rhadamanthys | 52ee0e34f2e2c814ceb5b59b6fdf9b6f7a86d097e76e73a92085304f62044678

Resubmissions

06/02/2025, 14:58

250206-scexnaxrex 10

06/02/2025, 14:57

250206-sbxfbaxrdv 1

Analysis

max time kernel
59s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2025, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppSetup(Val0Updated).rar
Size

79.7MB
MD5

b254b2593bebe886a63cb85f852d0e68
SHA1

0de3dd2f71ad561f35e790aeb875af584a4535fa
SHA256

52ee0e34f2e2c814ceb5b59b6fdf9b6f7a86d097e76e73a92085304f62044678
SHA512

45b79a11fb6b96ce0f5243d50cd9287dc80c73d8f9d3875fcc06908ad069ac310aacd992d13347ebcdc067c6e36ce329216fb7a5a509e7bd8fbc94416696cdd2
SSDEEP

1572864:MVieG6yP2+5w0fZJVHO5nhVKGPQWtDrKwCn0wZaeAfRvDPi51tfcQFIMQ:0ieG6ypu0fjVHuVnRDrKfHVAfBDPiLib

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 2 IoCs

resource	yara_rule
behavioral1/memory/3300-244-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3300-245-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3300 created 2688	3300	MSBuild.exe	47

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	App_Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	App_Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	App_Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	scanner.exe

Executes dropped EXE 15 IoCs

pid	Process
2856	App_Setup.exe
3108	App_Setup.tmp
4848	App_Setup.exe
3068	App_Setup.tmp
3052	App_Setup.exe
2364	App_Setup.tmp
1456	App_Setup.exe
3616	App_Setup.tmp
3664	App_Setup.exe
3988	App_Setup.tmp
1636	App_Setup.exe
4992	App_Setup.tmp
3288	scanner.exe
888	scanner.exe
3612	scanner.exe

Loads dropped DLL 12 IoCs

pid	Process
3108	App_Setup.tmp
3108	App_Setup.tmp
3068	App_Setup.tmp
3068	App_Setup.tmp
2364	App_Setup.tmp
2364	App_Setup.tmp
3616	App_Setup.tmp
3616	App_Setup.tmp
3988	App_Setup.tmp
3988	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
1988	tasklist.exe
2872	tasklist.exe
1828	tasklist.exe
1128	tasklist.exe
2968	tasklist.exe
392	tasklist.exe
64	tasklist.exe
5076	tasklist.exe
3048	tasklist.exe
1764	tasklist.exe
2548	tasklist.exe
3860	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3612 set thread context of 3300	3612	scanner.exe	170

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4232	3300	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scanner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scanner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scanner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Setup.tmp

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4752	cmd.exe
4528	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	scanner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	scanner.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4528	PING.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4368	7zFM.exe
4368	7zFM.exe
3068	App_Setup.tmp
3068	App_Setup.tmp
3616	App_Setup.tmp
3616	App_Setup.tmp
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4992	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp
4992	App_Setup.tmp
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3300	MSBuild.exe
3300	MSBuild.exe
3300	MSBuild.exe
3300	MSBuild.exe
1112	svchost.exe
1112	svchost.exe
1112	svchost.exe
1112	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4368	7zFM.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeRestorePrivilege	4368	7zFM.exe
Token: 35	4368	7zFM.exe
Token: SeSecurityPrivilege	4368	7zFM.exe
Token: SeSecurityPrivilege	4368	7zFM.exe
Token: SeDebugPrivilege	2872	tasklist.exe
Token: SeDebugPrivilege	1828	tasklist.exe
Token: SeDebugPrivilege	1128	tasklist.exe
Token: SeSecurityPrivilege	4368	7zFM.exe
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	392	tasklist.exe
Token: SeDebugPrivilege	5076	tasklist.exe
Token: SeDebugPrivilege	3048	tasklist.exe
Token: SeDebugPrivilege	1764	tasklist.exe
Token: SeDebugPrivilege	2548	tasklist.exe
Token: SeDebugPrivilege	3860	tasklist.exe
Token: SeDebugPrivilege	1988	tasklist.exe
Token: SeDebugPrivilege	64	tasklist.exe
Token: SeDebugPrivilege	3088	taskmgr.exe
Token: SeSystemProfilePrivilege	3088	taskmgr.exe
Token: SeCreateGlobalPrivilege	3088	taskmgr.exe
Token: 33	3088	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3088	taskmgr.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
4368	7zFM.exe
4368	7zFM.exe
3068	App_Setup.tmp
4368	7zFM.exe
4368	7zFM.exe
4368	7zFM.exe
3616	App_Setup.tmp
4992	App_Setup.tmp
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 2856	4368	7zFM.exe	94
PID 4368 wrote to memory of 2856	4368	7zFM.exe	94
PID 4368 wrote to memory of 2856	4368	7zFM.exe	94
PID 2856 wrote to memory of 3108	2856	App_Setup.exe	97
PID 2856 wrote to memory of 3108	2856	App_Setup.exe	97
PID 2856 wrote to memory of 3108	2856	App_Setup.exe	97
PID 3108 wrote to memory of 4848	3108	App_Setup.tmp	98
PID 3108 wrote to memory of 4848	3108	App_Setup.tmp	98
PID 3108 wrote to memory of 4848	3108	App_Setup.tmp	98
PID 4848 wrote to memory of 3068	4848	App_Setup.exe	99
PID 4848 wrote to memory of 3068	4848	App_Setup.exe	99
PID 4848 wrote to memory of 3068	4848	App_Setup.exe	99
PID 3068 wrote to memory of 588	3068	App_Setup.tmp	102
PID 3068 wrote to memory of 588	3068	App_Setup.tmp	102
PID 588 wrote to memory of 2872	588	cmd.exe	104
PID 588 wrote to memory of 2872	588	cmd.exe	104
PID 588 wrote to memory of 1692	588	cmd.exe	105
PID 588 wrote to memory of 1692	588	cmd.exe	105
PID 3068 wrote to memory of 2812	3068	App_Setup.tmp	107
PID 3068 wrote to memory of 2812	3068	App_Setup.tmp	107
PID 2812 wrote to memory of 1828	2812	cmd.exe	109
PID 2812 wrote to memory of 1828	2812	cmd.exe	109
PID 2812 wrote to memory of 3140	2812	cmd.exe	110
PID 2812 wrote to memory of 3140	2812	cmd.exe	110
PID 3068 wrote to memory of 2884	3068	App_Setup.tmp	111
PID 3068 wrote to memory of 2884	3068	App_Setup.tmp	111
PID 4368 wrote to memory of 3052	4368	7zFM.exe	106
PID 4368 wrote to memory of 3052	4368	7zFM.exe	106
PID 4368 wrote to memory of 3052	4368	7zFM.exe	106
PID 2884 wrote to memory of 1128	2884	cmd.exe	113
PID 2884 wrote to memory of 1128	2884	cmd.exe	113
PID 2884 wrote to memory of 2320	2884	cmd.exe	114
PID 2884 wrote to memory of 2320	2884	cmd.exe	114
PID 3052 wrote to memory of 2364	3052	App_Setup.exe	115
PID 3052 wrote to memory of 2364	3052	App_Setup.exe	115
PID 3052 wrote to memory of 2364	3052	App_Setup.exe	115
PID 3068 wrote to memory of 2408	3068	App_Setup.tmp	116
PID 3068 wrote to memory of 2408	3068	App_Setup.tmp	116
PID 2364 wrote to memory of 1456	2364	App_Setup.tmp	119
PID 2364 wrote to memory of 1456	2364	App_Setup.tmp	119
PID 2364 wrote to memory of 1456	2364	App_Setup.tmp	119
PID 2408 wrote to memory of 2968	2408	cmd.exe	120
PID 2408 wrote to memory of 2968	2408	cmd.exe	120
PID 2408 wrote to memory of 1112	2408	cmd.exe	121
PID 2408 wrote to memory of 1112	2408	cmd.exe	121
PID 1456 wrote to memory of 3616	1456	App_Setup.exe	122
PID 1456 wrote to memory of 3616	1456	App_Setup.exe	122
PID 1456 wrote to memory of 3616	1456	App_Setup.exe	122
PID 4368 wrote to memory of 3664	4368	7zFM.exe	118
PID 4368 wrote to memory of 3664	4368	7zFM.exe	118
PID 4368 wrote to memory of 3664	4368	7zFM.exe	118
PID 3664 wrote to memory of 3988	3664	App_Setup.exe	123
PID 3664 wrote to memory of 3988	3664	App_Setup.exe	123
PID 3664 wrote to memory of 3988	3664	App_Setup.exe	123
PID 3068 wrote to memory of 748	3068	App_Setup.tmp	124
PID 3068 wrote to memory of 748	3068	App_Setup.tmp	124
PID 3988 wrote to memory of 1636	3988	App_Setup.tmp	126
PID 3988 wrote to memory of 1636	3988	App_Setup.tmp	126
PID 3988 wrote to memory of 1636	3988	App_Setup.tmp	126
PID 748 wrote to memory of 392	748	cmd.exe	127
PID 748 wrote to memory of 392	748	cmd.exe	127
PID 748 wrote to memory of 1848	748	cmd.exe	128
PID 748 wrote to memory of 1848	748	cmd.exe	128
PID 1636 wrote to memory of 4992	1636	App_Setup.exe	129

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2688
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1112

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AppSetup(Val0Updated).rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\is-TDVQU.tmp\App_Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TDVQU.tmp\App_Setup.tmp" /SL5="$80206,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\is-S7J0O.tmp\App_Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S7J0O.tmp\App_Setup.tmp" /SL5="$90206,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011377E7\App_Setup.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        7⤵
        
        PID:1692
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        7⤵
        
        PID:3140
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        7⤵
        
        PID:2320
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        7⤵
        
        PID:1112
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        7⤵
        
        PID:1848
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        6⤵
        
        PID:2100
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        7⤵
        
        PID:2292
      - C:\Users\Admin\AppData\Roaming\mkvtoolnix\scanner.exe
        
        "C:\Users\Admin\AppData\Roaming\mkvtoolnix\\scanner.exe" "C:\Users\Admin\AppData\Roaming\mkvtoolnix\\deambulatory.eml"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && scanner.exe C:\ProgramData\\1nfdXZ.a3x && del C:\ProgramData\\1nfdXZ.a3x
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\mkvtoolnix\scanner.exe
        
        scanner.exe C:\ProgramData\\1nfdXZ.a3x
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        9⤵
        
        PID:4544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 388
        10⤵
        Program crash
        
        PID:4232
- C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\is-ETM9E.tmp\App_Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ETM9E.tmp\App_Setup.tmp" /SL5="$40210,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\is-OIVS6.tmp\App_Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OIVS6.tmp\App_Setup.tmp" /SL5="$7026E,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011AA918\App_Setup.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:3616
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        6⤵
        
        PID:760
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        7⤵
        
        PID:4836
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        6⤵
        
        PID:3612
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        7⤵
        
        PID:4828
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        6⤵
        
        PID:1940
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        7⤵
        
        PID:4688
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        6⤵
        
        PID:4484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
        
        C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        7⤵
        
        PID:3168
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        6⤵
        
        PID:4548
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        7⤵
        
        PID:648
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        6⤵
        
        PID:4884
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        7⤵
        
        PID:4268
      - C:\Users\Admin\AppData\Roaming\mkvtoolnix\scanner.exe
        
        "C:\Users\Admin\AppData\Roaming\mkvtoolnix\\scanner.exe" "C:\Users\Admin\AppData\Roaming\mkvtoolnix\\deambulatory.eml"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
- C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\is-5F99N.tmp\App_Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5F99N.tmp\App_Setup.tmp" /SL5="$202CC,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\is-14O7O.tmp\App_Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-14O7O.tmp\App_Setup.tmp" /SL5="$302CC,8476246,845824,C:\Users\Admin\AppData\Local\Temp\7zO011F6D18\App_Setup.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4992

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3300 -ip 3300
1⤵
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0PN3O.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-REN1F.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TDVQU.tmp\App_Setup.tmp

Filesize
3.2MB

MD5
830f17248f7dd32c54a7bfd9c16a404d

SHA1
8b04ea9041784a2d4a902f4e615cf4bdb9f3d995

SHA256
424b7e90cac9245dd0175f0566acd597fd6f89579154c6f080c24a97aa3c7f96

SHA512
678d2117963e0cd56e25988b521e434861b3e26aacaddd0616add26c524223e3a9f2012f5ab3a7d065be79a9dcecca4edabea6d574bce9deee17174c1ff7547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJ4EL.tmp\is-5L8HG.tmp

Filesize
53KB

MD5
4e1d7df7612e1efb030592c5ae992bde

SHA1
1df24c667f581e49a7b3cb92db6263b5039eb9cb

SHA256
48d91cd358e37d57e43a58c992b5454f2a249e924ac2a13293e4105c102608a7

SHA512
1cca901df70e3887a4ceee6600e740d9b57e6573e793a87e501e813b8225ff8364ebaa1e0ae8ad2a69c8ffc691241ce643e02cad152f92868f52a38ac8eaadcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJ4EL.tmp\is-68Q41.tmp

Filesize
572KB

MD5
901e5427453f62f2573239b397f51a27

SHA1
5b1cb06f09f936962989318c0cdd38d5e33b158f

SHA256
4668efc64bdc143ccf7fdb7ffe15472a7746394f935989dd75ec5ca204a2415b

SHA512
df5131db1b7b7c5d52000097fb64234c3aa944d9b9758b861cd9cf1d6f6963c474716a1f6a75f6f8d7ccd53113bbd20ee1cc597ee8ce51240781b94eebb8d2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJ4EL.tmp\is-889SE.tmp

Filesize
2.3MB

MD5
28355c163de4eed265fc768e856ce492

SHA1
3795d8bbddeafb1eff6f7930627aa3166d328a3d

SHA256
dd7a9fc4dbc3838695f43a5029e02d5e42e7b3fd004f618301afc147bf6338e9

SHA512
5e43d5ac084e3cbca8d095d3fabca638b1a8ae0e91d8ff13e70b1b5553dc63bb47d675147d82b0d2883b92b976a4fae109e8415cd502fdd1b6b1bf20233ea136

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJ4EL.tmp\is-8AF8D.tmp

Filesize
4.4MB

MD5
77abbe9e4f1f4755c698ee7a2ffadc26

SHA1
e7b57361291d7665a50f0902c2a2a5b335bf449b

SHA256
ed996df1900c71079adc5f210228a1435942ed8c5e13554c26789e07114b65b2

SHA512
cc94969ecbb93b8d73af975ad7a506ee80d439e795ae03ce4a2f0228118e6d6957f11d4e5259d2b65623b5c75e2b9584e596aacb648edb9cb7b6cad1114b8f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJ4EL.tmp\is-LJ8Q1.tmp

Filesize
5.4MB

MD5
c9edcdbb26a8c972686133f605590b4c

SHA1
dc6dc1e155bb418c78dd84b35b16a997c76d9fb7

SHA256
a92f762078ec06563481387528ac8548ebbe99793cc86f7cbf0f8448b6fefe64

SHA512
702e590f709526c10822b862395ac34de1859645b34cd0b78ebf4960ac9bfd41e92387914c8c14a69015ee548a925c4e41a4c0708f8b8fc1a5197d5832db1e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJ4EL.tmp\is-OFVML.tmp

Filesize
1002KB

MD5
9c6c663d391e76136f1644a509a86dce

SHA1
7189f5ef6f7ade50689b2f67c68d2bdb4ef35bd5

SHA256
46640a0c796ac57d5f9339c3a4a2bb6cf7a8435e58581e44fbbda664815c9e76

SHA512
7b2c8ec83a37aa69f1a97bb11c4de74a04508b3d58d67f127aa000c32481c54749eb9867affbd3cbadb41fc34d3c19a671b68ff6d9d9414966f2228f791029ef

Download Submit
C:\Users\Admin\AppData\Roaming\mkvtoolnix\deambulatory.eml

Filesize
60KB

MD5
9e3e11bdf74bc4ebf2de5062999614f1

SHA1
18ad9ea3509bb1ae3dba6cc88977530449a0e6d2

SHA256
4a64907ec5df11086a99bc27aa07500666f04e6a793a6bd79aa5b6d9d5171cef

SHA512
71fcf2afe05dca13382736a935edbd0dcac3caf80013c6d850c00b8c7114fac21018b313da74603d6677812d2d5c1bf7b04b4fd30dc1e4a8da91ee7ba6c094aa

Download Submit
C:\Users\Admin\AppData\Roaming\mkvtoolnix\deambulatory.wav

Filesize
3.6MB

MD5
73552f1eabec20c538a98bb67843cd29

SHA1
a062f3697ac0fb84bf19a6de2c056bfa3bac2268

SHA256
16e54bfa3d687e35be66f8dc3b48cd65f946d1ed80e568207f53de8893120eeb

SHA512
fb8fa736c2d4b7b2943b60b71c73268d5e44ea2629f9f5e5611a706287f274314d56766ffd6b759bd29e8a335ceb7e230a22f57a9f6f7bbbdb271c07390485db

Download Submit
C:\Users\Admin\AppData\Roaming\mkvtoolnix\scanner.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
memory/1112-251-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/1112-253-0x0000000000F50000-0x0000000001350000-memory.dmp

Filesize
4.0MB

Download
memory/1112-254-0x00007FF8A4350000-0x00007FF8A4545000-memory.dmp

Filesize
2.0MB

Download
memory/1112-256-0x0000000075730000-0x0000000075945000-memory.dmp

Filesize
2.1MB

Download
memory/1456-102-0x0000000000420000-0x00000000004FC000-memory.dmp

Filesize
880KB

Download
memory/1456-201-0x0000000000420000-0x00000000004FC000-memory.dmp

Filesize
880KB

Download
memory/1456-215-0x0000000000420000-0x00000000004FC000-memory.dmp

Filesize
880KB

Download
memory/1636-203-0x0000000000650000-0x000000000072C000-memory.dmp

Filesize
880KB

Download
memory/1636-157-0x0000000000650000-0x000000000072C000-memory.dmp

Filesize
880KB

Download
memory/2364-120-0x00000000009C0000-0x0000000000D03000-memory.dmp

Filesize
3.3MB

Download
memory/2856-14-0x00000000006F1000-0x0000000000799000-memory.dmp

Filesize
672KB

Download
memory/2856-33-0x00000000006F0000-0x00000000007CC000-memory.dmp

Filesize
880KB

Download
memory/2856-12-0x00000000006F0000-0x00000000007CC000-memory.dmp

Filesize
880KB

Download
memory/3052-77-0x0000000000420000-0x00000000004FC000-memory.dmp

Filesize
880KB

Download
memory/3052-122-0x0000000000420000-0x00000000004FC000-memory.dmp

Filesize
880KB

Download
memory/3068-64-0x0000000000AE0000-0x0000000000E23000-memory.dmp

Filesize
3.3MB

Download
memory/3068-191-0x0000000000AE0000-0x0000000000E23000-memory.dmp

Filesize
3.3MB

Download
memory/3088-235-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-236-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-231-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-232-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-234-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-233-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-226-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-225-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-227-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3088-237-0x0000026F604B0000-0x0000026F604B1000-memory.dmp

Filesize
4KB

Download
memory/3108-32-0x0000000000DD0000-0x0000000001113000-memory.dmp

Filesize
3.3MB

Download
memory/3108-19-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3300-244-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3300-250-0x0000000075730000-0x0000000075945000-memory.dmp

Filesize
2.1MB

Download
memory/3300-248-0x00007FF8A4350000-0x00007FF8A4545000-memory.dmp

Filesize
2.0MB

Download
memory/3300-247-0x0000000001430000-0x0000000001830000-memory.dmp

Filesize
4.0MB

Download
memory/3300-246-0x0000000001430000-0x0000000001830000-memory.dmp

Filesize
4.0MB

Download
memory/3300-245-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3300-243-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3616-202-0x0000000000B00000-0x0000000000E43000-memory.dmp

Filesize
3.3MB

Download
memory/3616-214-0x0000000000B00000-0x0000000000E43000-memory.dmp

Filesize
3.3MB

Download
memory/3664-160-0x0000000000650000-0x000000000072C000-memory.dmp

Filesize
880KB

Download
memory/3664-119-0x0000000000650000-0x000000000072C000-memory.dmp

Filesize
880KB

Download
memory/3988-159-0x0000000000470000-0x00000000007B3000-memory.dmp

Filesize
3.3MB

Download
memory/4848-63-0x00000000006F0000-0x00000000007CC000-memory.dmp

Filesize
880KB

Download
memory/4848-30-0x00000000006F0000-0x00000000007CC000-memory.dmp

Filesize
880KB

Download
memory/4848-194-0x00000000006F0000-0x00000000007CC000-memory.dmp

Filesize
880KB

Download
memory/4992-241-0x0000000000FF0000-0x0000000001333000-memory.dmp

Filesize
3.3MB

Download
memory/4992-204-0x0000000000FF0000-0x0000000001333000-memory.dmp

Filesize
3.3MB

Download
memory/4992-219-0x0000000000FF0000-0x0000000001333000-memory.dmp

Filesize
3.3MB

Download