cobaltstrike | d5ce0809bfd359dd4d5d8ed050f8ad9d321f9f34179f5ace550dacbde9133d4c

Resubmissions

24/08/2024, 11:33

240824-nnznzsxgpc 10

24/08/2024, 11:26

240824-njxntsxerc 10

24/08/2024, 11:20

240824-nfr9yaygrk 10

Analysis

max time kernel
147s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24/08/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
Size

5.9MB
MD5

fddabf0ae5d62e5888eeef778ec1e7bc
SHA1

eec4e6c645dcc10238a4d01e43c4fc822e8fb4f5
SHA256

d5ce0809bfd359dd4d5d8ed050f8ad9d321f9f34179f5ace550dacbde9133d4c
SHA512

72c50dcb906ee06d3d8769143df0eea1e370303f993b291738b4127f34baa38fd5067539dc8577673e524b8f9596ae0d56e166a4bfaf84f9e447c7cfa6e5654c
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lU0:T+q56utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor discovery miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000400000002a9d0-5.dat	cobalt_reflective_dll
behavioral1/files/0x000200000002aa21-10.dat	cobalt_reflective_dll
behavioral1/files/0x000700000002aa18-11.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa24-31.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa25-38.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa26-46.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa29-54.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa2c-64.dat	cobalt_reflective_dll
behavioral1/files/0x000300000002aa1f-85.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa30-117.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa33-127.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa32-123.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa31-121.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa2f-111.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa2d-94.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa2e-92.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa2b-75.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa2a-73.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa27-67.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa23-33.dat	cobalt_reflective_dll
behavioral1/files/0x000100000002aa22-28.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2872-0-0x00007FF6A4BA0000-0x00007FF6A4EF4000-memory.dmp	xmrig
behavioral1/files/0x000400000002a9d0-5.dat	xmrig
behavioral1/memory/4832-6-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp	xmrig
behavioral1/files/0x000200000002aa21-10.dat	xmrig
behavioral1/files/0x000700000002aa18-11.dat	xmrig
behavioral1/memory/3556-25-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa24-31.dat	xmrig
behavioral1/files/0x000100000002aa25-38.dat	xmrig
behavioral1/files/0x000100000002aa26-46.dat	xmrig
behavioral1/files/0x000100000002aa29-54.dat	xmrig
behavioral1/files/0x000100000002aa2c-64.dat	xmrig
behavioral1/files/0x000300000002aa1f-85.dat	xmrig
behavioral1/memory/2356-86-0x00007FF646240000-0x00007FF646594000-memory.dmp	xmrig
behavioral1/memory/3824-99-0x00007FF7F9C80000-0x00007FF7F9FD4000-memory.dmp	xmrig
behavioral1/memory/396-106-0x00007FF762A90000-0x00007FF762DE4000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa30-117.dat	xmrig
behavioral1/memory/4832-125-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp	xmrig
behavioral1/memory/1612-129-0x00007FF70CC50000-0x00007FF70CFA4000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa33-127.dat	xmrig
behavioral1/memory/4728-126-0x00007FF6C2CA0000-0x00007FF6C2FF4000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa32-123.dat	xmrig
behavioral1/files/0x000100000002aa31-121.dat	xmrig
behavioral1/memory/2532-120-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp	xmrig
behavioral1/memory/1476-119-0x00007FF731D70000-0x00007FF7320C4000-memory.dmp	xmrig
behavioral1/memory/2784-115-0x00007FF69B750000-0x00007FF69BAA4000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa2f-111.dat	xmrig
behavioral1/memory/2872-109-0x00007FF6A4BA0000-0x00007FF6A4EF4000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa2d-94.dat	xmrig
behavioral1/files/0x000100000002aa2e-92.dat	xmrig
behavioral1/memory/4512-91-0x00007FF738790000-0x00007FF738AE4000-memory.dmp	xmrig
behavioral1/memory/4108-83-0x00007FF75C5A0000-0x00007FF75C8F4000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa2b-75.dat	xmrig
behavioral1/files/0x000100000002aa2a-73.dat	xmrig
behavioral1/memory/3112-72-0x00007FF69DA50000-0x00007FF69DDA4000-memory.dmp	xmrig
behavioral1/memory/3868-71-0x00007FF743840000-0x00007FF743B94000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa27-67.dat	xmrig
behavioral1/memory/1872-65-0x00007FF609F10000-0x00007FF60A264000-memory.dmp	xmrig
behavioral1/memory/3388-60-0x00007FF778CF0000-0x00007FF779044000-memory.dmp	xmrig
behavioral1/memory/3668-49-0x00007FF6EF960000-0x00007FF6EFCB4000-memory.dmp	xmrig
behavioral1/memory/2828-45-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp	xmrig
behavioral1/memory/3592-37-0x00007FF768120000-0x00007FF768474000-memory.dmp	xmrig
behavioral1/files/0x000100000002aa23-33.dat	xmrig
behavioral1/files/0x000100000002aa22-28.dat	xmrig
behavioral1/memory/3044-20-0x00007FF6712F0000-0x00007FF671644000-memory.dmp	xmrig
behavioral1/memory/4940-12-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp	xmrig
behavioral1/memory/4940-130-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp	xmrig
behavioral1/memory/3556-132-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp	xmrig
behavioral1/memory/3592-133-0x00007FF768120000-0x00007FF768474000-memory.dmp	xmrig
behavioral1/memory/3044-131-0x00007FF6712F0000-0x00007FF671644000-memory.dmp	xmrig
behavioral1/memory/3668-134-0x00007FF6EF960000-0x00007FF6EFCB4000-memory.dmp	xmrig
behavioral1/memory/3112-137-0x00007FF69DA50000-0x00007FF69DDA4000-memory.dmp	xmrig
behavioral1/memory/3868-136-0x00007FF743840000-0x00007FF743B94000-memory.dmp	xmrig
behavioral1/memory/1872-135-0x00007FF609F10000-0x00007FF60A264000-memory.dmp	xmrig
behavioral1/memory/4512-138-0x00007FF738790000-0x00007FF738AE4000-memory.dmp	xmrig
behavioral1/memory/396-140-0x00007FF762A90000-0x00007FF762DE4000-memory.dmp	xmrig
behavioral1/memory/3824-139-0x00007FF7F9C80000-0x00007FF7F9FD4000-memory.dmp	xmrig
behavioral1/memory/1476-141-0x00007FF731D70000-0x00007FF7320C4000-memory.dmp	xmrig
behavioral1/memory/2532-142-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp	xmrig
behavioral1/memory/4832-143-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp	xmrig
behavioral1/memory/4940-144-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp	xmrig
behavioral1/memory/3044-145-0x00007FF6712F0000-0x00007FF671644000-memory.dmp	xmrig
behavioral1/memory/3556-146-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp	xmrig
behavioral1/memory/3592-147-0x00007FF768120000-0x00007FF768474000-memory.dmp	xmrig
behavioral1/memory/2828-149-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4832	rTEyoZw.exe
4940	iTbeJgJ.exe
3044	qKPtXEJ.exe
3556	bMEbceK.exe
3592	pMQQYlh.exe
2828	tgbymRK.exe
3388	iLiSWxG.exe
3668	NLcrfOJ.exe
4108	LgZRqGI.exe
1872	LjqdTXH.exe
2356	WlbJeQS.exe
3868	YtJjIfS.exe
3112	xRQZhwb.exe
3824	driPgDQ.exe
4512	elInvIY.exe
2784	shyLaXu.exe
396	LkOgPaF.exe
1476	IhYGboN.exe
4728	yVOugUJ.exe
2532	ctnvIxE.exe
1612	ZPfbasi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-0-0x00007FF6A4BA0000-0x00007FF6A4EF4000-memory.dmp	upx
behavioral1/files/0x000400000002a9d0-5.dat	upx
behavioral1/memory/4832-6-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp	upx
behavioral1/files/0x000200000002aa21-10.dat	upx
behavioral1/files/0x000700000002aa18-11.dat	upx
behavioral1/memory/3556-25-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp	upx
behavioral1/files/0x000100000002aa24-31.dat	upx
behavioral1/files/0x000100000002aa25-38.dat	upx
behavioral1/files/0x000100000002aa26-46.dat	upx
behavioral1/files/0x000100000002aa29-54.dat	upx
behavioral1/files/0x000100000002aa2c-64.dat	upx
behavioral1/files/0x000300000002aa1f-85.dat	upx
behavioral1/memory/2356-86-0x00007FF646240000-0x00007FF646594000-memory.dmp	upx
behavioral1/memory/3824-99-0x00007FF7F9C80000-0x00007FF7F9FD4000-memory.dmp	upx
behavioral1/memory/396-106-0x00007FF762A90000-0x00007FF762DE4000-memory.dmp	upx
behavioral1/files/0x000100000002aa30-117.dat	upx
behavioral1/memory/4832-125-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp	upx
behavioral1/memory/1612-129-0x00007FF70CC50000-0x00007FF70CFA4000-memory.dmp	upx
behavioral1/files/0x000100000002aa33-127.dat	upx
behavioral1/memory/4728-126-0x00007FF6C2CA0000-0x00007FF6C2FF4000-memory.dmp	upx
behavioral1/files/0x000100000002aa32-123.dat	upx
behavioral1/files/0x000100000002aa31-121.dat	upx
behavioral1/memory/2532-120-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp	upx
behavioral1/memory/1476-119-0x00007FF731D70000-0x00007FF7320C4000-memory.dmp	upx
behavioral1/memory/2784-115-0x00007FF69B750000-0x00007FF69BAA4000-memory.dmp	upx
behavioral1/files/0x000100000002aa2f-111.dat	upx
behavioral1/memory/2872-109-0x00007FF6A4BA0000-0x00007FF6A4EF4000-memory.dmp	upx
behavioral1/files/0x000100000002aa2d-94.dat	upx
behavioral1/files/0x000100000002aa2e-92.dat	upx
behavioral1/memory/4512-91-0x00007FF738790000-0x00007FF738AE4000-memory.dmp	upx
behavioral1/memory/4108-83-0x00007FF75C5A0000-0x00007FF75C8F4000-memory.dmp	upx
behavioral1/files/0x000100000002aa2b-75.dat	upx
behavioral1/files/0x000100000002aa2a-73.dat	upx
behavioral1/memory/3112-72-0x00007FF69DA50000-0x00007FF69DDA4000-memory.dmp	upx
behavioral1/memory/3868-71-0x00007FF743840000-0x00007FF743B94000-memory.dmp	upx
behavioral1/files/0x000100000002aa27-67.dat	upx
behavioral1/memory/1872-65-0x00007FF609F10000-0x00007FF60A264000-memory.dmp	upx
behavioral1/memory/3388-60-0x00007FF778CF0000-0x00007FF779044000-memory.dmp	upx
behavioral1/memory/3668-49-0x00007FF6EF960000-0x00007FF6EFCB4000-memory.dmp	upx
behavioral1/memory/2828-45-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp	upx
behavioral1/memory/3592-37-0x00007FF768120000-0x00007FF768474000-memory.dmp	upx
behavioral1/files/0x000100000002aa23-33.dat	upx
behavioral1/files/0x000100000002aa22-28.dat	upx
behavioral1/memory/3044-20-0x00007FF6712F0000-0x00007FF671644000-memory.dmp	upx
behavioral1/memory/4940-12-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp	upx
behavioral1/memory/4940-130-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp	upx
behavioral1/memory/3556-132-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp	upx
behavioral1/memory/3592-133-0x00007FF768120000-0x00007FF768474000-memory.dmp	upx
behavioral1/memory/3044-131-0x00007FF6712F0000-0x00007FF671644000-memory.dmp	upx
behavioral1/memory/3668-134-0x00007FF6EF960000-0x00007FF6EFCB4000-memory.dmp	upx
behavioral1/memory/3112-137-0x00007FF69DA50000-0x00007FF69DDA4000-memory.dmp	upx
behavioral1/memory/3868-136-0x00007FF743840000-0x00007FF743B94000-memory.dmp	upx
behavioral1/memory/1872-135-0x00007FF609F10000-0x00007FF60A264000-memory.dmp	upx
behavioral1/memory/4512-138-0x00007FF738790000-0x00007FF738AE4000-memory.dmp	upx
behavioral1/memory/396-140-0x00007FF762A90000-0x00007FF762DE4000-memory.dmp	upx
behavioral1/memory/3824-139-0x00007FF7F9C80000-0x00007FF7F9FD4000-memory.dmp	upx
behavioral1/memory/1476-141-0x00007FF731D70000-0x00007FF7320C4000-memory.dmp	upx
behavioral1/memory/2532-142-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp	upx
behavioral1/memory/4832-143-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp	upx
behavioral1/memory/4940-144-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp	upx
behavioral1/memory/3044-145-0x00007FF6712F0000-0x00007FF671644000-memory.dmp	upx
behavioral1/memory/3556-146-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp	upx
behavioral1/memory/3592-147-0x00007FF768120000-0x00007FF768474000-memory.dmp	upx
behavioral1/memory/2828-149-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pMQQYlh.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ctnvIxE.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\driPgDQ.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\yVOugUJ.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\qKPtXEJ.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\iLiSWxG.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\YtJjIfS.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\xRQZhwb.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\shyLaXu.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\LkOgPaF.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\IhYGboN.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\bMEbceK.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\tgbymRK.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\LjqdTXH.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\LgZRqGI.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\WlbJeQS.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\elInvIY.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ZPfbasi.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\rTEyoZw.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\iTbeJgJ.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\NLcrfOJ.exe	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4532	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4628	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4380	OpenWith.exe
4628	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
Token: SeLockMemoryPrivilege	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4628	vlc.exe
4628	vlc.exe
4628	vlc.exe
4628	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4628	vlc.exe
4628	vlc.exe
4628	vlc.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5068	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
2912	AcroRd32.exe
2912	AcroRd32.exe
2912	AcroRd32.exe
2912	AcroRd32.exe
4628	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4832	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	82
PID 2872 wrote to memory of 4832	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	82
PID 2872 wrote to memory of 4940	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	83
PID 2872 wrote to memory of 4940	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	83
PID 2872 wrote to memory of 3044	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	84
PID 2872 wrote to memory of 3044	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	84
PID 2872 wrote to memory of 3556	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	86
PID 2872 wrote to memory of 3556	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	86
PID 2872 wrote to memory of 3592	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	87
PID 2872 wrote to memory of 3592	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	87
PID 2872 wrote to memory of 2828	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	88
PID 2872 wrote to memory of 2828	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	88
PID 2872 wrote to memory of 3388	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	89
PID 2872 wrote to memory of 3388	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	89
PID 2872 wrote to memory of 3668	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	90
PID 2872 wrote to memory of 3668	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	90
PID 2872 wrote to memory of 4108	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	91
PID 2872 wrote to memory of 4108	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	91
PID 2872 wrote to memory of 1872	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	92
PID 2872 wrote to memory of 1872	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	92
PID 2872 wrote to memory of 2356	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	93
PID 2872 wrote to memory of 2356	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	93
PID 2872 wrote to memory of 3868	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	94
PID 2872 wrote to memory of 3868	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	94
PID 2872 wrote to memory of 3112	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	95
PID 2872 wrote to memory of 3112	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	95
PID 2872 wrote to memory of 3824	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	96
PID 2872 wrote to memory of 3824	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	96
PID 2872 wrote to memory of 4512	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	97
PID 2872 wrote to memory of 4512	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	97
PID 2872 wrote to memory of 2784	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	98
PID 2872 wrote to memory of 2784	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	98
PID 2872 wrote to memory of 396	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	99
PID 2872 wrote to memory of 396	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	99
PID 2872 wrote to memory of 1476	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	100
PID 2872 wrote to memory of 1476	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	100
PID 2872 wrote to memory of 4728	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	101
PID 2872 wrote to memory of 4728	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	101
PID 2872 wrote to memory of 2532	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	102
PID 2872 wrote to memory of 2532	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	102
PID 2872 wrote to memory of 1612	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	103
PID 2872 wrote to memory of 1612	2872	20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe	103
PID 4380 wrote to memory of 2912	4380	OpenWith.exe	118
PID 4380 wrote to memory of 2912	4380	OpenWith.exe	118
PID 4380 wrote to memory of 2912	4380	OpenWith.exe	118
PID 2912 wrote to memory of 4492	2912	AcroRd32.exe	121
PID 2912 wrote to memory of 4492	2912	AcroRd32.exe	121
PID 2912 wrote to memory of 4492	2912	AcroRd32.exe	121
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122
PID 4492 wrote to memory of 1992	4492	RdrCEF.exe	122

C:\Users\Admin\AppData\Local\Temp\20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\20240824fddabf0ae5d62e5888eeef778ec1e7bccobaltstrikecobaltstrikepoetrat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\System\rTEyoZw.exe
  C:\Windows\System\rTEyoZw.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\iTbeJgJ.exe
  C:\Windows\System\iTbeJgJ.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\qKPtXEJ.exe
  C:\Windows\System\qKPtXEJ.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\bMEbceK.exe
  C:\Windows\System\bMEbceK.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\pMQQYlh.exe
  C:\Windows\System\pMQQYlh.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\tgbymRK.exe
  C:\Windows\System\tgbymRK.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\iLiSWxG.exe
  C:\Windows\System\iLiSWxG.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\NLcrfOJ.exe
  C:\Windows\System\NLcrfOJ.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\LgZRqGI.exe
  C:\Windows\System\LgZRqGI.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\LjqdTXH.exe
  C:\Windows\System\LjqdTXH.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\WlbJeQS.exe
  C:\Windows\System\WlbJeQS.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\YtJjIfS.exe
  C:\Windows\System\YtJjIfS.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\xRQZhwb.exe
  C:\Windows\System\xRQZhwb.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\driPgDQ.exe
  C:\Windows\System\driPgDQ.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\elInvIY.exe
  C:\Windows\System\elInvIY.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\shyLaXu.exe
  C:\Windows\System\shyLaXu.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\LkOgPaF.exe
  C:\Windows\System\LkOgPaF.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\IhYGboN.exe
  C:\Windows\System\IhYGboN.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\yVOugUJ.exe
  C:\Windows\System\yVOugUJ.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\ctnvIxE.exe
  C:\Windows\System\ctnvIxE.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\ZPfbasi.exe
  C:\Windows\System\ZPfbasi.exe
  2⤵
  - Executes dropped EXE
  PID:1612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BackupAdd.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:4532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\PushDisable.xps"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3424485052F0B0D976AA198200C6DB6 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1992
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A60FC220351B066E253D849BA66F43F6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A60FC220351B066E253D849BA66F43F6 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1636
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8E086BB9D6DB12A80C28C52C90FA12F --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:764
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4D193BE92FFD7858B2173FC2095AEAE3 --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4092
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=96C9A1A4DECF7CF3308DACE2604E267D --mojo-platform-channel-handle=1972 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SuspendCompress.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SuspendCompress.wmv"
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\IhYGboN.exe

Filesize
5.9MB

MD5
831afc42dab2c85020f30b91042528dc

SHA1
b54fe3cae9596079918493a728521fc1b48573f7

SHA256
68c0208c680cb1ac0f77a0348b05da01ca4ac1b4109618448c367e9bb3add462

SHA512
b7802871a9b711a37af88754d4751280896871d785c34385e6c41b93322eac2c476e60359683b6f881ec17da53b2a36988141f8e54621e330f205eb839fbd341

Download Submit
C:\Windows\System\LgZRqGI.exe

Filesize
5.9MB

MD5
1e59bd60a4a77ec90004f88aa70d0a28

SHA1
cf65044da079510781de6c99289ceca5af0e2663

SHA256
ef344aafd059297f2d3d146b74ab55358b34a3c33d44c71cb48aa8315dafe04f

SHA512
e3d652ded97f122b698d7f02f69a7b499f6f1fb775eb83825dfa97815c7e1f8de2d08c2d61f516f3922ad5eb937c8fe92b2033444ceb1b141ea1dcfc7f32d76e

Download Submit
C:\Windows\System\LjqdTXH.exe

Filesize
5.9MB

MD5
014272c1010e1c922c2310ca717c5a43

SHA1
5120dc6ef3fed40097223f38c8e23ef0926f1002

SHA256
5a63d892576fc61a6d6ae44c2e7761d4472ea83618bbb0417b4e76eb32d729e5

SHA512
c41d1f43b73300ef3a3307e5055a35453681e21000749a30c73262e20c820b5adb2a3134fd5193ef669fff0e0a329aff8c18f22b3ce547cb22cae00af5ce3087

Download Submit
C:\Windows\System\LkOgPaF.exe

Filesize
5.9MB

MD5
b850657361650c2165e5a4d211561ef1

SHA1
e53868085edd1fb482b738d6000f9987969b59ff

SHA256
830e1ab149c189bfd547d8444b42465d5c85cc8a5003050acf87d856f759b79f

SHA512
552f4e1ccb230d1f4b161a5806749f2a33a074624c2d7c3abf8c98fad3c6c5268ad523508239351491d49d8162e448fc014b077d4966a808024a47a0c4c6afb2

Download Submit
C:\Windows\System\NLcrfOJ.exe

Filesize
5.9MB

MD5
46d8be25283f73bcc4a9293a07daab3d

SHA1
8d8cb47148d879f7d3d8de113c1bc45b95b4bdb8

SHA256
3c1291744b8dee71f56f78fa0aed3a2dc56a924d13c14da4795e454278da5e96

SHA512
47922d545729588a4a7f8b80a46ce2cda9d045432ce7aaecb288f7eb5f3e95ac3ffa45701ebe574b46872c82668380549f232ff0610316edfdc25ca4a9d970ad

Download Submit
C:\Windows\System\WlbJeQS.exe

Filesize
5.9MB

MD5
d15ca21de6fddf02788c581edaff4399

SHA1
0f6156cbbf2e820fb14012459490416b78831c2e

SHA256
c08ea35c1df1221aa967bfbbb27fc9001d883e4d62bf11634f61d31901a6a5b4

SHA512
6ae478890eed588d4c5c639ceb284be86b957a5787f8418f682a126b837b0181333dda9a4fab85272094bee9c17b0af7b8e1eaaf3d26104633d64b2cf9e970bf

Download Submit
C:\Windows\System\YtJjIfS.exe

Filesize
5.9MB

MD5
e1677be76d6b4deefd1d65ce05f82238

SHA1
410e9fe257aa32b884cea71309b7d7d6b6a8f190

SHA256
4ed14cfbb67d227679065f8c8a79849f3ad9954bf8ed9521ba02b9d9f16673eb

SHA512
a54de22422b4c0251be3f5ef93eb41be38f4a4648599d8e9c4a147370bc90280f44fbdaf61586e18674c06b8729860400ea5a168fc7f7cb4c38d39d67be8255f

Download Submit
C:\Windows\System\ZPfbasi.exe

Filesize
5.9MB

MD5
99499bd9d634be86201327cb8a8bae18

SHA1
05f576dc950df23bc81a517ed00ea7529aed3405

SHA256
ba8e866bb3bf2934a225b46473f90ff15c97cc73c3ad47ed4e9b780c363e94fc

SHA512
8a989cf1709151b2df8ed03a4bdf144e97c963c9f04812b2c3ef1998a92764e56a2ea51be5dfdb7af15cb9ad15dbc81fd60a21601e13f3e29ce821e2472d498f

Download Submit
C:\Windows\System\bMEbceK.exe

Filesize
5.9MB

MD5
4011b664074de895000e977c8d649912

SHA1
3fca9fdac22c3b775810159d5ce090c2a410f132

SHA256
42c7e4a01d3699ee9efa8e4e4c06e5e940a1bebd133c957468442c4518e801cd

SHA512
ed80514b52f9d07aec6f4d5bb0c55354b2de857b82a0c7a0ecdd4f479e6643f5f8dcca10ffac0cae04ece473fa2568114010fb102d84433d441c6d1cb75f707a

Download Submit
C:\Windows\System\ctnvIxE.exe

Filesize
5.9MB

MD5
5afa84748c72a8d81df3e6121a1e36dd

SHA1
a44c96515f9e9940fb8b0714bd523035f4b19d0d

SHA256
8d3b3a96793d1ee82804101188060b8d74f41e18170965186a6b924ead87ccb3

SHA512
51efcc58677d92f76fc83118a844c8264b27cfdec0009f3229d9fa783a1fa88ecc93046f9534c0a1797919a3c76d6e0ec8e767204facfb20241aad7a3542c04f

Download Submit
C:\Windows\System\driPgDQ.exe

Filesize
5.9MB

MD5
7d998d35541ab1338aa31161e40c7dd7

SHA1
7a9761d94fe1e81bfba4f0a0637a8b2b287670a3

SHA256
cc83b093b4907c33cda34694750d7627b3db50fa151e8ca09067a23ec819f9eb

SHA512
4d5ad7fc706e6dd97195fde75871dd20b96d2fe8dcb91a3dfc7293c8fda33ee42a79aba67c0d502023be0475d604b6674e4edabe13d3cb282167c306782c8704

Download Submit
C:\Windows\System\elInvIY.exe

Filesize
5.9MB

MD5
fb62476beab5990a5f52ca7e0dd7d98a

SHA1
0831372a4f5bf9e35bb59a7c557af84e58575a4c

SHA256
0038bc6dabefe8405504131feea759dec925a3d07855ecb8855e958f83ef338e

SHA512
95ce6b4014c6cdd1411c1d9950785d258630a76412023fe29a5cceca83cc295264b16de3de7dbc4122f922f1fa19a9d54c5a9f119bbf0674db4f6f914e8c61e0

Download Submit
C:\Windows\System\iLiSWxG.exe

Filesize
5.9MB

MD5
c93f253bb603ddd6f239ad6bfaf11375

SHA1
89957f011e38ac886f6796549823c2075d02b44c

SHA256
25786736dbea6fca2aa516d87447d1367859d639fdec7440945de9c96edd55ab

SHA512
6164d8d7bb4f99f142d3c7ce4e899eaaa543036bde7a81933ee0e7d003c73a9cae9d9e3a0f3d19da2ec84a60fff20575e6a60fbce40f59da752f8d858c9282a1

Download Submit
C:\Windows\System\iTbeJgJ.exe

Filesize
5.9MB

MD5
454c32aaa9fad2a4d5d221b0c1ac9465

SHA1
b2ec83f3ed08f2c4a5c4424cca025dbc9b14f165

SHA256
1d9ec0b898ecafb7f6113bb38dedc3220fe82d0d14e4cbef4e788001a69e6a94

SHA512
24c239cd041ddc9cb1bd7113dc0eee82b444e1edcc876e79d8f47bc508c88a4e82c614ce5226ba7b7bf2cc7859dc453530579fd1c990068200eaace72d7f8421

Download Submit
C:\Windows\System\pMQQYlh.exe

Filesize
5.9MB

MD5
1ea8da949aca95194e860c01e41615db

SHA1
3293c8dcfea4bbc745cf9d7abe46bdb254de5bdf

SHA256
2c39a19f1719ad72e1672ceb7856fea248512eb198b74acfee1f88cb5bb896a3

SHA512
be77803a6c8e258408fb7aef074893156adbca7408915f0421ff724f55494881e7b93e52f69739a19a0db748f76656a87e70d52e04b91b6f2ae3f3082417196f

Download Submit
C:\Windows\System\qKPtXEJ.exe

Filesize
5.9MB

MD5
736838e8d6c7b88e08c3dcec6f93ae01

SHA1
7e3b3eecf7883b9be5b31a0338cb9e6cd9d814b4

SHA256
92e10eac4c92b7ac877cc130cc48600180e1f3265ec7ced26cae8efaf720de80

SHA512
c6755c7482e56392964f654739bdc87bb268eb7975e95f11df5045198c20d2f67df9231a6aad6f59d719776101752b994dc0372c2487dfdeecf779598abda61f

Download Submit
C:\Windows\System\rTEyoZw.exe

Filesize
5.9MB

MD5
c08c79ae6005993d83017a4720517baa

SHA1
2903c70a7b220902574700438752f0cccfbb00b9

SHA256
6f0d9b835a6e93c54cf0690caa11d87a21db76e729e6c40c1b2da1ac60888807

SHA512
d78d64163adca95bee447af558a5faf62c2edbae7f2d61a1cd72d6759908c6f3c2c93e81a1b139bf0ddd62ab12831136e7ec468f08dcc540fb04086e055ab2cc

Download Submit
C:\Windows\System\shyLaXu.exe

Filesize
5.9MB

MD5
e5dce30c384f4a3adb49bf903c021582

SHA1
4c6f89ecdac501994e265993d90d6a49ef22f88b

SHA256
d8ea7520fd2fc2ae4a53f5617e0628aa70359268760c6d4035f48c6b54032f7d

SHA512
38a0a2213a3de492f89bf5e604e3d0b8cbe0d1559b5069d773f5353f7039eca82faac80d4d44f57d37515f2085ca524292b4ee8bcf02ddea928e2c2685a5c2e1

Download Submit
C:\Windows\System\tgbymRK.exe

Filesize
5.9MB

MD5
7c911d2c871f6d1f21144adf0bbed1b6

SHA1
a5d89154cd6ff1134e6d4529a99b7c917040c027

SHA256
45869cabd408e4582c84a008f60d26ee405d6ca68887a1d44f7b141c39b57df1

SHA512
e833d6a9bfe5c3ab196a3536161570c248189f84aba5d073383f25ac381bc5e787cd626ae9a9f1d26ecc4a8b2b62dbadb9703a16043f5a2dd0f59668266eba80

Download Submit
C:\Windows\System\xRQZhwb.exe

Filesize
5.9MB

MD5
7b1a5f08380a55620b2a5911a384b97c

SHA1
bd8adcf5bee3525dda6e470c59c06fe0dc3369d7

SHA256
b55d33a79289435efc70491d0d90ff2f4cf9fcbf90d143ea6e71d7839503f411

SHA512
4fe89977dac5b9fa6cb11eb6b9a6b2ed35b3455f94f720d9a01ae10ccf1acafd5d9febbbb6e44e7a77bfcb07e4b16cb4801af9d81cab8d3cda542418419de4ed

Download Submit
C:\Windows\System\yVOugUJ.exe

Filesize
5.9MB

MD5
49fcdbbdc9badc74cb85d8d2bdac1c83

SHA1
1aef5e9c526496f8b2ff8f676681599b40c9b43b

SHA256
aad060b71851e0b1903b1d1974241ef0aaf463447f3c54c24df65eaefcbd9bd4

SHA512
c9c458573d940f65f4962c1e18bd5e44e61e8c6b0cba3c9b93ff8325dadbaac2aca06ee8a5fcc8b790e6a016d1e050420bcec33adda1a23307f978201ca3abd9

Download Submit
memory/396-140-0x00007FF762A90000-0x00007FF762DE4000-memory.dmp

Filesize
3.3MB

Download
memory/396-106-0x00007FF762A90000-0x00007FF762DE4000-memory.dmp

Filesize
3.3MB

Download
memory/396-160-0x00007FF762A90000-0x00007FF762DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1476-159-0x00007FF731D70000-0x00007FF7320C4000-memory.dmp

Filesize
3.3MB

Download
memory/1476-119-0x00007FF731D70000-0x00007FF7320C4000-memory.dmp

Filesize
3.3MB

Download
memory/1476-141-0x00007FF731D70000-0x00007FF7320C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-129-0x00007FF70CC50000-0x00007FF70CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-163-0x00007FF70CC50000-0x00007FF70CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/1872-65-0x00007FF609F10000-0x00007FF60A264000-memory.dmp

Filesize
3.3MB

Download
memory/1872-135-0x00007FF609F10000-0x00007FF60A264000-memory.dmp

Filesize
3.3MB

Download
memory/1872-151-0x00007FF609F10000-0x00007FF60A264000-memory.dmp

Filesize
3.3MB

Download
memory/2356-153-0x00007FF646240000-0x00007FF646594000-memory.dmp

Filesize
3.3MB

Download
memory/2356-86-0x00007FF646240000-0x00007FF646594000-memory.dmp

Filesize
3.3MB

Download
memory/2532-142-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-161-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-120-0x00007FF7A3D80000-0x00007FF7A40D4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-156-0x00007FF69B750000-0x00007FF69BAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-115-0x00007FF69B750000-0x00007FF69BAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-149-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp

Filesize
3.3MB

Download
memory/2828-45-0x00007FF62EBD0000-0x00007FF62EF24000-memory.dmp

Filesize
3.3MB

Download
memory/2872-0-0x00007FF6A4BA0000-0x00007FF6A4EF4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-164-0x00007FF6A4BA0000-0x00007FF6A4EF4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-109-0x00007FF6A4BA0000-0x00007FF6A4EF4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-1-0x000001E9BA1B0000-0x000001E9BA1C0000-memory.dmp

Filesize
64KB

Download
memory/3044-131-0x00007FF6712F0000-0x00007FF671644000-memory.dmp

Filesize
3.3MB

Download
memory/3044-20-0x00007FF6712F0000-0x00007FF671644000-memory.dmp

Filesize
3.3MB

Download
memory/3044-145-0x00007FF6712F0000-0x00007FF671644000-memory.dmp

Filesize
3.3MB

Download
memory/3112-137-0x00007FF69DA50000-0x00007FF69DDA4000-memory.dmp

Filesize
3.3MB

Download
memory/3112-72-0x00007FF69DA50000-0x00007FF69DDA4000-memory.dmp

Filesize
3.3MB

Download
memory/3112-155-0x00007FF69DA50000-0x00007FF69DDA4000-memory.dmp

Filesize
3.3MB

Download
memory/3388-148-0x00007FF778CF0000-0x00007FF779044000-memory.dmp

Filesize
3.3MB

Download
memory/3388-60-0x00007FF778CF0000-0x00007FF779044000-memory.dmp

Filesize
3.3MB

Download
memory/3452-206-0x00007FF821410000-0x00007FF821427000-memory.dmp

Filesize
92KB

Download
memory/3452-207-0x00007FF8213E0000-0x00007FF8213F1000-memory.dmp

Filesize
68KB

Download
memory/3452-205-0x00007FF824650000-0x00007FF824668000-memory.dmp

Filesize
96KB

Download
memory/3452-203-0x00007FF820580000-0x00007FF8205B4000-memory.dmp

Filesize
208KB

Download
memory/3452-202-0x00007FF66EE50000-0x00007FF66EF48000-memory.dmp

Filesize
992KB

Download
memory/3452-204-0x00007FF80A0C0000-0x00007FF80A376000-memory.dmp

Filesize
2.7MB

Download
memory/3556-25-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp

Filesize
3.3MB

Download
memory/3556-146-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp

Filesize
3.3MB

Download
memory/3556-132-0x00007FF6E60D0000-0x00007FF6E6424000-memory.dmp

Filesize
3.3MB

Download
memory/3592-147-0x00007FF768120000-0x00007FF768474000-memory.dmp

Filesize
3.3MB

Download
memory/3592-37-0x00007FF768120000-0x00007FF768474000-memory.dmp

Filesize
3.3MB

Download
memory/3592-133-0x00007FF768120000-0x00007FF768474000-memory.dmp

Filesize
3.3MB

Download
memory/3668-134-0x00007FF6EF960000-0x00007FF6EFCB4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-49-0x00007FF6EF960000-0x00007FF6EFCB4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-150-0x00007FF6EF960000-0x00007FF6EFCB4000-memory.dmp

Filesize
3.3MB

Download
memory/3824-99-0x00007FF7F9C80000-0x00007FF7F9FD4000-memory.dmp

Filesize
3.3MB

Download
memory/3824-139-0x00007FF7F9C80000-0x00007FF7F9FD4000-memory.dmp

Filesize
3.3MB

Download
memory/3824-158-0x00007FF7F9C80000-0x00007FF7F9FD4000-memory.dmp

Filesize
3.3MB

Download
memory/3868-136-0x00007FF743840000-0x00007FF743B94000-memory.dmp

Filesize
3.3MB

Download
memory/3868-154-0x00007FF743840000-0x00007FF743B94000-memory.dmp

Filesize
3.3MB

Download
memory/3868-71-0x00007FF743840000-0x00007FF743B94000-memory.dmp

Filesize
3.3MB

Download
memory/4108-152-0x00007FF75C5A0000-0x00007FF75C8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4108-83-0x00007FF75C5A0000-0x00007FF75C8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-138-0x00007FF738790000-0x00007FF738AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-157-0x00007FF738790000-0x00007FF738AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-91-0x00007FF738790000-0x00007FF738AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-232-0x00007FF66EE50000-0x00007FF66EF48000-memory.dmp

Filesize
992KB

Download
memory/4628-221-0x00007FF820560000-0x00007FF820577000-memory.dmp

Filesize
92KB

Download
memory/4628-235-0x000001A037FB0000-0x000001A039060000-memory.dmp

Filesize
16.7MB

Download
memory/4628-234-0x00007FF80A0C0000-0x00007FF80A376000-memory.dmp

Filesize
2.7MB

Download
memory/4628-217-0x00007FF80A0C0000-0x00007FF80A376000-memory.dmp

Filesize
2.7MB

Download
memory/4628-218-0x00007FF824650000-0x00007FF824668000-memory.dmp

Filesize
96KB

Download
memory/4628-219-0x00007FF821410000-0x00007FF821427000-memory.dmp

Filesize
92KB

Download
memory/4628-220-0x00007FF8213E0000-0x00007FF8213F1000-memory.dmp

Filesize
68KB

Download
memory/4628-210-0x00007FF66EE50000-0x00007FF66EF48000-memory.dmp

Filesize
992KB

Download
memory/4628-224-0x00007FF81D440000-0x00007FF81D451000-memory.dmp

Filesize
68KB

Download
memory/4628-211-0x00007FF820580000-0x00007FF8205B4000-memory.dmp

Filesize
208KB

Download
memory/4628-223-0x00007FF81D460000-0x00007FF81D47D000-memory.dmp

Filesize
116KB

Download
memory/4628-225-0x00007FF809C80000-0x00007FF809E8B000-memory.dmp

Filesize
2.0MB

Download
memory/4628-233-0x00007FF820580000-0x00007FF8205B4000-memory.dmp

Filesize
208KB

Download
memory/4628-222-0x00007FF81D870000-0x00007FF81D881000-memory.dmp

Filesize
68KB

Download
memory/4728-126-0x00007FF6C2CA0000-0x00007FF6C2FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-162-0x00007FF6C2CA0000-0x00007FF6C2FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4832-6-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp

Filesize
3.3MB

Download
memory/4832-125-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp

Filesize
3.3MB

Download
memory/4832-143-0x00007FF6FBC00000-0x00007FF6FBF54000-memory.dmp

Filesize
3.3MB

Download
memory/4940-144-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp

Filesize
3.3MB

Download
memory/4940-130-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp

Filesize
3.3MB

Download
memory/4940-12-0x00007FF6D9D80000-0x00007FF6DA0D4000-memory.dmp

Filesize
3.3MB

Download