Analysis

  • max time kernel
    120s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/07/2023, 16:58

General

  • Target

    m.vmp.exe

  • Size

    12.8MB

  • MD5

    9143eea9d3b98c66eea0624b95e399f5

  • SHA1

    e136b1aff73539ea13cf1b9abf23f996c9ac93f7

  • SHA256

    ab563cdc5365564bf2fb9cfcc24d555b1d7503b72b76284249e87c7fe0d29701

  • SHA512

    954cf0584bbb4ffd09be7518ec7aa0edba8d46147a089b5042dceb6478fa3406ccdadb7d8fbeb293e70d82b6fa988fa0546b90a8fbcb0ab10fee10337ac546f0

  • SSDEEP

    196608:2UA0BKIOC3XXSpeloS4Bm4EUtOzSiCg9nMRK4Hq9FOJ2JZ7kQE9cwKdc:2+XnXSpZS4RtOznMRK4IJp1uJ

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Launches sc.exe 9 IoCs

    sc.exe is a Windows utility used to control services on the system.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 36 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\m.vmp.exe
    "C:\Users\Admin\AppData\Local\Temp\m.vmp.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4920
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      PID:1280
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        PID:1156
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      PID:3836
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2532
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      PID:5236
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:5252
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      PID:5272
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5292
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:5336
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\m.vmp.exe MD5 >> C:\ProgramData\hash.txt
      2⤵
      PID:5640
      • C:\Windows\system32\certutil.exe
        certutil -hashfile C:\Users\Admin\AppData\Local\Temp\m.vmp.exe MD5
        3⤵
        PID:5656
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      PID:5684
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5708
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      PID:5744
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      PID:5812
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5880
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      PID:6060
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:6096
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      PID:6108
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:6124
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:2092
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      PID:4600
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        PID:4756
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      PID:5244
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5304
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      PID:2600
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5652
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      PID:5704
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:3368
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      PID:5712
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5696
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:5744
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      PID:6128
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3296
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      PID:2968
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        PID:972
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      PID:5164
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5140
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4756
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:5268
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      PID:3340
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4600
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:3288
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      PID:2756
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      PID:8
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4332
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      PID:212
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:476
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      PID:5332
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:5716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      PID:5684
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5688
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:5428
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      PID:2960
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4116
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      PID:4256
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5368
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      PID:5456
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5528
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      PID:5616
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:4512
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      PID:5968
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:6008
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:6052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      PID:2668
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5808
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      PID:5844
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2380
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      PID:4776
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3112
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:6116
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      PID:2892
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4112
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:4552
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      PID:5080
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5324
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      PID:3476
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                                            2⤵
                                                                                              PID:560
                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                3⤵
                                                                                                • Kills process with taskkill
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3592
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                                                              2⤵
                                                                                                PID:3908
                                                                                                • C:\Windows\system32\sc.exe
                                                                                                  sc stop HTTPDebuggerPro
                                                                                                  3⤵
                                                                                                  • Launches sc.exe
                                                                                                  PID:2804
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                                                                2⤵
                                                                                                  PID:1488
                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                    taskkill /IM HTTPDebuggerSvc.exe /F
                                                                                                    3⤵
                                                                                                    • Kills process with taskkill
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:6100
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                                                  2⤵
                                                                                                    PID:4716
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                                                                    2⤵
                                                                                                      PID:5876
                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                                        3⤵
                                                                                                        • Kills process with taskkill
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:916
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                                                                      2⤵
                                                                                                        PID:1800
                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                                          3⤵
                                                                                                          • Kills process with taskkill
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:3660
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                                                        2⤵
                                                                                                          PID:5260
                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                            3⤵
                                                                                                            • Kills process with taskkill
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:972
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                                                                          2⤵
                                                                                                            PID:5144
                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                              sc stop HTTPDebuggerPro
                                                                                                              3⤵
                                                                                                              • Launches sc.exe
                                                                                                              PID:4288
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                                                                            2⤵
                                                                                                              PID:5396
                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                taskkill /IM HTTPDebuggerSvc.exe /F
                                                                                                                3⤵
                                                                                                                • Kills process with taskkill
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:5412
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                                                              2⤵
                                                                                                                PID:5500
                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                              1⤵
                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                              PID:760
                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                                2⤵
                                                                                                                • Checks processor information in registry
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                PID:5116
                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.0.206895569\294443323" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1688 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b99291db-7334-4a0e-9a16-f5c931edf5f2} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 1580 1c845dc3858 gpu
                                                                                                                  3⤵
                                                                                                                    PID:4652
                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.1.1584009105\1867980576" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ab31b8b-95c6-4bcd-a02d-5b2e6880d36f} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2408 1c839170158 socket
                                                                                                                    3⤵
                                                                                                                    • Checks processor information in registry
                                                                                                                    PID:868
                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.2.964609667\909029581" -childID 1 -isForBrowser -prefsHandle 1736 -prefMapHandle 3016 -prefsLen 20999 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa716299-5a86-4cde-aa72-83fbac1de746} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2992 1c845d5e758 tab
                                                                                                                    3⤵
                                                                                                                      PID:4644
                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.3.706091603\585571053" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {978a0849-8705-4e15-883d-3bb124cb8c62} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 3572 1c839169958 tab
                                                                                                                      3⤵
                                                                                                                        PID:4856
                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.4.174813131\1364673430" -childID 3 -isForBrowser -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05db7623-d3e0-49fe-bccc-5db7cf5512e9} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 4748 1c84ba89d58 tab
                                                                                                                        3⤵
                                                                                                                          PID:4836
                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.7.1883294102\433356350" -childID 6 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {676a84fd-d372-48d7-80dd-4a9bbf78f68e} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5536 1c8494a3a58 tab
                                                                                                                          3⤵
                                                                                                                            PID:5368
                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.6.544868926\1354800157" -childID 5 -isForBrowser -prefsHandle 5356 -prefMapHandle 5428 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {babfe322-3a19-4233-b662-cb90a8dd4d00} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5348 1c84851bb58 tab
                                                                                                                            3⤵
                                                                                                                              PID:5360
                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.5.1001990686\1121557365" -childID 4 -isForBrowser -prefsHandle 5208 -prefMapHandle 5200 -prefsLen 26497 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed8e25d4-2057-4107-8f45-68ab8578ae62} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 5216 1c839167e58 tab
                                                                                                                              3⤵
                                                                                                                                PID:5352
                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.8.792751477\1754002986" -childID 7 -isForBrowser -prefsHandle 4552 -prefMapHandle 4548 -prefsLen 26672 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4acdb291-3799-402d-84e0-42728ddc6a90} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2848 1c848dd0558 tab
                                                                                                                                3⤵
                                                                                                                                  PID:5964
                                                                                                                            • C:\Windows\system32\werfault.exe
                                                                                                                              werfault.exe /h /shared Global\bd0f0affbce441509bab5bd916835f18 /t 1340 /p 32
                                                                                                                              1⤵
                                                                                                                                PID:416
                                                                                                                              • C:\Windows\system32\DllHost.exe
                                                                                                                                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                1⤵
                                                                                                                                  PID:2756
                                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                                  C:\Windows\system32\WerFault.exe -pss -s 540 -p 4736 -ip 4736
                                                                                                                                  1⤵
                                                                                                                                    PID:1292
                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                    C:\Windows\system32\WerFault.exe -u -p 4736 -s 2016
                                                                                                                                    1⤵
                                                                                                                                    • Program crash
                                                                                                                                    PID:3272
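The process tree above is the sample's anti-analysis routine, repeated in rounds: a `cmd.exe /c` wrapper around `taskkill /F` for `HTTPDebuggerSvc.exe` and for any image matching `fiddler*`, `wireshark*` or `httpdebugger*`, an `sc stop HTTPDebuggerPro`, and a `RD /S /Q` of the IE cache directory. The following detector is an added example, not code from the tria.ge report or from the sample. It takes process-creation records shaped like Sysmon Event ID 1 fields (pid, ppid, image, command line), folds the `cmd.exe` wrappers into the process that issued them so the wrapper and its `taskkill`/`sc` child count once, and alerts when one process goes after two or more distinct analysis tools. The sample events are constructed from the command lines on this page; PID 1234 for `m.vmp.exe`, the two benign records, and every tool name beyond fiddler, wireshark and httpdebugger are assumptions of this example.

```python
# Added example: flag analysis-tool tampering of the kind seen in the process tree.
# Records mimic Sysmon Event ID 1 fields; nothing here is the sample's own code.
import re
from collections import defaultdict

# Name prefixes (lower-case, no .exe) that identify traffic/debug analysis tools.
# fiddler, wireshark and httpdebugger are what the sample targets in the report;
# the remaining entries are an assumption of this example.
ANALYSIS_TOOLS = (
    "fiddler", "wireshark", "httpdebugger",
    "charles", "procmon", "procexp", "tcpview", "x64dbg", "x32dbg",
    "ollydbg", "windbg", "idaq", "ida64",
)
WRAPPERS = {"cmd.exe", "conhost.exe"}

_CMD_C = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/c\s+(.*)$', re.I)
_REDIR = re.compile(r'\s*>\s*nul(?:\s+2>&1)?\s*$', re.I)
_TASKKILL = re.compile(r'^(?:"?[^"\s]*\\)?taskkill(?:\.exe)?"?\s', re.I)
_TK_FI = re.compile(r'/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.I)
_TK_IM = re.compile(r'/IM\s+"?([^\s"]+)"?', re.I)
_SC_STOP = re.compile(r'^(?:"?[^"\s]*\\)?sc(?:\.exe)?"?\s+stop\s+(\S+)', re.I)
_RD = re.compile(r'^@?(?:rd|rmdir)\s+(?:/[sq]\s+)+"?([^"]+)"?', re.I)


def unwrap(cmdline):
    """Strip a `cmd.exe /c ... >nul 2>&1` wrapper and return the inner command."""
    m = _CMD_C.match(cmdline.strip())
    inner = m.group(1) if m else cmdline.strip()
    return _REDIR.sub("", inner)


def _tool(name):
    """Map an image name, wildcard or service name to a known analysis tool, or None."""
    n = name.lower().rstrip("*")
    if n.endswith(".exe"):
        n = n[:-4]
    return next((t for t in ANALYSIS_TOOLS if n.startswith(t)), None)


def classify(cmdline):
    """Return (technique, tool) for a suspicious command line, else None."""
    cmd = unwrap(cmdline)
    if _TASKKILL.match(cmd):
        # /FI "IMAGENAME eq x*" is checked before /IM, which is just "*" in the sample.
        for target in _TK_FI.findall(cmd) + _TK_IM.findall(cmd):
            tool = _tool(target)
            if tool:
                return ("kill_analysis_tool", tool)
        return None
    m = _SC_STOP.match(cmd)
    if m:
        tool = _tool(m.group(1))
        return ("stop_analysis_service", tool) if tool else None
    m = _RD.match(cmd)
    if m and "inetcache" in m.group(1).lower():
        return ("wipe_browser_cache", "inetcache")
    return None


def issuer(rec, by_pid):
    """Walk up past cmd.exe/conhost.exe wrappers to the process that issued the command."""
    pid, seen = rec["ppid"], set()
    while pid in by_pid and by_pid[pid]["image"].lower() in WRAPPERS and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def analyze(records):
    """Group distinct (technique, tool) findings by the issuing process."""
    by_pid = {r["pid"]: r for r in records}
    findings = defaultdict(set)
    for r in records:
        f = classify(r["cmdline"])
        if f:
            findings[issuer(r, by_pid)].add(f)
    return dict(findings)


def alerts(records, min_tools=2):
    """Alert on processes targeting at least min_tools distinct analysis tools.
    One taskkill is common in admin scripts; a run of sniffer/debugger kills is not."""
    out = []
    for pid, fs in analyze(records).items():
        tools = {tool for tech, tool in fs if tech != "wipe_browser_cache"}
        if len(tools) >= min_tools:
            out.append((pid, tuple(sorted(tools)), tuple(sorted(fs))))
    return sorted(out)


# Constructed from the command lines in the process tree; PID 1234 for m.vmp.exe
# and the two benign records (notepad kill, Firefox) are assumptions of this example.
SAMPLE_EVENTS = [
    {"pid": 1234, "ppid": 1000, "image": "m.vmp.exe", "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\m.vmp.exe"'},
    {"pid": 2892, "ppid": 1234, "image": "cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1'},
    {"pid": 4112, "ppid": 2892, "image": "taskkill.exe", "cmdline": r'taskkill /IM HTTPDebuggerSvc.exe /F'},
    {"pid": 4552, "ppid": 1234, "image": "cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1'},
    {"pid": 5080, "ppid": 1234, "image": "cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1'},
    {"pid": 5324, "ppid": 5080, "image": "taskkill.exe", "cmdline": r'taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T'},
    {"pid": 3476, "ppid": 1234, "image": "cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1'},
    {"pid": 3908, "ppid": 1234, "image": "cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1'},
    {"pid": 2804, "ppid": 3908, "image": "sc.exe", "cmdline": r'sc stop HTTPDebuggerPro'},
    {"pid": 7000, "ppid": 6000, "image": "taskkill.exe", "cmdline": r'taskkill /IM notepad.exe /F'},
    {"pid": 5116, "ppid": 760, "image": "firefox.exe", "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

if __name__ == "__main__":
    for pid, tools, fs in alerts(SAMPLE_EVENTS):
        print(f"PID {pid} tampers with {', '.join(tools)}: {fs}")
```

On the constructed events this reports PID 1234 for fiddler, httpdebugger and wireshark, with the `sc stop` and the INetCache wipe listed alongside the kills; the lone `taskkill /IM notepad.exe` stays below the threshold. Matching on the inner command rather than on `taskkill.exe` alone is what makes the `cmd.exe /c ... >nul 2>&1` wrapping, which hides the child's exit status from the sample but not from a process-creation log, irrelevant to the detection.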

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\ProgramData\hash.txt
  Filesize: 145B
  MD5: c39166d09bc5ee7fbeaea5925bf897e9
  SHA1: 220d37298a0afc067a06e631e503039fdc11acc6
  SHA256: 25d6b50d4d6d65a91e852647f6b46456a61e92fc2d8fddc7ed46a44be6fdecbb
  SHA512: 5a95ebc317943f5899f3a3db8923de6715c8752830976d2b4dd96eff87706588d771fc81d0c10816a855023352307a13d0fa652d662b69c20a4458ff83986a41

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 148KB
  MD5: 5df7109c1924f5bd5d97ab1d70d575f7
  SHA1: 1f38b9c2397bdc6c95fc0cbdf70142597d0fb837
  SHA256: fea4e94432a5c054d4a19f8f4b49327a8b2ca4c806ec93e2949dc8b2f11fe65a
  SHA512: 29e1a0724c7026845bb358f4663237e514da129f552afda6e0eb9de5b537d0a8daca1b0d3aacbcdb0827e208992e1746be8f7d1fb4712d3ea6f9aeaab74509b5

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js
  Filesize: 6KB
  MD5: 0f61390d44f36b76e01217d62739a38e
  SHA1: 43f31e9b45b201146aabe160f6dad3d58facb3b7
  SHA256: b3c067c4d3ff1da769e853f8585c8df3184ff5bbdb5d265e00a549daba151f51
  SHA512: 37397dd3095c074fad447fea7fa4654295178682427d0cf05904dc557a5f464a637b001046a59cf9cb25de6b46b196ec88cbaa66fae6fca342e9d65055b6a140

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js
  Filesize: 6KB
  MD5: e3119fb5106903f22d471762ea523c30

                                                                                                                                    SHA1

                                                                                                                                    ebb794a54258c1b8cbb570deec2c0c9c3c07592c

                                                                                                                                    SHA256

                                                                                                                                    5a169b3f8d849cc22babeef39b9fae007cd473fa9418bd0cb036f65df1101ee2

                                                                                                                                    SHA512

                                                                                                                                    5cdd88813d6858dfacd5e2684ba99752f9e0c1e03a0aadd3bfd6c8b7fd76d856939b2d8cd474a29b0c84335169fcd3faaea725a63eab5a387a7a203a03135026

                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionCheckpoints.json.tmp

                                                                                                                                    Filesize

                                                                                                                                    259B

                                                                                                                                    MD5

                                                                                                                                    c8dc58eff0c029d381a67f5dca34a913

                                                                                                                                    SHA1

                                                                                                                                    3576807e793473bcbd3cf7d664b83948e3ec8f2d

                                                                                                                                    SHA256

                                                                                                                                    4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

                                                                                                                                    SHA512

                                                                                                                                    b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

                                                                                                                                    Filesize

                                                                                                                                    1KB

                                                                                                                                    MD5

                                                                                                                                    1ca8aef71b8d7c17a44a420085243a46

                                                                                                                                    SHA1

                                                                                                                                    9ad57ecaebb2fa48544c797b1c38539d15f505d1

                                                                                                                                    SHA256

                                                                                                                                    07c2583a907aa1583d0ac915ebc485e093226645465f075f980f39e9912d37c8

                                                                                                                                    SHA512

                                                                                                                                    86066272b5df97a2207c6fd31a5b829894f74324eeeac6f69e0345904039fdf130092e00fae5d7a15e63c11ad33fe1979865e4b9e3f6955bac40d8b9d8d3537e

                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore.jsonlz4

                                                                                                                                    Filesize

                                                                                                                                    1KB

                                                                                                                                    MD5

                                                                                                                                    e80fec4ce3661a57e12d00648357efe8

                                                                                                                                    SHA1

                                                                                                                                    eb7940cac1ccc0007e42d410d7aab2e48fc1314b

                                                                                                                                    SHA256

                                                                                                                                    21665a0464900bbc2464cbca5064fee77cac0f4d8bd2239909bfb54e33d75dd4

                                                                                                                                    SHA512

                                                                                                                                    e41a46d69d7ba807ebeeb1118b507faf5c3b0b69af28186b480ad39a5735c8c3bff70a94e6bd62fe25f7506e63136be3e7da30dd49a0345c384df6a83a893c30

                                                                                                                                  • memory/32-137-0x00007FF603520000-0x00007FF604A5F000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    21.2MB

                                                                                                                                  • memory/32-196-0x00007FF603520000-0x00007FF604A5F000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    21.2MB

                                                                                                                                  • memory/32-133-0x00007FF603520000-0x00007FF604A5F000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    21.2MB

                                                                                                                                  • memory/32-136-0x00007FFA29360000-0x00007FFA29362000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8KB

                                                                                                                                  • memory/32-135-0x00007FFA29350000-0x00007FFA29352000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8KB

                                                                                                                                  • memory/32-354-0x00007FF603520000-0x00007FF604A5F000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    21.2MB