Analysis
- max time kernel: 120s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/07/2023, 16:58
Static task: static1
Behavioral task: behavioral1
- Sample: m.vmp.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: m.vmp.exe
- Resource: win10v2004-20230703-en
General
- Target: m.vmp.exe
- Size: 12.8MB
- MD5: 9143eea9d3b98c66eea0624b95e399f5
- SHA1: e136b1aff73539ea13cf1b9abf23f996c9ac93f7
- SHA256: ab563cdc5365564bf2fb9cfcc24d555b1d7503b72b76284249e87c7fe0d29701
- SHA512: 954cf0584bbb4ffd09be7518ec7aa0edba8d46147a089b5042dceb6478fa3406ccdadb7d8fbeb293e70d82b6fa988fa0546b90a8fbcb0ab10fee10337ac546f0
- SSDEEP: 196608:2UA0BKIOC3XXSpeloS4Bm4EUtOzSiCg9nMRK4Hq9FOJ2JZ7kQE9cwKdc:2+XnXSpZS4RtOznMRK4IJp1uJ
Malware Config
Signatures
- Stops running service(s) (3 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid / Process: 32 m.vmp.exe (×3)
- Launches sc.exe (9 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid / Process: 6116, 2804, 6096, 3368, 5268, 4512, 5252, 5716, 4288 (all sc.exe)
- Program crash (1 IoC)
  pid 3272 WerFault.exe, pid_target 4736, procid_target 37
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process firefox.exe in every case:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Kills process with taskkill (36 IoCs)
  pid / Process (all taskkill.exe): 5304, 4600, 4116, 4016, 6100, 3660, 5412, 5652, 3296, 5368, 6008, 5688, 5528, 3112, 4112, 2532, 5708, 972, 2484, 5772, 4332, 476, 5292, 5880, 6124, 3592, 4756, 5696, 5324, 916, 4920, 2380, 972, 1156, 5140, 5808
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings (firefox.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process: 32 m.vmp.exe (×2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 32 m.vmp.exe
- Suspicious use of AdjustPrivilegeToken (38 IoCs)
  Token: SeDebugPrivilege in every case.
  - taskkill.exe: 4920, 2532, 5292, 5708, 5772, 5880, 6124, 5304, 5652, 5696, 3296, 972, 5140, 4600, 2484, 4332, 476, 5688, 4116, 5368, 5528, 6008, 5808, 2380, 3112, 4112, 5324, 4016, 3592, 6100, 916, 3660, 972, 5412
  - firefox.exe: 5116 (×2)
  - cmd.exe: 1156, 4756
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / Process: 5116 firefox.exe (×4)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid / Process: 5116 firefox.exe (×3)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 5116 firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid -> target pid (Process, procid_target), identical rows grouped with their count:
  - 32 -> 444 (m.vmp.exe, 89) ×2
  - 444 -> 4920 (cmd.exe, 90) ×2
  - 760 -> 5116 (firefox.exe, 94) ×11
  - 5116 -> 4652 (firefox.exe, 96) ×2
  - 5116 -> 868 (firefox.exe, 97) ×47
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree, indented by depth; each entry is the command line, with the image path in brackets where the command line does not already start with it, followed by the PID.
- "C:\Users\Admin\AppData\Local\Temp\m.vmp.exe" (PID 32)
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 444)
    Signatures: Suspicious use of WriteProcessMemory
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 4920)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 1280)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 1156)
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 3836)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 2532)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 5236)
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 5252)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 5272)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 5292)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 5336)
  - C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\m.vmp.exe MD5 >> C:\ProgramData\hash.txt (PID 5640)
    - [C:\Windows\system32\certutil.exe] certutil -hashfile C:\Users\Admin\AppData\Local\Temp\m.vmp.exe MD5 (PID 5656)
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 5684)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 5708)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 5744)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 5772)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 5812)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 5880)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 6060)
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 6096)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 6108)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 6124)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 2092)
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 4600)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 4756)
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 5244)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 5304)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 2600)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 5652)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 5704)
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 3368)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 5712)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 5696)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 5744)
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 6128)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 3296)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 2968)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 972)
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 5164)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 5140)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 4756)
    Signatures: Suspicious use of AdjustPrivilegeToken
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 5268)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 3340)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 4600)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 3288)
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 2756)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 2484)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 8)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 4332)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 212)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 476)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 5332)
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 5716)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 5684)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 5688)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 5428)
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 2960)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 4116)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 4256)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 5368)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 5456)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 5528)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 5616)
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 4512)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 5968)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 6008)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 6052)
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 2668)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 5808)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 5844)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 2380)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 4776)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 3112)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 1156)
    Signatures: Suspicious use of AdjustPrivilegeToken
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 6116)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 2892)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 4112)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 4552)
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 5080)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 5324)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 3476)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 4016)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 560)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 3592)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 3908)
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 2804)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 1488)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 6100)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 4716)
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 5876)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 916)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 1800)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 3660)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 5260)
    - [C:\Windows\system32\taskkill.exe] taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 972)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 5144)
    - [C:\Windows\system32\sc.exe] sc stop HTTPDebuggerPro (PID 4288)
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 5396)
    - [C:\Windows\system32\taskkill.exe] taskkill /IM HTTPDebuggerSvc.exe /F (PID 5412)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 5500)
- "C:\Program Files\Mozilla Firefox\firefox.exe" (PID 760)
  Signatures: Suspicious use of WriteProcessMemory
  - "C:\Program Files\Mozilla Firefox\firefox.exe" (PID 5116)
    Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.0.206895569\294443323" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1688 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b99291db-7334-4a0e-9a16-f5c931edf5f2} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 1580 1c845dc3858 gpu (PID 4652)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.1.1584009105\1867980576" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ab31b8b-95c6-4bcd-a02d-5b2e6880d36f} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2408 1c839170158 socket (PID 868)
      Signatures: Checks processor information in registry
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.2.964609667\909029581" -childID 1 -isForBrowser -prefsHandle 1736 -prefMapHandle 3016 -prefsLen 20999 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa716299-5a86-4cde-aa72-83fbac1de746} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2992 1c845d5e758 tab (PID 4644)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.3.706091603\585571053" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {978a0849-8705-4e15-883d-3bb124cb8c62} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 3572 1c839169958 tab (PID 4856)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.4.174813131\1364673430" -childID 3 -isForBrowser -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05db7623-d3e0-49fe-bccc-5db7cf5512e9} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 4748 1c84ba89d58 tab (PID 4836)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.7.1883294102\433356350" -childID 6 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {676a84fd-d372-48d7-80dd-4a9bbf78f68e} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5536 1c8494a3a58 tab (PID 5368)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.6.544868926\1354800157" -childID 5 -isForBrowser -prefsHandle 5356 -prefMapHandle 5428 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {babfe322-3a19-4233-b662-cb90a8dd4d00} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5348 1c84851bb58 tab (PID 5360)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.5.1001990686\1121557365" -childID 4 -isForBrowser -prefsHandle 5208 -prefMapHandle 5200 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed8e25d4-2057-4107-8f45-68ab8578ae62} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5216 1c839167e58 tab (PID 5352)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.8.792751477\1754002986" -childID 7 -isForBrowser -prefsHandle 4552 -prefMapHandle 4548 -prefsLen 26672 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4acdb291-3799-402d-84e0-42728ddc6a90} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2848 1c848dd0558 tab (PID 5964)
- [C:\Windows\system32\werfault.exe] werfault.exe /h /shared Global\bd0f0affbce441509bab5bd916835f18 /t 1340 /p 32 (PID 416)
- C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} (PID 2756)
- C:\Windows\system32\WerFault.exe -pss -s 540 -p 4736 -ip 4736 (PID 1292)
- C:\Windows\system32\WerFault.exe -u -p 4736 -s 2016 (PID 3272)
  Signatures: Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads