phorphiex | 4fa85000e62565501a8bfa3ad994fc6b18036bdb13b0554707a7b895df10f9a2

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe
Size

16.1MB
MD5

f14371b96093c609b697479c4a1eaac5
SHA1

5274a947d3833d08fad808d5ce2deeffe2765fe1
SHA256

4fa85000e62565501a8bfa3ad994fc6b18036bdb13b0554707a7b895df10f9a2
SHA512

a36adfc3367ed597015de263c61a12a5e337e69e752383bed0f88bece43d1ab074bb0b6d6ca67bbf2a774540785bbace795b4afcbd8e0a0a02f37e5f67548e80
SSDEEP

393216:HaXeImCdLacjZ5kbCkXExEK5s0srK5rqNkEbDST7:MhmMlNWbCwKe0s1bD

Score

10^/10

phorphiex xmrig evasion loader miner persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

http://193.233.132.177/

http://5.42.96.117/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
ax765638x6xa
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

11BC.exesyslmgrsvc.exewinblpsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	winblpsrcs.exe

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\11BC.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\451524420.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

3192733039.exewupgrdsv.exe

description	pid	process	target process
PID 2112 created 1232	2112	3192733039.exe	Explorer.EXE
PID 2112 created 1232	2112	3192733039.exe	Explorer.EXE
PID 2280 created 1232	2280	wupgrdsv.exe	Explorer.EXE
PID 2280 created 1232	2280	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

11BC.exesyslmgrsvc.exewinblpsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	11BC.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1960896f-fe61-4022-91af-84cde016c0f1.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2280-202-0x000000013F150000-0x000000013F6C6000-memory.dmp	xmrig
behavioral1/memory/1748-231-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-244-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-249-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-256-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-271-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-273-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-275-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-276-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-277-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1748-278-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

11BC.exe1960896f-fe61-4022-91af-84cde016c0f1.exe273F.exe451524420.exesyslmgrsvc.exe776016154.exe235093969.exe297627127.exe2936828421.exe3192733039.exe1899730867.exewupgrdsv.exe785419391.exe300321938.exewinblpsrcs.exe2439910671.exe1836736123.exe110201692.exe1573527148.exe2705218525.exe1763328081.exe

pid	process
2392	11BC.exe
2544	1960896f-fe61-4022-91af-84cde016c0f1.exe
2980	273F.exe
2076	451524420.exe
2352	syslmgrsvc.exe
1504	776016154.exe
1560	235093969.exe
1108	297627127.exe
3068	2936828421.exe
2112	3192733039.exe
2444	1899730867.exe
2280	wupgrdsv.exe
2604	785419391.exe
2828	300321938.exe
1124	winblpsrcs.exe
2036	2439910671.exe
580	1836736123.exe
788	110201692.exe
1516	1573527148.exe
2848	2705218525.exe
2668	1763328081.exe

Loads dropped DLL 29 IoCs

Processes:

2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe1960896f-fe61-4022-91af-84cde016c0f1.exeregsvr32.exeDllHost.exe11BC.exesyslmgrsvc.exe297627127.exetaskeng.exewinblpsrcs.exe

pid	process
2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe
2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe
2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe
2544	1960896f-fe61-4022-91af-84cde016c0f1.exe
2544	1960896f-fe61-4022-91af-84cde016c0f1.exe
2780	regsvr32.exe
2544	1960896f-fe61-4022-91af-84cde016c0f1.exe
2544	1960896f-fe61-4022-91af-84cde016c0f1.exe
2544	1960896f-fe61-4022-91af-84cde016c0f1.exe
2488	DllHost.exe
2392	11BC.exe
2392	11BC.exe
2392	11BC.exe
2352	syslmgrsvc.exe
2352	syslmgrsvc.exe
2392	11BC.exe
2352	syslmgrsvc.exe
1108	297627127.exe
2392	11BC.exe
1436	taskeng.exe
2352	syslmgrsvc.exe
2392	11BC.exe
2352	syslmgrsvc.exe
1124	winblpsrcs.exe
2352	syslmgrsvc.exe
1124	winblpsrcs.exe
1124	winblpsrcs.exe
1124	winblpsrcs.exe
1124	winblpsrcs.exe

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

11BC.exesyslmgrsvc.exewinblpsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	11BC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblpsrcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

11BC.exe451524420.exe300321938.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvratrel.exe"	11BC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvratrel.exe"	11BC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	451524420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winblpsrcs.exe"	300321938.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 2280 set thread context of 1748 2280 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 2280 set thread context of 1748	2280	wupgrdsv.exe	notepad.exe

Drops file in Windows directory 6 IoCs

Processes:

300321938.exe11BC.exe451524420.exe

description	ioc	process
File opened for modification	C:\Windows\winblpsrcs.exe	300321938.exe
File created	C:\Windows\sysvratrel.exe	11BC.exe
File opened for modification	C:\Windows\sysvratrel.exe	11BC.exe
File created	C:\Windows\syslmgrsvc.exe	451524420.exe
File opened for modification	C:\Windows\syslmgrsvc.exe	451524420.exe
File created	C:\Windows\winblpsrcs.exe	300321938.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2792 schtasks.exe
1628 schtasks.exe

pid	process
2792	schtasks.exe
1628	schtasks.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F78F6DF-EC18-487A-9F89-7E1AF5313E89}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C33BF73-F324-4875-A394-C6408D67C6EA}\ = "IToolbarStart"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98DCBB3A-F669-4BED-81A0-F975FCEC4D5F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4DCC1187-5D8C-490A-8A26-E093D15009F1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E77B33F9-61B9-4913-8BFE-12136791E21F}\ = "GeoIP Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78F1CEFC-E350-4ACC-B831-A62FD79628B6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEFAF143-E08F-47B0-B3ED-569C0C0A42EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0EA5836-36DB-483D-9925-5B5E13830387}\ = "ToolbarStart Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5172A176-4A3B-488D-BEEF-7261637B49D0}\ = "IGeoIP"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C33BF73-F324-4875-A394-C6408D67C6EA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C33BF73-F324-4875-A394-C6408D67C6EA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98DCBB3A-F669-4BED-81A0-F975FCEC4D5F}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE5FBD85-3B41-4370-B4B4-67E49F455F2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AEFAF143-E08F-47B0-B3ED-569C0C0A42EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98DCBB3A-F669-4BED-81A0-F975FCEC4D5F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2860C0AD-EBCF-4D84-AB22-E6D16FB6DBA3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F78F6DF-EC18-487A-9F89-7E1AF5313E89}\ = "InstallItemToolbar Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CEFB9717-3FCB-49F1-B860-10A71F87A9B4}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A66DEC6-E2EF-4538-89B6-9BC6CB07DE47}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74077FEA-4703-46DE-8D11-DF02C8522F45}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 8\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{299F68A0-1ACB-4A48-BCB3-3E6F0E937348}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A53B699-6B67-48C0-B0FA-00B78BC62497}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D9FFF48-E815-46BA-9F83-9FC5D7E0ECAA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}\ = "IDownloadItemExternalApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5071D282-CA64-4C10-A768-D65487224202}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E58DC2E-EF79-4EED-AD03-D7C0C6DD8F08}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2860C0AD-EBCF-4D84-AB22-E6D16FB6DBA3}\ = "IOptionItemInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2832BE8A-B2B3-4C6E-BAD6-2064ADDCCC13}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E77B33F9-61B9-4913-8BFE-12136791E21F}\AppID = "{43AA5A41-DF5E-43C1-96E9-82917AF857D6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEFAF143-E08F-47B0-B3ED-569C0C0A42EB}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74077FEA-4703-46DE-8D11-DF02C8522F45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5F3B540-7B68-4A85-941F-D49F6428ABA8}\AppID = "{43AA5A41-DF5E-43C1-96E9-82917AF857D6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4806C689-4A64-443B-A0F3-D2607868FE31}\ = "ISaveUserDataStruct"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F83A792A-DFF2-4B37-9C94-3CD05AD921E2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CEFB9717-3FCB-49F1-B860-10A71F87A9B4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B57AB967-0B96-41E7-930A-5D125C0CDE1D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2860C0AD-EBCF-4D84-AB22-E6D16FB6DBA3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E6F6EB8-BE33-44D8-8C4F-59E4BF7245A8}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{299F68A0-1ACB-4A48-BCB3-3E6F0E937348}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A2B73845-2567-41E1-A349-36F902256EC8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5071D282-CA64-4C10-A768-D65487224202}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4DCC1187-5D8C-490A-8A26-E093D15009F1}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F83A792A-DFF2-4B37-9C94-3CD05AD921E2}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B8A4468-88E2-45F1-AE44-E35B1B96AAB6}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B5F37043-6297-4DDD-9497-89510F7AC0F1}\ = "IInstallItemModule"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}\ = "IDownloadItemExternalApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C33BF73-F324-4875-A394-C6408D67C6EA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F78F6DF-EC18-487A-9F89-7E1AF5313E89}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E876DC39-B292-4A7C-ADB7-A8A35C31DBCC}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B8A4468-88E2-45F1-AE44-E35B1B96AAB6}\ = "IGeoIPStruct"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03F30963-27B0-4532-930E-82E999BE4FCA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE554E4A-F654-40D3-8D51-FED3B58803BE}\ = "IDownloadItemToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4DCC1187-5D8C-490A-8A26-E093D15009F1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{255F00EE-79A9-4AC7-935D-8F76524D7B4A}\AppID = "{43AA5A41-DF5E-43C1-96E9-82917AF857D6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92049030-622C-4EC6-80C7-47A9A14775CA}\ = "ISaveUserDataStructLong"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B5F37043-6297-4DDD-9497-89510F7AC0F1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92049030-622C-4EC6-80C7-47A9A14775CA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77CBCC35-1A76-49BA-A6C6-89CFC04A380E}\ = "IInstallItemModule3_1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CEFB9717-3FCB-49F1-B860-10A71F87A9B4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

1960896f-fe61-4022-91af-84cde016c0f1.exe3192733039.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
2544	1960896f-fe61-4022-91af-84cde016c0f1.exe
2544	1960896f-fe61-4022-91af-84cde016c0f1.exe
2112	3192733039.exe
2112	3192733039.exe
2776	powershell.exe
2112	3192733039.exe
2112	3192733039.exe
2280	wupgrdsv.exe
2280	wupgrdsv.exe
2228	powershell.exe
2280	wupgrdsv.exe
2280	wupgrdsv.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

syslmgrsvc.exe

pid process

2352 syslmgrsvc.exe

pid	process
2352	syslmgrsvc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

msiexec.exepowershell.exepowershell.exenotepad.exe

description	pid	process
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeSecurityPrivilege	1892	msiexec.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeLockMemoryPrivilege	1748	notepad.exe
Token: SeLockMemoryPrivilege	1748	notepad.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

notepad.exe

pid	process
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

notepad.exe

pid	process
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe
1748	notepad.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1960896f-fe61-4022-91af-84cde016c0f1.exe

pid process

2544 1960896f-fe61-4022-91af-84cde016c0f1.exe
2544 1960896f-fe61-4022-91af-84cde016c0f1.exe
2544 1960896f-fe61-4022-91af-84cde016c0f1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe1960896f-fe61-4022-91af-84cde016c0f1.exe11BC.exe451524420.exesyslmgrsvc.exe297627127.exepowershell.exetaskeng.exe

description	pid	process	target process
PID 2408 wrote to memory of 2392	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	11BC.exe
PID 2408 wrote to memory of 2392	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	11BC.exe
PID 2408 wrote to memory of 2392	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	11BC.exe
PID 2408 wrote to memory of 2392	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	11BC.exe
PID 2408 wrote to memory of 2544	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	1960896f-fe61-4022-91af-84cde016c0f1.exe
PID 2408 wrote to memory of 2544	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	1960896f-fe61-4022-91af-84cde016c0f1.exe
PID 2408 wrote to memory of 2544	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	1960896f-fe61-4022-91af-84cde016c0f1.exe
PID 2408 wrote to memory of 2544	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	1960896f-fe61-4022-91af-84cde016c0f1.exe
PID 2408 wrote to memory of 2544	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	1960896f-fe61-4022-91af-84cde016c0f1.exe
PID 2408 wrote to memory of 2544	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	1960896f-fe61-4022-91af-84cde016c0f1.exe
PID 2408 wrote to memory of 2544	2408	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	1960896f-fe61-4022-91af-84cde016c0f1.exe
PID 2544 wrote to memory of 2980	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	273F.exe
PID 2544 wrote to memory of 2980	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	273F.exe
PID 2544 wrote to memory of 2980	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	273F.exe
PID 2544 wrote to memory of 2980	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	273F.exe
PID 2544 wrote to memory of 2780	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	regsvr32.exe
PID 2544 wrote to memory of 2780	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	regsvr32.exe
PID 2544 wrote to memory of 2780	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	regsvr32.exe
PID 2544 wrote to memory of 2780	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	regsvr32.exe
PID 2544 wrote to memory of 2780	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	regsvr32.exe
PID 2544 wrote to memory of 2780	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	regsvr32.exe
PID 2544 wrote to memory of 2780	2544	1960896f-fe61-4022-91af-84cde016c0f1.exe	regsvr32.exe
PID 2392 wrote to memory of 2076	2392	11BC.exe	451524420.exe
PID 2392 wrote to memory of 2076	2392	11BC.exe	451524420.exe
PID 2392 wrote to memory of 2076	2392	11BC.exe	451524420.exe
PID 2392 wrote to memory of 2076	2392	11BC.exe	451524420.exe
PID 2076 wrote to memory of 2352	2076	451524420.exe	syslmgrsvc.exe
PID 2076 wrote to memory of 2352	2076	451524420.exe	syslmgrsvc.exe
PID 2076 wrote to memory of 2352	2076	451524420.exe	syslmgrsvc.exe
PID 2076 wrote to memory of 2352	2076	451524420.exe	syslmgrsvc.exe
PID 2392 wrote to memory of 1504	2392	11BC.exe	776016154.exe
PID 2392 wrote to memory of 1504	2392	11BC.exe	776016154.exe
PID 2392 wrote to memory of 1504	2392	11BC.exe	776016154.exe
PID 2392 wrote to memory of 1504	2392	11BC.exe	776016154.exe
PID 2352 wrote to memory of 1560	2352	syslmgrsvc.exe	235093969.exe
PID 2352 wrote to memory of 1560	2352	syslmgrsvc.exe	235093969.exe
PID 2352 wrote to memory of 1560	2352	syslmgrsvc.exe	235093969.exe
PID 2352 wrote to memory of 1560	2352	syslmgrsvc.exe	235093969.exe
PID 2392 wrote to memory of 1108	2392	11BC.exe	297627127.exe
PID 2392 wrote to memory of 1108	2392	11BC.exe	297627127.exe
PID 2392 wrote to memory of 1108	2392	11BC.exe	297627127.exe
PID 2392 wrote to memory of 1108	2392	11BC.exe	297627127.exe
PID 2352 wrote to memory of 3068	2352	syslmgrsvc.exe	2936828421.exe
PID 2352 wrote to memory of 3068	2352	syslmgrsvc.exe	2936828421.exe
PID 2352 wrote to memory of 3068	2352	syslmgrsvc.exe	2936828421.exe
PID 2352 wrote to memory of 3068	2352	syslmgrsvc.exe	2936828421.exe
PID 1108 wrote to memory of 2112	1108	297627127.exe	3192733039.exe
PID 1108 wrote to memory of 2112	1108	297627127.exe	3192733039.exe
PID 1108 wrote to memory of 2112	1108	297627127.exe	3192733039.exe
PID 1108 wrote to memory of 2112	1108	297627127.exe	3192733039.exe
PID 2392 wrote to memory of 2444	2392	11BC.exe	1899730867.exe
PID 2392 wrote to memory of 2444	2392	11BC.exe	1899730867.exe
PID 2392 wrote to memory of 2444	2392	11BC.exe	1899730867.exe
PID 2392 wrote to memory of 2444	2392	11BC.exe	1899730867.exe
PID 2776 wrote to memory of 2792	2776	powershell.exe	schtasks.exe
PID 2776 wrote to memory of 2792	2776	powershell.exe	schtasks.exe
PID 2776 wrote to memory of 2792	2776	powershell.exe	schtasks.exe
PID 1436 wrote to memory of 2280	1436	taskeng.exe	wupgrdsv.exe
PID 1436 wrote to memory of 2280	1436	taskeng.exe	wupgrdsv.exe
PID 1436 wrote to memory of 2280	1436	taskeng.exe	wupgrdsv.exe
PID 2352 wrote to memory of 2604	2352	syslmgrsvc.exe	785419391.exe
PID 2352 wrote to memory of 2604	2352	syslmgrsvc.exe	785419391.exe
PID 2352 wrote to memory of 2604	2352	syslmgrsvc.exe	785419391.exe
PID 2352 wrote to memory of 2604	2352	syslmgrsvc.exe	785419391.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\11BC.exe
    "C:\Users\Admin\AppData\Local\Temp\11BC.exe"
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\451524420.exe
      C:\Users\Admin\AppData\Local\Temp\451524420.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\syslmgrsvc.exe
        
        C:\Windows\syslmgrsvc.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: SetClipboardViewer
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\235093969.exe
        
        C:\Users\Admin\AppData\Local\Temp\235093969.exe
        6⤵
        Executes dropped EXE
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\2936828421.exe
        
        C:\Users\Admin\AppData\Local\Temp\2936828421.exe
        6⤵
        Executes dropped EXE
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\785419391.exe
        
        C:\Users\Admin\AppData\Local\Temp\785419391.exe
        6⤵
        Executes dropped EXE
        
        PID:2604
      - C:\Users\Admin\AppData\Local\Temp\2439910671.exe
        
        C:\Users\Admin\AppData\Local\Temp\2439910671.exe
        6⤵
        Executes dropped EXE
        
        PID:2036
      - C:\Users\Admin\AppData\Local\Temp\110201692.exe
        
        C:\Users\Admin\AppData\Local\Temp\110201692.exe
        6⤵
        Executes dropped EXE
        
        PID:788
  - - C:\Users\Admin\AppData\Local\Temp\776016154.exe
      C:\Users\Admin\AppData\Local\Temp\776016154.exe
      4⤵
      Executes dropped EXE
      PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\297627127.exe
      C:\Users\Admin\AppData\Local\Temp\297627127.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\3192733039.exe
        
        C:\Users\Admin\AppData\Local\Temp\3192733039.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\1899730867.exe
      C:\Users\Admin\AppData\Local\Temp\1899730867.exe
      4⤵
      Executes dropped EXE
      PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\300321938.exe
      C:\Users\Admin\AppData\Local\Temp\300321938.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:2828
    - - C:\Windows\winblpsrcs.exe
        
        C:\Windows\winblpsrcs.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\1836736123.exe
        
        C:\Users\Admin\AppData\Local\Temp\1836736123.exe
        6⤵
        Executes dropped EXE
        
        PID:580
      - C:\Users\Admin\AppData\Local\Temp\1573527148.exe
        
        C:\Users\Admin\AppData\Local\Temp\1573527148.exe
        6⤵
        Executes dropped EXE
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\2705218525.exe
        
        C:\Users\Admin\AppData\Local\Temp\2705218525.exe
        6⤵
        Executes dropped EXE
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\1763328081.exe
        
        C:\Users\Admin\AppData\Local\Temp\1763328081.exe
        6⤵
        Executes dropped EXE
        
        PID:2668
- - C:\Users\Admin\AppData\Local\Temp\1960896f-fe61-4022-91af-84cde016c0f1.exe
    C:\Users\Admin\AppData\Local\Temp\1960896f-fe61-4022-91af-84cde016c0f1.exe /update=start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\273F.exe
      "C:\Users\Admin\AppData\Local\Temp\273F.exe"
      4⤵
      Executes dropped EXE
      PID:2980
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\ProgramData\PDF Architect 8\Installation\Statistics.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2792
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1628
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{43AA5A41-DF5E-43C1-96E9-82917AF857D6}
1⤵
- Loads dropped DLL
PID:2488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\taskeng.exe
taskeng.exe {21C769BA-E9F3-4324-BCCF-BDBD800300AD} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PDF Architect 8\Installation\Statistics.dll

Filesize
2.7MB

MD5
5ba200ea982b2e3e58eaf4099e35dfc4

SHA1
88101e0db52a4b9164ecf2d8689f3ab2a148f8a8

SHA256
7173f4282531a73991171ce00cb411f7eac7c123acc4814c7a08cd35a4016649

SHA512
d20ab79c0e5453ac919912308cb94ad9c6ed67a827c3038494bba2c3f02985d59f01c6586c5c19918ff78a4f46528bd99502f54db8ecdf722b331eccd6e37f3c

Download Submit
C:\ProgramData\PDF Architect 8\Installation\common-data.dat

Filesize
630B

MD5
4542b5fc5023df0100dc0cf8e65c73a0

SHA1
c391b2434c563a03c7d4185f1a9b1fd52a733cd2

SHA256
79a8209ae912a7efdc1b4ef427e07d9d73e4d6b637842072c7123bea0eefc670

SHA512
bbf366ab35dde1a65d69ef5fc248ab12d04fd13b098691345bd1d011c506ddf69080fbd36fd604820d64731895af2836f91d3a14bd45bf1c6a142c3f21412962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5563b3a80c29851fdc23ac15a51f4465

SHA1
c396ab4b7021d35191755a236058bea7eca8dc6b

SHA256
da725244df230f451bb9e10e719b618a618245474a9fd9907303c6a1b4306283

SHA512
61893b080c2f677ac700eb4a1ae8d4200a413ef57045261a4192ad1908bff8d4ec6d7cd6e3faeca0e7bf1fe28c9348081653b56d2d31bc8aa747bdea9d4ddf18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
6fccfbba28fbffe15df961b06a11593b

SHA1
37f73c2f65b724066511a6607c5a34978c464e43

SHA256
935a0cab6e8df423e867bc1505025c725ff0244630b0b0dfd402aef3e151b45b

SHA512
8ea9cd899a243159aed337c94a55bc819f787a1b3e27f906b27994b7f9b819f6b39674a7c0266e43e28dccb29a8195f3c926ed2b48cfbcf740dcb5dfa7378435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6975b4ccc3c6c36920615dac748582db

SHA1
133202106325d830d1715cde4916be28ffe087d5

SHA256
eb6a23a7d2188fe184b7ab8b8c4c1f69548e5838245c7b56dbe0cf55686a1ada

SHA512
ff68329731b330ef724c3fdfda35741399b7dfb8cce25c04e942fb1d1211fbde11151cede59a9be5fc87ffa8e4bfefc9a4635440420498731ee506ee61443cf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
e0b881000c4ae8e514df654ca2789444

SHA1
3380b501df18d5fdd8ff5157c6dd31a46d126895

SHA256
3d591fc1be440be7b654c82f39aaa625d14729574e56a45dcb859c96f4f498f7

SHA512
cb206c9d2358812c003a0064366cbaf0d21f1627a48c10821b43f38f0f789f4701d38d757a8c987eff7352c05cb7b45c0677dbc95d06eb653655992bc93d00c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1943025688.exe

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\2705218525.exe

Filesize
8KB

MD5
9b8a3fb66b93c24c52e9c68633b00f37

SHA1
2a9290e32d1582217eac32b977961ada243ada9a

SHA256
8a169cf165f635ecb6c55cacecb2c202c5fc6ef5fa82ec9cdb7d4b0300f35293

SHA512
117da1ec9850212e4cafce6669c2cfffc8078627f5c3ccdfd6a1bf3bee2d351290071087a4c206578d23852fa5e69c2ebefd71905c85b1eaed4220932bb71a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2BD2.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
11a89e1b2cca704e5e616aed031fb208

SHA1
1e52915d76e503314735aa8138161d5ea99e592c

SHA256
f119b74a42b4840d10ad7db33ada6ad1a852b0400f4724d02ec8872d4c88f33b

SHA512
94642a0d608bab2b7562441694b1f5cd770d1ac04a1936621d1520cc86b2694567d708cad44afbe080e4e095ac7f5f71444fd0838f7b9b782c9295e7a696bb3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IM0H9EL1WJS5OG8WVU2N.temp

Filesize
7KB

MD5
8f1e8faea083528722abdf77fce3f845

SHA1
d737a13c0cfdbda4931f39c038bd4a15cc6a60d0

SHA256
283b36e25145c67f6c47aa5c4639178b9992f2cc46a4a32abd815fbc74518f29

SHA512
8b525f9ed26265f2597b98385b5f616d7630ba703d2305fd3e942cb1f09807a3a695d6cc2101d0bcb17a35b7064826bfa18ad68bfee1a24b429023f337069c7c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
7e631638fb613dbf27559b1e6c50aafb

SHA1
f3d72235215a802fef052ba6cdb291672fb0624b

SHA256
30366ddca4330ef1ff34bedf0102fb70151336af4fb2ed5416c4417456a8564f

SHA512
b9e8544b51cef0169fda38fdf602fee259ca98768c286be4be735483187a2d07d9bf2b97a699c48e5f1100427647520d497c51f20085a70e12677dafa71d019c

Download Submit
\Users\Admin\AppData\Local\Temp\11BC.exe

Filesize
84KB

MD5
36010b83bccfcd1032971df9fc5082a1

SHA1
9967b83065e3ad82cd6c0c3b02cf08ab707fde3e

SHA256
99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98

SHA512
c8008923315d86c06b57e47d9bf81cec47cda0dec6d9f8aa57d7b4c57c7138997486a6f60eb0015bc99755afeb3d943bc8d9ba83dbb8c9219fa4990296de1def

Download Submit
\Users\Admin\AppData\Local\Temp\1836736123.exe

Filesize
8KB

MD5
87b22e975994246dc5b7c2a3adbf85a5

SHA1
1e6528987190f0f5188240cdac553388c39e8590

SHA256
17399263a05a9144c1571e8ef88175fd08c61a38e3fcb3a955279d4a2bb9a919

SHA512
58c33379879fc75679902d1fe3db0bf1c854151cb6e4bf10496a1d657a8778699be70976bd8bba1ddd3949b24b6ae44cbc0421dd0a8cea13ef5e00179d6599db

Download Submit
\Users\Admin\AppData\Local\Temp\1899730867.exe

Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
\Users\Admin\AppData\Local\Temp\1960896f-fe61-4022-91af-84cde016c0f1.exe

Filesize
16.1MB

MD5
f14371b96093c609b697479c4a1eaac5

SHA1
5274a947d3833d08fad808d5ce2deeffe2765fe1

SHA256
4fa85000e62565501a8bfa3ad994fc6b18036bdb13b0554707a7b895df10f9a2

SHA512
a36adfc3367ed597015de263c61a12a5e337e69e752383bed0f88bece43d1ab074bb0b6d6ca67bbf2a774540785bbace795b4afcbd8e0a0a02f37e5f67548e80

Download Submit
\Users\Admin\AppData\Local\Temp\297627127.exe

Filesize
10KB

MD5
c8cf446ead193a3807472fbd294c5f23

SHA1
2162f28c919222f75ce5f52e4bb1155255ae5368

SHA256
e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

SHA512
fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Download Submit
\Users\Admin\AppData\Local\Temp\300321938.exe

Filesize
18KB

MD5
0aed3b7eae97833e810814ba810efce0

SHA1
b9de8d683d2b7193928c38bd7b92312d22d1968e

SHA256
a5b313b71318ae8e71ee73810fc385e7f73e64fd0109d450fa88b1775ca8d462

SHA512
f7fd73beecac1f4ee4d4af813b32088933770154814c4dd40b1c413fd135ff9c7be5e0d9a2e1c99d8bfcf51c764cb4265bfaa0bc370bd3b3ef4e06a7b06b5a16

Download Submit
\Users\Admin\AppData\Local\Temp\3192733039.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
\Users\Admin\AppData\Local\Temp\451524420.exe

Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
\Users\Admin\AppData\Local\Temp\776016154.exe

Filesize
7KB

MD5
77eed2bbe1769686fbfaba7c0fca9f79

SHA1
d70bbf046b40f09420aa8938dcb49890db48f976

SHA256
94084872fe25303309a1a35fadae3b75ae99c9ffb94926e1c7640f8d3469d0e2

SHA512
e3e0d1d4f25553c13343bd80e59fcdfc690c20605f8ade8e86ba0eef9a6d20249f9f8f46b5fde494e781b2dcc28cc00c7143f8e425d8edcf2dfa6a2a03b89ec8

Download Submit
memory/1748-273-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-249-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-278-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-277-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-276-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-231-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-275-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-244-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-271-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1748-203-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1748-256-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2112-171-0x000000013FBB0000-0x0000000140126000-memory.dmp

Filesize
5.5MB

Download
memory/2228-196-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/2228-197-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2280-202-0x000000013F150000-0x000000013F6C6000-memory.dmp

Filesize
5.5MB

Download
memory/2776-166-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/2776-165-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download