Analysis

  • max time kernel
    20s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/09/2022, 21:01

General

  • Target

    EXO_V5.exe

  • Size

    4.0MB

  • MD5

    1553d7bc2f09e7477e1e6dbb67199f94

  • SHA1

    fe9f43aa44c6b4912a8403e6494b8ae27933dc8c

  • SHA256

    11f4c19dd5f3558a1316b00a3518c88388d5ea893eed1ef8a3d482d0e40be6f3

  • SHA512

    cd5433fbc94f548823d25ae4107d916d54fbc8ba3644d0b21115a2edf36a07f97f785d155061d177f934da0af14092cb5acaa494feffbfbd3986968eacc6892d

  • SSDEEP

    98304:Fcs7PbvtLQkH1K5iUK7vgX7WFhMBdEXFCtMi0eRsKY:mYbWkVK5iO7diCt7E

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe
    "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1968
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
    • C:\Windows\system32\cmd.exe
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:1176
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:316
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:868
    • C:\Windows\system32\cmd.exe
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
        PID:916
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe" MD5
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1120
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe" MD5
          3⤵
            PID:1068
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:808
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1736
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:804
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:432
        • C:\Windows\system32\cmd.exe
          cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\system32\sc.exe
            sc stop HTTPDebuggerPro
            3⤵
            • Launches sc.exe
            PID:992
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
          2⤵
            PID:1724
            • C:\Windows\system32\taskkill.exe
              taskkill /IM HTTPDebuggerSvc.exe /F
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1984
          • C:\Windows\system32\cmd.exe
            cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
            2⤵
              PID:1088
            • C:\Windows\system32\cmd.exe
              cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
              2⤵
                PID:1836
                • C:\Windows\system32\taskkill.exe
                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1104
              • C:\Windows\system32\cmd.exe
                cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                2⤵
                  PID:276
                  • C:\Windows\system32\taskkill.exe
                    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1668
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                  2⤵
                    PID:972
                    • C:\Windows\system32\taskkill.exe
                      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:564
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                    2⤵
                      PID:468
                      • C:\Windows\system32\sc.exe
                        sc stop HTTPDebuggerPro
                        3⤵
                        • Launches sc.exe
                        PID:1720
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                      2⤵
                        PID:1656
                        • C:\Windows\system32\taskkill.exe
                          taskkill /IM HTTPDebuggerSvc.exe /F
                          3⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1284
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                        2⤵
                          PID:556
                        • C:\Windows\system32\cmd.exe
                          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                          2⤵
                            PID:1096
                            • C:\Windows\system32\taskkill.exe
                              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                              3⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1624
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                            2⤵
                              PID:1644
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1808
                            • C:\Windows\system32\cmd.exe
                              cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                              2⤵
                                PID:240
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                  3⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:876
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                2⤵
                                  PID:1416
                                  • C:\Windows\system32\sc.exe
                                    sc stop HTTPDebuggerPro
                                    3⤵
                                    • Launches sc.exe
                                    PID:1968
                                • C:\Windows\system32\cmd.exe
                                  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                  2⤵
                                    PID:1620
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /IM HTTPDebuggerSvc.exe /F
                                      3⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:520
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                    2⤵
                                      PID:340
                                    • C:\Windows\system32\cmd.exe
                                      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                      2⤵
                                        PID:1256
                                        • C:\Windows\system32\taskkill.exe
                                          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                          3⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1604
                                      • C:\Windows\system32\cmd.exe
                                        cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                        2⤵
                                          PID:624
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                            3⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1536
                                        • C:\Windows\system32\cmd.exe
                                          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                          2⤵
                                            PID:1332
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                              3⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:988
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                            2⤵
                                              PID:1848
                                              • C:\Windows\system32\sc.exe
                                                sc stop HTTPDebuggerPro
                                                3⤵
                                                • Launches sc.exe
                                                PID:1688
                                            • C:\Windows\system32\cmd.exe
                                              cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                              2⤵
                                                PID:1348
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /IM HTTPDebuggerSvc.exe /F
                                                  3⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:688
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                2⤵
                                                  PID:1816
                                                • C:\Windows\system32\cmd.exe
                                                  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                  2⤵
                                                    PID:804
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:340
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                    2⤵
                                                      PID:912
                                                      • C:\Windows\system32\taskkill.exe
                                                        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                        3⤵
                                                        • Kills process with taskkill
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:564
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                      2⤵
                                                        PID:976
                                                        • C:\Windows\system32\taskkill.exe
                                                          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                          3⤵
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1304
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                        2⤵
                                                          PID:1640
                                                          • C:\Windows\system32\sc.exe
                                                            sc stop HTTPDebuggerPro
                                                            3⤵
                                                            • Launches sc.exe
                                                            PID:1524
                                                        • C:\Windows\system32\cmd.exe
                                                          cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                          2⤵
                                                            PID:1516
                                                            • C:\Windows\system32\taskkill.exe
                                                              taskkill /IM HTTPDebuggerSvc.exe /F
                                                              3⤵
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:468
                                                          • C:\Windows\system32\cmd.exe
                                                            cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                            2⤵
                                                              PID:240
                                                            • C:\Windows\system32\cmd.exe
                                                              cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                              2⤵
                                                                PID:1088
                                                                • C:\Windows\system32\taskkill.exe
                                                                  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                  3⤵
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:960
                                                              • C:\Windows\system32\cmd.exe
                                                                cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                                2⤵
                                                                  PID:1176
                                                                  • C:\Windows\system32\taskkill.exe
                                                                    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                    3⤵
                                                                    • Kills process with taskkill
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1644
                                                                • C:\Windows\system32\cmd.exe
                                                                  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                  2⤵
                                                                    PID:1288
                                                                    • C:\Windows\system32\taskkill.exe
                                                                      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                      3⤵
                                                                      • Kills process with taskkill
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1616
                                                                  • C:\Windows\system32\cmd.exe
                                                                    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                                    2⤵
                                                                      PID:1568
                                                                      • C:\Windows\system32\sc.exe
                                                                        sc stop HTTPDebuggerPro
                                                                        3⤵
                                                                        • Launches sc.exe
                                                                        PID:276
                                                                    • C:\Windows\system32\cmd.exe
                                                                      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                                      2⤵
                                                                        PID:316
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          taskkill /IM HTTPDebuggerSvc.exe /F
                                                                          3⤵
                                                                          • Kills process with taskkill
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:992
                                                                      • C:\Windows\system32\cmd.exe
                                                                        cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                        2⤵
                                                                          PID:664
                                                                        • C:\Windows\system32\cmd.exe
                                                                          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                                          2⤵
                                                                            PID:1660
                                                                            • C:\Windows\system32\taskkill.exe
                                                                              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                              3⤵
                                                                              • Kills process with taskkill
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1720
                                                                          • C:\Windows\system32\cmd.exe
                                                                            cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                                            2⤵
                                                                              PID:956
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                3⤵
                                                                                • Kills process with taskkill
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1256
                                                                            • C:\Windows\system32\cmd.exe
                                                                              cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                              2⤵
                                                                                PID:1712
                                                                                • C:\Windows\system32\taskkill.exe
                                                                                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                  3⤵
                                                                                  • Kills process with taskkill
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1960
                                                                              • C:\Windows\system32\cmd.exe
                                                                                cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                                                2⤵
                                                                                  PID:1104
                                                                                  • C:\Windows\system32\sc.exe
                                                                                    sc stop HTTPDebuggerPro
                                                                                    3⤵
                                                                                    • Launches sc.exe
                                                                                    PID:1812
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                                                  2⤵
                                                                                    PID:1120
                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                      taskkill /IM HTTPDebuggerSvc.exe /F
                                                                                      3⤵
                                                                                      • Kills process with taskkill
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1068
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                                    2⤵
                                                                                      PID:1324
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                                                      2⤵
                                                                                        PID:2136
                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                          3⤵
                                                                                          • Kills process with taskkill
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2192
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                                                        2⤵
                                                                                          PID:2144
                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                            3⤵
                                                                                            • Kills process with taskkill
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2200
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                                          2⤵
                                                                                            PID:2176
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                                                            2⤵
                                                                                              PID:2168
                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                taskkill /IM HTTPDebuggerSvc.exe /F
                                                                                                3⤵
                                                                                                • Kills process with taskkill
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2228
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                                                              2⤵
                                                                                                PID:2160
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                                                2⤵
                                                                                                  PID:2152
                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                1⤵
                                                                                                • Kills process with taskkill
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2208
                                                                                              • C:\Windows\system32\sc.exe
                                                                                                sc stop HTTPDebuggerPro
                                                                                                1⤵
                                                                                                • Launches sc.exe
                                                                                                PID:2184

                                                                                              Network

                                                                                              MITRE ATT&CK Enterprise v6

                                                                                              Replay Monitor

                                                                                              Loading Replay Monitor...

                                                                                              Downloads

                                                                                              • memory/1068-74-0x00000000FFD81000-0x00000000FFD83000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                              • memory/1752-58-0x000000013F060000-0x000000013FB5F000-memory.dmp

                                                                                                Filesize

                                                                                                11.0MB

                                                                                              • memory/1752-127-0x0000000077850000-0x00000000779F9000-memory.dmp

                                                                                                Filesize

                                                                                                1.7MB

                                                                                              • memory/1752-126-0x000000013F060000-0x000000013FB5F000-memory.dmp

                                                                                                Filesize

                                                                                                11.0MB

                                                                                              • memory/1752-54-0x000000013F060000-0x000000013FB5F000-memory.dmp

                                                                                                Filesize

                                                                                                11.0MB

                                                                                              • memory/1752-55-0x000000013F060000-0x000000013FB5F000-memory.dmp

                                                                                                Filesize

                                                                                                11.0MB

                                                                                              • memory/1752-57-0x000000013F060000-0x000000013FB5F000-memory.dmp

                                                                                                Filesize

                                                                                                11.0MB

                                                                                              • memory/1752-56-0x000000013F060000-0x000000013FB5F000-memory.dmp

                                                                                                Filesize

                                                                                                11.0MB

                                                                                              • memory/1752-60-0x000000013F060000-0x000000013FB5F000-memory.dmp

                                                                                                Filesize

                                                                                                11.0MB

                                                                                              • memory/1752-59-0x0000000077850000-0x00000000779F9000-memory.dmp

                                                                                                Filesize

                                                                                                1.7MB