teslacrypt | f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
Size

404KB
MD5

bdd2a639e52983f0f43258adb81155fb
SHA1

2bc75f3f6ef2b5e3b27a2d19147b20419dae9e98
SHA256

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2
SHA512

7932fe904ef26310f1751a79de9a6e3c9b994dbea9ff53789ca77ea8f3b5a918789abd77c4e0d02056f05176729ed5129fb92c7e6583134f1309e443b5da25db
SSDEEP

12288:0RLMuc1QJZwH2d1QkOOf7RkoBSQBDHtUCxS:0pu1Q9HlOOyUSQgCo

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iduoy.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A2AAA0431DE04030 2. http://kkd47eh4hdjshb5t.angortra.at/A2AAA0431DE04030 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/A2AAA0431DE04030 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/A2AAA0431DE04030 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A2AAA0431DE04030 http://kkd47eh4hdjshb5t.angortra.at/A2AAA0431DE04030 http://ytrest84y5i456hghadefdsd.pontogrot.com/A2AAA0431DE04030 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/A2AAA0431DE04030

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A2AAA0431DE04030

http://kkd47eh4hdjshb5t.angortra.at/A2AAA0431DE04030

http://ytrest84y5i456hghadefdsd.pontogrot.com/A2AAA0431DE04030

http://xlowfznrg4wf7dli.ONION/A2AAA0431DE04030

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (406) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2820 cmd.exe

pid	process
2820	cmd.exe

Drops startup file 3 IoCs

Processes:

avcbetatljtv.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+iduoy.html	avcbetatljtv.exe

Executes dropped EXE 2 IoCs

Processes:

avcbetatljtv.exeavcbetatljtv.exe

pid process

2732 avcbetatljtv.exe
2248 avcbetatljtv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2732	avcbetatljtv.exe
2248	avcbetatljtv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

avcbetatljtv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\pijiyesguuyi = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\avcbetatljtv.exe\""	avcbetatljtv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exeavcbetatljtv.exe

description	pid	process	target process
PID 2292 set thread context of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2732 set thread context of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe

Drops file in Program Files directory 64 IoCs

Processes:

avcbetatljtv.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	avcbetatljtv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	avcbetatljtv.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css	avcbetatljtv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\Recovery+iduoy.txt	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\Recovery+iduoy.png	avcbetatljtv.exe
File opened for modification	C:\Program Files\Java\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\Recovery+iduoy.html	avcbetatljtv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\Recovery+iduoy.txt	avcbetatljtv.exe

Drops file in Windows directory 2 IoCs

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe

description	ioc	process
File created	C:\Windows\avcbetatljtv.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
File opened for modification	C:\Windows\avcbetatljtv.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000005353e9a27ba0e8c2dd82645584eebc093b41369a695be1edf369ed0c014033f5000000000e8000000002000020000000b423d1017e1b56eaa17ce72a0558129c3e9530bae38e24a6ca18a2b5e1a9b9aa900000002e88f664d61c6f0e6fa608d50ccc7c90eee685ec8943b53dc4a2ffda5d6132032d8a3064cebe1cc406c959da842edaa6c471be4262b9a0c60257b57178f3134b507181789c7a07e8b0f4c8301f8892f58118910d54bb2a12334fb0c90e8cde1bb638329089eae540ab43a65e7541d7fe6734a9ce39132a54aade25ffc58cd5f5a8c853557ebdd25dd83884180861168c40000000e34b81cf8fb995d4c1e075c6b66992940295cf4aae383db7f01ead581fd801c69f48d7e337a40d502b2f1b7c22c21f06cb1069ddf1a7faf35c77b5cdbf97cd13	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000b846e75e2d3fe3082f96b06017e246a18f803b3d3aa5b00afcb88ba54088a540000000000e800000000200002000000040d738320f0276b95440677499b7aa5c6e7c4e286604c37d69d2b7d9668b3e4a20000000776bda3a0b4a4591d7ab8d1def7d80883218ffe6a6234be87d2a069a89f62eb04000000087a9e29ca388ef982cd766a2b6ce85da3fdf67d82dd1097f08b059c04bfdab7b0ef249ba7bbf5298657139d8785f7a5cdf1792bb4888cd2a034eafa195881aff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50597d2b7476da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5705C991-E267-11EE-9BF8-4A0EF18FE26D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

avcbetatljtv.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	avcbetatljtv.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	avcbetatljtv.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	avcbetatljtv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	avcbetatljtv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	avcbetatljtv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	avcbetatljtv.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2300 NOTEPAD.EXE

pid	process
2300	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

avcbetatljtv.exe

pid	process
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe
2248	avcbetatljtv.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exeavcbetatljtv.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
Token: SeDebugPrivilege	2248	avcbetatljtv.exe
Token: SeIncreaseQuotaPrivilege	2816	WMIC.exe
Token: SeSecurityPrivilege	2816	WMIC.exe
Token: SeTakeOwnershipPrivilege	2816	WMIC.exe
Token: SeLoadDriverPrivilege	2816	WMIC.exe
Token: SeSystemProfilePrivilege	2816	WMIC.exe
Token: SeSystemtimePrivilege	2816	WMIC.exe
Token: SeProfSingleProcessPrivilege	2816	WMIC.exe
Token: SeIncBasePriorityPrivilege	2816	WMIC.exe
Token: SeCreatePagefilePrivilege	2816	WMIC.exe
Token: SeBackupPrivilege	2816	WMIC.exe
Token: SeRestorePrivilege	2816	WMIC.exe
Token: SeShutdownPrivilege	2816	WMIC.exe
Token: SeDebugPrivilege	2816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2816	WMIC.exe
Token: SeRemoteShutdownPrivilege	2816	WMIC.exe
Token: SeUndockPrivilege	2816	WMIC.exe
Token: SeManageVolumePrivilege	2816	WMIC.exe
Token: 33	2816	WMIC.exe
Token: 34	2816	WMIC.exe
Token: 35	2816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2948	WMIC.exe
Token: SeSecurityPrivilege	2948	WMIC.exe
Token: SeTakeOwnershipPrivilege	2948	WMIC.exe
Token: SeLoadDriverPrivilege	2948	WMIC.exe
Token: SeSystemProfilePrivilege	2948	WMIC.exe
Token: SeSystemtimePrivilege	2948	WMIC.exe
Token: SeProfSingleProcessPrivilege	2948	WMIC.exe
Token: SeIncBasePriorityPrivilege	2948	WMIC.exe
Token: SeCreatePagefilePrivilege	2948	WMIC.exe
Token: SeBackupPrivilege	2948	WMIC.exe
Token: SeRestorePrivilege	2948	WMIC.exe
Token: SeShutdownPrivilege	2948	WMIC.exe
Token: SeDebugPrivilege	2948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2948	WMIC.exe
Token: SeRemoteShutdownPrivilege	2948	WMIC.exe
Token: SeUndockPrivilege	2948	WMIC.exe
Token: SeManageVolumePrivilege	2948	WMIC.exe
Token: 33	2948	WMIC.exe
Token: 34	2948	WMIC.exe
Token: 35	2948	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1196 iexplore.exe
2296 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1196 iexplore.exe
1196 iexplore.exe
2568 IEXPLORE.EXE
2568 IEXPLORE.EXE

pid	process
1196	iexplore.exe
2296	DllHost.exe

pid	process
1196	iexplore.exe
1196	iexplore.exe
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exef848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exeavcbetatljtv.exeavcbetatljtv.exeiexplore.exe

description	pid	process	target process
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2292 wrote to memory of 2004	2292	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
PID 2004 wrote to memory of 2732	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	avcbetatljtv.exe
PID 2004 wrote to memory of 2732	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	avcbetatljtv.exe
PID 2004 wrote to memory of 2732	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	avcbetatljtv.exe
PID 2004 wrote to memory of 2732	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	avcbetatljtv.exe
PID 2004 wrote to memory of 2820	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	cmd.exe
PID 2004 wrote to memory of 2820	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	cmd.exe
PID 2004 wrote to memory of 2820	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	cmd.exe
PID 2004 wrote to memory of 2820	2004	f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe	cmd.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2732 wrote to memory of 2248	2732	avcbetatljtv.exe	avcbetatljtv.exe
PID 2248 wrote to memory of 2816	2248	avcbetatljtv.exe	WMIC.exe
PID 2248 wrote to memory of 2816	2248	avcbetatljtv.exe	WMIC.exe
PID 2248 wrote to memory of 2816	2248	avcbetatljtv.exe	WMIC.exe
PID 2248 wrote to memory of 2816	2248	avcbetatljtv.exe	WMIC.exe
PID 2248 wrote to memory of 2300	2248	avcbetatljtv.exe	NOTEPAD.EXE
PID 2248 wrote to memory of 2300	2248	avcbetatljtv.exe	NOTEPAD.EXE
PID 2248 wrote to memory of 2300	2248	avcbetatljtv.exe	NOTEPAD.EXE
PID 2248 wrote to memory of 2300	2248	avcbetatljtv.exe	NOTEPAD.EXE
PID 2248 wrote to memory of 1196	2248	avcbetatljtv.exe	iexplore.exe
PID 2248 wrote to memory of 1196	2248	avcbetatljtv.exe	iexplore.exe
PID 2248 wrote to memory of 1196	2248	avcbetatljtv.exe	iexplore.exe
PID 2248 wrote to memory of 1196	2248	avcbetatljtv.exe	iexplore.exe
PID 1196 wrote to memory of 2568	1196	iexplore.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 2568	1196	iexplore.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 2568	1196	iexplore.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 2568	1196	iexplore.exe	IEXPLORE.EXE
PID 2248 wrote to memory of 2948	2248	avcbetatljtv.exe	WMIC.exe
PID 2248 wrote to memory of 2948	2248	avcbetatljtv.exe	WMIC.exe
PID 2248 wrote to memory of 2948	2248	avcbetatljtv.exe	WMIC.exe
PID 2248 wrote to memory of 2948	2248	avcbetatljtv.exe	WMIC.exe
PID 2248 wrote to memory of 1748	2248	avcbetatljtv.exe	cmd.exe
PID 2248 wrote to memory of 1748	2248	avcbetatljtv.exe	cmd.exe
PID 2248 wrote to memory of 1748	2248	avcbetatljtv.exe	cmd.exe
PID 2248 wrote to memory of 1748	2248	avcbetatljtv.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

avcbetatljtv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	avcbetatljtv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	avcbetatljtv.exe

C:\Users\Admin\AppData\Local\Temp\f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
"C:\Users\Admin\AppData\Local\Temp\f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe
  "C:\Users\Admin\AppData\Local\Temp\f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\avcbetatljtv.exe
    C:\Windows\avcbetatljtv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\avcbetatljtv.exe
      C:\Windows\avcbetatljtv.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2248
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2568
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AVCBET~1.EXE
        5⤵
        
        PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\F848B2~1.EXE
    3⤵
    - Deletes itself
    PID:2820

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iduoy.html

Filesize
9KB

MD5
37ad9b94715ff38f0f3a91d5829f179f

SHA1
cfb8d186de4543c5e7dc549bab553aca42f933a1

SHA256
cd2b139914574d5474ba197b4e8599d25507380c54aaf0ff928dcfe7f184f1b8

SHA512
8eb3f58a172b5a32647c05b9939f64e6b9482e226a224303c7a4e7499d06177a308f9649732291f181b77b78bf1a99e3f11d4831fb3720027fba4c6870087830

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iduoy.png

Filesize
62KB

MD5
3a832463d7f708d21d93ad90e61af7b5

SHA1
1299550d75d813c87a83db1ced76f1fc9d62f3a7

SHA256
0179340e9f999479b5902d3d2af042af25eb01f87242ed20ea7ad0b282ca3dc4

SHA512
cc4a216b8f0d59d73d553543d4b29b440f5087769ba0b6ea2d91359be9a4dcb25d1bbe43d4d4ea8580dc1bd21a397acae002830f32d4dbab6324b5b51ba33551

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+iduoy.txt

Filesize
1KB

MD5
29b4bcbe00a2fe8cc4fc8c46bd235e4e

SHA1
15c8ffaca904d69aeee45a21916f69bec17a1bc9

SHA256
f0c81cbdf7452483694691df7a74fd3e90cfa1b6418adc9bfb80f16af4626c5b

SHA512
9e8aa3395f493af61d80bced808a376c1689e4fb87f244544d70ef333141b62a2e8c291b340d34fa42779a83d7960367c92a5ed02c8038c9456860e74adb6ca6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
ae815303798575a5c7718054eeaf5fc1

SHA1
a34e3c335ee993170f6e599158f57425e3c0a274

SHA256
8ba175692ab02aa77722886c054f1e8afdc6aecd08a180273cc11d75aaa8809c

SHA512
689e10e592825899c5eace583b957983a0765bee104b0295e70bb7d8ace825a05f606c095d49da7489edf69595de42aae282b41352405fea01127a1fa0fb7af0

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
49ca06c6d90ad28956c7d1ea7fbe6425

SHA1
76b4e67dfb01ab299e293cbca8753a6ed47774ba

SHA256
469b907aadd69cb7520b151ba1d099b5eedea002a9ef5720172ceabeaae554f7

SHA512
aab1f5b4e37352473701757d0287a5302e492589caed80014c44847d83eea7dca972423aa7ee71348a3e8042d280fbf1a18ef6f2730ccc5d2c62c5919ecd2175

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
b637044666587fd4601bc5fb29499f53

SHA1
180d9bbff1c2177fb845cb7da7f9b68cc8bc3736

SHA256
007e6424c2774660837b77baa1c77c32481ef753e887e1d478fc56d3c5ad315a

SHA512
503c41659f642a9591e34debea43bdc4b910386f167604a98266b9bb9dbf60fb10cc606195fab835b80a6f1bd15de155fdb34ee5d12ae3cdecf61b0450308e4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eeedcef7f13f8d196af63b6a9f7cf89f

SHA1
acacaead6bf9f6e2432864f4ece465a256f61da8

SHA256
797b77f33d93a9f5b5edf504a6f282e22f1837c493411bf97b0a7a8e7fd02e00

SHA512
1337f2c15ddec3c3f7a5de594a305c7a4f2a421710b5d513c1b70ce594ca0f84a96b151ac3287f8ba78233b5d010e728ce012a6cba10f6fa8d5af1fd21809d4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96c4e63d0c043e78b1a02a87d9be2335

SHA1
992674fac72344539780d25845e0de5f9d582524

SHA256
203564f0fd4ace97781110f45596d727614c11783a05679396072b67ed76225d

SHA512
1f802f927f33f24cd01b577d2b76aa6d5532bed0bb15b24bd0f7de30c666da004f7b814bdd288ba367b10efc8453f91b7c5b336e448f6f0ae890742ed25916d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77d66d23add1c272c21b9b668fd36b00

SHA1
db7118c34270c6e19fb30068b570c6aa6fbae97f

SHA256
391756e32ea7d11e25604cd47aa7cb3f053160ab5958018ef46cdff23dea1733

SHA512
d40ab082176ed93f2aab756d8621be1426297282c67a5eaf309b171b4836cc984f4b6f81b525d8a9c855f7a816a3d169fa1b45903af82a7636cecd142d2b852e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32d0fd1a171f05b626b190148c244ca2

SHA1
aa02280e0db946348c0325191fd35eec83704b0d

SHA256
78745381c0d8887430f424b2b9b2166c4610590c04b496167a20ac524d3b9a7c

SHA512
9f416341103512adf53dbef3ef784a5ad00a7c820422d7507004e6d1ba8907cb49b9cc7d0682e128552f56c7ed9118524316989356b02a9734c39a7e5d3a5e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar263D.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\avcbetatljtv.exe

Filesize
404KB

MD5
bdd2a639e52983f0f43258adb81155fb

SHA1
2bc75f3f6ef2b5e3b27a2d19147b20419dae9e98

SHA256
f848b22438735517f13797b61a78b4563ce2166e1d19c7b18c05c4bdff4a8cd2

SHA512
7932fe904ef26310f1751a79de9a6e3c9b994dbea9ff53789ca77ea8f3b5a918789abd77c4e0d02056f05176729ed5129fb92c7e6583134f1309e443b5da25db

Download Submit
memory/2004-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-30-0x0000000002750000-0x0000000002BE2000-memory.dmp

Filesize
4.6MB

Download
memory/2004-31-0x0000000002750000-0x0000000002BE2000-memory.dmp

Filesize
4.6MB

Download
memory/2004-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2004-32-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-14-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2004-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-58-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-6060-0x0000000003370000-0x0000000003372000-memory.dmp

Filesize
8KB

Download
memory/2248-6395-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-6394-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-2417-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-5324-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-6054-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-60-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-6069-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-6068-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2248-6067-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2292-20-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2292-4-0x00000000024D0000-0x0000000002962000-memory.dmp

Filesize
4.6MB

Download
memory/2292-2-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2292-0-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2292-1-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2296-6063-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2296-6061-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2296-6514-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2732-33-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download