c7cd7a8939eeeef530992a9ecd73c9874282009527657b7886a56122cba047bd

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExeToolsVGBypass2PC.exe
Size

4.2MB
MD5

8675adcd1c579fbc35b39727ac782587
SHA1

310e6c01ada0529791cc0655359874ebf8f94d9d
SHA256

c7cd7a8939eeeef530992a9ecd73c9874282009527657b7886a56122cba047bd
SHA512

b063ee51782f722ba604ea90f92fa862b1b34e4d59d60ab61ecca466bca2793ee4e24f00390981963545cf59b34cfb308bd46872b1ff8b0326d33ae23dddbbc0
SSDEEP

98304:tM3sumlm7Kja4WS9WHV9I90dmlJktRHb945YQgM2:tmsnyJMd9hlCD79456M2

Score

9^/10

evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ExeToolsVGBypass2PC.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ExeToolsVGBypass2PC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ExeToolsVGBypass2PC.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1856-0-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-4-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-2-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-5-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-3-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-6-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-7-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-8-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-9-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-10-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-11-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-12-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-13-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-14-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-15-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-16-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-17-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-18-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-19-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida
behavioral2/memory/1856-20-0x0000000140000000-0x0000000140AF1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ExeToolsVGBypass2PC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1856	ExeToolsVGBypass2PC.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4592	sc.exe
2540	sc.exe
3176	sc.exe
4916	sc.exe
3116	sc.exe
1332	sc.exe
1264	sc.exe
952	sc.exe

Kills process with taskkill 15 IoCs

evasion

pid	Process
1148	taskkill.exe
5032	taskkill.exe
3800	taskkill.exe
1004	taskkill.exe
852	taskkill.exe
4964	taskkill.exe
3028	taskkill.exe
3540	taskkill.exe
2564	taskkill.exe
4768	taskkill.exe
3880	taskkill.exe
4580	taskkill.exe
672	taskkill.exe
2140	taskkill.exe
3476	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe
1856	ExeToolsVGBypass2PC.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	4580	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4000	1856	ExeToolsVGBypass2PC.exe	83
PID 1856 wrote to memory of 4000	1856	ExeToolsVGBypass2PC.exe	83
PID 1856 wrote to memory of 1976	1856	ExeToolsVGBypass2PC.exe	84
PID 1856 wrote to memory of 1976	1856	ExeToolsVGBypass2PC.exe	84
PID 1976 wrote to memory of 3740	1976	cmd.exe	85
PID 1976 wrote to memory of 3740	1976	cmd.exe	85
PID 1976 wrote to memory of 4516	1976	cmd.exe	87
PID 1976 wrote to memory of 4516	1976	cmd.exe	87
PID 4000 wrote to memory of 852	4000	cmd.exe	86
PID 4000 wrote to memory of 852	4000	cmd.exe	86
PID 1976 wrote to memory of 4476	1976	cmd.exe	88
PID 1976 wrote to memory of 4476	1976	cmd.exe	88
PID 1856 wrote to memory of 4732	1856	ExeToolsVGBypass2PC.exe	90
PID 1856 wrote to memory of 4732	1856	ExeToolsVGBypass2PC.exe	90
PID 4732 wrote to memory of 3476	4732	cmd.exe	91
PID 4732 wrote to memory of 3476	4732	cmd.exe	91
PID 1856 wrote to memory of 2180	1856	ExeToolsVGBypass2PC.exe	92
PID 1856 wrote to memory of 2180	1856	ExeToolsVGBypass2PC.exe	92
PID 2180 wrote to memory of 4916	2180	cmd.exe	93
PID 2180 wrote to memory of 4916	2180	cmd.exe	93
PID 1856 wrote to memory of 2052	1856	ExeToolsVGBypass2PC.exe	94
PID 1856 wrote to memory of 2052	1856	ExeToolsVGBypass2PC.exe	94
PID 2052 wrote to memory of 4768	2052	cmd.exe	95
PID 2052 wrote to memory of 4768	2052	cmd.exe	95
PID 1856 wrote to memory of 3708	1856	ExeToolsVGBypass2PC.exe	96
PID 1856 wrote to memory of 3708	1856	ExeToolsVGBypass2PC.exe	96
PID 3708 wrote to memory of 1148	3708	cmd.exe	97
PID 3708 wrote to memory of 1148	3708	cmd.exe	97
PID 1856 wrote to memory of 880	1856	ExeToolsVGBypass2PC.exe	98
PID 1856 wrote to memory of 880	1856	ExeToolsVGBypass2PC.exe	98
PID 880 wrote to memory of 3880	880	cmd.exe	99
PID 880 wrote to memory of 3880	880	cmd.exe	99
PID 1856 wrote to memory of 2820	1856	ExeToolsVGBypass2PC.exe	100
PID 1856 wrote to memory of 2820	1856	ExeToolsVGBypass2PC.exe	100
PID 2820 wrote to memory of 4964	2820	cmd.exe	101
PID 2820 wrote to memory of 4964	2820	cmd.exe	101
PID 1856 wrote to memory of 3720	1856	ExeToolsVGBypass2PC.exe	102
PID 1856 wrote to memory of 3720	1856	ExeToolsVGBypass2PC.exe	102
PID 3720 wrote to memory of 3028	3720	cmd.exe	103
PID 3720 wrote to memory of 3028	3720	cmd.exe	103
PID 1856 wrote to memory of 5012	1856	ExeToolsVGBypass2PC.exe	104
PID 1856 wrote to memory of 5012	1856	ExeToolsVGBypass2PC.exe	104
PID 5012 wrote to memory of 3116	5012	cmd.exe	105
PID 5012 wrote to memory of 3116	5012	cmd.exe	105
PID 1856 wrote to memory of 1260	1856	ExeToolsVGBypass2PC.exe	106
PID 1856 wrote to memory of 1260	1856	ExeToolsVGBypass2PC.exe	106
PID 1260 wrote to memory of 4580	1260	cmd.exe	107
PID 1260 wrote to memory of 4580	1260	cmd.exe	107
PID 1856 wrote to memory of 4968	1856	ExeToolsVGBypass2PC.exe	108
PID 1856 wrote to memory of 4968	1856	ExeToolsVGBypass2PC.exe	108
PID 4968 wrote to memory of 672	4968	cmd.exe	109
PID 4968 wrote to memory of 672	4968	cmd.exe	109
PID 1856 wrote to memory of 2956	1856	ExeToolsVGBypass2PC.exe	110
PID 1856 wrote to memory of 2956	1856	ExeToolsVGBypass2PC.exe	110
PID 2956 wrote to memory of 5032	2956	cmd.exe	111
PID 2956 wrote to memory of 5032	2956	cmd.exe	111
PID 1856 wrote to memory of 1420	1856	ExeToolsVGBypass2PC.exe	112
PID 1856 wrote to memory of 1420	1856	ExeToolsVGBypass2PC.exe	112
PID 1420 wrote to memory of 3540	1420	cmd.exe	113
PID 1420 wrote to memory of 3540	1420	cmd.exe	113
PID 1856 wrote to memory of 436	1856	ExeToolsVGBypass2PC.exe	114
PID 1856 wrote to memory of 436	1856	ExeToolsVGBypass2PC.exe	114
PID 436 wrote to memory of 3800	436	cmd.exe	115
PID 436 wrote to memory of 3800	436	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\ExeToolsVGBypass2PC.exe
"C:\Users\Admin\AppData\Local\Temp\ExeToolsVGBypass2PC.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ExeToolsVGBypass2PC.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ExeToolsVGBypass2PC.exe" MD5
    3⤵
    PID:3740
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4516
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4664
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:408
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3368
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:3184
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2832
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2844
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:2000
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:5000
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1856-0-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-1-0x00007FF8CB990000-0x00007FF8CB992000-memory.dmp

Filesize
8KB

Download
memory/1856-4-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-2-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-5-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-3-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-6-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-7-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-8-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-9-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-10-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-11-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-12-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-13-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-14-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-15-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-16-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-17-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-18-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-19-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download
memory/1856-20-0x0000000140000000-0x0000000140AF1000-memory.dmp

Filesize
10.9MB

Download