b2b7d96216d875fb341fac6c974dc9852057660a24963782c84cb9179141419f

Analysis

max time kernel
47s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vision Spoofer - Run me as ADMIN.exe
Size

26KB
MD5

69a5e2ee3c51fbc861a219c02f7a1cc3
SHA1

ac608bf8c0a18130c799e5d1bf8670d1b09e8274
SHA256

b2b7d96216d875fb341fac6c974dc9852057660a24963782c84cb9179141419f
SHA512

f5399a925b12398486899a36a982ad168c07b14e6a14c50015440cb7470679a0d02297af845fda0a8f51d8b9e08336ecb3d61edd60f7e01fa956527ed1fceeff
SSDEEP

768:5KfV9VcYqCzylar/3DB1qx8Ztmjnt1KI3ngU:YVJz1Km03Lg

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1348	sc.exe
4048	sc.exe
3928	sc.exe
1212	sc.exe
2792	sc.exe
1700	sc.exe
4856	sc.exe
4924	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4780	4484	WerFault.exe	15

Kills process with taskkill 48 IoCs

evasion

pid	Process
3508	taskkill.exe
3200	taskkill.exe
3192	taskkill.exe
4356	taskkill.exe
3484	taskkill.exe
3100	taskkill.exe
4216	taskkill.exe
4224	taskkill.exe
2172	taskkill.exe
448	taskkill.exe
2692	taskkill.exe
3192	taskkill.exe
4296	taskkill.exe
4068	taskkill.exe
1296	taskkill.exe
4896	taskkill.exe
4084	taskkill.exe
2692	taskkill.exe
4512	taskkill.exe
4756	taskkill.exe
3200	taskkill.exe
3456	taskkill.exe
1832	taskkill.exe
1672	taskkill.exe
4920	taskkill.exe
4136	taskkill.exe
4188	taskkill.exe
4220	taskkill.exe
4076	taskkill.exe
4944	taskkill.exe
220	taskkill.exe
224	taskkill.exe
1564	taskkill.exe
1092	taskkill.exe
1548	taskkill.exe
2248	taskkill.exe
716	taskkill.exe
3488	taskkill.exe
1864	taskkill.exe
4952	taskkill.exe
1216	taskkill.exe
5012	taskkill.exe
3736	taskkill.exe
2952	taskkill.exe
5092	taskkill.exe
4732	taskkill.exe
1952	taskkill.exe
4204	taskkill.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4500	4692	Vision Spoofer - Run me as ADMIN.exe	85
PID 4692 wrote to memory of 4500	4692	Vision Spoofer - Run me as ADMIN.exe	85
PID 4500 wrote to memory of 4356	4500	cmd.exe	86
PID 4500 wrote to memory of 4356	4500	cmd.exe	86
PID 4692 wrote to memory of 384	4692	Vision Spoofer - Run me as ADMIN.exe	87
PID 4692 wrote to memory of 384	4692	Vision Spoofer - Run me as ADMIN.exe	87
PID 384 wrote to memory of 448	384	cmd.exe	88
PID 384 wrote to memory of 448	384	cmd.exe	88
PID 4692 wrote to memory of 4256	4692	Vision Spoofer - Run me as ADMIN.exe	89
PID 4692 wrote to memory of 4256	4692	Vision Spoofer - Run me as ADMIN.exe	89
PID 4256 wrote to memory of 4920	4256	cmd.exe	90
PID 4256 wrote to memory of 4920	4256	cmd.exe	90
PID 4692 wrote to memory of 2172	4692	Vision Spoofer - Run me as ADMIN.exe	91
PID 4692 wrote to memory of 2172	4692	Vision Spoofer - Run me as ADMIN.exe	91
PID 2172 wrote to memory of 3928	2172	cmd.exe	93
PID 2172 wrote to memory of 3928	2172	cmd.exe	93
PID 4692 wrote to memory of 1688	4692	Vision Spoofer - Run me as ADMIN.exe	92
PID 4692 wrote to memory of 1688	4692	Vision Spoofer - Run me as ADMIN.exe	92
PID 1688 wrote to memory of 4136	1688	cmd.exe	94
PID 1688 wrote to memory of 4136	1688	cmd.exe	94
PID 4692 wrote to memory of 536	4692	Vision Spoofer - Run me as ADMIN.exe	95
PID 4692 wrote to memory of 536	4692	Vision Spoofer - Run me as ADMIN.exe	95
PID 536 wrote to memory of 4188	536	cmd.exe	96
PID 536 wrote to memory of 4188	536	cmd.exe	96
PID 4692 wrote to memory of 216	4692	Vision Spoofer - Run me as ADMIN.exe	97
PID 4692 wrote to memory of 216	4692	Vision Spoofer - Run me as ADMIN.exe	97
PID 216 wrote to memory of 5092	216	cmd.exe	98
PID 216 wrote to memory of 5092	216	cmd.exe	98
PID 4692 wrote to memory of 2524	4692	Vision Spoofer - Run me as ADMIN.exe	99
PID 4692 wrote to memory of 2524	4692	Vision Spoofer - Run me as ADMIN.exe	99
PID 2524 wrote to memory of 2692	2524	cmd.exe	100
PID 2524 wrote to memory of 2692	2524	cmd.exe	100
PID 4692 wrote to memory of 3808	4692	Vision Spoofer - Run me as ADMIN.exe	101
PID 4692 wrote to memory of 3808	4692	Vision Spoofer - Run me as ADMIN.exe	101
PID 3808 wrote to memory of 3508	3808	cmd.exe	102
PID 3808 wrote to memory of 3508	3808	cmd.exe	102
PID 4692 wrote to memory of 1644	4692	Vision Spoofer - Run me as ADMIN.exe	103
PID 4692 wrote to memory of 1644	4692	Vision Spoofer - Run me as ADMIN.exe	103
PID 1644 wrote to memory of 3200	1644	cmd.exe	104
PID 1644 wrote to memory of 3200	1644	cmd.exe	104
PID 4692 wrote to memory of 3184	4692	Vision Spoofer - Run me as ADMIN.exe	105
PID 4692 wrote to memory of 3184	4692	Vision Spoofer - Run me as ADMIN.exe	105
PID 3184 wrote to memory of 1212	3184	cmd.exe	106
PID 3184 wrote to memory of 1212	3184	cmd.exe	106
PID 4692 wrote to memory of 3328	4692	Vision Spoofer - Run me as ADMIN.exe	107
PID 4692 wrote to memory of 3328	4692	Vision Spoofer - Run me as ADMIN.exe	107
PID 3328 wrote to memory of 3192	3328	cmd.exe	108
PID 3328 wrote to memory of 3192	3328	cmd.exe	108
PID 4692 wrote to memory of 1664	4692	Vision Spoofer - Run me as ADMIN.exe	109
PID 4692 wrote to memory of 1664	4692	Vision Spoofer - Run me as ADMIN.exe	109
PID 1664 wrote to memory of 3484	1664	cmd.exe	110
PID 1664 wrote to memory of 3484	1664	cmd.exe	110
PID 4692 wrote to memory of 3032	4692	Vision Spoofer - Run me as ADMIN.exe	111
PID 4692 wrote to memory of 3032	4692	Vision Spoofer - Run me as ADMIN.exe	111
PID 3032 wrote to memory of 716	3032	cmd.exe	112
PID 3032 wrote to memory of 716	3032	cmd.exe	112
PID 4692 wrote to memory of 3428	4692	Vision Spoofer - Run me as ADMIN.exe	113
PID 4692 wrote to memory of 3428	4692	Vision Spoofer - Run me as ADMIN.exe	113
PID 3428 wrote to memory of 3488	3428	cmd.exe	114
PID 3428 wrote to memory of 3488	3428	cmd.exe	114
PID 4692 wrote to memory of 3908	4692	Vision Spoofer - Run me as ADMIN.exe	115
PID 4692 wrote to memory of 3908	4692	Vision Spoofer - Run me as ADMIN.exe	115
PID 3908 wrote to memory of 4512	3908	cmd.exe	116
PID 3908 wrote to memory of 4512	3908	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\Vision Spoofer - Run me as ADMIN.exe
"C:\Users\Admin\AppData\Local\Temp\Vision Spoofer - Run me as ADMIN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ksdumperclient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ksdumperclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im folderviewerud.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im folderviewerud.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ksdumperclient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ksdumperclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im folderviewerud.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im folderviewerud.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ksdumperclient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ksdumperclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im folderviewerud.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im folderviewerud.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2472
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4560
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5048
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3568
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ksdumperclient.exe >nul 2>&1
  2⤵
  PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ksdumperclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im folderviewerud.exe >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im folderviewerud.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5060
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2136
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4648
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ksdumperclient.exe >nul 2>&1
  2⤵
  PID:1736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ksdumperclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im folderviewerud.exe >nul 2>&1
  2⤵
  PID:3948
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im folderviewerud.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4824
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4788
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4500
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3284
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4620
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ksdumperclient.exe >nul 2>&1
  2⤵
  PID:3928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ksdumperclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im folderviewerud.exe >nul 2>&1
  2⤵
  PID:2680
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im folderviewerud.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3520
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3764
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 2
  2⤵
  PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ksdumperclient.exe >nul 2>&1
  2⤵
  PID:4268
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ksdumperclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im folderviewerud.exe >nul 2>&1
  2⤵
  PID:4196
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im folderviewerud.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:2364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2220
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4300
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4628
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ksdumperclient.exe >nul 2>&1
  2⤵
  PID:4796
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ksdumperclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im folderviewerud.exe >nul 2>&1
  2⤵
  PID:3688
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im folderviewerud.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:2780
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1340
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:672
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1708
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2248

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4484 -ip 4484
1⤵
PID:2120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4484 -s 488
1⤵
- Program crash
PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-144-0x0000000000000000-mapping.dmp

Download
memory/384-134-0x0000000000000000-mapping.dmp

Download
memory/448-135-0x0000000000000000-mapping.dmp

Download
memory/536-142-0x0000000000000000-mapping.dmp

Download
memory/716-159-0x0000000000000000-mapping.dmp

Download
memory/820-164-0x0000000000000000-mapping.dmp

Download
memory/928-175-0x0000000000000000-mapping.dmp

Download
memory/1088-178-0x0000000000000000-mapping.dmp

Download
memory/1212-153-0x0000000000000000-mapping.dmp

Download
memory/1216-177-0x0000000000000000-mapping.dmp

Download
memory/1296-189-0x0000000000000000-mapping.dmp

Download
memory/1500-176-0x0000000000000000-mapping.dmp

Download
memory/1644-150-0x0000000000000000-mapping.dmp

Download
memory/1664-156-0x0000000000000000-mapping.dmp

Download
memory/1688-140-0x0000000000000000-mapping.dmp

Download
memory/1700-183-0x0000000000000000-mapping.dmp

Download
memory/1712-180-0x0000000000000000-mapping.dmp

Download
memory/1736-190-0x0000000000000000-mapping.dmp

Download
memory/1952-181-0x0000000000000000-mapping.dmp

Download
memory/2136-186-0x0000000000000000-mapping.dmp

Download
memory/2172-138-0x0000000000000000-mapping.dmp

Download
memory/2424-184-0x0000000000000000-mapping.dmp

Download
memory/2472-166-0x0000000000000000-mapping.dmp

Download
memory/2524-146-0x0000000000000000-mapping.dmp

Download
memory/2692-147-0x0000000000000000-mapping.dmp

Download
memory/2792-167-0x0000000000000000-mapping.dmp

Download
memory/3032-158-0x0000000000000000-mapping.dmp

Download
memory/3100-169-0x0000000000000000-mapping.dmp

Download
memory/3184-152-0x0000000000000000-mapping.dmp

Download
memory/3192-155-0x0000000000000000-mapping.dmp

Download
memory/3200-151-0x0000000000000000-mapping.dmp

Download
memory/3328-154-0x0000000000000000-mapping.dmp

Download
memory/3428-160-0x0000000000000000-mapping.dmp

Download
memory/3484-157-0x0000000000000000-mapping.dmp

Download
memory/3488-161-0x0000000000000000-mapping.dmp

Download
memory/3508-149-0x0000000000000000-mapping.dmp

Download
memory/3568-172-0x0000000000000000-mapping.dmp

Download
memory/3808-148-0x0000000000000000-mapping.dmp

Download
memory/3908-162-0x0000000000000000-mapping.dmp

Download
memory/3928-139-0x0000000000000000-mapping.dmp

Download
memory/3948-192-0x0000000000000000-mapping.dmp

Download
memory/4068-185-0x0000000000000000-mapping.dmp

Download
memory/4076-193-0x0000000000000000-mapping.dmp

Download
memory/4128-174-0x0000000000000000-mapping.dmp

Download
memory/4136-141-0x0000000000000000-mapping.dmp

Download
memory/4188-143-0x0000000000000000-mapping.dmp

Download
memory/4216-179-0x0000000000000000-mapping.dmp

Download
memory/4220-187-0x0000000000000000-mapping.dmp

Download
memory/4224-191-0x0000000000000000-mapping.dmp

Download
memory/4256-136-0x0000000000000000-mapping.dmp

Download
memory/4296-173-0x0000000000000000-mapping.dmp

Download
memory/4356-133-0x0000000000000000-mapping.dmp

Download
memory/4500-132-0x0000000000000000-mapping.dmp

Download
memory/4512-163-0x0000000000000000-mapping.dmp

Download
memory/4560-168-0x0000000000000000-mapping.dmp

Download
memory/4648-188-0x0000000000000000-mapping.dmp

Download
memory/4732-165-0x0000000000000000-mapping.dmp

Download
memory/4824-194-0x0000000000000000-mapping.dmp

Download
memory/4896-195-0x0000000000000000-mapping.dmp

Download
memory/4920-137-0x0000000000000000-mapping.dmp

Download
memory/4952-171-0x0000000000000000-mapping.dmp

Download
memory/5048-170-0x0000000000000000-mapping.dmp

Download
memory/5060-182-0x0000000000000000-mapping.dmp

Download
memory/5092-145-0x0000000000000000-mapping.dmp

Download