ab563cdc5365564bf2fb9cfcc24d555b1d7503b72b76284249e87c7fe0d29701

Analysis

max time kernel
120s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

m.vmp.exe
Size

12.8MB
MD5

9143eea9d3b98c66eea0624b95e399f5
SHA1

e136b1aff73539ea13cf1b9abf23f996c9ac93f7
SHA256

ab563cdc5365564bf2fb9cfcc24d555b1d7503b72b76284249e87c7fe0d29701
SHA512

954cf0584bbb4ffd09be7518ec7aa0edba8d46147a089b5042dceb6478fa3406ccdadb7d8fbeb293e70d82b6fa988fa0546b90a8fbcb0ab10fee10337ac546f0
SSDEEP

196608:2UA0BKIOC3XXSpeloS4Bm4EUtOzSiCg9nMRK4Hq9FOJ2JZ7kQE9cwKdc:2+XnXSpZS4RtOznMRK4IJp1uJ

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
32	m.vmp.exe
32	m.vmp.exe
32	m.vmp.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6116	sc.exe
2804	sc.exe
6096	sc.exe
3368	sc.exe
5268	sc.exe
4512	sc.exe
5252	sc.exe
5716	sc.exe
4288	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3272	4736	WerFault.exe	37

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 36 IoCs

evasion

pid	Process
5304	taskkill.exe
4600	taskkill.exe
4116	taskkill.exe
4016	taskkill.exe
6100	taskkill.exe
3660	taskkill.exe
5412	taskkill.exe
5652	taskkill.exe
3296	taskkill.exe
5368	taskkill.exe
6008	taskkill.exe
5688	taskkill.exe
5528	taskkill.exe
3112	taskkill.exe
4112	taskkill.exe
2532	taskkill.exe
5708	taskkill.exe
972	taskkill.exe
2484	taskkill.exe
5772	taskkill.exe
4332	taskkill.exe
476	taskkill.exe
5292	taskkill.exe
5880	taskkill.exe
6124	taskkill.exe
3592	taskkill.exe
4756	taskkill.exe
5696	taskkill.exe
5324	taskkill.exe
916	taskkill.exe
4920	taskkill.exe
2380	taskkill.exe
972	taskkill.exe
1156	taskkill.exe
5140	taskkill.exe
5808	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
32	m.vmp.exe
32	m.vmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
32	m.vmp.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	5116	firefox.exe
Token: SeDebugPrivilege	5116	firefox.exe
Token: SeDebugPrivilege	1156	cmd.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	5292	taskkill.exe
Token: SeDebugPrivilege	5708	taskkill.exe
Token: SeDebugPrivilege	5772	taskkill.exe
Token: SeDebugPrivilege	5880	taskkill.exe
Token: SeDebugPrivilege	6124	taskkill.exe
Token: SeDebugPrivilege	4756	cmd.exe
Token: SeDebugPrivilege	5304	taskkill.exe
Token: SeDebugPrivilege	5652	taskkill.exe
Token: SeDebugPrivilege	5696	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	5140	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	476	taskkill.exe
Token: SeDebugPrivilege	5688	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	5368	taskkill.exe
Token: SeDebugPrivilege	5528	taskkill.exe
Token: SeDebugPrivilege	6008	taskkill.exe
Token: SeDebugPrivilege	5808	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	5324	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	6100	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	5412	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5116	firefox.exe
5116	firefox.exe
5116	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5116	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 444	32	m.vmp.exe	89
PID 32 wrote to memory of 444	32	m.vmp.exe	89
PID 444 wrote to memory of 4920	444	cmd.exe	90
PID 444 wrote to memory of 4920	444	cmd.exe	90
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 760 wrote to memory of 5116	760	firefox.exe	94
PID 5116 wrote to memory of 4652	5116	firefox.exe	96
PID 5116 wrote to memory of 4652	5116	firefox.exe	96
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97
PID 5116 wrote to memory of 868	5116	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\m.vmp.exe
"C:\Users\Admin\AppData\Local\Temp\m.vmp.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1280
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5236
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5272
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\m.vmp.exe MD5 >> C:\ProgramData\hash.txt
  2⤵
  PID:5640
- - C:\Windows\system32\certutil.exe
    certutil -hashfile C:\Users\Admin\AppData\Local\Temp\m.vmp.exe MD5
    3⤵
    PID:5656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5684
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5812
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:6060
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:6096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:6108
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4600
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2600
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5704
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5712
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:6128
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2968
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5164
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:3340
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2756
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:8
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:212
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5332
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5684
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2960
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4256
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5456
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5616
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5968
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2668
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4776
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:6116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2892
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3476
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:560
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3908
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1488
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5876
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1800
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5260
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5144
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5396
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:760
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.0.206895569\294443323" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1688 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b99291db-7334-4a0e-9a16-f5c931edf5f2} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 1580 1c845dc3858 gpu
    3⤵
    PID:4652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.1.1584009105\1867980576" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ab31b8b-95c6-4bcd-a02d-5b2e6880d36f} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2408 1c839170158 socket
    3⤵
    - Checks processor information in registry
    PID:868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.2.964609667\909029581" -childID 1 -isForBrowser -prefsHandle 1736 -prefMapHandle 3016 -prefsLen 20999 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa716299-5a86-4cde-aa72-83fbac1de746} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2992 1c845d5e758 tab
    3⤵
    PID:4644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.3.706091603\585571053" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {978a0849-8705-4e15-883d-3bb124cb8c62} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 3572 1c839169958 tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.4.174813131\1364673430" -childID 3 -isForBrowser -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05db7623-d3e0-49fe-bccc-5db7cf5512e9} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 4748 1c84ba89d58 tab
    3⤵
    PID:4836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.7.1883294102\433356350" -childID 6 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {676a84fd-d372-48d7-80dd-4a9bbf78f68e} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5536 1c8494a3a58 tab
    3⤵
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.6.544868926\1354800157" -childID 5 -isForBrowser -prefsHandle 5356 -prefMapHandle 5428 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {babfe322-3a19-4233-b662-cb90a8dd4d00} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5348 1c84851bb58 tab
    3⤵
    PID:5360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.5.1001990686\1121557365" -childID 4 -isForBrowser -prefsHandle 5208 -prefMapHandle 5200 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed8e25d4-2057-4107-8f45-68ab8578ae62} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5216 1c839167e58 tab
    3⤵
    PID:5352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.8.792751477\1754002986" -childID 7 -isForBrowser -prefsHandle 4552 -prefMapHandle 4548 -prefsLen 26672 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4acdb291-3799-402d-84e0-42728ddc6a90} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2848 1c848dd0558 tab
    3⤵
    PID:5964

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\bd0f0affbce441509bab5bd916835f18 /t 1340 /p 32
1⤵
PID:416

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4736 -ip 4736
1⤵
PID:1292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4736 -s 2016
1⤵
- Program crash
PID:3272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hash.txt

Filesize
145B

MD5
c39166d09bc5ee7fbeaea5925bf897e9

SHA1
220d37298a0afc067a06e631e503039fdc11acc6

SHA256
25d6b50d4d6d65a91e852647f6b46456a61e92fc2d8fddc7ed46a44be6fdecbb

SHA512
5a95ebc317943f5899f3a3db8923de6715c8752830976d2b4dd96eff87706588d771fc81d0c10816a855023352307a13d0fa652d662b69c20a4458ff83986a41

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
148KB

MD5
5df7109c1924f5bd5d97ab1d70d575f7

SHA1
1f38b9c2397bdc6c95fc0cbdf70142597d0fb837

SHA256
fea4e94432a5c054d4a19f8f4b49327a8b2ca4c806ec93e2949dc8b2f11fe65a

SHA512
29e1a0724c7026845bb358f4663237e514da129f552afda6e0eb9de5b537d0a8daca1b0d3aacbcdb0827e208992e1746be8f7d1fb4712d3ea6f9aeaab74509b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

Filesize
6KB

MD5
0f61390d44f36b76e01217d62739a38e

SHA1
43f31e9b45b201146aabe160f6dad3d58facb3b7

SHA256
b3c067c4d3ff1da769e853f8585c8df3184ff5bbdb5d265e00a549daba151f51

SHA512
37397dd3095c074fad447fea7fa4654295178682427d0cf05904dc557a5f464a637b001046a59cf9cb25de6b46b196ec88cbaa66fae6fca342e9d65055b6a140

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js

Filesize
6KB

MD5
e3119fb5106903f22d471762ea523c30

SHA1
ebb794a54258c1b8cbb570deec2c0c9c3c07592c

SHA256
5a169b3f8d849cc22babeef39b9fae007cd473fa9418bd0cb036f65df1101ee2

SHA512
5cdd88813d6858dfacd5e2684ba99752f9e0c1e03a0aadd3bfd6c8b7fd76d856939b2d8cd474a29b0c84335169fcd3faaea725a63eab5a387a7a203a03135026

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1ca8aef71b8d7c17a44a420085243a46

SHA1
9ad57ecaebb2fa48544c797b1c38539d15f505d1

SHA256
07c2583a907aa1583d0ac915ebc485e093226645465f075f980f39e9912d37c8

SHA512
86066272b5df97a2207c6fd31a5b829894f74324eeeac6f69e0345904039fdf130092e00fae5d7a15e63c11ad33fe1979865e4b9e3f6955bac40d8b9d8d3537e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
e80fec4ce3661a57e12d00648357efe8

SHA1
eb7940cac1ccc0007e42d410d7aab2e48fc1314b

SHA256
21665a0464900bbc2464cbca5064fee77cac0f4d8bd2239909bfb54e33d75dd4

SHA512
e41a46d69d7ba807ebeeb1118b507faf5c3b0b69af28186b480ad39a5735c8c3bff70a94e6bd62fe25f7506e63136be3e7da30dd49a0345c384df6a83a893c30

Download Submit
memory/32-137-0x00007FF603520000-0x00007FF604A5F000-memory.dmp

Filesize
21.2MB

Download
memory/32-196-0x00007FF603520000-0x00007FF604A5F000-memory.dmp

Filesize
21.2MB

Download
memory/32-133-0x00007FF603520000-0x00007FF604A5F000-memory.dmp

Filesize
21.2MB

Download
memory/32-136-0x00007FFA29360000-0x00007FFA29362000-memory.dmp

Filesize
8KB

Download
memory/32-135-0x00007FFA29350000-0x00007FFA29352000-memory.dmp

Filesize
8KB

Download
memory/32-354-0x00007FF603520000-0x00007FF604A5F000-memory.dmp

Filesize
21.2MB

Download