11f4c19dd5f3558a1316b00a3518c88388d5ea893eed1ef8a3d482d0e40be6f3

Analysis

max time kernel
30s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2022 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXO_V5.exe
Size

4.0MB
MD5

1553d7bc2f09e7477e1e6dbb67199f94
SHA1

fe9f43aa44c6b4912a8403e6494b8ae27933dc8c
SHA256

11f4c19dd5f3558a1316b00a3518c88388d5ea893eed1ef8a3d482d0e40be6f3
SHA512

cd5433fbc94f548823d25ae4107d916d54fbc8ba3644d0b21115a2edf36a07f97f785d155061d177f934da0af14092cb5acaa494feffbfbd3986968eacc6892d
SSDEEP

98304:Fcs7PbvtLQkH1K5iUK7vgX7WFhMBdEXFCtMi0eRsKY:mYbWkVK5iO7diCt7E

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EXO_V5.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EXO_V5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EXO_V5.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1056-132-0x00007FF62F630000-0x00007FF63012F000-memory.dmp	themida
behavioral2/memory/1056-134-0x00007FF62F630000-0x00007FF63012F000-memory.dmp	themida
behavioral2/memory/1056-135-0x00007FF62F630000-0x00007FF63012F000-memory.dmp	themida
behavioral2/memory/1056-136-0x00007FF62F630000-0x00007FF63012F000-memory.dmp	themida
behavioral2/memory/1056-137-0x00007FF62F630000-0x00007FF63012F000-memory.dmp	themida
behavioral2/memory/1056-138-0x00007FF62F630000-0x00007FF63012F000-memory.dmp	themida
behavioral2/memory/1056-139-0x00007FF62F630000-0x00007FF63012F000-memory.dmp	themida
behavioral2/memory/1056-204-0x00007FF62F630000-0x00007FF63012F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EXO_V5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1056	EXO_V5.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2336	sc.exe
8	sc.exe
2988	sc.exe
4668	sc.exe
2924	sc.exe
2336	sc.exe
4348	sc.exe
3308	sc.exe
1840	sc.exe

Kills process with taskkill 36 IoCs

evasion

pid	Process
4308	taskkill.exe
1212	taskkill.exe
1116	taskkill.exe
3872	taskkill.exe
2408	taskkill.exe
3224	taskkill.exe
1208	taskkill.exe
1952	taskkill.exe
2412	taskkill.exe
4728	taskkill.exe
4356	taskkill.exe
4320	taskkill.exe
2172	taskkill.exe
1924	taskkill.exe
1004	taskkill.exe
4940	taskkill.exe
3888	taskkill.exe
1544	taskkill.exe
5008	taskkill.exe
3204	taskkill.exe
4304	taskkill.exe
3132	taskkill.exe
2972	taskkill.exe
2236	taskkill.exe
2224	taskkill.exe
4232	taskkill.exe
1520	taskkill.exe
1556	taskkill.exe
380	taskkill.exe
3228	taskkill.exe
3776	taskkill.exe
4056	taskkill.exe
3932	taskkill.exe
3756	taskkill.exe
2200	taskkill.exe
4624	taskkill.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	3224	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1300	1056	EXO_V5.exe	83
PID 1056 wrote to memory of 1300	1056	EXO_V5.exe	83
PID 1056 wrote to memory of 1296	1056	EXO_V5.exe	84
PID 1056 wrote to memory of 1296	1056	EXO_V5.exe	84
PID 1056 wrote to memory of 3816	1056	EXO_V5.exe	85
PID 1056 wrote to memory of 3816	1056	EXO_V5.exe	85
PID 1056 wrote to memory of 3248	1056	EXO_V5.exe	86
PID 1056 wrote to memory of 3248	1056	EXO_V5.exe	86
PID 1300 wrote to memory of 1556	1300	cmd.exe	89
PID 1300 wrote to memory of 1556	1300	cmd.exe	89
PID 1056 wrote to memory of 1480	1056	EXO_V5.exe	87
PID 1056 wrote to memory of 1480	1056	EXO_V5.exe	87
PID 3816 wrote to memory of 1208	3816	cmd.exe	90
PID 3816 wrote to memory of 1208	3816	cmd.exe	90
PID 1296 wrote to memory of 1520	1296	cmd.exe	88
PID 1296 wrote to memory of 1520	1296	cmd.exe	88
PID 1056 wrote to memory of 116	1056	EXO_V5.exe	92
PID 1056 wrote to memory of 116	1056	EXO_V5.exe	92
PID 3248 wrote to memory of 4348	3248	cmd.exe	91
PID 3248 wrote to memory of 4348	3248	cmd.exe	91
PID 1056 wrote to memory of 228	1056	EXO_V5.exe	93
PID 1056 wrote to memory of 228	1056	EXO_V5.exe	93
PID 1480 wrote to memory of 3132	1480	cmd.exe	95
PID 1480 wrote to memory of 3132	1480	cmd.exe	95
PID 228 wrote to memory of 2508	228	cmd.exe	94
PID 228 wrote to memory of 2508	228	cmd.exe	94
PID 1056 wrote to memory of 2452	1056	EXO_V5.exe	97
PID 1056 wrote to memory of 2452	1056	EXO_V5.exe	97
PID 1056 wrote to memory of 1248	1056	EXO_V5.exe	98
PID 1056 wrote to memory of 1248	1056	EXO_V5.exe	98
PID 1056 wrote to memory of 1732	1056	EXO_V5.exe	99
PID 1056 wrote to memory of 1732	1056	EXO_V5.exe	99
PID 1056 wrote to memory of 4532	1056	EXO_V5.exe	100
PID 1056 wrote to memory of 4532	1056	EXO_V5.exe	100
PID 1056 wrote to memory of 3156	1056	EXO_V5.exe	102
PID 1056 wrote to memory of 3156	1056	EXO_V5.exe	102
PID 1056 wrote to memory of 3572	1056	EXO_V5.exe	101
PID 1056 wrote to memory of 3572	1056	EXO_V5.exe	101
PID 2452 wrote to memory of 1004	2452	cmd.exe	107
PID 2452 wrote to memory of 1004	2452	cmd.exe	107
PID 1248 wrote to memory of 2172	1248	cmd.exe	103
PID 1248 wrote to memory of 2172	1248	cmd.exe	103
PID 4532 wrote to memory of 3308	4532	cmd.exe	106
PID 4532 wrote to memory of 3308	4532	cmd.exe	106
PID 1732 wrote to memory of 1924	1732	cmd.exe	104
PID 1732 wrote to memory of 1924	1732	cmd.exe	104
PID 3156 wrote to memory of 1952	3156	cmd.exe	105
PID 3156 wrote to memory of 1952	3156	cmd.exe	105
PID 1056 wrote to memory of 3032	1056	EXO_V5.exe	108
PID 1056 wrote to memory of 3032	1056	EXO_V5.exe	108
PID 1056 wrote to memory of 3416	1056	EXO_V5.exe	109
PID 1056 wrote to memory of 3416	1056	EXO_V5.exe	109
PID 1056 wrote to memory of 4228	1056	EXO_V5.exe	110
PID 1056 wrote to memory of 4228	1056	EXO_V5.exe	110
PID 1056 wrote to memory of 3688	1056	EXO_V5.exe	111
PID 1056 wrote to memory of 3688	1056	EXO_V5.exe	111
PID 1056 wrote to memory of 4172	1056	EXO_V5.exe	112
PID 1056 wrote to memory of 4172	1056	EXO_V5.exe	112
PID 1056 wrote to memory of 2460	1056	EXO_V5.exe	113
PID 1056 wrote to memory of 2460	1056	EXO_V5.exe	113
PID 3416 wrote to memory of 380	3416	cmd.exe	115
PID 3416 wrote to memory of 380	3416	cmd.exe	115
PID 3688 wrote to memory of 2336	3688	cmd.exe	116
PID 3688 wrote to memory of 2336	3688	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe
"C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4348
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe" MD5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe" MD5
    3⤵
    PID:2508
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3308
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4228
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2336
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4172
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2460
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1920
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2564
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1844
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1840
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1832
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3056
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2812
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4556
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1640
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:8
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4580
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4508
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1380
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3888
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3984
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4668
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:792
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1548
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:224
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:116
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1256
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2336
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:3632
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2068
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5060
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1456
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:60
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1532
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2172
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2804
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1064
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2924
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3320
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2976
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-196-0x0000000000000000-mapping.dmp

Download
memory/116-148-0x0000000000000000-mapping.dmp

Download
memory/228-150-0x0000000000000000-mapping.dmp

Download
memory/380-170-0x0000000000000000-mapping.dmp

Download
memory/792-201-0x0000000000000000-mapping.dmp

Download
memory/1004-159-0x0000000000000000-mapping.dmp

Download
memory/1056-136-0x00007FF62F630000-0x00007FF63012F000-memory.dmp

Filesize
11.0MB

Download
memory/1056-139-0x00007FF62F630000-0x00007FF63012F000-memory.dmp

Filesize
11.0MB

Download
memory/1056-138-0x00007FF62F630000-0x00007FF63012F000-memory.dmp

Filesize
11.0MB

Download
memory/1056-137-0x00007FF62F630000-0x00007FF63012F000-memory.dmp

Filesize
11.0MB

Download
memory/1056-205-0x00007FFA505B0000-0x00007FFA507A5000-memory.dmp

Filesize
2.0MB

Download
memory/1056-204-0x00007FF62F630000-0x00007FF63012F000-memory.dmp

Filesize
11.0MB

Download
memory/1056-132-0x00007FF62F630000-0x00007FF63012F000-memory.dmp

Filesize
11.0MB

Download
memory/1056-135-0x00007FF62F630000-0x00007FF63012F000-memory.dmp

Filesize
11.0MB

Download
memory/1056-134-0x00007FF62F630000-0x00007FF63012F000-memory.dmp

Filesize
11.0MB

Download
memory/1056-133-0x00007FFA505B0000-0x00007FFA507A5000-memory.dmp

Filesize
2.0MB

Download
memory/1208-146-0x0000000000000000-mapping.dmp

Download
memory/1248-154-0x0000000000000000-mapping.dmp

Download
memory/1296-141-0x0000000000000000-mapping.dmp

Download
memory/1300-140-0x0000000000000000-mapping.dmp

Download
memory/1380-195-0x0000000000000000-mapping.dmp

Download
memory/1480-145-0x0000000000000000-mapping.dmp

Download
memory/1520-147-0x0000000000000000-mapping.dmp

Download
memory/1548-202-0x0000000000000000-mapping.dmp

Download
memory/1556-144-0x0000000000000000-mapping.dmp

Download
memory/1640-184-0x0000000000000000-mapping.dmp

Download
memory/1732-155-0x0000000000000000-mapping.dmp

Download
memory/1832-179-0x0000000000000000-mapping.dmp

Download
memory/1840-198-0x0000000000000000-mapping.dmp

Download
memory/1844-178-0x0000000000000000-mapping.dmp

Download
memory/1920-176-0x0000000000000000-mapping.dmp

Download
memory/1924-162-0x0000000000000000-mapping.dmp

Download
memory/1932-192-0x0000000000000000-mapping.dmp

Download
memory/1952-163-0x0000000000000000-mapping.dmp

Download
memory/2172-160-0x0000000000000000-mapping.dmp

Download
memory/2204-180-0x0000000000000000-mapping.dmp

Download
memory/2336-171-0x0000000000000000-mapping.dmp

Download
memory/2408-173-0x0000000000000000-mapping.dmp

Download
memory/2412-190-0x0000000000000000-mapping.dmp

Download
memory/2440-175-0x0000000000000000-mapping.dmp

Download
memory/2452-153-0x0000000000000000-mapping.dmp

Download
memory/2460-169-0x0000000000000000-mapping.dmp

Download
memory/2508-152-0x0000000000000000-mapping.dmp

Download
memory/2564-177-0x0000000000000000-mapping.dmp

Download
memory/2812-182-0x0000000000000000-mapping.dmp

Download
memory/2972-174-0x0000000000000000-mapping.dmp

Download
memory/3032-164-0x0000000000000000-mapping.dmp

Download
memory/3056-181-0x0000000000000000-mapping.dmp

Download
memory/3132-151-0x0000000000000000-mapping.dmp

Download
memory/3156-157-0x0000000000000000-mapping.dmp

Download
memory/3228-187-0x0000000000000000-mapping.dmp

Download
memory/3248-143-0x0000000000000000-mapping.dmp

Download
memory/3308-161-0x0000000000000000-mapping.dmp

Download
memory/3416-165-0x0000000000000000-mapping.dmp

Download
memory/3572-158-0x0000000000000000-mapping.dmp

Download
memory/3688-167-0x0000000000000000-mapping.dmp

Download
memory/3756-189-0x0000000000000000-mapping.dmp

Download
memory/3776-188-0x0000000000000000-mapping.dmp

Download
memory/3816-142-0x0000000000000000-mapping.dmp

Download
memory/3888-203-0x0000000000000000-mapping.dmp

Download
memory/3984-200-0x0000000000000000-mapping.dmp

Download
memory/4056-199-0x0000000000000000-mapping.dmp

Download
memory/4172-168-0x0000000000000000-mapping.dmp

Download
memory/4228-166-0x0000000000000000-mapping.dmp

Download
memory/4308-191-0x0000000000000000-mapping.dmp

Download
memory/4348-149-0x0000000000000000-mapping.dmp

Download
memory/4356-193-0x0000000000000000-mapping.dmp

Download
memory/4508-194-0x0000000000000000-mapping.dmp

Download
memory/4532-156-0x0000000000000000-mapping.dmp

Download
memory/4556-183-0x0000000000000000-mapping.dmp

Download
memory/4580-185-0x0000000000000000-mapping.dmp

Download
memory/4664-186-0x0000000000000000-mapping.dmp

Download
memory/4728-197-0x0000000000000000-mapping.dmp

Download
memory/4940-172-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads