388769ea6f4ed04706cc102c0d02b1259ff57529a41ee87ef7d51f7590c5642e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RezModz-MW3.exe
Size

8.5MB
MD5

4358194f20913b55a8e65020b02e8f18
SHA1

a1221ac03bae90d38766cdfa1cc80a1255bd6416
SHA256

388769ea6f4ed04706cc102c0d02b1259ff57529a41ee87ef7d51f7590c5642e
SHA512

39e9d5b404d862cbcd6cfd7d0f4ab7b4810777aac7ed1a4b096ebe61bd900788d8ccccc36fb865378c7ae354a8c9d73f0ba1f190fcaa553cbcf9f97f49257ad8
SSDEEP

196608:VSoIZLMURHc00UBXmSiWG3wP3eVfrfyFOdw:VSoItFcoBq3qeV+FN

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RezModz-MW3.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RezModz-MW3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RezModz-MW3.exe

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3912-0-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-2-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-3-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-4-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-5-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-6-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-7-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-8-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-10-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-11-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-12-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-13-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-14-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-15-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-16-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-17-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-18-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-19-0x0000000140000000-0x00000001415DF000-memory.dmp	themida
behavioral2/memory/3912-20-0x0000000140000000-0x00000001415DF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RezModz-MW3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3912	RezModz-MW3.exe

Launches sc.exe 13 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1148	sc.exe
5920	sc.exe
1912	sc.exe
4548	sc.exe
4068	sc.exe
5204	sc.exe
5288	sc.exe
1540	sc.exe
416	sc.exe
5748	sc.exe
1372	sc.exe
416	sc.exe
5800	sc.exe

Kills process with taskkill 52 IoCs

evasion

pid	Process
5676	taskkill.exe
5876	taskkill.exe
4856	taskkill.exe
5624	taskkill.exe
2576	taskkill.exe
4872	taskkill.exe
4524	taskkill.exe
2112	taskkill.exe
5196	taskkill.exe
5740	taskkill.exe
5116	taskkill.exe
2540	taskkill.exe
5848	taskkill.exe
3796	taskkill.exe
5808	taskkill.exe
3236	taskkill.exe
1316	taskkill.exe
4368	taskkill.exe
2244	taskkill.exe
2820	taskkill.exe
752	taskkill.exe
4164	taskkill.exe
2876	taskkill.exe
624	taskkill.exe
5204	taskkill.exe
4440	taskkill.exe
4164	taskkill.exe
2540	taskkill.exe
4332	taskkill.exe
1288	taskkill.exe
5956	taskkill.exe
2060	taskkill.exe
4856	taskkill.exe
5792	taskkill.exe
2732	taskkill.exe
2244	taskkill.exe
5820	taskkill.exe
4548	taskkill.exe
5140	taskkill.exe
2732	taskkill.exe
5840	taskkill.exe
1584	taskkill.exe
5768	taskkill.exe
4496	taskkill.exe
4856	taskkill.exe
4440	taskkill.exe
1628	taskkill.exe
2172	taskkill.exe
4796	taskkill.exe
4564	taskkill.exe
5948	taskkill.exe
2876	taskkill.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	5140	taskkill.exe
Token: SeDebugPrivilege	5196	taskkill.exe
Token: SeDebugPrivilege	5676	taskkill.exe
Token: SeDebugPrivilege	5624	taskkill.exe
Token: SeDebugPrivilege	5740	taskkill.exe
Token: SeDebugPrivilege	5792	taskkill.exe
Token: SeDebugPrivilege	5768	taskkill.exe
Token: SeDebugPrivilege	5808	taskkill.exe
Token: SeDebugPrivilege	5840	taskkill.exe
Token: SeDebugPrivilege	5820	taskkill.exe
Token: SeDebugPrivilege	5876	taskkill.exe
Token: SeDebugPrivilege	5848	taskkill.exe
Token: SeDebugPrivilege	5956	taskkill.exe
Token: SeDebugPrivilege	5948	taskkill.exe
Token: SeDebugPrivilege	5204	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3092	3912	RezModz-MW3.exe	100
PID 3912 wrote to memory of 3092	3912	RezModz-MW3.exe	100
PID 3912 wrote to memory of 5032	3912	RezModz-MW3.exe	101
PID 3912 wrote to memory of 5032	3912	RezModz-MW3.exe	101
PID 3912 wrote to memory of 1104	3912	RezModz-MW3.exe	102
PID 3912 wrote to memory of 1104	3912	RezModz-MW3.exe	102
PID 3912 wrote to memory of 1568	3912	RezModz-MW3.exe	103
PID 3912 wrote to memory of 1568	3912	RezModz-MW3.exe	103
PID 3912 wrote to memory of 2076	3912	RezModz-MW3.exe	104
PID 3912 wrote to memory of 2076	3912	RezModz-MW3.exe	104
PID 3912 wrote to memory of 924	3912	RezModz-MW3.exe	105
PID 3912 wrote to memory of 924	3912	RezModz-MW3.exe	105
PID 5032 wrote to memory of 4164	5032	cmd.exe	106
PID 5032 wrote to memory of 4164	5032	cmd.exe	106
PID 3912 wrote to memory of 5100	3912	RezModz-MW3.exe	107
PID 3912 wrote to memory of 5100	3912	RezModz-MW3.exe	107
PID 5100 wrote to memory of 636	5100	cmd.exe	108
PID 5100 wrote to memory of 636	5100	cmd.exe	108
PID 3092 wrote to memory of 2540	3092	cmd.exe	109
PID 3092 wrote to memory of 2540	3092	cmd.exe	109
PID 1104 wrote to memory of 1628	1104	cmd.exe	110
PID 1104 wrote to memory of 1628	1104	cmd.exe	110
PID 1568 wrote to memory of 1148	1568	cmd.exe	111
PID 1568 wrote to memory of 1148	1568	cmd.exe	111
PID 2076 wrote to memory of 2172	2076	cmd.exe	112
PID 2076 wrote to memory of 2172	2076	cmd.exe	112
PID 3912 wrote to memory of 4368	3912	RezModz-MW3.exe	114
PID 3912 wrote to memory of 4368	3912	RezModz-MW3.exe	114
PID 3912 wrote to memory of 1700	3912	RezModz-MW3.exe	153
PID 3912 wrote to memory of 1700	3912	RezModz-MW3.exe	153
PID 3912 wrote to memory of 368	3912	RezModz-MW3.exe	116
PID 3912 wrote to memory of 368	3912	RezModz-MW3.exe	116
PID 3912 wrote to memory of 2332	3912	RezModz-MW3.exe	134
PID 3912 wrote to memory of 2332	3912	RezModz-MW3.exe	134
PID 4368 wrote to memory of 2244	4368	cmd.exe	147
PID 4368 wrote to memory of 2244	4368	cmd.exe	147
PID 3912 wrote to memory of 2936	3912	RezModz-MW3.exe	183
PID 3912 wrote to memory of 2936	3912	RezModz-MW3.exe	183
PID 3912 wrote to memory of 3624	3912	RezModz-MW3.exe	172
PID 3912 wrote to memory of 3624	3912	RezModz-MW3.exe	172
PID 1700 wrote to memory of 752	1700	cmd.exe	121
PID 1700 wrote to memory of 752	1700	cmd.exe	121
PID 2332 wrote to memory of 1912	2332	cmd.exe	132
PID 2332 wrote to memory of 1912	2332	cmd.exe	132
PID 368 wrote to memory of 2732	368	cmd.exe	165
PID 368 wrote to memory of 2732	368	cmd.exe	165
PID 2936 wrote to memory of 1288	2936	cmd.exe	124
PID 2936 wrote to memory of 1288	2936	cmd.exe	124
PID 3912 wrote to memory of 1820	3912	RezModz-MW3.exe	126
PID 3912 wrote to memory of 1820	3912	RezModz-MW3.exe	126
PID 3912 wrote to memory of 636	3912	RezModz-MW3.exe	127
PID 3912 wrote to memory of 636	3912	RezModz-MW3.exe	127
PID 3912 wrote to memory of 5100	3912	RezModz-MW3.exe	128
PID 3912 wrote to memory of 5100	3912	RezModz-MW3.exe	128
PID 3912 wrote to memory of 3232	3912	RezModz-MW3.exe	129
PID 3912 wrote to memory of 3232	3912	RezModz-MW3.exe	129
PID 3912 wrote to memory of 3624	3912	RezModz-MW3.exe	172
PID 3912 wrote to memory of 3624	3912	RezModz-MW3.exe	172
PID 3912 wrote to memory of 4760	3912	RezModz-MW3.exe	131
PID 3912 wrote to memory of 4760	3912	RezModz-MW3.exe	131
PID 3912 wrote to memory of 1912	3912	RezModz-MW3.exe	132
PID 3912 wrote to memory of 1912	3912	RezModz-MW3.exe	132
PID 3912 wrote to memory of 4872	3912	RezModz-MW3.exe	169
PID 3912 wrote to memory of 4872	3912	RezModz-MW3.exe	169

C:\Users\Admin\AppData\Local\Temp\RezModz-MW3.exe
"C:\Users\Admin\AppData\Local\Temp\RezModz-MW3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1148
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RezModz-MW3.exe" MD5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RezModz-MW3.exe" MD5
    3⤵
    PID:636
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1912
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1820
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:636
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5100
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3232
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:3624
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4760
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1912
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4872
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3928
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4548
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1252
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2228
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2848
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1768
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1700
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4180
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2076
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1568
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4068
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4564
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4584
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3624
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4068
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2604
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1372
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:624
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1584
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3692
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1912
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4692
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4856
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3816
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5140
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4044
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2732
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4524
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1460
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5416
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5840
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5432
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5440
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5448
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5456
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5464
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5948
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5472
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5480
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5488
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5748
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5496
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5504
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5512
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5768
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5520
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5676
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5536
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5544
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5552
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:6116
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:6124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:6132
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:6140
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5288
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5128
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4808

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c4cef03a1b3c8d7486d117337373c81c ghZmkImWJEydL8BtGahoTg.0.1.0.0.0
1⤵
PID:2936

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4436 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3912-0-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-1-0x00007FFC05B10000-0x00007FFC05D05000-memory.dmp

Filesize
2.0MB

Download
memory/3912-2-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-3-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-4-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-5-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-6-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-7-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-8-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-9-0x00007FFC05B10000-0x00007FFC05D05000-memory.dmp

Filesize
2.0MB

Download
memory/3912-10-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-11-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-12-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-13-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-14-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-15-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-16-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-17-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-18-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-19-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download
memory/3912-20-0x0000000140000000-0x00000001415DF000-memory.dmp

Filesize
21.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads