cobaltstrike | 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103

Analysis

max time kernel
1001s
max time network
1007s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2023 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103.exe
Size

283KB
MD5

a62d5c8ef4d626febfcd2c00898c6c27
SHA1

854e020efefbf393e04d897b6b0b83ef92fd2db8
SHA256

5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103
SHA512

3a35487449b985f338473866da4308de760bdd3f52934e786dd28fb0030898a98000c0538159c8e2cb0ac54cda04fd9a73d7dfd1bcfc60be1c397c42730cd6da
SSDEEP

6144:guH8asY3G/Mzhc/Ly9iB036PQ3ouBIkBZ8dRaBvvQD:gz1aG/L/O53jBZcGvvQD

Score

10^/10

cobaltstrike 1580103824 backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103824

http://109.206.243.59:443/Enable/1998/BPYMMENCN

Attributes

access_type
512
beacon_type
2048
host
109.206.243.59,/Enable/1998/BPYMMENCN
http_header1
AAAACgAAACxBY2NlcHQ6IGltYWdlLyosIHRleHQvaHRtbCwgYXBwbGljYXRpb24vanNvbgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiB1awAAAAoAAAAjQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgY29tcHJlc3MAAAAHAAAAAAAAAA8AAAANAAAAAgAAAAZfQU9pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACtBY2NlcHQ6IGFwcGxpY2F0aW9uL3htbCwgaW1hZ2UvKiwgdGV4dC9odG1sAAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLXphAAAACgAAAB1BY2NlcHQtRW5jb2Rpbmc6IGlkZW50aXR5LCBicgAAAAcAAAAAAAAADwAAAA0AAAAFAAAACV9WR0tDR0FHRAAAAAcAAAABAAAADwAAAAgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
8448
polling_time
92081
port_number
443
sc_process32
%windir%\syswow64\w32tm.exe
sc_process64
%windir%\sysnative\systray.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDjafSAG/t5AV7MoJ0+yfqNVP8VKHTcWG23Xwqeq+bC34ftgavpOGxc90RaJYkBZQfMrMG2vVGWBcJjYS9OpN0RgqnTKV7X386f0joSLS9E/wKAP7GwQKUwjE7xZVlzelWDQBRq7/OaBXAF405hSi4eRWAuEIZeAWk8/irwifE5wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.589791488e+09
unknown2
AAAABAAAAAEAAASeAAAAAgAAA6EAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/Link/configs/Y8JEK5UPLWVZ
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
watermark
1580103824

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5004-0-0x00007FF6552C0000-0x00007FF655599000-memory.dmp	upx
behavioral1/memory/5004-5-0x00007FF6552C0000-0x00007FF655599000-memory.dmp	upx

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exeunregmp2.exe

description	ioc	process
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 11 IoCs

Processes:

OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\php_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\php_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\php_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\php_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\php_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\.php	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\.php\ = "php_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\php_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\php_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\php_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe

Opens file in notepad (likely ransom note) 5 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

1320 NOTEPAD.EXE
2772 NOTEPAD.EXE
2920 NOTEPAD.EXE
428 NOTEPAD.EXE
2700 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4428 WINWORD.EXE
4428 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3716 chrome.exe
3716 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

2740 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3716 chrome.exe
3716 chrome.exe
3716 chrome.exe

pid	process
1320	NOTEPAD.EXE
2772	NOTEPAD.EXE
2920	NOTEPAD.EXE
428	NOTEPAD.EXE
2700	NOTEPAD.EXE

pid	process
2740	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

unregmp2.exewmplayer.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	1268	unregmp2.exe
Token: SeCreatePagefilePrivilege	1268	unregmp2.exe
Token: SeShutdownPrivilege	4904	wmplayer.exe
Token: SeCreatePagefilePrivilege	4904	wmplayer.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

wmplayer.exechrome.exe

pid	process
4904	wmplayer.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

WINWORD.EXEOpenWith.exe

pid	process
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
4428	WINWORD.EXE
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe
2740	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wmplayer.exeunregmp2.exesetup_wm.exeOpenWith.exechrome.exe

description	pid	process	target process
PID 4576 wrote to memory of 2052	4576	wmplayer.exe	setup_wm.exe
PID 4576 wrote to memory of 2052	4576	wmplayer.exe	setup_wm.exe
PID 4576 wrote to memory of 2052	4576	wmplayer.exe	setup_wm.exe
PID 4576 wrote to memory of 2080	4576	wmplayer.exe	unregmp2.exe
PID 4576 wrote to memory of 2080	4576	wmplayer.exe	unregmp2.exe
PID 4576 wrote to memory of 2080	4576	wmplayer.exe	unregmp2.exe
PID 2080 wrote to memory of 1268	2080	unregmp2.exe	unregmp2.exe
PID 2080 wrote to memory of 1268	2080	unregmp2.exe	unregmp2.exe
PID 2052 wrote to memory of 4904	2052	setup_wm.exe	wmplayer.exe
PID 2052 wrote to memory of 4904	2052	setup_wm.exe	wmplayer.exe
PID 2052 wrote to memory of 4904	2052	setup_wm.exe	wmplayer.exe
PID 2740 wrote to memory of 428	2740	OpenWith.exe	NOTEPAD.EXE
PID 2740 wrote to memory of 428	2740	OpenWith.exe	NOTEPAD.EXE
PID 3716 wrote to memory of 1320	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 1320	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4800	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 1524	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 1524	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4880	3716	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103.exe
"C:\Users\Admin\AppData\Local\Temp\5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103.exe"
1⤵
PID:5004

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\JoinSubmit.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:2700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2752

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\security\logs\scesetup.log
1⤵
- Opens file in notepad (likely ransom note)
PID:1320

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\JoinSubmit.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:2772

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ClearComplete.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:2920

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4820

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\JoinEdit.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\UninstallNew.mpeg
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4904

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1268

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:2372

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SyncFormat.php
2⤵
- Opens file in notepad (likely ransom note)
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcc1389758,0x7ffcc1389768,0x7ffcc1389778
2⤵
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:2
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:8
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:1
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:1
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:8
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4620 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:1
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:8
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5068 --field-trial-handle=1860,i,146455616292685627,15366044936214670650,131072 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
42bfde4360d8605c2399341ed693b41b

SHA1
34b1d585634adb7be0769c43db5d52f14bad3d79

SHA256
8e34d931124d7e14f1278009e4080a436c9db12da869a36b859ac0a2372ad77c

SHA512
f98de59c07f95e114763cbfb771fa1d5fa3d2c0cad699ab7d976b3dafb87128ccdff21cefed0d33cc547421155ec27b3e9a522c594400ce5dffa419afa3a0be6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
dd5dc16038919e7732772c41cbc3c8d6

SHA1
ecd7abc1968198146c7d0de32422567d8e6eb13d

SHA256
3cfe4e3745a3caac8fedd44b893c1b3a7beb87218ce2f7e52011f9b640ad4805

SHA512
0e3fa99f5e328d35c02ec68d3873d9cf12d6bbc79966b0f13f2b1c0c5bdcaff668b2ef1e6610b5eeb9a8324c1b306f8a76bf0da6225cda1eb52d58d54dd949a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
effdf8bdabe6b76d7fbecc2df9115a1e

SHA1
febd429b864b53b06ec7dfecd8c3d7fe912f2035

SHA256
af711ce0be7d578135232507d7fa0ea093491303e6e1d82ff85d2a10e28a32d9

SHA512
d7025eba43f82a2ba7ad51e75609b182e0d55785b739e922629b432e247cf08aa6671e07ea24fee33dd2489cdcacf41d4fa56a9c1956d2a515fe01da2a3774f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
218KB

MD5
f9f594d5d6e18db44780021d98169c41

SHA1
a1dd3aae0f96f120633efed33a4e82b8d7a2536f

SHA256
c18b652efa9e8aca27e645dfd4888b4bda43c3a4e3d575fef7bb0f7301a08f72

SHA512
d8bd37b281853a8865ef0b0173a6a7200c577f1d3712402130acdf15f262c0a6b750d971d2b62cdc186c057285b28de03d82fbc6c2700acc18ae4bcd2a121975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
64KB

MD5
98df921f667bf303621c789390ed9f2e

SHA1
d9c82e51534cf1c2eb5a255286de6a09ca364d1a

SHA256
8b8497d37fa9ddd44e275aa7631d7c7173c384a501d11e73e3d4401513c4bbe3

SHA512
58e896295763c2729c5a19986356e7cc7706265bbda5cd9cec98201ec9ce86c4b68a3e388c86aba198870ca4b8ab1a7876f2d8e1fff7437216dd2789b3ed3796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
1024KB

MD5
c5c2aa123499431c7fa04fade09d65e2

SHA1
7094589684c606623a4b1e8adc21d75c1aa0a4c5

SHA256
34788e1ce730fac2718d580f1f6e471facddeb08e25cce464e7de560f988a490

SHA512
3b40acfca1c163f265b57046e482affabe1d3a0d389667ad88f010a5142aaf3ac150debca41ac02ddeb8e719336f2edfefcb8219b8d59eb418b9dbe1d5d36cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92437.WMC\allservices.xml
Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93906.WMC\serviceinfo.xml
Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
4d1f3c19308d95acb9f96946174a8634

SHA1
023c5d8da5db88943b8ae494359d3d297a7b99c7

SHA256
9ae884258a1db7014bc12ad6fee9ada9fc3523c6234a2b59f798b2577dd9a597

SHA512
0d91defaa7f68d82e3111a996daf61d8865aef210851cafecb94eef2b3b2ca48cfb2fb89e5f59df94631ef42b925056240d87d46e3c3a675124ca8b3fdad7f8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize
1KB

MD5
49fe67bac88f793f3c54220a2de51df9

SHA1
19a302db41d54817532786e49cb291a1d4a21082

SHA256
23cb38b2bf4fb5df383078bd08b4af1ca4bd603ca99f614396baf1060c6e2e4e

SHA512
2662502acbd3ade8d76548609717ec1008d8963496736641600a7b5143faa7043441d1a7ed6ae74fb551e5404763481977c8cecd8a30e68edbd0492de0efcbea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize
3KB

MD5
9500c85ec2cf974d63eb5a8a0bf046de

SHA1
3b4d946d457e6151cb8b85dd765d8acaa25c0567

SHA256
b52717319778161ab616ba6b4b66f81ebab87fe41068c839a90e0818aed96b0d

SHA512
70f9844ade7bfaa1d1da10a4a5cbea51a0fd29add4beb12af74e63c4991e2ef152b407b37d9e5c3766a60e02d8cf9a5ba1a6e5029aac5c03e6c05410d006180a

Download Submit
\??\pipe\crashpad_3716_HSHQUUMPMFZBGPZW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4428-118-0x00007FFCDC160000-0x00007FFCDC20E000-memory.dmp

Filesize
696KB

Download
memory/4428-113-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-114-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-115-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-117-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-99-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-119-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-120-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-121-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-122-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-123-0x00007FFC9C770000-0x00007FFC9C780000-memory.dmp

Filesize
64KB

Download
memory/4428-124-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-125-0x00007FFCDC160000-0x00007FFCDC20E000-memory.dmp

Filesize
696KB

Download
memory/4428-268-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-269-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-278-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-325-0x00007FFCDC160000-0x00007FFCDC20E000-memory.dmp

Filesize
696KB

Download
memory/4428-328-0x00007FFCDC160000-0x00007FFCDC20E000-memory.dmp

Filesize
696KB

Download
memory/4428-330-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-331-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-332-0x00007FFCDC160000-0x00007FFCDC20E000-memory.dmp

Filesize
696KB

Download
memory/4428-333-0x00007FFC9C770000-0x00007FFC9C780000-memory.dmp

Filesize
64KB

Download
memory/4428-112-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-111-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-110-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-109-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-108-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-101-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-103-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-104-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4428-106-0x00007FFCDC6E0000-0x00007FFCDC8BB000-memory.dmp

Filesize
1.9MB

Download
memory/4904-400-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-433-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-404-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-406-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-409-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-410-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-415-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-413-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-417-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-416-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-419-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-422-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-424-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-426-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-428-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-429-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-431-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-402-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-436-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-440-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-437-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-442-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-443-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-444-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4904-398-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-396-0x0000000008180000-0x0000000008190000-memory.dmp

Filesize
64KB

Download
memory/4904-394-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download
memory/4904-390-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download
memory/5004-0-0x00007FF6552C0000-0x00007FF655599000-memory.dmp

Filesize
2.8MB

Download
memory/5004-5-0x00007FF6552C0000-0x00007FF655599000-memory.dmp

Filesize
2.8MB

Download
memory/5004-4-0x0000025A2A9F0000-0x0000025A2AA78000-memory.dmp

Filesize
544KB

Download
memory/5004-3-0x0000025A2A9F0000-0x0000025A2AA78000-memory.dmp

Filesize
544KB

Download
memory/5004-1-0x0000025A2A8F0000-0x0000025A2A9F0000-memory.dmp

Filesize
1024KB

Download