8e5971238652431a8eed55deedb8d559db5d26636824a85a0f8801bfa9f5d720

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23ed3662b0fbfec8d88ca6d7beafe382.exe
Size

3.8MB
MD5

23ed3662b0fbfec8d88ca6d7beafe382
SHA1

a8af20412467c13a4177b07e46fca75131e2ced0
SHA256

8e5971238652431a8eed55deedb8d559db5d26636824a85a0f8801bfa9f5d720
SHA512

e998c2172894dc7dd65121941612f6bc3bef201613647a513304dec92b2699453a83523beb071430994b87aafae72481c3429c4172b02a8c03ec2139deb70d9d
SSDEEP

98304:zujsFI5HAqETzDNWR2ekUKSTeaPGNatg:zujse1wwR2xULeCG4t

Score

9^/10

aspackv2 evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	A Spoofer.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000900000001447e-1.dat	aspack_v212_v242
behavioral1/memory/2088-12-0x00000000002B0000-0x00000000002B9000-memory.dmp	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A Spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A Spoofer.exe

Executes dropped EXE 4 IoCs

pid	Process
2176	HlNZMT.exe
2600	A Spoofer.exe
2628	svchost (1).exe
1376	Process not Found

Loads dropped DLL 10 IoCs

pid	Process
2088	23ed3662b0fbfec8d88ca6d7beafe382.exe
2088	23ed3662b0fbfec8d88ca6d7beafe382.exe
2088	23ed3662b0fbfec8d88ca6d7beafe382.exe
2900	Process not Found
2088	23ed3662b0fbfec8d88ca6d7beafe382.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0009000000014825-20.dat	themida
behavioral1/files/0x0009000000014825-18.dat	themida
behavioral1/memory/2600-29-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/files/0x0009000000014825-31.dat	themida
behavioral1/files/0x0009000000014825-16.dat	themida
behavioral1/memory/2600-80-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/memory/2600-83-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/memory/2600-84-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/memory/2600-82-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/memory/2600-86-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/memory/2600-85-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/files/0x0009000000014825-87.dat	themida
behavioral1/memory/2600-88-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/memory/2600-89-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida
behavioral1/memory/2600-91-0x000000013F2B0000-0x000000013FC98000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	A Spoofer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2600	A Spoofer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	HlNZMT.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	HlNZMT.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	HlNZMT.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	HlNZMT.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	HlNZMT.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2072	sc.exe
2104	sc.exe
2684	sc.exe
1468	sc.exe
1732	sc.exe
2100	sc.exe
2236	sc.exe
2428	sc.exe
268	sc.exe
2920	sc.exe
2984	sc.exe
1596	sc.exe
2364	sc.exe
1156	sc.exe
2500	sc.exe
2808	sc.exe
2912	sc.exe
1856	sc.exe
1264	sc.exe
2184	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
636	2628	WerFault.exe	29

Kills process with taskkill 23 IoCs

evasion

pid	Process
2320	taskkill.exe
276	taskkill.exe
2888	taskkill.exe
2036	taskkill.exe
2360	taskkill.exe
2572	taskkill.exe
716	taskkill.exe
2180	taskkill.exe
2792	taskkill.exe
2932	taskkill.exe
2940	taskkill.exe
2324	taskkill.exe
3012	taskkill.exe
2068	taskkill.exe
1788	taskkill.exe
2680	taskkill.exe
2968	taskkill.exe
1568	taskkill.exe
2416	taskkill.exe
1660	taskkill.exe
2012	taskkill.exe
1388	taskkill.exe
680	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2176	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	28
PID 2088 wrote to memory of 2176	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	28
PID 2088 wrote to memory of 2176	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	28
PID 2088 wrote to memory of 2176	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	28
PID 2088 wrote to memory of 2600	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	31
PID 2088 wrote to memory of 2600	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	31
PID 2088 wrote to memory of 2600	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	31
PID 2088 wrote to memory of 2600	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	31
PID 2088 wrote to memory of 2628	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	29
PID 2088 wrote to memory of 2628	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	29
PID 2088 wrote to memory of 2628	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	29
PID 2088 wrote to memory of 2628	2088	23ed3662b0fbfec8d88ca6d7beafe382.exe	29
PID 2628 wrote to memory of 636	2628	svchost (1).exe	33
PID 2628 wrote to memory of 636	2628	svchost (1).exe	33
PID 2628 wrote to memory of 636	2628	svchost (1).exe	33
PID 2628 wrote to memory of 636	2628	svchost (1).exe	33
PID 2176 wrote to memory of 2748	2176	HlNZMT.exe	72
PID 2176 wrote to memory of 2748	2176	HlNZMT.exe	72
PID 2176 wrote to memory of 2748	2176	HlNZMT.exe	72
PID 2176 wrote to memory of 2748	2176	HlNZMT.exe	72
PID 2600 wrote to memory of 2824	2600	A Spoofer.exe	40
PID 2600 wrote to memory of 2824	2600	A Spoofer.exe	40
PID 2600 wrote to memory of 2824	2600	A Spoofer.exe	40
PID 2600 wrote to memory of 3024	2600	A Spoofer.exe	36
PID 2600 wrote to memory of 3024	2600	A Spoofer.exe	36
PID 2600 wrote to memory of 3024	2600	A Spoofer.exe	36
PID 3024 wrote to memory of 2788	3024	cmd.exe	60
PID 3024 wrote to memory of 2788	3024	cmd.exe	60
PID 3024 wrote to memory of 2788	3024	cmd.exe	60
PID 3024 wrote to memory of 2484	3024	cmd.exe	38
PID 3024 wrote to memory of 2484	3024	cmd.exe	38
PID 3024 wrote to memory of 2484	3024	cmd.exe	38
PID 3024 wrote to memory of 2984	3024	cmd.exe	59
PID 3024 wrote to memory of 2984	3024	cmd.exe	59
PID 3024 wrote to memory of 2984	3024	cmd.exe	59
PID 2600 wrote to memory of 3004	2600	A Spoofer.exe	41
PID 2600 wrote to memory of 3004	2600	A Spoofer.exe	41
PID 2600 wrote to memory of 3004	2600	A Spoofer.exe	41
PID 3004 wrote to memory of 3012	3004	cmd.exe	139
PID 3004 wrote to memory of 3012	3004	cmd.exe	139
PID 3004 wrote to memory of 3012	3004	cmd.exe	139
PID 2600 wrote to memory of 1640	2600	A Spoofer.exe	138
PID 2600 wrote to memory of 1640	2600	A Spoofer.exe	138
PID 2600 wrote to memory of 1640	2600	A Spoofer.exe	138
PID 1640 wrote to memory of 2320	1640	cmd.exe	137
PID 1640 wrote to memory of 2320	1640	cmd.exe	137
PID 1640 wrote to memory of 2320	1640	cmd.exe	137
PID 2600 wrote to memory of 1892	2600	A Spoofer.exe	43
PID 2600 wrote to memory of 1892	2600	A Spoofer.exe	43
PID 2600 wrote to memory of 1892	2600	A Spoofer.exe	43
PID 1892 wrote to memory of 268	1892	cmd.exe	141
PID 1892 wrote to memory of 268	1892	cmd.exe	141
PID 1892 wrote to memory of 268	1892	cmd.exe	141
PID 2600 wrote to memory of 604	2600	A Spoofer.exe	135
PID 2600 wrote to memory of 604	2600	A Spoofer.exe	135
PID 2600 wrote to memory of 604	2600	A Spoofer.exe	135
PID 604 wrote to memory of 680	604	cmd.exe	134
PID 604 wrote to memory of 680	604	cmd.exe	134
PID 604 wrote to memory of 680	604	cmd.exe	134
PID 2600 wrote to memory of 1404	2600	A Spoofer.exe	133
PID 2600 wrote to memory of 1404	2600	A Spoofer.exe	133
PID 2600 wrote to memory of 1404	2600	A Spoofer.exe	133
PID 1404 wrote to memory of 276	1404	cmd.exe	44
PID 1404 wrote to memory of 276	1404	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\23ed3662b0fbfec8d88ca6d7beafe382.exe
"C:\Users\Admin\AppData\Local\Temp\23ed3662b0fbfec8d88ca6d7beafe382.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\HlNZMT.exe
  C:\Users\Admin\AppData\Local\Temp\HlNZMT.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\6e5548e8.bat" "
    3⤵
    PID:2748
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2680
- C:\Users\Admin\AppData\Local\Temp\svchost (1).exe
  "C:\Users\Admin\AppData\Local\Temp\svchost (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 532
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:636
- C:\Users\Admin\AppData\Local\Temp\A Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\A Spoofer.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\A Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2984
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2484
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\A Spoofer.exe" MD5
      4⤵
      PID:2788
    - - C:\Windows\system32\sc.exe
        
        sc stop npf
        5⤵
        Launches sc.exe
        
        PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 3
    3⤵
    PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq loldbg*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1888
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq loldbg*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
    3⤵
    PID:2292
  - - C:\Windows\system32\sc.exe
      sc stop wireshark
      4⤵
      Launches sc.exe
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:1664
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2752
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
    3⤵
    PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
    3⤵
    PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
    3⤵
    PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
    3⤵
    PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
    3⤵
    PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
    3⤵
    PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
    3⤵
    PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
    3⤵
    PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
    3⤵
    PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
    3⤵
    PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop ESEADriver2 >nul 2>&1
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop FACEIT >nul 2>&1
    3⤵
    PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
    3⤵
    PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
    3⤵
    PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
    3⤵
    PID:912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
    3⤵
    PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop ESEADriver2 >nul 2>&1
    3⤵
    PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop FACEIT >nul 2>&1
    3⤵
    PID:984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
    3⤵
    PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:1428

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2920

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2500

C:\Windows\system32\sc.exe
sc stop wireshark
1⤵
- Launches sc.exe
PID:2684

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:2808

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
1⤵
- Launches sc.exe
PID:1468

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
1⤵
- Launches sc.exe
PID:1856

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2912

C:\Windows\system32\sc.exe
sc stop npf
1⤵
- Launches sc.exe
PID:1596

C:\Windows\system32\sc.exe
sc stop wireshark
1⤵
- Launches sc.exe
PID:1264

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:2184

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
1⤵
- Launches sc.exe
PID:1732

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
1⤵
- Launches sc.exe
PID:2072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:1692

C:\Windows\system32\net.exe
net stop ESEADriver2
1⤵
PID:2004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:2200

C:\Windows\system32\net.exe
net stop FACEIT
1⤵
PID:1992

C:\Windows\system32\sc.exe
sc stop npf
1⤵
- Launches sc.exe
PID:2364

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:2236

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
1⤵
- Launches sc.exe
PID:1156

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
1⤵
- Launches sc.exe
PID:2428

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2104

C:\Windows\system32\net.exe
net stop ESEADriver2
1⤵
PID:1820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:764

C:\Windows\system32\net.exe
net stop FACEIT
1⤵
PID:1168

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZJ7490B\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\03447797.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e5548e8.bat

Filesize
187B

MD5
e903906b898600563359c07188e06962

SHA1
fcf8d47c1ec6876c5d08a92e1a1d3072075e7adf

SHA256
73a106c879243acac4b5a247e7f450c076242d42e59004d8c1ef3d53ba093786

SHA512
268097d4011be6e98a2787b34696658426bda229f60350fad6f36f473b836c02c24018a2b5759e34caec40964b1458aa61962139b0582359e8c70241df1d01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A Spoofer.exe

Filesize
439KB

MD5
5c7a4037328badba18d899fdc96833e9

SHA1
a4d94340907c194c1957841baf397e7a34fc7a0d

SHA256
8ed44f803993a3e6b87e3278fa31c95a978aa99160fd13866d8cd122fcb2189e

SHA512
b974b2a95968b2498712d4a96c69708fba17e6b374905d252f2bfe55471a7af10a3f91367abf113e2e9d064da740dc2e14f95d7bea25e1c7ec40df446e93148b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A Spoofer.exe

Filesize
40KB

MD5
9f6c543ef8a0003e75130e52f3cf9693

SHA1
5063e57888ec1761eea9176c991ce5d51064df05

SHA256
670a39028e93551b3111dc0467ca61fd3d77f83416e0712a08ae3a04058400ed

SHA512
29e65a61efb9b88d61e924adb69f8cce9c9c4764e7574650cbfd0554eb9fb8cbb576165efd5165ae2b244addf6c1465b826494ccc3e64af4756be4f8383f96be

Download Submit
\Users\Admin\AppData\Local\Temp\A Spoofer.exe

Filesize
732KB

MD5
5249a9f18b5fede7db6854829f1dad09

SHA1
03bba2ba7bf6773ce2532fdcd4f2c2fca1863fdf

SHA256
149f1b668de513c7e97bfc5374fc7eec4d5234fa6482aaba11d0ec25b23e0478

SHA512
bf7529ec038041cc82084144fd874cf694ff6e775fa697e0fa0cda9fed9472c30cd06d18a055a91ca864316d4fa9788248b34a01174152957be4273f86bfddfa

Download Submit
\Users\Admin\AppData\Local\Temp\A Spoofer.exe

Filesize
455KB

MD5
41de130650596c6d619aef6f172ab498

SHA1
78ed0cbe2ddfc1558232499497de377702e29322

SHA256
379847136b65618cd412d799185db86b4f567f136942697d44cb0d1ab1de9dc4

SHA512
9f4476d32d625c0bc48822b06bd5b260192329d8c7ce71a9dd5958f1cdbc7bbde24fed40dfe92a87f84725800669b913ea5a2d855373901c81be3b8a1fd322e1

Download Submit
\Users\Admin\AppData\Local\Temp\A Spoofer.exe

Filesize
463KB

MD5
61d713f548824bb4a1de1824157802c2

SHA1
bc9fccd4c44c07b86b53bce7c7994933860fd8c3

SHA256
5e49f2f433a743c05a6dce9b25277ea242440dac10f38557cd2723696bb1ed56

SHA512
a615863d591f4ae125d921eb727479a732d146d03740365b7032389d216f9c8cdc918fb4c4f42103f2baef717cb3f0da5217673618b4c02e97423d1a8ec5ce35

Download Submit
\Users\Admin\AppData\Local\Temp\HlNZMT.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\svchost (1).exe

Filesize
12KB

MD5
2809afedb009820f1328dee5c64196da

SHA1
714caf18b6772b1bf4cc12237f314dfcdb699ee5

SHA256
00c77acecb6928e60ed7818fd3623d1a6b34cdd5cfa5327fedd2c91633392bc1

SHA512
c9b1235c7a96034fbf4020662636d92c867e4a2602643dffc4a33d7cbf867d439f80327e57c97e42b1e9a6b6c7215a03c541c5478980169e1d22dd7f78c07406

Download Submit
memory/2088-25-0x0000000003420000-0x0000000003E08000-memory.dmp

Filesize
9.9MB

Download
memory/2088-7-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2088-12-0x00000000002B0000-0x00000000002B9000-memory.dmp

Filesize
36KB

Download
memory/2088-26-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2088-10-0x00000000002B0000-0x00000000002B9000-memory.dmp

Filesize
36KB

Download
memory/2176-11-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/2176-78-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/2600-81-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/2600-82-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-33-0x0000000000110000-0x0000000000130000-memory.dmp

Filesize
128KB

Download
memory/2600-80-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-29-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-83-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-84-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-92-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/2600-86-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-85-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-91-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-88-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2600-89-0x000000013F2B0000-0x000000013FC98000-memory.dmp

Filesize
9.9MB

Download
memory/2628-90-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-30-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/2628-32-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads