hxxps://drive[.]proton[.]me/urls/G6EWGR2E10#ShHyZoPBGvWA

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.proton.me/urls/G6EWGR2E10#ShHyZoPBGvWA

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5976	sc.exe
2768	sc.exe
3736	sc.exe
3596	sc.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
4104	taskkill.exe
4152	taskkill.exe
5316	taskkill.exe
3448	taskkill.exe
2316	taskkill.exe
2212	taskkill.exe
2976	taskkill.exe
3372	taskkill.exe
5528	taskkill.exe
6012	taskkill.exe
6004	taskkill.exe
5992	taskkill.exe
5692	taskkill.exe
5984	taskkill.exe
5648	taskkill.exe
4144	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5732	Unlock tool (Newest).exe
5732	Unlock tool (Newest).exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	6012	taskkill.exe
Token: SeDebugPrivilege	6004	taskkill.exe
Token: SeDebugPrivilege	5992	taskkill.exe
Token: SeDebugPrivilege	5984	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	5316	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	3372	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	5648	taskkill.exe
Token: SeDebugPrivilege	5528	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	5692	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5732	Unlock tool (Newest).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5732 wrote to memory of 5844	5732	Unlock tool (Newest).exe	125
PID 5732 wrote to memory of 5844	5732	Unlock tool (Newest).exe	125
PID 5732 wrote to memory of 5852	5732	Unlock tool (Newest).exe	126
PID 5732 wrote to memory of 5852	5732	Unlock tool (Newest).exe	126
PID 5732 wrote to memory of 5860	5732	Unlock tool (Newest).exe	127
PID 5732 wrote to memory of 5860	5732	Unlock tool (Newest).exe	127
PID 5732 wrote to memory of 5868	5732	Unlock tool (Newest).exe	128
PID 5732 wrote to memory of 5868	5732	Unlock tool (Newest).exe	128
PID 5732 wrote to memory of 5876	5732	Unlock tool (Newest).exe	129
PID 5732 wrote to memory of 5876	5732	Unlock tool (Newest).exe	129
PID 5732 wrote to memory of 5884	5732	Unlock tool (Newest).exe	130
PID 5732 wrote to memory of 5884	5732	Unlock tool (Newest).exe	130
PID 5732 wrote to memory of 5892	5732	Unlock tool (Newest).exe	131
PID 5732 wrote to memory of 5892	5732	Unlock tool (Newest).exe	131
PID 5868 wrote to memory of 5976	5868	cmd.exe	132
PID 5868 wrote to memory of 5976	5868	cmd.exe	132
PID 5876 wrote to memory of 5984	5876	cmd.exe	135
PID 5876 wrote to memory of 5984	5876	cmd.exe	135
PID 5852 wrote to memory of 5992	5852	cmd.exe	133
PID 5852 wrote to memory of 5992	5852	cmd.exe	133
PID 5844 wrote to memory of 6004	5844	cmd.exe	134
PID 5844 wrote to memory of 6004	5844	cmd.exe	134
PID 5860 wrote to memory of 6012	5860	cmd.exe	136
PID 5860 wrote to memory of 6012	5860	cmd.exe	136
PID 5892 wrote to memory of 6024	5892	cmd.exe	137
PID 5892 wrote to memory of 6024	5892	cmd.exe	137
PID 5732 wrote to memory of 3848	5732	Unlock tool (Newest).exe	138
PID 5732 wrote to memory of 3848	5732	Unlock tool (Newest).exe	138
PID 5732 wrote to memory of 4784	5732	Unlock tool (Newest).exe	139
PID 5732 wrote to memory of 4784	5732	Unlock tool (Newest).exe	139
PID 5732 wrote to memory of 5192	5732	Unlock tool (Newest).exe	140
PID 5732 wrote to memory of 5192	5732	Unlock tool (Newest).exe	140
PID 5732 wrote to memory of 5132	5732	Unlock tool (Newest).exe	141
PID 5732 wrote to memory of 5132	5732	Unlock tool (Newest).exe	141
PID 5732 wrote to memory of 5140	5732	Unlock tool (Newest).exe	142
PID 5732 wrote to memory of 5140	5732	Unlock tool (Newest).exe	142
PID 5732 wrote to memory of 5144	5732	Unlock tool (Newest).exe	143
PID 5732 wrote to memory of 5144	5732	Unlock tool (Newest).exe	143
PID 3848 wrote to memory of 4152	3848	cmd.exe	144
PID 3848 wrote to memory of 4152	3848	cmd.exe	144
PID 5192 wrote to memory of 2316	5192	cmd.exe	145
PID 5192 wrote to memory of 2316	5192	cmd.exe	145
PID 5140 wrote to memory of 5316	5140	cmd.exe	146
PID 5140 wrote to memory of 5316	5140	cmd.exe	146
PID 5132 wrote to memory of 2768	5132	cmd.exe	147
PID 5132 wrote to memory of 2768	5132	cmd.exe	147
PID 4784 wrote to memory of 2212	4784	cmd.exe	148
PID 4784 wrote to memory of 2212	4784	cmd.exe	148
PID 5732 wrote to memory of 2744	5732	Unlock tool (Newest).exe	149
PID 5732 wrote to memory of 2744	5732	Unlock tool (Newest).exe	149
PID 5732 wrote to memory of 1708	5732	Unlock tool (Newest).exe	150
PID 5732 wrote to memory of 1708	5732	Unlock tool (Newest).exe	150
PID 5732 wrote to memory of 5104	5732	Unlock tool (Newest).exe	151
PID 5732 wrote to memory of 5104	5732	Unlock tool (Newest).exe	151
PID 5732 wrote to memory of 2992	5732	Unlock tool (Newest).exe	152
PID 5732 wrote to memory of 2992	5732	Unlock tool (Newest).exe	152
PID 5732 wrote to memory of 208	5732	Unlock tool (Newest).exe	153
PID 5732 wrote to memory of 208	5732	Unlock tool (Newest).exe	153
PID 5732 wrote to memory of 1664	5732	Unlock tool (Newest).exe	154
PID 5732 wrote to memory of 1664	5732	Unlock tool (Newest).exe	154
PID 5732 wrote to memory of 5332	5732	Unlock tool (Newest).exe	155
PID 5732 wrote to memory of 5332	5732	Unlock tool (Newest).exe	155
PID 5732 wrote to memory of 5292	5732	Unlock tool (Newest).exe	156
PID 5732 wrote to memory of 5292	5732	Unlock tool (Newest).exe	156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.proton.me/urls/G6EWGR2E10#ShHyZoPBGvWA
1⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4864 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4496 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5744 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5740 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte8979744h9cf5h4f6fhbff9h2b6cc242392d
1⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6064 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5716 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6644 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5512 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6892 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:5644

C:\Users\Admin\Downloads\Unlock tool (Newest).exe
"C:\Users\Admin\Downloads\Unlock tool (Newest).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5732
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5852
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5860
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6012
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5868
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5876
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5984
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Unlock tool (Newest).exe" MD5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5892
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Downloads\Unlock tool (Newest).exe" MD5
    3⤵
    PID:6024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5192
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5132
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2768
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5140
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5316
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1708
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5104
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2992
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3596
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5692
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1664
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5292
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2436
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5648
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1740
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5212
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5732-0-0x00007FF61F90B000-0x00007FF620015000-memory.dmp

Filesize
7.0MB

Download
memory/5732-1-0x00007FFCC1590000-0x00007FFCC1592000-memory.dmp

Filesize
8KB

Download
memory/5732-2-0x00007FF61F820000-0x00007FF6209E1000-memory.dmp

Filesize
17.8MB

Download
memory/5732-6-0x00007FF61F820000-0x00007FF6209E1000-memory.dmp

Filesize
17.8MB

Download
memory/5732-7-0x00007FF61F820000-0x00007FF6209E1000-memory.dmp

Filesize
17.8MB

Download
memory/5732-8-0x00007FF61F90B000-0x00007FF620015000-memory.dmp

Filesize
7.0MB

Download
memory/5732-9-0x00007FF61F820000-0x00007FF6209E1000-memory.dmp

Filesize
17.8MB

Download