388769ea6f4ed04706cc102c0d02b1259ff57529a41ee87ef7d51f7590c5642e

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RezModz-MW3.exe
Size

8.5MB
MD5

4358194f20913b55a8e65020b02e8f18
SHA1

a1221ac03bae90d38766cdfa1cc80a1255bd6416
SHA256

388769ea6f4ed04706cc102c0d02b1259ff57529a41ee87ef7d51f7590c5642e
SHA512

39e9d5b404d862cbcd6cfd7d0f4ab7b4810777aac7ed1a4b096ebe61bd900788d8ccccc36fb865378c7ae354a8c9d73f0ba1f190fcaa553cbcf9f97f49257ad8
SSDEEP

196608:VSoIZLMURHc00UBXmSiWG3wP3eVfrfyFOdw:VSoItFcoBq3qeV+FN

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RezModz-MW3.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RezModz-MW3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RezModz-MW3.exe

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1692-0-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-2-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-3-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-4-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-5-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-6-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-7-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-9-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-10-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-11-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-12-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-13-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-14-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-15-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-16-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-17-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-18-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-19-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral1/memory/1692-20-0x0000000140000000-0x00000001415DF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RezModz-MW3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1692	RezModz-MW3.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1964	sc.exe
1776	sc.exe
3028	sc.exe
2020	sc.exe
2376	sc.exe
2576	sc.exe
2968	sc.exe

Kills process with taskkill 28 IoCs

evasion

pid	Process
2988	taskkill.exe
1728	taskkill.exe
2636	taskkill.exe
2284	taskkill.exe
1948	taskkill.exe
2124	taskkill.exe
1800	taskkill.exe
3032	taskkill.exe
2060	taskkill.exe
1148	taskkill.exe
2064	taskkill.exe
2812	taskkill.exe
1824	taskkill.exe
1508	taskkill.exe
2704	taskkill.exe
2916	taskkill.exe
2500	taskkill.exe
1960	taskkill.exe
1796	taskkill.exe
2292	taskkill.exe
1560	taskkill.exe
1648	taskkill.exe
2352	taskkill.exe
3044	taskkill.exe
1288	taskkill.exe
1008	taskkill.exe
2940	taskkill.exe
3036	taskkill.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2512	1692	RezModz-MW3.exe	29
PID 1692 wrote to memory of 2512	1692	RezModz-MW3.exe	29
PID 1692 wrote to memory of 2512	1692	RezModz-MW3.exe	29
PID 1692 wrote to memory of 1820	1692	RezModz-MW3.exe	30
PID 1692 wrote to memory of 1820	1692	RezModz-MW3.exe	30
PID 1692 wrote to memory of 1820	1692	RezModz-MW3.exe	30
PID 1692 wrote to memory of 928	1692	RezModz-MW3.exe	31
PID 1692 wrote to memory of 928	1692	RezModz-MW3.exe	31
PID 1692 wrote to memory of 928	1692	RezModz-MW3.exe	31
PID 1692 wrote to memory of 2772	1692	RezModz-MW3.exe	32
PID 1692 wrote to memory of 2772	1692	RezModz-MW3.exe	32
PID 1692 wrote to memory of 2772	1692	RezModz-MW3.exe	32
PID 1692 wrote to memory of 2936	1692	RezModz-MW3.exe	33
PID 1692 wrote to memory of 2936	1692	RezModz-MW3.exe	33
PID 1692 wrote to memory of 2936	1692	RezModz-MW3.exe	33
PID 1692 wrote to memory of 2144	1692	RezModz-MW3.exe	34
PID 1692 wrote to memory of 2144	1692	RezModz-MW3.exe	34
PID 1692 wrote to memory of 2144	1692	RezModz-MW3.exe	34
PID 1692 wrote to memory of 2280	1692	RezModz-MW3.exe	35
PID 1692 wrote to memory of 2280	1692	RezModz-MW3.exe	35
PID 1692 wrote to memory of 2280	1692	RezModz-MW3.exe	35
PID 2512 wrote to memory of 2988	2512	cmd.exe	36
PID 2512 wrote to memory of 2988	2512	cmd.exe	36
PID 2512 wrote to memory of 2988	2512	cmd.exe	36
PID 2936 wrote to memory of 1948	2936	cmd.exe	37
PID 2936 wrote to memory of 1948	2936	cmd.exe	37
PID 2936 wrote to memory of 1948	2936	cmd.exe	37
PID 928 wrote to memory of 3044	928	cmd.exe	38
PID 928 wrote to memory of 3044	928	cmd.exe	38
PID 928 wrote to memory of 3044	928	cmd.exe	38
PID 2280 wrote to memory of 2568	2280	cmd.exe	39
PID 2280 wrote to memory of 2568	2280	cmd.exe	39
PID 2280 wrote to memory of 2568	2280	cmd.exe	39
PID 2772 wrote to memory of 2576	2772	cmd.exe	40
PID 2772 wrote to memory of 2576	2772	cmd.exe	40
PID 2772 wrote to memory of 2576	2772	cmd.exe	40
PID 1820 wrote to memory of 2704	1820	cmd.exe	41
PID 1820 wrote to memory of 2704	1820	cmd.exe	41
PID 1820 wrote to memory of 2704	1820	cmd.exe	41
PID 1692 wrote to memory of 2216	1692	RezModz-MW3.exe	43
PID 1692 wrote to memory of 2216	1692	RezModz-MW3.exe	43
PID 1692 wrote to memory of 2216	1692	RezModz-MW3.exe	43
PID 1692 wrote to memory of 2484	1692	RezModz-MW3.exe	44
PID 1692 wrote to memory of 2484	1692	RezModz-MW3.exe	44
PID 1692 wrote to memory of 2484	1692	RezModz-MW3.exe	44
PID 1692 wrote to memory of 2732	1692	RezModz-MW3.exe	45
PID 1692 wrote to memory of 2732	1692	RezModz-MW3.exe	45
PID 1692 wrote to memory of 2732	1692	RezModz-MW3.exe	45
PID 1692 wrote to memory of 2428	1692	RezModz-MW3.exe	46
PID 1692 wrote to memory of 2428	1692	RezModz-MW3.exe	46
PID 1692 wrote to memory of 2428	1692	RezModz-MW3.exe	46
PID 1692 wrote to memory of 2436	1692	RezModz-MW3.exe	47
PID 1692 wrote to memory of 2436	1692	RezModz-MW3.exe	47
PID 1692 wrote to memory of 2436	1692	RezModz-MW3.exe	47
PID 1692 wrote to memory of 2444	1692	RezModz-MW3.exe	48
PID 1692 wrote to memory of 2444	1692	RezModz-MW3.exe	48
PID 1692 wrote to memory of 2444	1692	RezModz-MW3.exe	48
PID 2216 wrote to memory of 2500	2216	cmd.exe	49
PID 2216 wrote to memory of 2500	2216	cmd.exe	49
PID 2216 wrote to memory of 2500	2216	cmd.exe	49
PID 2484 wrote to memory of 2916	2484	cmd.exe	50
PID 2484 wrote to memory of 2916	2484	cmd.exe	50
PID 2484 wrote to memory of 2916	2484	cmd.exe	50
PID 2428 wrote to memory of 2968	2428	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\RezModz-MW3.exe
"C:\Users\Admin\AppData\Local\Temp\RezModz-MW3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2576
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RezModz-MW3.exe" MD5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RezModz-MW3.exe" MD5
    3⤵
    PID:2568
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2968
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2436
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2444
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2628
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:816
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2652
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1276
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2660
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1492
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1408
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:620
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:824
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1776
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1740
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2792
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:936
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2388
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2020
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2272
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2136
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2868
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2928
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2856
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3028
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2896
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1236
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1100
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2044
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2376
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:896
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-0-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-1-0x0000000076FA0000-0x0000000077149000-memory.dmp

Filesize
1.7MB

Download
memory/1692-2-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-3-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-4-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-5-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-6-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-7-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-8-0x0000000076FA0000-0x0000000077149000-memory.dmp

Filesize
1.7MB

Download
memory/1692-9-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-10-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-11-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-12-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-13-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-14-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-15-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-16-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-17-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-18-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-19-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/1692-20-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads