umbral | 0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a

Analysis

max time kernel
548s
max time network
555s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 06:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

BALDI.exe
Size

5.6MB
MD5

8235f398b63cb2b0926edf528a56ad35
SHA1

668ff71112d6bf289b70659d063d524481c19b0f
SHA256

0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a
SHA512

51cf7794ea120ebaad6d53b2722f35e57b1d28b5365e53a74d945f45d180d6a5bfe3b27f963485c53079103947e552c88631485ba49a160a4b09c9afd4a66674
SSDEEP

98304:3rd/2Kf8MIhWIcn1111DIgzO9QeMfXTjig8nuluLlKUORY+6Mrv:3rR2KfBIc1j1J8sfXvpQlHfE

Score

10^/10

umbral discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/5584-36-0x000001FAC6EE0000-0x000001FAC6F20000-memory.dmp family_umbral

resource	yara_rule
behavioral2/memory/5584-36-0x000001FAC6EE0000-0x000001FAC6F20000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

MrsMajor3.0 (1).exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	MrsMajor3.0 (1).exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

MrsMajor3.0 (1).exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MrsMajor3.0 (1).exe
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2036 powershell.exe
Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

5036 takeown.exe
4348 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

5036 takeown.exe
4348 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

959 discord.com
960 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

950 ip-api.com

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MrsMajor3.0 (1).exe

pid	process
2036	powershell.exe

pid	process
5036	takeown.exe
4348	icacls.exe

pid	process
5036	takeown.exe
4348	icacls.exe

flow	ioc
959	discord.com
960	discord.com

flow	ioc
950	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

MrsMajor3.0 (1).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\wlp.tmp"	MrsMajor3.0 (1).exe

Drops file in Windows directory 6 IoCs

Processes:

MrsMajor3.0 (1).exe

description	ioc	process
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs	MrsMajor3.0 (1).exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur	MrsMajor3.0 (1).exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\ui65.exe	MrsMajor3.0 (1).exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\logonuiOWR.exe	MrsMajor3.0 (1).exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	MrsMajor3.0 (1).exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	MrsMajor3.0 (1).exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

3172 wmic.exe

pid	process
3172	wmic.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A2FEFCD6-AAF7-4B67-BADA-11579A3B07B5}	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5076 NOTEPAD.EXE

pid	process
5076	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exeosk.exe

pid process

4720 taskmgr.exe
5396 osk.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
4720	taskmgr.exe
5396	osk.exe

pid	process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEtaskmgr.exetaskmgr.exeUmbral.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: 33	2108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2108	AUDIODG.EXE
Token: SeDebugPrivilege	2964	taskmgr.exe
Token: SeSystemProfilePrivilege	2964	taskmgr.exe
Token: SeCreateGlobalPrivilege	2964	taskmgr.exe
Token: 33	2964	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2964	taskmgr.exe
Token: SeDebugPrivilege	4720	taskmgr.exe
Token: SeSystemProfilePrivilege	4720	taskmgr.exe
Token: SeCreateGlobalPrivilege	4720	taskmgr.exe
Token: SeDebugPrivilege	5584	Umbral.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeIncreaseQuotaPrivilege	1988	wmic.exe
Token: SeSecurityPrivilege	1988	wmic.exe
Token: SeTakeOwnershipPrivilege	1988	wmic.exe
Token: SeLoadDriverPrivilege	1988	wmic.exe
Token: SeSystemProfilePrivilege	1988	wmic.exe
Token: SeSystemtimePrivilege	1988	wmic.exe
Token: SeProfSingleProcessPrivilege	1988	wmic.exe
Token: SeIncBasePriorityPrivilege	1988	wmic.exe
Token: SeCreatePagefilePrivilege	1988	wmic.exe
Token: SeBackupPrivilege	1988	wmic.exe
Token: SeRestorePrivilege	1988	wmic.exe
Token: SeShutdownPrivilege	1988	wmic.exe
Token: SeDebugPrivilege	1988	wmic.exe
Token: SeSystemEnvironmentPrivilege	1988	wmic.exe
Token: SeRemoteShutdownPrivilege	1988	wmic.exe
Token: SeUndockPrivilege	1988	wmic.exe
Token: SeManageVolumePrivilege	1988	wmic.exe
Token: 33	1988	wmic.exe
Token: 34	1988	wmic.exe
Token: 35	1988	wmic.exe
Token: 36	1988	wmic.exe
Token: SeIncreaseQuotaPrivilege	1988	wmic.exe
Token: SeSecurityPrivilege	1988	wmic.exe
Token: SeTakeOwnershipPrivilege	1988	wmic.exe
Token: SeLoadDriverPrivilege	1988	wmic.exe
Token: SeSystemProfilePrivilege	1988	wmic.exe
Token: SeSystemtimePrivilege	1988	wmic.exe
Token: SeProfSingleProcessPrivilege	1988	wmic.exe
Token: SeIncBasePriorityPrivilege	1988	wmic.exe
Token: SeCreatePagefilePrivilege	1988	wmic.exe
Token: SeBackupPrivilege	1988	wmic.exe
Token: SeRestorePrivilege	1988	wmic.exe
Token: SeShutdownPrivilege	1988	wmic.exe
Token: SeDebugPrivilege	1988	wmic.exe
Token: SeSystemEnvironmentPrivilege	1988	wmic.exe
Token: SeRemoteShutdownPrivilege	1988	wmic.exe
Token: SeUndockPrivilege	1988	wmic.exe
Token: SeManageVolumePrivilege	1988	wmic.exe
Token: 33	1988	wmic.exe
Token: 34	1988	wmic.exe
Token: 35	1988	wmic.exe
Token: 36	1988	wmic.exe
Token: SeIncreaseQuotaPrivilege	4616	wmic.exe
Token: SeSecurityPrivilege	4616	wmic.exe
Token: SeTakeOwnershipPrivilege	4616	wmic.exe
Token: SeLoadDriverPrivilege	4616	wmic.exe
Token: SeSystemProfilePrivilege	4616	wmic.exe
Token: SeSystemtimePrivilege	4616	wmic.exe
Token: SeProfSingleProcessPrivilege	4616	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe
4720	taskmgr.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

osk.exeKernelLauncher.exeLogonUI.exe

pid	process
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
4968	KernelLauncher.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
5396	osk.exe
2100	LogonUI.exe
5396	osk.exe
5396	osk.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ATBroker.exeUmbral.exeMrsMajor3.0 (1).exe

description	pid	process	target process
PID 5364 wrote to memory of 5396	5364	ATBroker.exe	osk.exe
PID 5364 wrote to memory of 5396	5364	ATBroker.exe	osk.exe
PID 5584 wrote to memory of 2036	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 2036	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 3932	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 3932	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 3316	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 3316	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 5096	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 5096	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 1988	5584	Umbral.exe	wmic.exe
PID 5584 wrote to memory of 1988	5584	Umbral.exe	wmic.exe
PID 5584 wrote to memory of 4616	5584	Umbral.exe	wmic.exe
PID 5584 wrote to memory of 4616	5584	Umbral.exe	wmic.exe
PID 5584 wrote to memory of 4300	5584	Umbral.exe	wmic.exe
PID 5584 wrote to memory of 4300	5584	Umbral.exe	wmic.exe
PID 5584 wrote to memory of 5148	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 5148	5584	Umbral.exe	powershell.exe
PID 5584 wrote to memory of 3172	5584	Umbral.exe	wmic.exe
PID 5584 wrote to memory of 3172	5584	Umbral.exe	wmic.exe
PID 4716 wrote to memory of 5036	4716	MrsMajor3.0 (1).exe	takeown.exe
PID 4716 wrote to memory of 5036	4716	MrsMajor3.0 (1).exe	takeown.exe
PID 4716 wrote to memory of 4348	4716	MrsMajor3.0 (1).exe	icacls.exe
PID 4716 wrote to memory of 4348	4716	MrsMajor3.0 (1).exe	icacls.exe
PID 4716 wrote to memory of 1808	4716	MrsMajor3.0 (1).exe	shutdown.exe
PID 4716 wrote to memory of 1808	4716	MrsMajor3.0 (1).exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\BALDI.exe
"C:\Users\Admin\AppData\Local\Temp\BALDI.exe"
1⤵
PID:864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244 0x358
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2836

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
1⤵
- Opens file in notepad (likely ransom note)
PID:5076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2828

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4076 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=752 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5048 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4072 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5552 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5608 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5a44e155hb002h410bhb368h76a7d17218bb
1⤵
PID:4660

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5784 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5328

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
- Suspicious use of WriteProcessMemory
PID:5364

C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5444 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6196 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6348 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6544 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6352 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6404 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=5360 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6736 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6800 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6424 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7092 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6936 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=7320 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7616 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7772 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=7848 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=6432 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:6092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=7176 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=8032 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=6832 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=6496 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=8212 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=8484 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=8652 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=8704 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=8836 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=9016 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=8464 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=9012 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=8512 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --mojo-platform-channel-handle=8468 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --mojo-platform-channel-handle=8180 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9004 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8604 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5724

C:\Users\Admin\AppData\Local\Temp\Temp1_misis major v3.zip\Furios\CRACK FURIOS\CRACK FURIOS\KernelLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_misis major v3.zip\Furios\CRACK FURIOS\CRACK FURIOS\KernelLauncher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --mojo-platform-channel-handle=8892 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --mojo-platform-channel-handle=6136 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --mojo-platform-channel-handle=8968 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --mojo-platform-channel-handle=9152 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --mojo-platform-channel-handle=9208 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --mojo-platform-channel-handle=9152 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --mojo-platform-channel-handle=8292 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=7980 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9676 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=9752 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5676

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Umbral.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
2⤵
PID:4300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
2⤵
PID:5148

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
2⤵
- Detects videocard installed
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9396 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9396 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --mojo-platform-channel-handle=9572 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:3832

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
PID:2916

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
PID:852

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
PID:976

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
PID:1596

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
PID:4892

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
PID:3444

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --mojo-platform-channel-handle=10068 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --mojo-platform-channel-handle=9904 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1
1⤵
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=10040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=9792 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5580

C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe
"C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4716

C:\windows\system32\takeown.exe
"C:\windows\system32\takeown.exe" /f C:\
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5036

C:\windows\system32\icacls.exe
"C:\windows\system32\icacls.exe" C:\ /granted "Admin":F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4348

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /t 00
2⤵
PID:1808

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log
Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a6b6fd491e63e43bb85df978ae75c74f

SHA1
5d5bcdc539420f7a1cf9531ddd1b3ea13d4ac48c

SHA256
b3d0ec5df3bf5ad44ab09cab8c9cb321f1cb314981720890cab3a652031a7c6b

SHA512
711dadc96bacb79742235e821a16454177d4ca547cbb653723ae9036ecdbcb719b530cd04e9fb40fd6a783f4445d5618baa2232ee6e7baf8ee85f081f154f34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
efe05055dc30f1da03bd1653594f8b0a

SHA1
8650a67ec9d1b8eed7caa4e4c86ebb8531bc7ba2

SHA256
10b3d946f07601b28c5cd6ee36fd0fffb41f3d96094a478d088ce30ebf9a694d

SHA512
5096856b34336cafbd2ee4dc4709bfa39c8794d8fc42777a460b79d52482b699013f237dfee2ecaf2b21487cc933b807bc5bad9b81f7070ba0dc4f6efcfa2f36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7164c3d7c57ebbaec233482f2e1cc1f1

SHA1
a767f48a2a10c216470d0782100828f0bed91579

SHA256
65ca843513f0f6ee03ae9b357fd6fea801a17ffe23c8a04777f8f06a5f0206ae

SHA512
bc09ee737727408fa5a969a6eb2be0be83d521e4f3f6c0567e4caa28f09de2794d413fbef52a5a7243fb49005d69ab56052ce417440d07beadbc6684cb362951

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kk2s1lxe.let.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/864-1-0x0000000000F90000-0x0000000001538000-memory.dmp

Filesize
5.7MB

Download
memory/864-0-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

Filesize
8KB

Download
memory/864-5-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/864-4-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/864-3-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

Filesize
8KB

Download
memory/864-2-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/2036-42-0x00000246E1450000-0x00000246E1472000-memory.dmp

Filesize
136KB

Download
memory/2964-14-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-13-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-6-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-7-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-12-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-15-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-16-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-8-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-18-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/2964-17-0x000001C706790000-0x000001C706791000-memory.dmp

Filesize
4KB

Download
memory/4716-116-0x0000000000BB0000-0x00000000021B4000-memory.dmp

Filesize
22.0MB

Download
memory/4720-30-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/4720-19-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/4720-31-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/4720-29-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/4720-28-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/4720-20-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/4720-21-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/4720-26-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/4720-27-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

Filesize
4KB

Download
memory/5584-63-0x000001FAE14A0000-0x000001FAE14BE000-memory.dmp

Filesize
120KB

Download
memory/5584-36-0x000001FAC6EE0000-0x000001FAC6F20000-memory.dmp

Filesize
256KB

Download
memory/5584-99-0x000001FAE1660000-0x000001FAE1672000-memory.dmp

Filesize
72KB

Download
memory/5584-98-0x000001FAE14C0000-0x000001FAE14CA000-memory.dmp

Filesize
40KB

Download
memory/5584-62-0x000001FAE1610000-0x000001FAE1660000-memory.dmp

Filesize
320KB

Download
memory/5584-61-0x000001FAE1690000-0x000001FAE1706000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads