rhadamanthys | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqa2RHQmw2eHZCVUNHRFl2b2FVb1dQNXR6MDVMZ3xBQ3Jtc0tuaXlnZkhPekFnZlFOWTJUdU9NS3NjbkF3dE5UdlZIelBJNWdSRHR5eWdPZW5hVURtTUIzQ09QcDY3ZFNBVlNtWVB2eGNtVTF4eVRUXzVHTEl4WXQzSVVJRFhkNU1kMFFUOGpBRFZ5Y1g0V192V1NnOA&q=https%3A%2F%2Fwww[.]mediafire[.]com%2Ffolder%2F85txqbn671ucv%2Frbscrpt&v=QyV5jYyv6Uc

Analysis

max time kernel
112s
max time network
98s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04/02/2025, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa2RHQmw2eHZCVUNHRFl2b2FVb1dQNXR6MDVMZ3xBQ3Jtc0tuaXlnZkhPekFnZlFOWTJUdU9NS3NjbkF3dE5UdlZIelBJNWdSRHR5eWdPZW5hVURtTUIzQ09QcDY3ZFNBVlNtWVB2eGNtVTF4eVRUXzVHTEl4WXQzSVVJRFhkNU1kMFFUOGpBRFZ5Y1g0V192V1NnOA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F85txqbn671ucv%2Frbscrpt&v=QyV5jYyv6Uc

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 4 IoCs

resource	yara_rule
behavioral1/memory/1892-489-0x00000000058B0000-0x0000000005931000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1892-493-0x00000000058B0000-0x0000000005931000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1892-492-0x00000000058B0000-0x0000000005931000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1892-491-0x00000000058B0000-0x0000000005931000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1892 created 400	1892	United.com	51

Executes dropped EXE 1 IoCs

pid	Process
1892	United.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3300	tasklist.exe
2556	tasklist.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MovedCloud	Bootstrapperx-64.exe
File opened for modification	C:\Windows\WindAdvertisement	Bootstrapperx-64.exe
File opened for modification	C:\Windows\MiscellaneousAppreciated	Bootstrapperx-64.exe
File opened for modification	C:\Windows\AcresSyntax	Bootstrapperx-64.exe
File opened for modification	C:\Windows\EfficiencyMsn	Bootstrapperx-64.exe
File opened for modification	C:\Windows\OperatesNeeded	Bootstrapperx-64.exe
File opened for modification	C:\Windows\FlexibleSonic	Bootstrapperx-64.exe
File opened for modification	C:\Windows\TimelyIncoming	Bootstrapperx-64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2016	1892	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	United.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapperx-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4772	msedge.exe
4772	msedge.exe
3924	identity_helper.exe
3924	identity_helper.exe
3776	msedge.exe
3776	msedge.exe
1892	United.com
1892	United.com
1892	United.com
1892	United.com
1892	United.com
1892	United.com
1892	United.com
1892	United.com
1892	United.com
1892	United.com
3552	svchost.exe
3552	svchost.exe
3552	svchost.exe
3552	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4444	7zG.exe
Token: 35	4444	7zG.exe
Token: SeSecurityPrivilege	4444	7zG.exe
Token: SeSecurityPrivilege	4444	7zG.exe
Token: SeDebugPrivilege	3300	tasklist.exe
Token: SeDebugPrivilege	2556	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
1892	United.com
1892	United.com
1892	United.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 1648	4772	msedge.exe	83
PID 4772 wrote to memory of 1648	4772	msedge.exe	83
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 5004	4772	msedge.exe	84
PID 4772 wrote to memory of 4588	4772	msedge.exe	85
PID 4772 wrote to memory of 4588	4772	msedge.exe	85
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86
PID 4772 wrote to memory of 1168	4772	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:400
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa2RHQmw2eHZCVUNHRFl2b2FVb1dQNXR6MDVMZ3xBQ3Jtc0tuaXlnZkhPekFnZlFOWTJUdU9NS3NjbkF3dE5UdlZIelBJNWdSRHR5eWdPZW5hVURtTUIzQ09QcDY3ZFNBVlNtWVB2eGNtVTF4eVRUXzVHTEl4WXQzSVVJRFhkNU1kMFFUOGpBRFZ5Y1g0V192V1NnOA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F85txqbn671ucv%2Frbscrpt&v=QyV5jYyv6Uc
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffdf39d46f8,0x7ffdf39d4708,0x7ffdf39d4718
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,13732567604468234173,15414031296375085604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3532

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\R---3---L\" -ad -an -ai#7zMap16867:80:7zEvent10911
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\ccf675d5-697a-476f-977e-a56402cb66ff_Release.zip.6ff\Release\Bootstrapperx-64.exe
"C:\Users\Admin\AppData\Local\Temp\ccf675d5-697a-476f-977e-a56402cb66ff_Release.zip.6ff\Release\Bootstrapperx-64.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c expand Syria.wav Syria.wav.cmd & Syria.wav.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:740
- - C:\Windows\SysWOW64\expand.exe
    expand Syria.wav Syria.wav.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:416
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 228593
    3⤵
    - System Location Discovery: System Language Discovery
    PID:352
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Arrangement.wav
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Subscriber" Budgets
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 228593\United.com + Myrtle + Fabulous + Reproduction + Sprint + Revisions + Showtimes + Features + Headers + Coalition + Shirt 228593\United.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Virginia.wav + ..\Argue.wav + ..\Infinite.wav + ..\Trailers.wav + ..\Incentives.wav + ..\Angels.wav + ..\Java.wav + ..\P.wav + ..\Wealth.wav + ..\Audi.wav e
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5008
- - C:\Users\Admin\AppData\Local\Temp\228593\United.com
    United.com e
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:1892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 956
      4⤵
      Program crash
      PID:2016
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1892 -ip 1892
1⤵
PID:4168

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\79384a92-ec67-45e0-82b1-e63ccfd13254_Release.zip.254\Release\scripts\config.txt
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
55708ea6a193823c5162db60a9f7396d

SHA1
cc48e8644d8a1c4588af35d319a477e6457416dd

SHA256
2e00fc9c4ec5aa772eb34ec24bd92e66b23a5100789a7d7d05b97344bc0c45c9

SHA512
fb5fabcd0341d2c7af481cba196cacd4ef577ec356d92e8623646fddf3a51badcce19a261c7df3e705af6aa790a56e64d73888a6e8cd508b87c3d341fde8f690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
d45509db85b3e8a88bcfe5196e7968ae

SHA1
ab30865e7f7069d28612aeb249297888fe6c4829

SHA256
138fa22076a7cd5a26e623e86f5a9478a7698be6beaf69c2adbfb504408bf227

SHA512
384d1caea078c4a2ace34ad55663c509f607628f2cff05a8ddeebe10b50e5b6d8abe1b976a324c0eeeca560f1554b8d958871e265ac700fd593055d58dea9629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
88c79d62b2ba930aa7aa5b168de45532

SHA1
86547ba481173866be7d8ad825fade00485c8857

SHA256
97733d3d972e6d5a42f6025638725e8c2049e15b17b36db455ed616b87f0846f

SHA512
28674a9f4c68f58d429d905862fe4ca3167d761ed42441c0bb2f7cab1c589a57faf39ae72f003a2985218d42677b2aaf5643e5838cdb8b3d74c2bae4d0a6ab93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
97b824913567c4122a97c7a9a89e85d2

SHA1
64c28dd17327ba0b1a196be1db5dc4c4ecee2fc4

SHA256
764e015a86f6a69cb59cb98ee6a79305414dac8d284e8cf16e57b65ec2a8f9aa

SHA512
fc7912df40f8f9937f82819e18a7563725ceb6158e8fb760bcb7e5e29d122c54628f8ca0f9d76d007959fc9158493119c0e0338a87305e87c3c4543f4994abe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9bf12d3229e7d33556bc8dd2dc1e6117

SHA1
e87cf340958572b39036bd23eb19fc1a3edb8d3d

SHA256
040d21aa660f863f515fd57f70db295d5aa8d895a43190f703dd9f4753065872

SHA512
8ff707162bd1a455f94daf340d18b956c945a1015b64b26b0967b95aee4a603670c62d8d8d1f7ebcdbdbc55b8064d96020a221224727a2b4353ec04d503f22cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a2e79379a8cc15b54dc15a2fe80b8a7

SHA1
21a083691fb973666418458622b0fd81ff78288c

SHA256
86036e7ac88fde7533212a3150642ce6d71656c41325a49db3603a04b3fc1ae9

SHA512
0e3bfa6877a9721f7cac02000bad9ae87681c7d8282b94601be26117624b38531cd6041114ebcba795913ee4c1bc6672ac2e063eaa63053d6c3896f1a9768332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c5f961d7c246075423e8d4e54da44e35

SHA1
5f562616c61e036c76a61bb0a216067456ca0e65

SHA256
1b72f0bd8b0098fbfc3e093811ff6d4074a5fc6550aa297dbe061c8835347fc7

SHA512
19ca892bf3ae9d4ead5dfba769a40c305412c32ff99035a4509550958828c60dd2ef4f76ca98f1f039ead1c6cd063a7d459f0dc487f855a821ac8f6d88da8af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7a6b081c196dd786b3117d9725df966c

SHA1
1c68b0d4e7f7bd3724fa212aec03cf7e0677bfac

SHA256
749dc5e0330559354a240f21f3dbd5030a8f7f4a1b39c15debb87d06901432bf

SHA512
12490cc499b3fda45ddf92853def00d5d104d7cdca55f81475c28d9b1aa38c87c1c19be832b3290c4c6c67d4da4b8ba56034cf9e4016bd6a87cfcf46f6d72873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
731f62b2f8f047d056b366071b168005

SHA1
025872f48c74b57ed532270a1ac2a4e07f4aafab

SHA256
e7057e8bea1df14816b75c7945a3c76a5b450bb3485aae15fc8238abddde83fe

SHA512
202eca8599e3451e9698fe306abf487215eb217a85d25de3d0d8783eac2247fb9e29a4b90db6963cb2a04c20912567d923cb4115d917d6f497875f53b14dcdba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580d3a.TMP

Filesize
1KB

MD5
bcfcf852d2edf06f10bb7095df5c789c

SHA1
4fb48ac2d64f89e5e02fb4e7d0978bfc2f0ec43f

SHA256
227091445d57b016fdb11d091e9448c6034dcd2cebd5aeb7d265a1257cc2a900

SHA512
c0bd6d0df4fc03252023f9355ae0cd6d1b28f4d6e942218dff1afb6e722fc830a15f52f50d91b5d1d51489dfc2c6a3ed92fac82080fa88640fde867cadfb71b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
532e46ee100de7948189f447991a35ef

SHA1
eff3355266f66e2be03eb552d380194bc72fabd2

SHA256
dcad8ba189d88025ea62d6195aea135a74143227a1f445046d50c92c523d934f

SHA512
573e70564ac0dadba927464c49beab5c6365faa3f2b0aafb42be7fbb8dff60c8fee9b62c094cc963ad954e23818b13c4ac111d5e46f916531c89aef51ce2351b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0087a62299e56a80b9d02e224186479b

SHA1
aaa6f6bd65cbf319dcbbdebbacc6f33ae7825301

SHA256
b217b2b9a58c2eb4c5867145f612d83937e1baa212088341c8ddc4bfbac6f998

SHA512
4c1b3341fb7f177424198e0b4eada75064826a590269d0eab80faab507cc6b00a64c3e14648e2f9868501ae1cfee68e23c823b1724c080aa3a33ee904a074601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
89faf75f9e6daf43e880b74251e40d14

SHA1
7febdb1ddcbd3f9fe527f2fc28a950a00190b90a

SHA256
cb41e91983f2a5d7c921e3b26bde37b9d9cdd37bfea30e74690633c1a630d42e

SHA512
0cf2e98e0140d411a43391386cc6774c566d798cf9f702c1d91ef2e64572d1b3d76c98d2857b82b58ba135f82a193a83bf57d04d4a540eb44d4781996a285205

Download Submit
C:\Users\Admin\AppData\Local\Temp\228593\United.com

Filesize
505KB

MD5
47898fdb873ac9923f922fe5c84d6601

SHA1
7804af694280bf9dab51604520937566794a1449

SHA256
56454db205f3dd6c97f2b56195b2b4c9f8178c013e387042d8494dde2a15c97d

SHA512
9f3ca64f1fdf05eb15bde71ce0820a035fcd7b5982aff53a1816cdf997e24059c5a97207a90a226184fffd4270b5fddeefb01545916516b19272292b9ad596b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\228593\United.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arrangement.wav

Filesize
478KB

MD5
8623e73567097bd8a4a308f935a5e06d

SHA1
01c6c425e6500dae4d9d837f416af96dd55063a9

SHA256
0f5be6e5955479b945efae6ab6fe4a562791cae1d56d23b5b1e2f51f82eaf93f

SHA512
1d35dfb0b677fa6b9a9ac942d3c47c3a17a4f4b2886110baa3d8dc3c4f91a18c5a582eb9939d06375520c3fda987ad17f52646c12990cf397f9331aa0bead25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Budgets

Filesize
648B

MD5
c036d16077afa340939fb16360648f1f

SHA1
afed8a54fcd01b48053fdff183d516aff04d9cf4

SHA256
6b95229ab411f5a22fafd9d3950f155142df5f526360b888ef44e52f7983a35d

SHA512
d521dc8813e4e46fa69525a8c83dee8794eae58690232ba0d2c1c0a5ed1837ad2aa25512b644af24d0bd9688f14a107bf917c4b9570fefa6e7bc23d8ccf82bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coalition

Filesize
83KB

MD5
74b2b4001084148d8dec3103640d8c4d

SHA1
70561ee88f0858da22393c4b76f66d3955547d43

SHA256
0bb4128b538c2fa24284a9a253942357cc86f4041e3da8d886da6323d6f9e208

SHA512
45d3aa8d972ff675ce11acc846fab202ff292bd79467a8f83e2f84a3ef3db521ea744c512eb0498cda94dafad7523794e58b5a9d19a0b058add13b4114c42f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fabulous

Filesize
113KB

MD5
34574e494c9d51dd6b2ecb92932d913c

SHA1
736e8efc4fef938b4fa9eeba4044a020dbacb80f

SHA256
b1bace8d13e8ae110e43160c93f20f2369ec2b231a54e9325dd9fc5ae9a36bb2

SHA512
292584ee7ce651add6479b427950a399a9bd1db7ffdc33751aee9f71ad337fa0fcc57bd4200cfc7ffda3c48d6d7ca092591a0e7632deb196890247f2644422e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Features

Filesize
52KB

MD5
0e73b06549daf3f3ba4193b59a73f5f8

SHA1
a2e08dcfb77fed37145498982471ab9d11702647

SHA256
b911e4d13db023a90955171486eb0f87c2369759fa9c5c72af45e8bfb68ff953

SHA512
c7f747887d2454309357946e300c01f777249ce6a234439fd153988a3102c35d5d8b21fd61f3586f51776eac215f55a16bc640d5d39497b0b38f926ca5ae2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Headers

Filesize
103KB

MD5
015ef246730982f7ff8d27789fabc744

SHA1
591b4167980417174359e5e2d9bb7c919b451aea

SHA256
343e7879a8c9bafc7aa9e17f554b852833147a36115ce2aad9554aca9c9dc86c

SHA512
8a360bc6e3c03b007c5108fd5d882b096d971e1fe1007cbd7343fbff55da7554a7989209b13109bb5d5207c00841155cdc0430241984d2cd02946524e6ae4e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myrtle

Filesize
51KB

MD5
6c08b39c4174bf657236b0ae8c0c4a8e

SHA1
1858ec99820f6728b944f689b8aa124290aa0267

SHA256
ae5d4223352f490915e3a1aa569fbc2674f8c61e1d6cf83dda9ca079ac4b07f4

SHA512
a10de8c17d958c73b29c116cfdf5e82a2c7fcddf38ee431714307074b7810ef8630bc6c4d20b0a910c8f1e4d6d9ca8a0ddd003526891a900dfd9f1d6209f4a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reproduction

Filesize
86KB

MD5
14466fa336d55ffe10b70d3e45519d11

SHA1
f025943c99c9071176ce4eab72f7fe94819c2a8a

SHA256
a8345ad092d8da319cb97aca22e0dbed5336d2e87adecbf9f42481fb6230795d

SHA512
e6c862d317fb7758d05ebadb237bf4133f4b245dd50da4fe92fc3bb107308a7bc570fc04e93012ece8bde940ab543bcce1b19d50fb523fa603b10487b044eeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revisions

Filesize
147KB

MD5
c0555c99baa3dec47b42241189fecd1a

SHA1
87ffe498c3503979dac44343e111d849cbab2350

SHA256
f1da24f18ff2a154efe0cf2a9885b51f4dcea379589d7a38cfdac93ab373bb14

SHA512
6c26e3e461934c90550de84faac8ced8785ee17b31cec48ee42fe0095e13891a9b8b63337b4191d533c0d6db35f81500eb03e4538ec8d33b26320fa1ffa35983

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shirt

Filesize
37KB

MD5
2fa824b6b249035d6cdaead634057676

SHA1
d8916b0997b19e1ba4abcac56c32c4668d5b6eaa

SHA256
1cae5ca2b67594b4ea380117aa718bafc756745e207c1b116ca9d59c8ec186fc

SHA512
7122ba257cca4ee467a0df1063c3336a19e22ab480d6c91bcba629dcc1fc6931ead5a251b6b252662859296bdf52cbf06090c468ec96bc2a6b6cded4375ef422

Download Submit
C:\Users\Admin\AppData\Local\Temp\Showtimes

Filesize
144KB

MD5
8ae2d560efd0b454771ada745f97c979

SHA1
f57ee54e5d7451098f9504c4d1427781855a0a17

SHA256
4f71e944e29732d123a525eaef4ace53b0df88a34895e6b413f4fa76c319384a

SHA512
876b04c126528b2a4ac5d79cd6874bb0ae3f3c0b23849fae7f0f795ac380413896a19cae382210d27467b9e534cc37aa7a05bbc3c37019941ae73c916e2f4a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sprint

Filesize
108KB

MD5
f775a23e9297ed279256748aa3ed2ed6

SHA1
ba238b559f0253404d471248e20225b3ae007e08

SHA256
16c02b9412f58fb47b8773ea3e3291f7c5bb20774ad06de76a93196c6c1a0553

SHA512
f3011512db79f04673ffa57e608105e466cae79b8bd6600ea268d08d599773de82176eb93d785931cdd16dcb2eba1d0e1bbf8563c5d13bed0a1926e98702e14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\syria.wav

Filesize
11KB

MD5
bdc3dd9d0e90637e7c5073add4e2c9b9

SHA1
6c8b8bb8dc40a016ad8e81c3529c3ab745482fad

SHA256
b0a429be14c369adba8c0ef4d8df7d0395d2ce41537024a21aa9e9937b541997

SHA512
61b1fe464d710a862f17344179a34f040e11e4e167e4d15c8ac44c083cca763076ae1ab0005fd47201e3773abaea9120e331ef22437abe389890c84510444ef0

Download Submit
C:\Users\Admin\Downloads\R---3---L.zip

Filesize
24.0MB

MD5
5c70296bf094688676a10f8f44f46672

SHA1
20e54d1b31696d07c2741201bb3ab8f6e9a3a7d1

SHA256
17f100fbe9950521f41bb08be437fa22b84e4dbe1eda067e308260e96923d82d

SHA512
23c361eb51cfdf0f5126e97753c51a73d43e10b4b4f97e7fc7ab21fb9a9dea50ec87ded489e6386fadc9e055f9408f5359b694afa662b137862d0270ccdfd61c

Download Submit
memory/1892-487-0x00000000058B0000-0x0000000005931000-memory.dmp

Filesize
516KB

Download
memory/1892-495-0x0000000005940000-0x0000000005D40000-memory.dmp

Filesize
4.0MB

Download
memory/1892-488-0x00000000058B0000-0x0000000005931000-memory.dmp

Filesize
516KB

Download
memory/1892-493-0x00000000058B0000-0x0000000005931000-memory.dmp

Filesize
516KB

Download
memory/1892-492-0x00000000058B0000-0x0000000005931000-memory.dmp

Filesize
516KB

Download
memory/1892-491-0x00000000058B0000-0x0000000005931000-memory.dmp

Filesize
516KB

Download
memory/1892-494-0x0000000005940000-0x0000000005D40000-memory.dmp

Filesize
4.0MB

Download
memory/1892-489-0x00000000058B0000-0x0000000005931000-memory.dmp

Filesize
516KB

Download
memory/1892-496-0x00007FFE02C70000-0x00007FFE02E68000-memory.dmp

Filesize
2.0MB

Download
memory/1892-498-0x0000000075EC0000-0x00000000760FA000-memory.dmp

Filesize
2.2MB

Download
memory/3552-499-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/3552-502-0x00007FFE02C70000-0x00007FFE02E68000-memory.dmp

Filesize
2.0MB

Download
memory/3552-504-0x0000000075EC0000-0x00000000760FA000-memory.dmp

Filesize
2.2MB

Download
memory/3552-501-0x0000000001440000-0x0000000001840000-memory.dmp

Filesize
4.0MB

Download