Analysis Overview
SHA256
c1de91c5094d5821b7493dd8db39b14a2c286b3b14215b5e90e97527d1864bd7
Threat Level: Known bad
The file lxJWhxw.exe was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Bazar/Team9 Backdoor payload
Nirsoft
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Themida packer
Checks BIOS information in registry
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: RenamesItself
Kills process with taskkill
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
NTFS ADS
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-08 18:17
Signatures
Themida packer
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-08 18:17
Reported
2022-09-08 18:19
Platform
win10v2004-20220812-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe | N/A |
Nirsoft
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\update.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\update.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe | N/A |
| N/A | N/A | C:\Windows\system32\certutil.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\update.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Themida packer
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Downloads\update.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\update.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0f8a992d-16af-451a-8a6d-ed79b25556ad.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220908201816.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 21839.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe
"C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe" MD5
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/920160935023362120/1016575229683834940/update.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc59846f8,0x7ffcc5984708,0x7ffcc5984718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5408 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff655505460,0x7ff655505470,0x7ff655505480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\update.exe
"C:\Users\Admin\Downloads\update.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 5584 -ip 5584
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5584 -s 752
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\update.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\unnamed_logs.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\un.ini
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1264 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.64.136.33:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49829 | N/A | tcp |
| N/A | 127.0.0.1:49831 | N/A | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| NL | 20.73.130.64:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | smartscreen-prod.microsoft.com | udp |
| IE | 20.82.250.189:443 | smartscreen-prod.microsoft.com | tcp |
| IE | 20.82.250.189:443 | smartscreen-prod.microsoft.com | tcp |
| IE | 20.82.250.189:443 | smartscreen-prod.microsoft.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| NL | 20.73.130.64:443 | nav.smartscreen.microsoft.com | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| NL | 20.73.130.64:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| IE | 20.82.250.189:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 13.107.21.200:443 | www.bing.com | tcp |
| US | 204.79.197.239:443 | N/A | tcp |
| NL | 95.101.78.82:80 | N/A | tcp |
| NL | 95.101.78.82:80 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 104.80.225.205:443 | N/A | tcp |
| FR | 51.11.192.48:443 | N/A | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| NL | 23.73.0.144:443 | N/A | tcp |
| NL | 23.73.0.144:443 | N/A | tcp |
| NL | 23.73.0.144:443 | assets.msn.com | tcp |
| NL | 23.73.0.144:443 | assets.msn.com | tcp |
| NL | 23.73.0.144:443 | N/A | tcp |
| NL | 65.9.86.26:443 | N/A | tcp |
| FR | 2.22.22.128:443 | N/A | tcp |
| IE | 20.234.93.27:443 | N/A | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 204.79.197.239:443 | N/A | tcp |
| NL | 104.109.143.22:443 | deff.nelreports.net | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 172.64.136.33:443 | keyauth.win | tcp |
| US | 172.64.136.33:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:50413 | N/A | tcp |
| N/A | 127.0.0.1:50415 | N/A | tcp |
| N/A | 127.0.0.1:50418 | N/A | tcp |
| N/A | 127.0.0.1:50420 | N/A | tcp |
| N/A | 127.0.0.1:50423 | N/A | tcp |
| N/A | 127.0.0.1:50425 | N/A | tcp |
| US | 172.64.136.33:443 | keyauth.win | tcp |
| US | 204.79.197.239:443 | N/A | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| NL | 104.109.143.5:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
memory/4476-132-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-133-0x00007FFCE2BF0000-0x00007FFCE2DE5000-memory.dmp
memory/4476-134-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-135-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-136-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-137-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-139-0x00007FFCA2C70000-0x00007FFCA2C80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
| MD5 | 9c236122ccef6d656ab48148c0aff1db |
| SHA1 | e34489ce487a26a81feb394720e757b5275e6909 |
| SHA256 | ad9b423d81d1a1799809039445e6d3051224e49725ba1485a779fbcd56beeefb |
| SHA512 | 8ee11b7bf06e9860229005687bcfc20fd0836bb5e0f2796936a0086281a4a21a8b74740456700f2ea1ff3c9fd5d2b5a79c034805101aeb984bafaae72479f97c |
memory/4476-140-0x00007FFCA2C70000-0x00007FFCA2C80000-memory.dmp
memory/4476-141-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-142-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-143-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/3408-144-0x0000000000000000-mapping.dmp
memory/3648-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
| MD5 | 9c236122ccef6d656ab48148c0aff1db |
| SHA1 | e34489ce487a26a81feb394720e757b5275e6909 |
| SHA256 | ad9b423d81d1a1799809039445e6d3051224e49725ba1485a779fbcd56beeefb |
| SHA512 | 8ee11b7bf06e9860229005687bcfc20fd0836bb5e0f2796936a0086281a4a21a8b74740456700f2ea1ff3c9fd5d2b5a79c034805101aeb984bafaae72479f97c |
memory/5000-147-0x0000000000000000-mapping.dmp
memory/5084-148-0x0000000000000000-mapping.dmp
memory/2664-149-0x0000000000000000-mapping.dmp
memory/3192-150-0x0000000000000000-mapping.dmp
memory/2692-151-0x0000000000000000-mapping.dmp
memory/1160-152-0x0000000000000000-mapping.dmp
memory/4304-153-0x0000000000000000-mapping.dmp
memory/2104-154-0x0000000000000000-mapping.dmp
memory/1152-155-0x0000000000000000-mapping.dmp
memory/3124-156-0x0000000000000000-mapping.dmp
memory/4504-157-0x0000000000000000-mapping.dmp
memory/4256-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
| MD5 | 9c236122ccef6d656ab48148c0aff1db |
| SHA1 | e34489ce487a26a81feb394720e757b5275e6909 |
| SHA256 | ad9b423d81d1a1799809039445e6d3051224e49725ba1485a779fbcd56beeefb |
| SHA512 | 8ee11b7bf06e9860229005687bcfc20fd0836bb5e0f2796936a0086281a4a21a8b74740456700f2ea1ff3c9fd5d2b5a79c034805101aeb984bafaae72479f97c |
memory/2924-160-0x0000000000000000-mapping.dmp
memory/3920-161-0x0000000000000000-mapping.dmp
memory/1556-162-0x0000000000000000-mapping.dmp
memory/1456-163-0x0000000000000000-mapping.dmp
memory/3856-164-0x0000000000000000-mapping.dmp
memory/4272-165-0x0000000000000000-mapping.dmp
memory/2232-166-0x0000000000000000-mapping.dmp
memory/2092-167-0x0000000000000000-mapping.dmp
memory/1984-168-0x0000000000000000-mapping.dmp
memory/3604-169-0x0000000000000000-mapping.dmp
memory/3952-170-0x0000000000000000-mapping.dmp
memory/3960-171-0x0000000000000000-mapping.dmp
memory/4336-172-0x0000000000000000-mapping.dmp
memory/5008-173-0x0000000000000000-mapping.dmp
memory/2600-174-0x0000000000000000-mapping.dmp
memory/1972-175-0x0000000000000000-mapping.dmp
memory/3524-176-0x0000000000000000-mapping.dmp
memory/4484-177-0x0000000000000000-mapping.dmp
memory/4804-178-0x0000000000000000-mapping.dmp
memory/4480-179-0x0000000000000000-mapping.dmp
memory/4964-180-0x0000000000000000-mapping.dmp
memory/4020-181-0x0000000000000000-mapping.dmp
memory/2344-182-0x0000000000000000-mapping.dmp
memory/4808-183-0x0000000000000000-mapping.dmp
memory/1960-184-0x0000000000000000-mapping.dmp
memory/1888-185-0x0000000000000000-mapping.dmp
memory/3284-186-0x0000000000000000-mapping.dmp
memory/3984-187-0x0000000000000000-mapping.dmp
memory/4148-188-0x0000000000000000-mapping.dmp
memory/2168-189-0x0000000000000000-mapping.dmp
memory/4048-190-0x0000000000000000-mapping.dmp
memory/4684-191-0x0000000000000000-mapping.dmp
memory/3012-192-0x0000000000000000-mapping.dmp
memory/3028-193-0x0000000000000000-mapping.dmp
memory/1100-194-0x0000000000000000-mapping.dmp
memory/3148-195-0x0000000000000000-mapping.dmp
memory/3408-196-0x0000000000000000-mapping.dmp
memory/208-197-0x0000000000000000-mapping.dmp
memory/4244-198-0x0000000000000000-mapping.dmp
memory/4600-199-0x0000000000000000-mapping.dmp
memory/4108-200-0x0000000000000000-mapping.dmp
memory/1968-201-0x0000000000000000-mapping.dmp
memory/2312-202-0x0000000000000000-mapping.dmp
memory/2328-203-0x0000000000000000-mapping.dmp
memory/1892-204-0x0000000000000000-mapping.dmp
memory/940-205-0x0000000000000000-mapping.dmp
memory/4320-206-0x0000000000000000-mapping.dmp
memory/2148-207-0x0000000000000000-mapping.dmp
memory/3576-208-0x0000000000000000-mapping.dmp
memory/2404-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
| MD5 | 9c236122ccef6d656ab48148c0aff1db |
| SHA1 | e34489ce487a26a81feb394720e757b5275e6909 |
| SHA256 | ad9b423d81d1a1799809039445e6d3051224e49725ba1485a779fbcd56beeefb |
| SHA512 | 8ee11b7bf06e9860229005687bcfc20fd0836bb5e0f2796936a0086281a4a21a8b74740456700f2ea1ff3c9fd5d2b5a79c034805101aeb984bafaae72479f97c |
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
| MD5 | 9c236122ccef6d656ab48148c0aff1db |
| SHA1 | e34489ce487a26a81feb394720e757b5275e6909 |
| SHA256 | ad9b423d81d1a1799809039445e6d3051224e49725ba1485a779fbcd56beeefb |
| SHA512 | 8ee11b7bf06e9860229005687bcfc20fd0836bb5e0f2796936a0086281a4a21a8b74740456700f2ea1ff3c9fd5d2b5a79c034805101aeb984bafaae72479f97c |
memory/3956-214-0x00007FFCA2C70000-0x00007FFCA2C80000-memory.dmp
memory/4476-215-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-217-0x00007FFCE2BF0000-0x00007FFCE2DE5000-memory.dmp
memory/4476-218-0x00007FF686CB0000-0x00007FF687A37000-memory.dmp
memory/4476-219-0x00007FFCE2BF0000-0x00007FFCE2DE5000-memory.dmp
\??\pipe\LOCAL\crashpad_2104_JGOLCTIAJJGBICJP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Downloads\update.exe
| MD5 | 27e4dfcae59564bd73bdf7bc2f10e51e |
| SHA1 | 48aedbe1072bfc093d814c589e21c8696cf58a85 |
| SHA256 | 43216e30e4f15418a8a9b037206a81a771944bcc93ca547fc7a52185dd121960 |
| SHA512 | 24ac1071354637e8de0728cc1edd1927d69a19e10d3858289a063a2df73615b04d9a2214a7d5b8dd13f927cd3968c74101e08b1c9493eb71fddd8fc1a8e02ad9 |
C:\Users\Admin\Downloads\update.exe
| MD5 | 27e4dfcae59564bd73bdf7bc2f10e51e |
| SHA1 | 48aedbe1072bfc093d814c589e21c8696cf58a85 |
| SHA256 | 43216e30e4f15418a8a9b037206a81a771944bcc93ca547fc7a52185dd121960 |
| SHA512 | 24ac1071354637e8de0728cc1edd1927d69a19e10d3858289a063a2df73615b04d9a2214a7d5b8dd13f927cd3968c74101e08b1c9493eb71fddd8fc1a8e02ad9 |
memory/5476-232-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
memory/5476-233-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
memory/5476-234-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
memory/5476-235-0x00007FFCE2BF0000-0x00007FFCE2DE5000-memory.dmp
memory/5476-236-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
memory/5476-237-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
memory/5476-239-0x00007FFCA2C70000-0x00007FFCA2C80000-memory.dmp
memory/5476-240-0x00007FFCA2C70000-0x00007FFCA2C80000-memory.dmp
C:\Users\Admin\Downloads\HookLib.dll
| MD5 | 98f49c27634711f0af5e9535b13179f5 |
| SHA1 | 4267af836b75278f22724a6864525efd60597781 |
| SHA256 | 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16 |
| SHA512 | 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad |
memory/5476-243-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
memory/5476-244-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
memory/5476-245-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
C:\Users\Admin\Downloads\HookLib.dll
| MD5 | 98f49c27634711f0af5e9535b13179f5 |
| SHA1 | 4267af836b75278f22724a6864525efd60597781 |
| SHA256 | 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16 |
| SHA512 | 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad |
C:\Users\Admin\Downloads\HookLib.dll
| MD5 | 98f49c27634711f0af5e9535b13179f5 |
| SHA1 | 4267af836b75278f22724a6864525efd60597781 |
| SHA256 | 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16 |
| SHA512 | 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad |
C:\Users\Admin\Downloads\HookLib.dll
| MD5 | 98f49c27634711f0af5e9535b13179f5 |
| SHA1 | 4267af836b75278f22724a6864525efd60597781 |
| SHA256 | 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16 |
| SHA512 | 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad |
C:\Users\Admin\Downloads\HookLib.dll
| MD5 | 98f49c27634711f0af5e9535b13179f5 |
| SHA1 | 4267af836b75278f22724a6864525efd60597781 |
| SHA256 | 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16 |
| SHA512 | 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad |
C:\Users\Admin\Downloads\HookLib.dll
| MD5 | 98f49c27634711f0af5e9535b13179f5 |
| SHA1 | 4267af836b75278f22724a6864525efd60597781 |
| SHA256 | 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16 |
| SHA512 | 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad |
memory/5476-253-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
memory/5476-254-0x00007FFCE2BF0000-0x00007FFCE2DE5000-memory.dmp
memory/5476-255-0x00007FFCA2C70000-0x00007FFCA2C80000-memory.dmp
memory/5476-256-0x00007FFCE2BF0000-0x00007FFCE2DE5000-memory.dmp
memory/5476-258-0x00007FF67C540000-0x00007FF67D310000-memory.dmp
C:\Users\Admin\Downloads\unnamed_logs.txt
| MD5 | 05c4899eba745278b926db74dc76aa61 |
| SHA1 | cb9259fcaefad8ab82513ba37fb270e99f7f4c4b |
| SHA256 | cc9e82a234856466b859ba9a8d2c59835ecb5bbb2aca740b74fea8a9778855f2 |
| SHA512 | c01c2687e48142de6bcbacf209c8804099679cc71ac19bd1d15c7ce0977f5438126658a6e9fa6143c36986bc7ea28dd91698a26f07b5d144bff8e337ed7a9cfe |