Overview

overview

10

Static

static

3

perm.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    15-12-2024 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    perm.exe

  • Size

    4.6MB

  • MD5

    cd15473be3b87cf2f089fe3a652d0d08

  • SHA1

    5fecdc548d7c9e134940509d4b002dd36deda1ef

  • SHA256

    27088c28c0f31bf50d35890675acb14a9da0b2bf574a03c79040e640bd1fbe96

  • SHA512

    cdd2f2dbc59942999082bd62bd869b66bf80b525d7b7244cb6527540bb288a50844f6d078f21c319d6888d02efca5a73ed054c16a544958ef40e215a54336477

  • SSDEEP

    98304:1d7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6KM:u+y4ihkl/Wo/afHP9

Score
10/10
redlinesectopratxwormdiscoveryevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • Detect Xworm Payload 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 37 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\perm.exe
    "C:\Users\Admin\AppData\Local\Temp\perm.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im HTTPDebuggerUI.exe
        3⤵
        • Kills process with taskkill
        PID:3716
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im HTTPDebuggerSvc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:4072
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Ida64.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:4272
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im OllyDbg.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:1920
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Dbg64.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:4776
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Dbg32.exe
        3⤵
        • Kills process with taskkill
        PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\SysWOW64\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3316
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:548
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:4268
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        PID:4648
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im HTTPDebuggerUI.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:2176
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4544
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im HTTPDebuggerSvc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:4300
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
        PID:524
        • C:\Windows\SysWOW64\sc.exe
          sc stop HTTPDebuggerPro
          3⤵
          • Launches sc.exe
          PID:1120
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3084
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          PID:4908
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        2⤵
          PID:2140
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:2748
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1736
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
            3⤵
            • Kills process with taskkill
            PID:3288
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2724
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:4924
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3164
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:3108
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
          2⤵
            PID:956
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
              3⤵
              • Kills process with taskkill
              PID:1676
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
            2⤵
              PID:3448
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                3⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                PID:3768
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
              2⤵
              • System Location Discovery: System Language Discovery
              PID:3208
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                3⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                PID:3668
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
              2⤵
                PID:2112
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  PID:2592
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
                2⤵
                • System Location Discovery: System Language Discovery
                PID:4632
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  PID:3224
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
                2⤵
                  PID:1212
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Kills process with taskkill
                    PID:4120
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2492
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Kills process with taskkill
                    PID:4516
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
                  2⤵
                    PID:3028
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Kills process with taskkill
                      PID:2848
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
                    2⤵
                      PID:668
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop HTTPDebuggerPro
                        3⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:3540
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:3856
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop HTTPDebuggerProSdk
                        3⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:4636
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:4572
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop KProcessHacker3
                        3⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:5112
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:4432
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop KProcessHacker2
                        3⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:3848
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:412
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        3⤵
                          PID:2964
                        • C:\Windows\SysWOW64\sc.exe
                          sc stop KProcessHacker1
                          3⤵
                          • Launches sc.exe
                          PID:4092
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /c sc stop wireshark >nul 2>&1
                        2⤵
                          PID:2124
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            3⤵
                              PID:3316
                            • C:\Windows\SysWOW64\sc.exe
                              sc stop wireshark
                              3⤵
                              • Launches sc.exe
                              • System Location Discovery: System Language Discovery
                              PID:3992
                          • C:\Windows\SysWOW64\cmd.exe
                            "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:1624
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /f /im HTTPDebuggerUI.exe
                              3⤵
                              • System Location Discovery: System Language Discovery
                              • Kills process with taskkill
                              PID:3248
                          • C:\Windows\SysWOW64\cmd.exe
                            "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
                            2⤵
                              PID:2596
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /f /im HTTPDebuggerSvc.exe
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • Kills process with taskkill
                                PID:3112
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:400
                              • C:\Windows\SysWOW64\sc.exe
                                sc stop HTTPDebuggerPro
                                3⤵
                                • Launches sc.exe
                                PID:2268
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:2652
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • Kills process with taskkill
                                PID:2484
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:4004
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • Kills process with taskkill
                                PID:1068
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
                              2⤵
                                PID:4564
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                  3⤵
                                  • Kills process with taskkill
                                  PID:2988
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:1448
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  • Kills process with taskkill
                                  PID:1032
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:3228
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
                                  3⤵
                                  • Kills process with taskkill
                                  PID:2224
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:2656
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
                                  3⤵
                                  • Kills process with taskkill
                                  PID:936
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                2⤵
                                  PID:1960
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                    3⤵
                                    • Kills process with taskkill
                                    PID:2724
                                • C:\Windows\SysWOW64\cmd.exe
                                  "cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3704
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /FI "IMAGENAME eq die*" /IM * /F /T
                                    3⤵
                                    • Kills process with taskkill
                                    PID:896
                                • C:\Windows\SysWOW64\cmd.exe
                                  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1084
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /f /im HTTPDebuggerSvc.exe
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    • Kills process with taskkill
                                    PID:956
                                • C:\Windows\SysWOW64\cmd.exe
                                  "cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1
                                  2⤵
                                    PID:1636
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /f /im HTTPDebugger.exe
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Kills process with taskkill
                                      PID:3448
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4344
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /f /im FolderChangesView.exe
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Kills process with taskkill
                                      PID:3812

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/1204-0-0x000000007533E000-0x000000007533F000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1204-1-0x0000000000B60000-0x0000000000FFE000-memory.dmp

                                  Filesize

                                  4.6MB

                                  Download

                                • memory/1204-2-0x0000000075330000-0x0000000075AE1000-memory.dmp

                                  Filesize

                                  7.7MB

                                  Download

                                • memory/1204-3-0x0000000005A40000-0x0000000005AD4000-memory.dmp

                                  Filesize

                                  592KB

                                  Download

                                • memory/1204-4-0x0000000005D40000-0x0000000005DA6000-memory.dmp

                                  Filesize

                                  408KB

                                  Download

                                • memory/1204-5-0x0000000006360000-0x0000000006906000-memory.dmp

                                  Filesize

                                  5.6MB

                                  Download

                                • memory/1204-6-0x000000007533E000-0x000000007533F000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1204-7-0x0000000075330000-0x0000000075AE1000-memory.dmp

                                  Filesize

                                  7.7MB

                                  Download