1cc7c5968d8bb64fb741c13772986779834eca8293d230cd88aa305c304e89c2

General

Target

modest-menu_v0.9.10/modest-menu.exe
Size

14.3MB
MD5

f0851119cec15d35a8f206f1ba446f86
SHA1

5ff263672af7e81a344846b3bce1ff4e59f8b6cd
SHA256

19a82f12d86829e768d226c0ec5e20a664f349d1bbabd3aaeade3ff3d7237282
SHA512

2ccbe9d55b59bc22ce615f23a09baa66d15e88f7c44e8f5561c54b410d02cb309d40865fd22694470fc9cfbda69ad12fb699427778347e49db63d60a341cf5ea
SSDEEP

393216:rO4LKZjqtG+kh/JUwReHLsLjbeeE8KohlBM2Dd1rzO:rrKZjLhDUHimEJhD

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

modest-menu.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ modest-menu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	modest-menu.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

modest-menu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	modest-menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	modest-menu.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3268-0-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-2-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-3-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-4-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-5-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-6-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-7-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-8-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-9-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida
behavioral2/memory/3268-11-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

modest-menu.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA modest-menu.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

modest-menu.exe

pid process

3268 modest-menu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	modest-menu.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

modest-menu.exetaskmgr.exe

pid	process
3268	modest-menu.exe
3268	modest-menu.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4124 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskmgr.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4124	taskmgr.exe
Token: SeSystemProfilePrivilege	4124	taskmgr.exe
Token: SeCreateGlobalPrivilege	4124	taskmgr.exe
Token: SeSecurityPrivilege	4124	taskmgr.exe
Token: SeTakeOwnershipPrivilege	4124	taskmgr.exe
Token: SeBackupPrivilege	224	svchost.exe
Token: SeRestorePrivilege	224	svchost.exe
Token: SeSecurityPrivilege	224	svchost.exe
Token: SeTakeOwnershipPrivilege	224	svchost.exe
Token: 35	224	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe
4124	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3532 wrote to memory of 4620	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4620	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4636	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3068	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3068	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 5112	3532	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\modest-menu_v0.9.10\modest-menu.exe
"C:\Users\Admin\AppData\Local\Temp\modest-menu_v0.9.10\modest-menu.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=wjmc8h.exe wjmc8h.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f3b346f8,0x7ff9f3b34708,0x7ff9f3b34718
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,4977133901673207691,5455532475658407933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,4977133901673207691,5455532475658407933,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,4977133901673207691,5455532475658407933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4977133901673207691,5455532475658407933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4977133901673207691,5455532475658407933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4977133901673207691,5455532475658407933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
184c5c7572a6b42b329aae4e94e9b801

SHA1
adc61339fa23296b5271ac2b7e0de1d7390c4e12

SHA256
ce44f115c3b1677a95d69195266225da59f4dd8cd9d57fd713df35b91cc564b1

SHA512
692f524f7b95da9ef6e247772dc5e949fa3aa34a61675fa5c59698583c1708f0aecf454a06f8deb8bdd7690fce5bc9c76bd2a544ea6354fda15a924480eee820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f132effa02ee97594b38968825d5612a

SHA1
d9ea91f8b5ed9c19bb10b6a3df55668a27f92b5e

SHA256
c851b798af2dc8aedc2ed45dab653888cf545422e88228213ecde21d0611b13f

SHA512
45084fb218637dd498174eec9821548202be63c4b49929897ec82fb2418a2705dd5ed8d7d0a15d8d8bcefc39abf2b7c7162f5c45cdf4fff34e5737c9c93de1f0

Download Submit
\??\pipe\LOCAL\crashpad_3532_VUWQQFITBJWSIZIX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3268-6-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-4-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-5-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-3-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-7-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-8-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-9-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-11-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-12-0x00007FFA10A90000-0x00007FFA10C85000-memory.dmp

Filesize
2.0MB

Download
memory/3268-0-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-2-0x00007FF7E81C0000-0x00007FF7EA5EF000-memory.dmp

Filesize
36.2MB

Download
memory/3268-1-0x00007FFA10A90000-0x00007FFA10C85000-memory.dmp

Filesize
2.0MB

Download
memory/4124-15-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-25-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-24-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-23-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-22-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-21-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-19-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-26-0x000001A6380C0000-0x000001A6380D0000-memory.dmp

Filesize
64KB

Download
memory/4124-32-0x000001A638120000-0x000001A638130000-memory.dmp

Filesize
64KB

Download
memory/4124-20-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-13-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download
memory/4124-14-0x000001A6387D0000-0x000001A6387D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads