phobos | 757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634

Analysis

max time kernel
300s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20-08-2023 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
Size

1.2MB
MD5

3f520f0a58e0f6a68affc7a6b31b0bf2
SHA1

5c020a7f2cb8f3c17d6d7351166fde08e526d401
SHA256

757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634
SHA512

16e1918b9435c446b9444701600607e1d3c425d55944026411164dd011a3770145457aa90f8e505b9d7f23d9e90f4a59cd97f070a42fd91178b1ad4c13de2026
SSDEEP

24576:tt/QqsBX5lT1cH2DTCA+mFPTAv28+xEE4HTfcSMEYmVsbFY:ttbyX5uSVRTAv28i1wT9YmVs

Score

10^/10

phobos rhadamanthys evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>C145F53C-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message C145F53C-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2488-1153-0x0000000001FA0000-0x00000000023A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2488-1155-0x0000000001FA0000-0x00000000023A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2488-1166-0x0000000001FA0000-0x00000000023A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2488-1168-0x0000000001FA0000-0x00000000023A0000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe

description	pid	Process	procid_target
PID 2488 created 1316	2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	14

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
4000	bcdedit.exe
4008	bcdedit.exe
3520	bcdedit.exe
3896	bcdedit.exe

Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exe

pid	Process
4016	wbadmin.exe
3628	wbadmin.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exenetsh.exe

pid	Process
2496	netsh.exe
1748	netsh.exe

Deletes itself 1 IoCs

Processes:

certreq.exe

pid	Process
876	certreq.exe

Drops startup file 3 IoCs

Processes:

750eN.exe

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\750eN.exe	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	750eN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[C145F53C-3483].[[email protected]].8base	750eN.exe

Executes dropped EXE 7 IoCs

Processes:

46g.exe42C.exe750eN.exe-7024H.exe750eN.exe750eN.exe750eN.exe

pid	Process
2220	46g.exe
2268	42C.exe
2128	750eN.exe
828	-7024H.exe
1488	750eN.exe
1752	750eN.exe
1632	750eN.exe

Loads dropped DLL 2 IoCs

Processes:

Explorer.EXE

pid	Process
2040
1316	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

750eN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\750eN = "C:\\Users\\Admin\\AppData\\Local\\750eN.exe"	750eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\750eN = "C:\\Users\\Admin\\AppData\\Local\\750eN.exe"	750eN.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

750eN.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ZFTQ8N3\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	750eN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	750eN.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	750eN.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	750eN.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\20BGZFMZ\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	750eN.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WJ8HJG09\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	750eN.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	750eN.exe
File opened for modification	C:\Program Files\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	750eN.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini	750eN.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	750eN.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	750eN.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\COWGNRUO\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SIB16BF9\desktop.ini	750eN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	750eN.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe750eN.exe750eN.exe

description	pid	Process	procid_target
PID 2444 set thread context of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2128 set thread context of 1488	2128	750eN.exe	38
PID 1752 set thread context of 1632	1752	750eN.exe	70

Drops file in Program Files directory 64 IoCs

Processes:

750eN.exe

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.XML	750eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar	750eN.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\HST10	750eN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libwindrive_plugin.dll	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00712_.WMF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Payment Type.accft	750eN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	750eN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jpeg.dll	750eN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	750eN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\hxdsui.dll	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF	750eN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00222_.WMF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar	750eN.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza	750eN.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka	750eN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	750eN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pidgenx.dll	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MORPH9.DLL.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png	750eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui	750eN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.DLL.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00350_.WMF	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293570.WMF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar	750eN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll	750eN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar	750eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files\Java\jre7\bin\jawt.dll.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_K_COL.HXK.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Budapest.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18247_.WMF	750eN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	750eN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	750eN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\USP10.DLL	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	750eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\eqnedt32.exe.manifest.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287018.WMF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif	750eN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll	750eN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF.id[C145F53C-3483].[[email protected]].8base	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+Connect to New Data Source.odc	750eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_increaseindent.gif	750eN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.id[C145F53C-3483].[[email protected]].8base	750eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
2344	vssadmin.exe
876	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.execertreq.exe750eN.exe

pid	Process
2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
876	certreq.exe
876	certreq.exe
876	certreq.exe
876	certreq.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe
1488	750eN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe750eN.exe46g.exe-7024H.exe750eN.exe750eN.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
Token: SeDebugPrivilege	2128	750eN.exe
Token: SeDebugPrivilege	2220	46g.exe
Token: SeDebugPrivilege	828	-7024H.exe
Token: SeDebugPrivilege	1752	750eN.exe
Token: SeDebugPrivilege	1488	750eN.exe
Token: SeBackupPrivilege	2532	vssvc.exe
Token: SeRestorePrivilege	2532	vssvc.exe
Token: SeAuditPrivilege	2532	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1672	WMIC.exe
Token: SeSecurityPrivilege	1672	WMIC.exe
Token: SeTakeOwnershipPrivilege	1672	WMIC.exe
Token: SeLoadDriverPrivilege	1672	WMIC.exe
Token: SeSystemProfilePrivilege	1672	WMIC.exe
Token: SeSystemtimePrivilege	1672	WMIC.exe
Token: SeProfSingleProcessPrivilege	1672	WMIC.exe
Token: SeIncBasePriorityPrivilege	1672	WMIC.exe
Token: SeCreatePagefilePrivilege	1672	WMIC.exe
Token: SeBackupPrivilege	1672	WMIC.exe
Token: SeRestorePrivilege	1672	WMIC.exe
Token: SeShutdownPrivilege	1672	WMIC.exe
Token: SeDebugPrivilege	1672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1672	WMIC.exe
Token: SeRemoteShutdownPrivilege	1672	WMIC.exe
Token: SeUndockPrivilege	1672	WMIC.exe
Token: SeManageVolumePrivilege	1672	WMIC.exe
Token: 33	1672	WMIC.exe
Token: 34	1672	WMIC.exe
Token: 35	1672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1672	WMIC.exe
Token: SeSecurityPrivilege	1672	WMIC.exe
Token: SeTakeOwnershipPrivilege	1672	WMIC.exe
Token: SeLoadDriverPrivilege	1672	WMIC.exe
Token: SeSystemProfilePrivilege	1672	WMIC.exe
Token: SeSystemtimePrivilege	1672	WMIC.exe
Token: SeProfSingleProcessPrivilege	1672	WMIC.exe
Token: SeIncBasePriorityPrivilege	1672	WMIC.exe
Token: SeCreatePagefilePrivilege	1672	WMIC.exe
Token: SeBackupPrivilege	1672	WMIC.exe
Token: SeRestorePrivilege	1672	WMIC.exe
Token: SeShutdownPrivilege	1672	WMIC.exe
Token: SeDebugPrivilege	1672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1672	WMIC.exe
Token: SeRemoteShutdownPrivilege	1672	WMIC.exe
Token: SeUndockPrivilege	1672	WMIC.exe
Token: SeManageVolumePrivilege	1672	WMIC.exe
Token: 33	1672	WMIC.exe
Token: 34	1672	WMIC.exe
Token: 35	1672	WMIC.exe
Token: SeBackupPrivilege	2488	wbengine.exe
Token: SeRestorePrivilege	2488	wbengine.exe
Token: SeSecurityPrivilege	2488	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1408	WMIC.exe
Token: SeSecurityPrivilege	1408	WMIC.exe
Token: SeTakeOwnershipPrivilege	1408	WMIC.exe
Token: SeLoadDriverPrivilege	1408	WMIC.exe
Token: SeSystemProfilePrivilege	1408	WMIC.exe
Token: SeSystemtimePrivilege	1408	WMIC.exe
Token: SeProfSingleProcessPrivilege	1408	WMIC.exe
Token: SeIncBasePriorityPrivilege	1408	WMIC.exe
Token: SeCreatePagefilePrivilege	1408	WMIC.exe
Token: SeBackupPrivilege	1408	WMIC.exe
Token: SeRestorePrivilege	1408	WMIC.exe
Token: SeShutdownPrivilege	1408	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe750eN.exe750eN.execmd.execmd.exe

description	pid	Process	procid_target
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2444 wrote to memory of 2488	2444	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	28
PID 2488 wrote to memory of 876	2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	30
PID 2488 wrote to memory of 876	2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	30
PID 2488 wrote to memory of 876	2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	30
PID 2488 wrote to memory of 876	2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	30
PID 2488 wrote to memory of 876	2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	30
PID 2488 wrote to memory of 876	2488	757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe	30
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 2128 wrote to memory of 1488	2128	750eN.exe	38
PID 1488 wrote to memory of 2452	1488	750eN.exe	42
PID 1488 wrote to memory of 2452	1488	750eN.exe	42
PID 1488 wrote to memory of 2452	1488	750eN.exe	42
PID 1488 wrote to memory of 2452	1488	750eN.exe	42
PID 1488 wrote to memory of 1516	1488	750eN.exe	40
PID 1488 wrote to memory of 1516	1488	750eN.exe	40
PID 1488 wrote to memory of 1516	1488	750eN.exe	40
PID 1488 wrote to memory of 1516	1488	750eN.exe	40
PID 1516 wrote to memory of 2496	1516	cmd.exe	44
PID 1516 wrote to memory of 2496	1516	cmd.exe	44
PID 1516 wrote to memory of 2496	1516	cmd.exe	44
PID 2452 wrote to memory of 2344	2452	cmd.exe	45
PID 2452 wrote to memory of 2344	2452	cmd.exe	45
PID 2452 wrote to memory of 2344	2452	cmd.exe	45
PID 1516 wrote to memory of 1748	1516	cmd.exe	47
PID 1516 wrote to memory of 1748	1516	cmd.exe	47
PID 1516 wrote to memory of 1748	1516	cmd.exe	47
PID 2452 wrote to memory of 1672	2452	cmd.exe	49
PID 2452 wrote to memory of 1672	2452	cmd.exe	49
PID 2452 wrote to memory of 1672	2452	cmd.exe	49
PID 2452 wrote to memory of 4000	2452	cmd.exe	51
PID 2452 wrote to memory of 4000	2452	cmd.exe	51
PID 2452 wrote to memory of 4000	2452	cmd.exe	51
PID 2452 wrote to memory of 4008	2452	cmd.exe	52
PID 2452 wrote to memory of 4008	2452	cmd.exe	52
PID 2452 wrote to memory of 4008	2452	cmd.exe	52
PID 2452 wrote to memory of 4016	2452	cmd.exe	53
PID 2452 wrote to memory of 4016	2452	cmd.exe	53
PID 2452 wrote to memory of 4016	2452	cmd.exe	53
PID 1488 wrote to memory of 2320	1488	750eN.exe	58
PID 1488 wrote to memory of 2320	1488	750eN.exe	58
PID 1488 wrote to memory of 2320	1488	750eN.exe	58
PID 1488 wrote to memory of 2320	1488	750eN.exe	58
PID 1488 wrote to memory of 3348	1488	750eN.exe	59
PID 1488 wrote to memory of 3348	1488	750eN.exe	59
PID 1488 wrote to memory of 3348	1488	750eN.exe	59
PID 1488 wrote to memory of 3348	1488	750eN.exe	59
PID 1488 wrote to memory of 3052	1488	750eN.exe	60

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:1316
- C:\Users\Admin\AppData\Local\Temp\757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
  "C:\Users\Admin\AppData\Local\Temp\757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
    C:\Users\Admin\AppData\Local\Temp\757d49bcb32274b98a8d473b4a9cff31291760a0209745fe20582a0346c3d634.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2488
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  PID:876

C:\Users\Admin\AppData\Local\Microsoft\46g.exe
"C:\Users\Admin\AppData\Local\Microsoft\46g.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Users\Admin\AppData\Local\Microsoft\42C.exe
"C:\Users\Admin\AppData\Local\Microsoft\42C.exe"
1⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Local\Microsoft\750eN.exe
"C:\Users\Admin\AppData\Local\Microsoft\750eN.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Microsoft\750eN.exe
  C:\Users\Admin\AppData\Local\Microsoft\750eN.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Local\Microsoft\750eN.exe
    "C:\Users\Admin\AppData\Local\Microsoft\750eN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
  - - C:\Users\Admin\AppData\Local\Microsoft\750eN.exe
      C:\Users\Admin\AppData\Local\Microsoft\750eN.exe
      4⤵
      Executes dropped EXE
      PID:1632
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:2496
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      PID:1748
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1672
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4000
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4008
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4016
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
    3⤵
    - Modifies Internet Explorer settings
    PID:2320
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
    3⤵
    - Modifies Internet Explorer settings
    PID:3348
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
    3⤵
    - Modifies Internet Explorer settings
    PID:3052
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
    3⤵
    - Modifies Internet Explorer settings
    PID:1660
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2908
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3520
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3896
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:3628

C:\Users\Admin\AppData\Local\Microsoft\-7024H.exe
"C:\Users\Admin\AppData\Local\Microsoft\-7024H.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4080

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[C145F53C-3483].[[email protected]].8base

Filesize
143.1MB

MD5
8e9a02afa487c2091aa3bad4cf1f7f2d

SHA1
85d350761ce217427c95380282040da3bcc346ea

SHA256
2f4380dff4d4eae4248cf3c2c6028c6bc0d3687e67a393000ce200e144e014be

SHA512
973508a47c928aa72d804e310d43663673e1368b012002462e16c428029da28a8ca5f453f8e9dfc8067fd6cf2ad31c3586b69945701c20947d9dc1eb668db629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\-7024H.exe

Filesize
972KB

MD5
47256545cece43ea73fe4ec88302dc56

SHA1
66580efe3eb9e7103212ae914232b653443197f4

SHA256
3c67a185e46d3670081925a950f92fd596e6a3e1e89ce5b15986593f35a58430

SHA512
b85e0d83102737b25e3e44b1c0d27716672ed80e4fe4da723c288427661d4d758bb21430e15a54ca023af1b782da32e6e5599f19291a01b27ec872a46e8d6697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\-7024H.exe

Filesize
972KB

MD5
47256545cece43ea73fe4ec88302dc56

SHA1
66580efe3eb9e7103212ae914232b653443197f4

SHA256
3c67a185e46d3670081925a950f92fd596e6a3e1e89ce5b15986593f35a58430

SHA512
b85e0d83102737b25e3e44b1c0d27716672ed80e4fe4da723c288427661d4d758bb21430e15a54ca023af1b782da32e6e5599f19291a01b27ec872a46e8d6697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\42C.exe

Filesize
863KB

MD5
f6e85642fc09e19439f74e1ee1898a26

SHA1
ad145352ea54048915731d5a67e811859d1fb7d5

SHA256
7cf2bc581c27ed9df235303a4306d875f54a62715f842cd98a6aa8d8afb873f5

SHA512
6cc95d9b43ad0db94caee19fabb61fb4f3e062cfeb84b318750a28f3a31f9f3f01b156a413d16d9a09cf1f48085337cd5643827a896c50f7e94b10c103cc7166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\42C.exe

Filesize
863KB

MD5
f6e85642fc09e19439f74e1ee1898a26

SHA1
ad145352ea54048915731d5a67e811859d1fb7d5

SHA256
7cf2bc581c27ed9df235303a4306d875f54a62715f842cd98a6aa8d8afb873f5

SHA512
6cc95d9b43ad0db94caee19fabb61fb4f3e062cfeb84b318750a28f3a31f9f3f01b156a413d16d9a09cf1f48085337cd5643827a896c50f7e94b10c103cc7166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\46g.exe

Filesize
252KB

MD5
754824bc45c86a9f9ead00ece1841faa

SHA1
0f0a2374fb400f7995880208e4af6fc4705795ca

SHA256
538d19dc992df1d967a95ac3071aefb205d686eb975e05a2ded7d0579a35e03f

SHA512
ab3f2769e9d0821680198882a48a59a4dd40aa5db725133e06efff99149c2dced2e098b66ada732d1ed8a8d1343bb35477b649d638a79a1d4e7c3c4f3fbfbde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\46g.exe

Filesize
252KB

MD5
754824bc45c86a9f9ead00ece1841faa

SHA1
0f0a2374fb400f7995880208e4af6fc4705795ca

SHA256
538d19dc992df1d967a95ac3071aefb205d686eb975e05a2ded7d0579a35e03f

SHA512
ab3f2769e9d0821680198882a48a59a4dd40aa5db725133e06efff99149c2dced2e098b66ada732d1ed8a8d1343bb35477b649d638a79a1d4e7c3c4f3fbfbde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\750eN.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\750eN.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\750eN.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\750eN.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\750eN.exe

Filesize
982KB

MD5
99c0b4a65e1062bb44126f15551d5c19

SHA1
9280c2e84fa0dd7512418b6e4523844a56fe384d

SHA256
6cb41c5e8379cc137f64c91f5aaaf88da43b3d13791f12884bedd5a81a83b8d2

SHA512
408703b913c2e49308c0f48becca4be56a9c2a574ccbab00351c927f9ce751a3d5bbd76e21714f67748a66a263f788058691703b8a39e8c5a0061da9da4fad81

Download Submit
C:\Users\Admin\Desktop\info.hta

Filesize
5KB

MD5
1af1f6ce5c1fd763b78be7ed2032bfde

SHA1
2c92ee89a7179e1dcf7beefcb48e2381a50d16ce

SHA256
7bdb07d3bd35e0cc09665a5c5e452ea7eab9ee59084f3e65ca4a646baac94f5f

SHA512
8c350a7050e9aaad532ddfa973cebaa36dc3484faff72cbbe4afa536d07febc339b0dd73670c2eb1e1e2b22f7822558f8b84b7926aa89aa9142650755fde636e

Download Submit
C:\info.hta

Filesize
5KB

MD5
1af1f6ce5c1fd763b78be7ed2032bfde

SHA1
2c92ee89a7179e1dcf7beefcb48e2381a50d16ce

SHA256
7bdb07d3bd35e0cc09665a5c5e452ea7eab9ee59084f3e65ca4a646baac94f5f

SHA512
8c350a7050e9aaad532ddfa973cebaa36dc3484faff72cbbe4afa536d07febc339b0dd73670c2eb1e1e2b22f7822558f8b84b7926aa89aa9142650755fde636e

Download Submit
C:\info.hta

Filesize
5KB

MD5
1af1f6ce5c1fd763b78be7ed2032bfde

SHA1
2c92ee89a7179e1dcf7beefcb48e2381a50d16ce

SHA256
7bdb07d3bd35e0cc09665a5c5e452ea7eab9ee59084f3e65ca4a646baac94f5f

SHA512
8c350a7050e9aaad532ddfa973cebaa36dc3484faff72cbbe4afa536d07febc339b0dd73670c2eb1e1e2b22f7822558f8b84b7926aa89aa9142650755fde636e

Download Submit
C:\users\public\desktop\info.hta

Filesize
5KB

MD5
1af1f6ce5c1fd763b78be7ed2032bfde

SHA1
2c92ee89a7179e1dcf7beefcb48e2381a50d16ce

SHA256
7bdb07d3bd35e0cc09665a5c5e452ea7eab9ee59084f3e65ca4a646baac94f5f

SHA512
8c350a7050e9aaad532ddfa973cebaa36dc3484faff72cbbe4afa536d07febc339b0dd73670c2eb1e1e2b22f7822558f8b84b7926aa89aa9142650755fde636e

Download Submit
F:\info.hta

Filesize
5KB

MD5
1af1f6ce5c1fd763b78be7ed2032bfde

SHA1
2c92ee89a7179e1dcf7beefcb48e2381a50d16ce

SHA256
7bdb07d3bd35e0cc09665a5c5e452ea7eab9ee59084f3e65ca4a646baac94f5f

SHA512
8c350a7050e9aaad532ddfa973cebaa36dc3484faff72cbbe4afa536d07febc339b0dd73670c2eb1e1e2b22f7822558f8b84b7926aa89aa9142650755fde636e

Download Submit
\Users\Admin\AppData\Local\Microsoft\46g.exe

Filesize
252KB

MD5
754824bc45c86a9f9ead00ece1841faa

SHA1
0f0a2374fb400f7995880208e4af6fc4705795ca

SHA256
538d19dc992df1d967a95ac3071aefb205d686eb975e05a2ded7d0579a35e03f

SHA512
ab3f2769e9d0821680198882a48a59a4dd40aa5db725133e06efff99149c2dced2e098b66ada732d1ed8a8d1343bb35477b649d638a79a1d4e7c3c4f3fbfbde8

Download Submit
\Users\Admin\AppData\Local\Microsoft\46g.exe

Filesize
252KB

MD5
754824bc45c86a9f9ead00ece1841faa

SHA1
0f0a2374fb400f7995880208e4af6fc4705795ca

SHA256
538d19dc992df1d967a95ac3071aefb205d686eb975e05a2ded7d0579a35e03f

SHA512
ab3f2769e9d0821680198882a48a59a4dd40aa5db725133e06efff99149c2dced2e098b66ada732d1ed8a8d1343bb35477b649d638a79a1d4e7c3c4f3fbfbde8

Download Submit
memory/828-2227-0x0000000000020000-0x000000000011A000-memory.dmp

Filesize
1000KB

Download
memory/828-2244-0x0000000004200000-0x00000000042BA000-memory.dmp

Filesize
744KB

Download
memory/828-2425-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/828-2400-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/828-2236-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/828-2232-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/876-1179-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/876-2655-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/876-1176-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/876-1157-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/876-1183-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/876-1203-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/876-1200-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/876-2653-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/876-1171-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/876-1188-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/1488-2363-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1488-2649-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1632-14253-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1752-14254-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-14219-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1752-2367-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1752-2366-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-2747-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1752-2645-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-2339-0x0000000000630000-0x0000000000666000-memory.dmp

Filesize
216KB

Download
memory/2128-2313-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/2128-1202-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-1201-0x00000000002F0000-0x00000000003EC000-memory.dmp

Filesize
1008KB

Download
memory/2128-2364-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-1204-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/2128-2334-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2128-1205-0x0000000005C70000-0x0000000005D2C000-memory.dmp

Filesize
752KB

Download
memory/2128-2234-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-2228-0x000007FEF5600000-0x000007FEF5FEC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-1336-0x000000001BF30000-0x000000001BFB0000-memory.dmp

Filesize
512KB

Download
memory/2220-1195-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/2220-2357-0x000000001BF30000-0x000000001BFB0000-memory.dmp

Filesize
512KB

Download
memory/2220-2373-0x000000001BF30000-0x000000001BFB0000-memory.dmp

Filesize
512KB

Download
memory/2220-2781-0x000000001BF30000-0x000000001BFB0000-memory.dmp

Filesize
512KB

Download
memory/2220-1199-0x000007FEF5600000-0x000007FEF5FEC000-memory.dmp

Filesize
9.9MB

Download
memory/2444-100-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-92-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-112-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-118-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-114-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-116-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-1134-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2444-108-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-1133-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-1135-0x00000000042A0000-0x000000000430A000-memory.dmp

Filesize
424KB

Download
memory/2444-1136-0x0000000004C50000-0x0000000004C9C000-memory.dmp

Filesize
304KB

Download
memory/2444-110-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-106-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-104-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-1137-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2444-102-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-1150-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-54-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2444-98-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-55-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2444-56-0x0000000005C40000-0x0000000005D2E000-memory.dmp

Filesize
952KB

Download
memory/2444-53-0x0000000000A70000-0x0000000000B9E000-memory.dmp

Filesize
1.2MB

Download
memory/2444-57-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-96-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-94-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-120-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-58-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-90-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-88-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-82-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-60-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-84-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-86-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-80-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-78-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-76-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-70-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-72-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-74-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-62-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-66-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-68-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2444-64-0x0000000005C40000-0x0000000005D28000-memory.dmp

Filesize
928KB

Download
memory/2488-1153-0x0000000001FA0000-0x00000000023A0000-memory.dmp

Filesize
4.0MB

Download
memory/2488-1164-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2488-1166-0x0000000001FA0000-0x00000000023A0000-memory.dmp

Filesize
4.0MB

Download
memory/2488-1167-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2488-1168-0x0000000001FA0000-0x00000000023A0000-memory.dmp

Filesize
4.0MB

Download
memory/2488-1149-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2488-1155-0x0000000001FA0000-0x00000000023A0000-memory.dmp

Filesize
4.0MB

Download