avaddon | 1640dbb1202916848fa226c543ee4abf6a3c24f357548f4cfcb41319b153803e

Analysis

max time kernel
94s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.7z
Size

2.2MB
MD5

02ab46ad0f72ebf04bfc987b1c6cfd93
SHA1

1d319b9ecda6f4860bca276e00ed33c1e572f151
SHA256

1640dbb1202916848fa226c543ee4abf6a3c24f357548f4cfcb41319b153803e
SHA512

0949a55aca5d9d39061b219eb8e863e7c99abdc822747072d8b55d1ad9a3570f69419bde0bb957d414af1ff462fc6853b78a684f8fe2aa4eb142ffc27b5f5cbb
SSDEEP

49152:VS4oWqzZEwotFlMO+feUOqW2MjUp7d6wCuxfQzT:lBqzZEwoXli2z296

Score

10^/10

avaddon defense_evasion discovery ransomware themida trojan

Malware Config

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon
Avaddon family
avaddon

Avaddon payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e770-29.dat	family_avaddon
behavioral1/memory/3516-30-0x0000000000200000-0x00000000006D7000-memory.dmp	family_avaddon
behavioral1/memory/3516-33-0x0000000000200000-0x00000000006D7000-memory.dmp	family_avaddon
behavioral1/memory/3516-32-0x0000000000200000-0x00000000006D7000-memory.dmp	family_avaddon
behavioral1/memory/3516-355-0x0000000000200000-0x00000000006D7000-memory.dmp	family_avaddon

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Renames multiple (149) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Executes dropped EXE 1 IoCs

pid	Process
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000200000001e770-29.dat	themida
behavioral1/memory/3516-30-0x0000000000200000-0x00000000006D7000-memory.dmp	themida
behavioral1/memory/3516-33-0x0000000000200000-0x00000000006D7000-memory.dmp	themida
behavioral1/memory/3516-32-0x0000000000200000-0x00000000006D7000-memory.dmp	themida
behavioral1/memory/3516-355-0x0000000000200000-0x00000000006D7000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1279544337-3716153908-718418795-1000\desktop.ini	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\L:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
File opened (read-only)	\??\F:	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	api.myip.com
48	api.myip.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5672_129597337\_locales\ar\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880839179241343"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{8B148F9B-93EA-4A9B-A0CC-B735BC8EEBA1}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1220	7zFM.exe
5616	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5672	msedge.exe
5672	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1220	7zFM.exe
Token: 35	1220	7zFM.exe
Token: SeSecurityPrivilege	1220	7zFM.exe
Token: SeDebugPrivilege	4480	taskmgr.exe
Token: SeSystemProfilePrivilege	4480	taskmgr.exe
Token: SeCreateGlobalPrivilege	4480	taskmgr.exe
Token: SeDebugPrivilege	5616	taskmgr.exe
Token: SeSystemProfilePrivilege	5616	taskmgr.exe
Token: SeCreateGlobalPrivilege	5616	taskmgr.exe
Token: 33	4480	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4480	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	724	wmic.exe
Token: SeSecurityPrivilege	724	wmic.exe
Token: SeTakeOwnershipPrivilege	724	wmic.exe
Token: SeLoadDriverPrivilege	724	wmic.exe
Token: SeSystemProfilePrivilege	724	wmic.exe
Token: SeSystemtimePrivilege	724	wmic.exe
Token: SeProfSingleProcessPrivilege	724	wmic.exe
Token: SeIncBasePriorityPrivilege	724	wmic.exe
Token: SeCreatePagefilePrivilege	724	wmic.exe
Token: SeBackupPrivilege	724	wmic.exe
Token: SeRestorePrivilege	724	wmic.exe
Token: SeShutdownPrivilege	724	wmic.exe
Token: SeDebugPrivilege	724	wmic.exe
Token: SeSystemEnvironmentPrivilege	724	wmic.exe
Token: SeRemoteShutdownPrivilege	724	wmic.exe
Token: SeUndockPrivilege	724	wmic.exe
Token: SeManageVolumePrivilege	724	wmic.exe
Token: 33	724	wmic.exe
Token: 34	724	wmic.exe
Token: 35	724	wmic.exe
Token: 36	724	wmic.exe
Token: SeIncreaseQuotaPrivilege	5484	wmic.exe
Token: SeSecurityPrivilege	5484	wmic.exe
Token: SeTakeOwnershipPrivilege	5484	wmic.exe
Token: SeLoadDriverPrivilege	5484	wmic.exe
Token: SeSystemProfilePrivilege	5484	wmic.exe
Token: SeSystemtimePrivilege	5484	wmic.exe
Token: SeProfSingleProcessPrivilege	5484	wmic.exe
Token: SeIncBasePriorityPrivilege	5484	wmic.exe
Token: SeCreatePagefilePrivilege	5484	wmic.exe
Token: SeBackupPrivilege	5484	wmic.exe
Token: SeRestorePrivilege	5484	wmic.exe
Token: SeShutdownPrivilege	5484	wmic.exe
Token: SeDebugPrivilege	5484	wmic.exe
Token: SeSystemEnvironmentPrivilege	5484	wmic.exe
Token: SeRemoteShutdownPrivilege	5484	wmic.exe
Token: SeUndockPrivilege	5484	wmic.exe
Token: SeManageVolumePrivilege	5484	wmic.exe
Token: 33	5484	wmic.exe
Token: 34	5484	wmic.exe
Token: 35	5484	wmic.exe
Token: 36	5484	wmic.exe
Token: SeIncreaseQuotaPrivilege	1348	wmic.exe
Token: SeSecurityPrivilege	1348	wmic.exe
Token: SeTakeOwnershipPrivilege	1348	wmic.exe
Token: SeLoadDriverPrivilege	1348	wmic.exe
Token: SeSystemProfilePrivilege	1348	wmic.exe
Token: SeSystemtimePrivilege	1348	wmic.exe
Token: SeProfSingleProcessPrivilege	1348	wmic.exe
Token: SeIncBasePriorityPrivilege	1348	wmic.exe
Token: SeCreatePagefilePrivilege	1348	wmic.exe
Token: SeBackupPrivilege	1348	wmic.exe
Token: SeRestorePrivilege	1348	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1220	7zFM.exe
1220	7zFM.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
4480	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe
5616	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 5616	4480	taskmgr.exe	99
PID 4480 wrote to memory of 5616	4480	taskmgr.exe	99
PID 3516 wrote to memory of 724	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	103
PID 3516 wrote to memory of 724	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	103
PID 3516 wrote to memory of 724	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	103
PID 3516 wrote to memory of 5484	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	106
PID 3516 wrote to memory of 5484	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	106
PID 3516 wrote to memory of 5484	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	106
PID 3516 wrote to memory of 1348	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	108
PID 3516 wrote to memory of 1348	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	108
PID 3516 wrote to memory of 1348	3516	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe	108
PID 1512 wrote to memory of 5672	1512	msedge.exe	121
PID 1512 wrote to memory of 5672	1512	msedge.exe	121
PID 5672 wrote to memory of 5916	5672	msedge.exe	122
PID 5672 wrote to memory of 5916	5672	msedge.exe	122
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 1180	5672	msedge.exe	124
PID 5672 wrote to memory of 1180	5672	msedge.exe	124
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123
PID 5672 wrote to memory of 5352	5672	msedge.exe	123

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1220

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5616

C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
"C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe"
1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3516
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5484
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Cy8_readme.html
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument C:\Cy8_readme.html
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:5672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffaff43f208,0x7ffaff43f214,0x7ffaff43f220
    3⤵
    PID:5916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1996,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=1988 /prefetch:2
    3⤵
    PID:5352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2124,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    PID:1180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1932,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:8
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
    3⤵
    PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4892,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:8
    3⤵
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4908,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:8
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5392,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8
    3⤵
    PID:5440
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:8
    3⤵
    PID:1168
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:8
    3⤵
    PID:2540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5952,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:8
    3⤵
    PID:3848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:8
    3⤵
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6152,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
    3⤵
    PID:1380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:8
    3⤵
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6024,i,16356727614637306701,18258060903451465214,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
    3⤵
    PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Cy8_readme.html

Filesize
6KB

MD5
4100e3bc410016393dbacb7838103de5

SHA1
d27996a3b0682361aacde7fb0cb0a488f53f3f9d

SHA256
44f59787e996b2d3465d38d92eacb9058dc663ce5fe61d7cefe83f07b844c301

SHA512
ebcc3a96994fcc792160fa40aee4438d5601534d9592696e9fe4e306479fc8997eb29f3259eca7fa6a685a595340ad49fefa71783ad3da1a1c8f5d6af538a937

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
f52dcfa859dec712ba28b434e11695ee

SHA1
607c178ca97efdaac775ed7769ea888976b9060f

SHA256
48e1595938d7396ac244970067d8a818bdd7f22dd691387c594a3120802972f6

SHA512
8bc2495a910c15be5cdf8ae4e59cc15f96a26e0de2bbdfb12e20ba4a94dd56e17cf6d284a177351fba953c540d4a043b6d248dea84df530b0d5b364c37a15c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
b72a8c29865b5c68dc335186725245aa

SHA1
5ceccdbd003bb1f17598611014d593f20a07456a

SHA256
a50aeb9f7890280c5b685ff7add3d78295f9ceecbd2154c815b42401a8c3f1ae

SHA512
379d95186ec93bf74b34009f8952619bcbd0a9af0d823b473f8994c497be23e3ba1100625952e860d06629e58aecb72f8b0c1de21abd1ab5b13ac6eae9287859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
2e26e0eb60ebfa0911291b10c83f9996

SHA1
77f681f5c20731bbf0e363d473865d9d985e3076

SHA256
87d8c033a000b613bad964a93f8a5f546aa3bcedd51a3d05a98df264bd530b54

SHA512
1e40447835d591f8789e9ddbf79185d5da2d4516c749428bed1aae14af148b81507eaf87781e7f171bb567ef72143de7ca3bfaecbea67d7340aa0ca4f0c356df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
88b39bb5df13e8e274ccbafa52e95adf

SHA1
4af587e443dd2ca5bdfc6d158925f9b6b87b012a

SHA256
751e34ec141c25500cbb85b0955b72b105deaff9ad30037c7de3e01f4a00aeea

SHA512
510e492b018cf10d081aa8f045f99e0c87c256a25d92c28fc0df4d80ddb53bb0cbf856171b9502620f67e717fb7a0cda7e5ec1ee3ea5d8cae4598378fd78a2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
8e3b5ffe421a2bfcb71242fad2d73e6b

SHA1
34fe3e2fe8cffb2e3f829f73389c4f58d652f37f

SHA256
da21ea5e278a6046278a0303bf3b89a8f84ebf80760bd01b3874faa1c9635988

SHA512
74a1ecd99336a51ecaa31b19a3e2806103a264b7f187972fc54e2a61ff74abc1a535c7e8b221a3808e58e9f5b69baead387932b6ce494f0d0bc0d97763dc6dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
63bc91e44095989436f9ff6e44a495da

SHA1
420b9b550db65537ec7c8bec335a13ae88a091c5

SHA256
58be448336b63261a353789adcb7eb7d1a68e134b6a14511c4d794026350c2f0

SHA512
e988965a2ddf99c4c6aaeb55d5b6da3ee5bf7b40099f71b5f09e53520964c238b7461307d673a086eb1f01e948d79d16f001ee337fddc29d617bcc0d2d46d66a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a5e14779fa2a5f630f91d1af963dba60

SHA1
429d9782f86544dd8daeaa5c4ffbbc5a6d76ce36

SHA256
3f7db73270d38fb32307a39cbd539086b3bf69959ee4343d24da8e8f70cf3fa1

SHA512
eea3a0d536d032158fee1a0b53c70c90758d38a74bdc40b3b27908d21dba6e589b653c7d3bf9e2efbf6b505001260dd000d781dc7915293db78828f15ba3cc27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
ca5ac72b5d58ccc1d77f4d176c3b7732

SHA1
625050884699c5765751c3b28ecaa1a8edef2fb5

SHA256
284041276c34ada62dd622686856e299bd8c741ae6bbfd1f76a51cd841fa53d7

SHA512
72716576e125de5aba56ecfc73095c94c89fc36cdba6f185227ed0067fe0344252b19d8d314a5275be1b16be5698fb97e1dea7eb4a96020dc6e289985bc2e92e

Download Submit
C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

Filesize
4.8MB

MD5
6ff1ca648505fe8bea6b4a26616b9722

SHA1
7020b4d9e700b697d507a61bffea12c9475a23d2

SHA256
7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365

SHA512
e65d67e22807e1a539997bd763fc6063226fce207c57b3b0316ef7640471f460016fa5f58feb006ff96dd7a2cf5bcff7c17f0af763e8518431fe13ce6d8c9db2

Download Submit
memory/3516-32-0x0000000000200000-0x00000000006D7000-memory.dmp

Filesize
4.8MB

Download
memory/3516-30-0x0000000000200000-0x00000000006D7000-memory.dmp

Filesize
4.8MB

Download
memory/3516-355-0x0000000000200000-0x00000000006D7000-memory.dmp

Filesize
4.8MB

Download
memory/3516-33-0x0000000000200000-0x00000000006D7000-memory.dmp

Filesize
4.8MB

Download
memory/4480-4-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-2-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-3-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-14-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-8-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-9-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-10-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-11-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-12-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download
memory/4480-13-0x000001F302DF0000-0x000001F302DF1000-memory.dmp

Filesize
4KB

Download