7da1fb99de280b8baf392e8d5a62026cf709b202bf78cc74652c3f84c90c929f

Resubmissions

25/04/2024, 08:25

240425-kbmxwaha9x 9

25/04/2024, 08:22

240425-j9jsfaha8w 9

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T08:28:28Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240226-en/instance_5-dirty.qcow2\"}"

Report Analysis Logs

General

Target

Library.exe
Size

4.1MB
MD5

04ed10d94e5cd607770eecc9aee56105
SHA1

f43752eb19d1359efcc90e8b1e7078594beed40c
SHA256

7da1fb99de280b8baf392e8d5a62026cf709b202bf78cc74652c3f84c90c929f
SHA512

ff770a81822005bd0ff9b901cea3fc25d73daf06dafeaebf75cf2ba38841004fae6f6b102e6b34f215d1df5a647c1a398423ed32179ef1bb28b7562fa6036a27
SSDEEP

98304:+80h5vs4SZWnzJgKSF3UPDV/KQBR8rOI4i1q3:pGVs44WntglyCQwAz

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Library.exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Library.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Library.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Library.exe

Executes dropped EXE 37 IoCs

pid	Process
4004	AMIDEWINx64.EXE
4344	AMIDEWINx64.EXE
3688	AMIDEWINx64.EXE
1132	AMIDEWINx64.EXE
4444	AMIDEWINx64.EXE
3772	AMIDEWINx64.EXE
3964	AMIDEWINx64.EXE
4928	AMIDEWINx64.EXE
3016	AMIDEWINx64.EXE
5040	AMIDEWINx64.EXE
1124	AMIDEWINx64.EXE
2960	AMIDEWINx64.EXE
3064	AMIDEWINx64.EXE
540	AMIDEWINx64.EXE
3868	AMIDEWINx64.EXE
3668	AMIDEWINx64.EXE
5072	AMIDEWINx64.EXE
3256	AMIDEWINx64.EXE
3680	AMIDEWINx64.EXE
416	AMIDEWINx64.EXE
2320	AMIDEWINx64.EXE
1244	AMIDEWINx64.EXE
2708	AMIDEWINx64.EXE
3088	Volumeid.exe
4124	Volumeid.exe
2984	Volumeid.exe
732	Volumeid.exe
3956	Volumeid.exe
4508	Volumeid.exe
4764	Volumeid.exe
3552	Volumeid.exe
4080	Volumeid.exe
4612	Volumeid.exe
1744	Volumeid.exe
4712	Volumeid.exe
4976	Volumeid.exe
2940	Volumeid.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3960-12-0x0000000000210000-0x0000000000B4E000-memory.dmp	themida
behavioral1/memory/3960-13-0x0000000000210000-0x0000000000B4E000-memory.dmp	themida
behavioral1/memory/3960-220-0x0000000000210000-0x0000000000B4E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Library.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
57	discord.com
59	discord.com
60	discord.com
67	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3960	Library.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\AMIDEWINx64.EXE	Library.exe
File created	C:\Windows\Fonts\amigendrv64.sys	Library.exe
File created	C:\Windows\Fonts\amifldrv64.sys	Library.exe
File created	C:\Windows\IME\Volumeid.exe	Library.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4172	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{785249E1-E2F4-48CA-8021-5C5BAA973628}	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe

Suspicious behavior: LoadsDriver 23 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3960	Library.exe
Token: SeDebugPrivilege	416	taskmgr.exe
Token: SeSystemProfilePrivilege	416	taskmgr.exe
Token: SeCreateGlobalPrivilege	416	taskmgr.exe
Token: 33	416	taskmgr.exe
Token: SeIncBasePriorityPrivilege	416	taskmgr.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe
416	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4604	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 4908	3960	Library.exe	100
PID 3960 wrote to memory of 4908	3960	Library.exe	100
PID 3960 wrote to memory of 3668	3960	Library.exe	101
PID 3960 wrote to memory of 3668	3960	Library.exe	101
PID 3960 wrote to memory of 3620	3960	Library.exe	102
PID 3960 wrote to memory of 3620	3960	Library.exe	102
PID 1672 wrote to memory of 4640	1672	msedge.exe	111
PID 1672 wrote to memory of 4640	1672	msedge.exe	111
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 688	1672	msedge.exe	112
PID 1672 wrote to memory of 1904	1672	msedge.exe	113
PID 1672 wrote to memory of 1904	1672	msedge.exe	113
PID 1672 wrote to memory of 4812	1672	msedge.exe	114
PID 1672 wrote to memory of 4812	1672	msedge.exe	114
PID 1672 wrote to memory of 4812	1672	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\Library.exe
"C:\Users\Admin\AppData\Local\Temp\Library.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/blammed
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://blammed.pro/
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/blammedsolutions
  2⤵
  PID:3620
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "ISBZ-MTPX"
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "CZJW-ROXK"
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "EGKR-XNYY"
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "LJPW-DKWV"
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "IFZE-WDBP"
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "AMLQ-BKXP"
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "CBQV-UYCU"
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "UCOC-DTUS"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "COOM-PSNB"
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "EURL-CHWB"
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "LATC-UAAJ"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "DFKT-OZLG"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "RTON-WLZJ"
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "NOQA-HQRM"
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "FMQD-ZSYB"
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "OEIK-ITNF"
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "ILTI-TJFA"
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "AJOF-JZCM"
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "NYNB-IIGZ"
  2⤵
  - Executes dropped EXE
  PID:416
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "VMZR-CPBT"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "BLSV-WJSW"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "HQCP-DSSO"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" C: "BVXJ-FLWZ"
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" D: "FUNH-KNXL"
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" F: "IUEY-HHQE"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" G: "FRTS-FQWD"
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" H: "UKQH-SRNP"
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" A: "PSQC-VLMU"
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" E: "SRHI-NTHU"
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" J: "FSDO-RDTO"
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" K: "YKNZ-WQTQ"
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" X: "GOIO-QOIU"
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" M: "FZAO-INPA"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" N: "DVBZ-OZYL"
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" R: "YCEL-XMXC"
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" Q: "YQBZ-LSER"
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop winmgmt /y
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    PID:2068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net start winmgmt /y
  2⤵
  PID:776
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt /y
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      PID:5064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop winmgmt
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3888 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3652 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4676 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5832 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5728 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=4520 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6072 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
1⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffbe8ef2e98,0x7ffbe8ef2ea4,0x7ffbe8ef2eb0
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2260 --field-trial-handle=2264,i,16248398828712265721,13259726506180387650,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2740 --field-trial-handle=2264,i,16248398828712265721,13259726506180387650,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2636 --field-trial-handle=2264,i,16248398828712265721,13259726506180387650,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2264,i,16248398828712265721,13259726506180387650,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2264,i,16248398828712265721,13259726506180387650,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4548 --field-trial-handle=2264,i,16248398828712265721,13259726506180387650,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4588 --field-trial-handle=2264,i,16248398828712265721,13259726506180387650,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4648 --field-trial-handle=2264,i,16248398828712265721,13259726506180387650,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:3524

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
6a597931d89cfa1bf2152bcf9ac28c1c

SHA1
fc2184d3cc2b6bc43cccd57b7d134094a1778af4

SHA256
4eb129ae2c7f609583d2367dd9b708a23b45e51a5be8247febd68e9c2f07a78b

SHA512
57a6ee8ac6e9b5cbcee78cea8ce54645ae407338d5adbf143b2018d0c6028e6af2d088ca54cf83385d153368482c30d70ada881f66eae8c1ef761f347038d1c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
afbd4ed0c51774ae6deb45fbe30a2969

SHA1
205ebf273f620a8f39e6a2be890109e90d065186

SHA256
590a14b4696c7e0686716a8621c65dc145b56b4daa4ad97d6c5de41f781a949d

SHA512
441ff894514a63551c54f01b258669c78e0f24e7adbe72991dbf0d2886cc1f6b477dcb9fcbd09207eafd907609a52b0bfa16cbc2ffbf37222e69837006b896e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
08b1e1ccd884a5d9d7bfd7b669aa5217

SHA1
b35f2e98361af87f308dac202701f31840fc372b

SHA256
266660d88a653eb7ea7d539e2eef64cdb5db9f1d778139817b0835ee77c3eb6b

SHA512
ef2173aea5565565c53aa90400af22d182a359a29a74d9f009213d9bf050a70afc11978ec401352e14a4c791f126523b5127c36a389674fc77f4fc1199af1f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
d5d2552929f3e1eecc970b5356a33739

SHA1
3714ae53cb5942669d783466ddc64fefa33ceee6

SHA256
3db60a494c06f9ec92f9691f3f2b07b6f23eee29fac260dd6963e5079c114a76

SHA512
2f5289aff3dec62cbc02c9c2b812ac94ce081b803f10b44274768458d050ba3d199c7fb9482f64b8acc203544042f429c1cfdb58e939845111ac08aa30d2df0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
59KB

MD5
345da7a1f38363fce5f48c7f6bd0c98b

SHA1
b5d992dcabdc4d659e610385f6e74c07ea4ba706

SHA256
f55bbc401fcdd2b164b166fd75108e84d1549893918c7f47c135fe04acc347be

SHA512
c38c97de4c41dab027978bd493a44b9bae69eb8b45c5733afa808bd43177d9ae7c81ea1a9a63958c638b8a6de1eed462cde1c01b1884002eca3a78fe30465cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
48KB

MD5
68dbf6dd8e175277e0ada511c7583e38

SHA1
b25a88846fa0061acc5434d3674610c2f61bbfbb

SHA256
ff74f79ad19f8f1c8e717329c1524c178d610587aedfedf275ee65ed1d298a7e

SHA512
a798a23bad12085b8bbfb7deba88e528873c1e3f5d12a85da7fee61a03895aba967803ed492b322cd9759ab449ed8350611e9257a86ef6616715163ae6b023ce

Download Submit
C:\Windows\Fonts\AMIDEWINx64.EXE

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
C:\Windows\IME\Volumeid.exe

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
memory/416-228-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-229-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-230-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-231-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-232-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-233-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-234-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-222-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-223-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/416-224-0x0000016B281E0000-0x0000016B281E1000-memory.dmp

Filesize
4KB

Download
memory/3960-92-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-2-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-12-0x0000000000210000-0x0000000000B4E000-memory.dmp

Filesize
9.2MB

Download
memory/3960-26-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-9-0x0000000076FC4000-0x0000000076FC6000-memory.dmp

Filesize
8KB

Download
memory/3960-8-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-6-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-90-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-91-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-13-0x0000000000210000-0x0000000000B4E000-memory.dmp

Filesize
9.2MB

Download
memory/3960-7-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-5-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-4-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-3-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-121-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/3960-27-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-0-0x0000000000210000-0x0000000000B4E000-memory.dmp

Filesize
9.2MB

Download
memory/3960-1-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-220-0x0000000000210000-0x0000000000B4E000-memory.dmp

Filesize
9.2MB

Download
memory/3960-221-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-25-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-23-0x0000000007730000-0x00000000077CC000-memory.dmp

Filesize
624KB

Download
memory/3960-22-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-21-0x0000000075FD0000-0x00000000760C0000-memory.dmp

Filesize
960KB

Download
memory/3960-20-0x0000000000210000-0x0000000000B4E000-memory.dmp

Filesize
9.2MB

Download
memory/3960-19-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/3960-17-0x00000000067B0000-0x0000000006B86000-memory.dmp

Filesize
3.8MB

Download
memory/3960-16-0x0000000005BB0000-0x0000000005BBA000-memory.dmp

Filesize
40KB

Download
memory/3960-15-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/3960-14-0x0000000006200000-0x00000000067A4000-memory.dmp

Filesize
5.6MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads