11f4c19dd5f3558a1316b00a3518c88388d5ea893eed1ef8a3d482d0e40be6f3

Analysis

max time kernel
20s
max time network
10s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/09/2022, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXO_V5.exe
Size

4.0MB
MD5

1553d7bc2f09e7477e1e6dbb67199f94
SHA1

fe9f43aa44c6b4912a8403e6494b8ae27933dc8c
SHA256

11f4c19dd5f3558a1316b00a3518c88388d5ea893eed1ef8a3d482d0e40be6f3
SHA512

cd5433fbc94f548823d25ae4107d916d54fbc8ba3644d0b21115a2edf36a07f97f785d155061d177f934da0af14092cb5acaa494feffbfbd3986968eacc6892d
SSDEEP

98304:Fcs7PbvtLQkH1K5iUK7vgX7WFhMBdEXFCtMi0eRsKY:mYbWkVK5iO7diCt7E

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EXO_V5.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EXO_V5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EXO_V5.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1752-54-0x000000013F060000-0x000000013FB5F000-memory.dmp	themida
behavioral1/memory/1752-55-0x000000013F060000-0x000000013FB5F000-memory.dmp	themida
behavioral1/memory/1752-56-0x000000013F060000-0x000000013FB5F000-memory.dmp	themida
behavioral1/memory/1752-57-0x000000013F060000-0x000000013FB5F000-memory.dmp	themida
behavioral1/memory/1752-58-0x000000013F060000-0x000000013FB5F000-memory.dmp	themida
behavioral1/memory/1752-60-0x000000013F060000-0x000000013FB5F000-memory.dmp	themida
behavioral1/memory/1752-126-0x000000013F060000-0x000000013FB5F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EXO_V5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1752	EXO_V5.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1720	sc.exe
1968	sc.exe
1688	sc.exe
276	sc.exe
2184	sc.exe
1176	sc.exe
992	sc.exe
1524	sc.exe
1812	sc.exe

Kills process with taskkill 36 IoCs

evasion

pid	Process
1256	taskkill.exe
340	taskkill.exe
1616	taskkill.exe
1720	taskkill.exe
1604	taskkill.exe
2192	taskkill.exe
316	taskkill.exe
564	taskkill.exe
876	taskkill.exe
1512	taskkill.exe
1624	taskkill.exe
2208	taskkill.exe
1068	taskkill.exe
804	taskkill.exe
1284	taskkill.exe
992	taskkill.exe
988	taskkill.exe
688	taskkill.exe
1968	taskkill.exe
868	taskkill.exe
1668	taskkill.exe
1960	taskkill.exe
1776	taskkill.exe
1808	taskkill.exe
520	taskkill.exe
1984	taskkill.exe
1304	taskkill.exe
2200	taskkill.exe
564	taskkill.exe
468	taskkill.exe
960	taskkill.exe
1644	taskkill.exe
2228	taskkill.exe
432	taskkill.exe
1104	taskkill.exe
1536	taskkill.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	688	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 520	1752	EXO_V5.exe	29
PID 1752 wrote to memory of 520	1752	EXO_V5.exe	29
PID 1752 wrote to memory of 520	1752	EXO_V5.exe	29
PID 1752 wrote to memory of 624	1752	EXO_V5.exe	30
PID 1752 wrote to memory of 624	1752	EXO_V5.exe	30
PID 1752 wrote to memory of 624	1752	EXO_V5.exe	30
PID 1752 wrote to memory of 1648	1752	EXO_V5.exe	32
PID 1752 wrote to memory of 1648	1752	EXO_V5.exe	32
PID 1752 wrote to memory of 1648	1752	EXO_V5.exe	32
PID 1752 wrote to memory of 1708	1752	EXO_V5.exe	31
PID 1752 wrote to memory of 1708	1752	EXO_V5.exe	31
PID 1752 wrote to memory of 1708	1752	EXO_V5.exe	31
PID 1752 wrote to memory of 1332	1752	EXO_V5.exe	33
PID 1752 wrote to memory of 1332	1752	EXO_V5.exe	33
PID 1752 wrote to memory of 1332	1752	EXO_V5.exe	33
PID 520 wrote to memory of 1968	520	cmd.exe	37
PID 520 wrote to memory of 1968	520	cmd.exe	37
PID 520 wrote to memory of 1968	520	cmd.exe	37
PID 1648 wrote to memory of 316	1648	cmd.exe	36
PID 1648 wrote to memory of 316	1648	cmd.exe	36
PID 1648 wrote to memory of 316	1648	cmd.exe	36
PID 624 wrote to memory of 1512	624	cmd.exe	35
PID 624 wrote to memory of 1512	624	cmd.exe	35
PID 624 wrote to memory of 1512	624	cmd.exe	35
PID 1752 wrote to memory of 916	1752	EXO_V5.exe	34
PID 1752 wrote to memory of 916	1752	EXO_V5.exe	34
PID 1752 wrote to memory of 916	1752	EXO_V5.exe	34
PID 1708 wrote to memory of 1176	1708	cmd.exe	39
PID 1708 wrote to memory of 1176	1708	cmd.exe	39
PID 1708 wrote to memory of 1176	1708	cmd.exe	39
PID 1752 wrote to memory of 1120	1752	EXO_V5.exe	38
PID 1752 wrote to memory of 1120	1752	EXO_V5.exe	38
PID 1752 wrote to memory of 1120	1752	EXO_V5.exe	38
PID 1332 wrote to memory of 868	1332	cmd.exe	40
PID 1332 wrote to memory of 868	1332	cmd.exe	40
PID 1332 wrote to memory of 868	1332	cmd.exe	40
PID 1120 wrote to memory of 1068	1120	cmd.exe	41
PID 1120 wrote to memory of 1068	1120	cmd.exe	41
PID 1120 wrote to memory of 1068	1120	cmd.exe	41
PID 1752 wrote to memory of 808	1752	EXO_V5.exe	43
PID 1752 wrote to memory of 808	1752	EXO_V5.exe	43
PID 1752 wrote to memory of 808	1752	EXO_V5.exe	43
PID 1752 wrote to memory of 1164	1752	EXO_V5.exe	45
PID 1752 wrote to memory of 1164	1752	EXO_V5.exe	45
PID 1752 wrote to memory of 1164	1752	EXO_V5.exe	45
PID 1752 wrote to memory of 1736	1752	EXO_V5.exe	44
PID 1752 wrote to memory of 1736	1752	EXO_V5.exe	44
PID 1752 wrote to memory of 1736	1752	EXO_V5.exe	44
PID 808 wrote to memory of 1776	808	cmd.exe	47
PID 808 wrote to memory of 1776	808	cmd.exe	47
PID 808 wrote to memory of 1776	808	cmd.exe	47
PID 1752 wrote to memory of 1828	1752	EXO_V5.exe	46
PID 1752 wrote to memory of 1828	1752	EXO_V5.exe	46
PID 1752 wrote to memory of 1828	1752	EXO_V5.exe	46
PID 1752 wrote to memory of 1724	1752	EXO_V5.exe	51
PID 1752 wrote to memory of 1724	1752	EXO_V5.exe	51
PID 1752 wrote to memory of 1724	1752	EXO_V5.exe	51
PID 1828 wrote to memory of 992	1828	cmd.exe	50
PID 1828 wrote to memory of 992	1828	cmd.exe	50
PID 1828 wrote to memory of 992	1828	cmd.exe	50
PID 1164 wrote to memory of 432	1164	cmd.exe	49
PID 1164 wrote to memory of 432	1164	cmd.exe	49
PID 1164 wrote to memory of 432	1164	cmd.exe	49
PID 1736 wrote to memory of 804	1736	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe
"C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1176
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe" MD5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe" MD5
    3⤵
    PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:992
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1724
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1088
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:276
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:468
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1720
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1656
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:556
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1644
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:240
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1416
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1620
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:520
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:340
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1256
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:624
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1848
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1688
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1348
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1816
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:804
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:912
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:976
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1640
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:240
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1176
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1288
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1568
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:276
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:316
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:664
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1660
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:956
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1104
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1812
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1120
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1324
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2136
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2144
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2176
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2160
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2152

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-74-0x00000000FFD81000-0x00000000FFD83000-memory.dmp

Filesize
8KB

Download
memory/1752-58-0x000000013F060000-0x000000013FB5F000-memory.dmp

Filesize
11.0MB

Download
memory/1752-127-0x0000000077850000-0x00000000779F9000-memory.dmp

Filesize
1.7MB

Download
memory/1752-126-0x000000013F060000-0x000000013FB5F000-memory.dmp

Filesize
11.0MB

Download
memory/1752-54-0x000000013F060000-0x000000013FB5F000-memory.dmp

Filesize
11.0MB

Download
memory/1752-55-0x000000013F060000-0x000000013FB5F000-memory.dmp

Filesize
11.0MB

Download
memory/1752-57-0x000000013F060000-0x000000013FB5F000-memory.dmp

Filesize
11.0MB

Download
memory/1752-56-0x000000013F060000-0x000000013FB5F000-memory.dmp

Filesize
11.0MB

Download
memory/1752-60-0x000000013F060000-0x000000013FB5F000-memory.dmp

Filesize
11.0MB

Download
memory/1752-59-0x0000000077850000-0x00000000779F9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads