c7cd7a8939eeeef530992a9ecd73c9874282009527657b7886a56122cba047bd

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExeToolsVGBypass2PC.exe
Size

4.2MB
MD5

8675adcd1c579fbc35b39727ac782587
SHA1

310e6c01ada0529791cc0655359874ebf8f94d9d
SHA256

c7cd7a8939eeeef530992a9ecd73c9874282009527657b7886a56122cba047bd
SHA512

b063ee51782f722ba604ea90f92fa862b1b34e4d59d60ab61ecca466bca2793ee4e24f00390981963545cf59b34cfb308bd46872b1ff8b0326d33ae23dddbbc0
SSDEEP

98304:tM3sumlm7Kja4WS9WHV9I90dmlJktRHb945YQgM2:tmsnyJMd9hlCD79456M2

Score

9^/10

evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ExeToolsVGBypass2PC.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ExeToolsVGBypass2PC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ExeToolsVGBypass2PC.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/580-0-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-5-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-4-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-3-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-2-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-6-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-7-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-8-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-9-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-10-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-11-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-12-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-13-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-14-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-15-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-16-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-17-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-18-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-19-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral1/memory/580-20-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ExeToolsVGBypass2PC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
580	ExeToolsVGBypass2PC.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2404	sc.exe
2704	sc.exe
2192	sc.exe
2976	sc.exe
608	sc.exe
2272	sc.exe
3040	sc.exe
2092	sc.exe

Kills process with taskkill 15 IoCs

evasion

pid	Process
2616	taskkill.exe
2880	taskkill.exe
2776	taskkill.exe
3024	taskkill.exe
1512	taskkill.exe
2892	taskkill.exe
292	taskkill.exe
1956	taskkill.exe
2916	taskkill.exe
1244	taskkill.exe
2700	taskkill.exe
2904	taskkill.exe
1196	taskkill.exe
2624	taskkill.exe
2820	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe
580	ExeToolsVGBypass2PC.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	292	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 3044	580	ExeToolsVGBypass2PC.exe	32
PID 580 wrote to memory of 3044	580	ExeToolsVGBypass2PC.exe	32
PID 580 wrote to memory of 3044	580	ExeToolsVGBypass2PC.exe	32
PID 580 wrote to memory of 1580	580	ExeToolsVGBypass2PC.exe	33
PID 580 wrote to memory of 1580	580	ExeToolsVGBypass2PC.exe	33
PID 580 wrote to memory of 1580	580	ExeToolsVGBypass2PC.exe	33
PID 3044 wrote to memory of 2700	3044	cmd.exe	34
PID 3044 wrote to memory of 2700	3044	cmd.exe	34
PID 3044 wrote to memory of 2700	3044	cmd.exe	34
PID 1580 wrote to memory of 2008	1580	cmd.exe	35
PID 1580 wrote to memory of 2008	1580	cmd.exe	35
PID 1580 wrote to memory of 2008	1580	cmd.exe	35
PID 1580 wrote to memory of 2032	1580	cmd.exe	36
PID 1580 wrote to memory of 2032	1580	cmd.exe	36
PID 1580 wrote to memory of 2032	1580	cmd.exe	36
PID 1580 wrote to memory of 2716	1580	cmd.exe	37
PID 1580 wrote to memory of 2716	1580	cmd.exe	37
PID 1580 wrote to memory of 2716	1580	cmd.exe	37
PID 580 wrote to memory of 2732	580	ExeToolsVGBypass2PC.exe	39
PID 580 wrote to memory of 2732	580	ExeToolsVGBypass2PC.exe	39
PID 580 wrote to memory of 2732	580	ExeToolsVGBypass2PC.exe	39
PID 2732 wrote to memory of 2616	2732	cmd.exe	40
PID 2732 wrote to memory of 2616	2732	cmd.exe	40
PID 2732 wrote to memory of 2616	2732	cmd.exe	40
PID 580 wrote to memory of 2972	580	ExeToolsVGBypass2PC.exe	41
PID 580 wrote to memory of 2972	580	ExeToolsVGBypass2PC.exe	41
PID 580 wrote to memory of 2972	580	ExeToolsVGBypass2PC.exe	41
PID 2972 wrote to memory of 2976	2972	cmd.exe	42
PID 2972 wrote to memory of 2976	2972	cmd.exe	42
PID 2972 wrote to memory of 2976	2972	cmd.exe	42
PID 580 wrote to memory of 3008	580	ExeToolsVGBypass2PC.exe	43
PID 580 wrote to memory of 3008	580	ExeToolsVGBypass2PC.exe	43
PID 580 wrote to memory of 3008	580	ExeToolsVGBypass2PC.exe	43
PID 3008 wrote to memory of 2880	3008	cmd.exe	44
PID 3008 wrote to memory of 2880	3008	cmd.exe	44
PID 3008 wrote to memory of 2880	3008	cmd.exe	44
PID 580 wrote to memory of 2656	580	ExeToolsVGBypass2PC.exe	45
PID 580 wrote to memory of 2656	580	ExeToolsVGBypass2PC.exe	45
PID 580 wrote to memory of 2656	580	ExeToolsVGBypass2PC.exe	45
PID 2656 wrote to memory of 2892	2656	cmd.exe	46
PID 2656 wrote to memory of 2892	2656	cmd.exe	46
PID 2656 wrote to memory of 2892	2656	cmd.exe	46
PID 580 wrote to memory of 2604	580	ExeToolsVGBypass2PC.exe	47
PID 580 wrote to memory of 2604	580	ExeToolsVGBypass2PC.exe	47
PID 580 wrote to memory of 2604	580	ExeToolsVGBypass2PC.exe	47
PID 2604 wrote to memory of 2624	2604	cmd.exe	48
PID 2604 wrote to memory of 2624	2604	cmd.exe	48
PID 2604 wrote to memory of 2624	2604	cmd.exe	48
PID 580 wrote to memory of 2728	580	ExeToolsVGBypass2PC.exe	49
PID 580 wrote to memory of 2728	580	ExeToolsVGBypass2PC.exe	49
PID 580 wrote to memory of 2728	580	ExeToolsVGBypass2PC.exe	49
PID 2728 wrote to memory of 2776	2728	cmd.exe	50
PID 2728 wrote to memory of 2776	2728	cmd.exe	50
PID 2728 wrote to memory of 2776	2728	cmd.exe	50
PID 580 wrote to memory of 840	580	ExeToolsVGBypass2PC.exe	51
PID 580 wrote to memory of 840	580	ExeToolsVGBypass2PC.exe	51
PID 580 wrote to memory of 840	580	ExeToolsVGBypass2PC.exe	51
PID 840 wrote to memory of 292	840	cmd.exe	52
PID 840 wrote to memory of 292	840	cmd.exe	52
PID 840 wrote to memory of 292	840	cmd.exe	52
PID 580 wrote to memory of 1036	580	ExeToolsVGBypass2PC.exe	53
PID 580 wrote to memory of 1036	580	ExeToolsVGBypass2PC.exe	53
PID 580 wrote to memory of 1036	580	ExeToolsVGBypass2PC.exe	53
PID 1036 wrote to memory of 608	1036	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\ExeToolsVGBypass2PC.exe
"C:\Users\Admin\AppData\Local\Temp\ExeToolsVGBypass2PC.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ExeToolsVGBypass2PC.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ExeToolsVGBypass2PC.exe" MD5
    3⤵
    PID:2008
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2032
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2808
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2596
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2832
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2348
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1432
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1988
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2460
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:768
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:3036
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2408
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:1920
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:2520
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-0-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-1-0x00000000773D0000-0x00000000773D2000-memory.dmp

Filesize
8KB

Download
memory/580-5-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-4-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-3-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-2-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-6-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-7-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-8-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-9-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-10-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-11-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-12-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-13-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-14-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-15-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-16-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-17-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-18-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-19-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/580-20-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download