f5ab8f4ea420dad246c4fe05325345

SHA1
dffc47e26824160ce54e062392bd708ca47c1252

SHA256
57c6f8d342c197b8e199ac0e861ee1f810e2435a59aaadb46ec31c4df714ee7c

SHA512
00ff002693017127cc79099d7931df00b29a273acc1085d5da21b822236027b2db7d4757adc7399e69e69f75fa46f7b7cd19f171c24bd2f3dfdf7f1b3456dc2b

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
338KB

MD5
3b4e33e17003e5404831e0b77b963207

SHA1
2082e74133d1c2515440226cc4cdd7f359b4bfcb

SHA256
2d12db9f84ff7f5cf8abad15dc5af07e47c4ef98c1b1c6710a56f57a8122f8ee

SHA512
d655ed0b737f5d9102ddf388ecb58de91239f67a426cc3e210dc6fd316bcac72a406e7ac7b2dfd7ede0688452c7fc2917ae1c286c7ff9b8915d811a4d822a221

Download Submit
\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
122KB

MD5
37a4ab4d56b8db7f1c63a30ccaf79919

SHA1
4eac6e911e2bd73d13148a95966c80d06aa9f62a

SHA256
92e624fd3a1a9c38c9f57aba97b232264b4e3d63deba558f8986f49a6097d002

SHA512
6012ed28bd243c7d132353f941b3277b06a9710b41dae74b1fb240764c89ab412da45c16ee86558ffeb7859b04eaf63dacd7f73cb921368a6c1ea25792d1766e

Download Submit
memory/1564-76-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1564-77-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1564-75-0x0000000000AD0000-0x0000000000B66000-memory.dmp

Filesize
600KB

Download
memory/1564-172-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1988-87-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1988-86-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1988-85-0x0000000000330000-0x00000000003C6000-memory.dmp

Filesize
600KB

Download
memory/1988-173-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1988-174-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/2956-90-0x000000006ECB0000-0x000000006F25B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-94-0x00000000027E0000-0x0000000002820000-memory.dmp

Filesize
256KB

Download
memory/2956-110-0x000000006ECB0000-0x000000006F25B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-91-0x000000006ECB0000-0x000000006F25B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-92-0x00000000027E0000-0x0000000002820000-memory.dmp

Filesize
256KB

Download
memory/2956-93-0x00000000027E0000-0x0000000002820000-memory.dmp

Filesize
256KB

Download