hxxps://files[.]multimc[.]org/downloads/mmc-develop-win32[.]zip

Resubmissions

17-12-2024 13:27

241217-qqcy4s1mhk 10

17-12-2024 13:19

241217-qkp2gsznft 7

17-12-2024 13:14

241217-qgv4bsznat 7

17-12-2024 13:06

241217-qb3k8azlh1 4

Analysis

max time kernel
238s
max time network
249s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-12-2024 13:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://files.multimc.org/downloads/mmc-develop-win32.zip

Score

7^/10

defense_evasion discovery evasion trojan upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Executes dropped EXE 5 IoCs

pid	Process
1680	AV.EXE
4676	AV2.EXE
2884	DB.EXE
4596	EN.EXE
2460	SB.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
45	raw.githubusercontent.com

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
3220	verclsid.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tsa.crt	AV.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002ab5a-505.dat	upx
behavioral1/files/0x004600000002ab5b-515.dat	upx
behavioral1/memory/2884-540-0x0000000000670000-0x0000000000703000-memory.dmp	upx
behavioral1/memory/2884-537-0x0000000000670000-0x0000000000703000-memory.dmp	upx
behavioral1/memory/2884-541-0x0000000000670000-0x0000000000703000-memory.dmp	upx
behavioral1/memory/2884-532-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4596-533-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/4596-567-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MultiMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\mmc-develop-win32.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ana.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
2216	msedge.exe
2216	msedge.exe
1116	identity_helper.exe
1116	identity_helper.exe
3852	msedge.exe
3852	msedge.exe
5036	msedge.exe
5036	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
4564	msedge.exe
4564	msedge.exe
2884	DB.EXE
2884	DB.EXE
2884	DB.EXE
2884	DB.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	DB.EXE

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1136	2216	msedge.exe	77
PID 2216 wrote to memory of 1136	2216	msedge.exe	77
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 2364	2216	msedge.exe	78
PID 2216 wrote to memory of 404	2216	msedge.exe	79
PID 2216 wrote to memory of 404	2216	msedge.exe	79
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80
PID 2216 wrote to memory of 4936	2216	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://files.multimc.org/downloads/mmc-develop-win32.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde3d33cb8,0x7ffde3d33cc8,0x7ffde3d33cd8
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1896 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5324 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1936,10167892593450380720,11514281715131029141,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3932 /prefetch:8
  2⤵
  PID:3560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\Temp1_mmc-develop-win32.zip\MultiMC\MultiMC.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_mmc-develop-win32.zip\MultiMC\MultiMC.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:780

C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:3900
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1680
- - C:\Windows\SysWOW64\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {F5FB2C77-0E2F-4A16-A381-3E560C68BC83} /I {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} /X 0x401
    3⤵
    - System Binary Proxy Execution: Verclsid
    PID:3220
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins4859.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:1236
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul
    3⤵
    PID:568
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e82b1240288f95c0e36ce3d2a6c94c55

SHA1
9c11872b5d0a3d7b07f9d08ccea6049a7e9efc92

SHA256
1df70c84eee566064e06b01c6a786cddfd62630eb815db6d2a60ec7edc1fa859

SHA512
9731e776f000bf2b465425ebc7a2be879811108cd77887c5f200947ab35510cd3e5664bafbd7624eb06798fe024f26f41446a5d03c1183622f31d01b9fb4fc24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3ea968cd1ca1458d987a6879b13d0726

SHA1
5c8d5df0d6a932bd6ec11f337ebb3d1c7e77bb20

SHA256
fcdf174223a0e05cc2c583590e6e8fa5bb8d159522a2402cc5af013dac3b2d2e

SHA512
3e1509652236fdaf81e6198b6b02ba73d5b3b5b9b388f860dbb5e3289f27e1ac630fdc8b51abc6015f72fafedf8a5be2d9ad3e04954f38418a7b7bd5e2fc6dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
546B

MD5
0a82eeba6ebfd054ddb8d7c862150b25

SHA1
21e4271d06b1d75dcf2c8e8eddbfd2cec6655e45

SHA256
8a2c79456a4311151eb59b4812ee58a6251514bac6b85ad48989752e1fc42137

SHA512
4601e110b8eda319fedb736f32ef340badee15ede685fc223d13ab243d5b9f2a253e0fa432b39599f98d205cb88bec1d91bf6a999582f9980043912cb10ee55b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
475B

MD5
0542640304dd8942cc4a9b3999eaa771

SHA1
fbfabc7884c71d5d53b31dd6554f8035373bf7f6

SHA256
a143d8ccf38ae554d969d9d00c1916c8ba15cc66732275c868418acf8f7733a5

SHA512
ace53c28b7a74a320030aff7d0007f3b52d9706e0a575aba0b1002bb92d4c680e6d6bd4c7010a0fc83485d18d0412cfdc699e5c784340f3aaec6089aae837e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
174b4d4b2f7643cfdb67edb154fcd173

SHA1
d05d39e54e5f009cc07a9ea0080901f4799ba6fd

SHA256
7c326eddab301691b33a896c5429201cdea8a414ce7dbc8997cb578f36b7be34

SHA512
1607a89ea7c455d4d4bc36db9b4395da49a6757ab113f4e274ba1d4861063f22a9e116c0430b1114c5633177edf5cdfb688808a109bbb4ac2ace4c05f4e5514b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f7adf2d02d8267615a26c0169c45d1d3

SHA1
5532d8caf2d32451590d77637e7871488a7b3ad5

SHA256
1b5bdeec51becc82260d63c54a2359d1bcdaf7b4d1a02e8611240e3cb5ac3416

SHA512
a0a4af8feca03df2c53ad77d8c7acc31ad88d3f7a1970b9f115c0a572afd6130a4891c1744ac1906b2736a8bfde4443e455190c000c5bab573c5b73a58ff9730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
670bb28b0118e908267a55118e077903

SHA1
1767b0140de97b22a3c9f7403365161f86a023b6

SHA256
8ba6eb604d78b5e60f8cc23980ce5ca13bfccaf0bc6c24f347d7a6485fc8389a

SHA512
f714369ea77099ad325ececba0f0af68c3f50bdb5621d60f4c19568403f07908086073e0d3de763cb80d3f71d12c49949155fc6de7c9bf27580e5153906cb32c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a76a39d4ace3a183c746dcabb3ff2d7

SHA1
7c13e650dee9f2de376ca28ac9123d613bab2a59

SHA256
94a4cb2605f014806ca0026aa42137cee2a72f6d3ba0677a3ca4d90cc7c727d3

SHA512
911215b9c98a75e3fc192b709b80f028f2433751a20e5b87c3eaf21611e47c0900e131d9a3ad981270f60bd78e203d6da4f02a12e57ab5950f38625bf538b153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9cd2235b370d7d22ec0bb9e119bd0ea

SHA1
10fcf27328087881dcf68a621f99f3de4ec19a9f

SHA256
8259a427fbb064c802b584023605097d5d70c83cba3a499911396097e31ceb54

SHA512
0e85fe828affc06aa06338b48a2a768b854953d3e6bc1e349f9a79a1cc6aae05d67be4dec607d90fe4468dffd447e426eaaa04e66a49115b399aca69476bb80b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f8cf0c6c802c3ab0ac2b582d3463ece4

SHA1
a3288a7d1594fd3a11c55d5c597855aa142a4f5c

SHA256
3ddb2da62140f6b123e8d1d30299b56afa67b96109bbab7e646e6ea50d34bcf1

SHA512
83c90c9dda9a4002b652021ef1ec5868089ac688cb98a5aef89a36f4107451fedf572ec6e1fcda614a56b4018f3a7da670d18d2da4009e4dc984206f470f85e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03165e937dbed60c57fb531b154ece62

SHA1
adaed294a7de3ae042602cab44508654a01b2e2f

SHA256
3e01853131fd36b306b2572ae313d713f3c6afc4a8ff8e1415a80dea4158b239

SHA512
6a8c50d29f20076c6ab411947b4b4c9ee32c397f0a4154648fbf80de400c5c347077babe918b1796fc09639f94a621a941c8f5c987ae0d34b40120846dc1265d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a4670.TMP

Filesize
538B

MD5
429b0d5f7beb537887e9f754e6311331

SHA1
693434f8f5353b5f107c331eb77a221b1c185e40

SHA256
576368de9f040c94e79b7b0b394974010b6fd3dcf60e42af0c1e677387b3c930

SHA512
f39ee354fcd712886d24310b58e9575378c17c6e043cd2357fdcd1bbbeadcc073a4aea0931ca7aac2bebe9df48f5f4728447c41894cc7181f6a22b41fff75921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
74359272ff2a6cf7f1a1b6324fecf572

SHA1
ae0e051d1ac8fb6855ebefb8dfb1e763c3f6ea4e

SHA256
3cdd067f83a533e5f80fe70665b73d3ceee6e7d783f65097063772a17f728592

SHA512
e9a2d5ef0a2564705bb43a1a605341c269a8ba0a19a66a13fcbe512083196bedeb08a30775af1852051d85ed8ddc08887f81d06235aa882e376767e38de32a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d6a813403807c0087829d56f3dc63bcf

SHA1
a49aaf47b7e7ec752945153cc2ee322c2e7909ae

SHA256
fb9cd2df470aacd6cac99a89b6a429586201e0a34c4abd1053388a364d1b83c5

SHA512
0b0f8db2d2749d488719e94e995961e1113a6a41af3ec77b9d286dfe916080137e76d8628a50c51dbb38d2e6c13108c782043679dcd523d84aa9382166588dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cdf006110c0f3fe3fe55341715f0dae4

SHA1
7293c7f819076ecdecd91a586bb74a2444f02746

SHA256
06358f31940fa445f3c8f1c13108234f29fec6387a7bfe5546c77d5524613d0c

SHA512
705ac604654f1002d6ce21171a5a85af9cc51625aa074ff16b18859b4fd1ee30bdef5ab5f4c29a67c119b59f7e32a80789e1bb0fd97dc26b82466d0f1117a9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~unins4859.bat

Filesize
49B

MD5
9e0a2f5ab30517809b95a1ff1dd98c53

SHA1
5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce

SHA256
97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32

SHA512
e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

Download Submit
C:\Users\Admin\Downloads\Ana.zip

Filesize
1.8MB

MD5
cb6e4f6660706c29035189f8aacfe3f8

SHA1
7dd1e37a50d4bd7488a3966b8c7c2b99bba2c037

SHA256
3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

SHA512
66c3351ce069a85c9a1b648d64883176983acd34c0d5ca78b5138b7edc2890b34408e8e6fa235258d98c105113d1978a68a15262d6523a82abb004f78b06de38

Download Submit
C:\Users\Admin\Downloads\Ana.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\mmc-develop-win32.zip

Filesize
13.5MB

MD5
380be19040cb6a051b6723d8b67a5785

SHA1
f957c51199969d92f1f0c8889690da16d62938a9

SHA256
28061938a1282f8ec3d5e45b0780126e4db95de29d88c2d99bf7fc4767ba9554

SHA512
fb2f495f1a57a726a9ad68a1dd0633c2090c9f2f44002567d171e3d8001fc8bd15d57e92a837d9474cf52c4f2492254bfcf07d0a70c7c5638f7d05750b2bc8df

Download Submit
C:\Users\Admin\Downloads\mmc-develop-win32.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SysWOW64\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
memory/2884-541-0x0000000000670000-0x0000000000703000-memory.dmp

Filesize
588KB

Download
memory/2884-532-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2884-537-0x0000000000670000-0x0000000000703000-memory.dmp

Filesize
588KB

Download
memory/2884-540-0x0000000000670000-0x0000000000703000-memory.dmp

Filesize
588KB

Download
memory/4596-533-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4596-567-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads