Analysis
-
max time kernel
39s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14-09-2022 17:50
Behavioral task
behavioral1
Sample
update.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
update.exe
Resource
win10v2004-20220812-en
General
-
Target
update.exe
-
Size
7.6MB
-
MD5
38d2e3ad694e5221b828441d82d6172d
-
SHA1
02e58b9fccb8fb01339c5f24aa26d656db389bcd
-
SHA256
3e8f5d33715f69f5297ca2750d9a9ed491749f009455217626b16f3b268dbcaf
-
SHA512
e96ca478921cb272f3b246e83b1b7a695638fb001dd05348ef4861b1842a2c49bccc4864867f99439e262fa983202056c196a2508597e2c83f4350683d5e6ea8
-
SSDEEP
196608:Bry4z4fbI39lVt1nRMT2cZlpbhQaQ9HQhMWuKej4ifJj/Fv4wkB1S:44z4MD1nS2YlUz9wTuD5/Fv4wcM
Malware Config
Signatures
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload 6 IoCs
resource yara_rule behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp BazarBackdoorVar3 behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp BazarBackdoorVar3 behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp BazarBackdoorVar3 behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp BazarBackdoorVar3 behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp BazarBackdoorVar3 behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp BazarBackdoorVar3 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ update.exe -
Nirsoft 6 IoCs
resource yara_rule behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp Nirsoft behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp Nirsoft behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp Nirsoft behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp Nirsoft behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp Nirsoft behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp Nirsoft -
Executes dropped EXE 1 IoCs
pid Process 2416 Process not Found -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion update.exe -
Loads dropped DLL 3 IoCs
pid Process 4956 update.exe 1716 Process not Found 768 certutil.exe -
resource yara_rule behavioral2/memory/4956-132-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida behavioral2/memory/4956-134-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida behavioral2/memory/4956-135-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp themida -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA update.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4956 update.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e016c754-1de6-4335-bb84-ce8afc38d962.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220914195126.pma setup.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5020 sc.exe 4032 sc.exe 1216 sc.exe 3008 sc.exe 3496 sc.exe 2476 sc.exe 2708 sc.exe 756 sc.exe 1172 sc.exe 2908 sc.exe 5024 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Kills process with taskkill 50 IoCs
pid Process 32 taskkill.exe 3792 taskkill.exe 2112 taskkill.exe 4268 taskkill.exe 764 taskkill.exe 1180 taskkill.exe 3212 taskkill.exe 4328 taskkill.exe 3964 taskkill.exe 4896 taskkill.exe 1380 taskkill.exe 3892 taskkill.exe 4660 taskkill.exe 4260 taskkill.exe 1168 taskkill.exe 3580 taskkill.exe 904 taskkill.exe 3496 taskkill.exe 2168 taskkill.exe 4224 taskkill.exe 1356 taskkill.exe 2804 taskkill.exe 764 taskkill.exe 3740 taskkill.exe 3884 taskkill.exe 4148 taskkill.exe 3148 taskkill.exe 2236 taskkill.exe 4520 taskkill.exe 992 taskkill.exe 2056 taskkill.exe 4248 taskkill.exe 4384 taskkill.exe 2068 taskkill.exe 5028 taskkill.exe 2208 taskkill.exe 404 taskkill.exe 1620 taskkill.exe 2620 taskkill.exe 5060 taskkill.exe 1476 taskkill.exe 1376 taskkill.exe 4592 taskkill.exe 4028 taskkill.exe 3176 taskkill.exe 3972 taskkill.exe 2128 taskkill.exe 2700 taskkill.exe 3588 taskkill.exe 3608 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings msedge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2132 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe 4956 update.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid Process 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4956 update.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 764 cmd.exe Token: SeDebugPrivilege 404 cmd.exe Token: SeDebugPrivilege 3892 taskkill.exe Token: SeDebugPrivilege 1356 taskkill.exe Token: SeDebugPrivilege 1620 taskkill.exe Token: SeDebugPrivilege 1180 taskkill.exe Token: SeDebugPrivilege 4660 cmd.exe Token: SeDebugPrivilege 3588 msedge.exe Token: SeDebugPrivilege 2804 taskkill.exe Token: SeDebugPrivilege 3212 taskkill.exe Token: SeDebugPrivilege 1168 taskkill.exe Token: SeDebugPrivilege 4520 taskkill.exe Token: SeDebugPrivilege 4028 taskkill.exe Token: SeDebugPrivilege 3580 taskkill.exe Token: SeDebugPrivilege 1376 msedge.exe Token: SeDebugPrivilege 4592 taskkill.exe Token: SeDebugPrivilege 3608 taskkill.exe Token: SeDebugPrivilege 4328 taskkill.exe Token: SeDebugPrivilege 904 taskkill.exe Token: SeDebugPrivilege 3964 taskkill.exe Token: SeDebugPrivilege 992 msedge.exe Token: SeDebugPrivilege 764 svchost.exe Token: SeDebugPrivilege 3496 taskkill.exe Token: SeDebugPrivilege 2056 taskkill.exe Token: SeDebugPrivilege 4248 taskkill.exe Token: SeDebugPrivilege 32 taskkill.exe Token: SeDebugPrivilege 3792 taskkill.exe Token: SeDebugPrivilege 3176 taskkill.exe Token: SeDebugPrivilege 3740 taskkill.exe Token: SeDebugPrivilege 2112 taskkill.exe Token: SeDebugPrivilege 4384 taskkill.exe Token: SeDebugPrivilege 4896 taskkill.exe Token: SeDebugPrivilege 2620 taskkill.exe Token: SeDebugPrivilege 4224 taskkill.exe Token: SeDebugPrivilege 2236 taskkill.exe Token: SeDebugPrivilege 3884 msedge.exe Token: SeDebugPrivilege 1380 taskkill.exe Token: SeDebugPrivilege 4260 taskkill.exe Token: SeDebugPrivilege 2168 taskkill.exe Token: SeDebugPrivilege 3148 taskkill.exe Token: SeDebugPrivilege 4148 taskkill.exe Token: SeDebugPrivilege 3972 setup.exe Token: SeDebugPrivilege 2068 taskkill.exe Token: SeDebugPrivilege 5060 taskkill.exe Token: SeDebugPrivilege 2128 taskkill.exe Token: SeDebugPrivilege 2700 taskkill.exe Token: SeDebugPrivilege 5028 taskkill.exe Token: SeDebugPrivilege 1476 taskkill.exe Token: SeDebugPrivilege 2208 taskkill.exe Token: SeDebugPrivilege 4268 taskkill.exe -
Suspicious use of FindShellTrayWindow 11 IoCs
pid Process 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe 3588 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4956 update.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4956 wrote to memory of 8 4956 update.exe 84 PID 4956 wrote to memory of 8 4956 update.exe 84 PID 8 wrote to memory of 764 8 cmd.exe 138 PID 8 wrote to memory of 764 8 cmd.exe 138 PID 4956 wrote to memory of 3044 4956 update.exe 86 PID 4956 wrote to memory of 3044 4956 update.exe 86 PID 3044 wrote to memory of 404 3044 cmd.exe 185 PID 3044 wrote to memory of 404 3044 cmd.exe 185 PID 4956 wrote to memory of 1216 4956 update.exe 186 PID 4956 wrote to memory of 1216 4956 update.exe 186 PID 1216 wrote to memory of 3496 1216 sc.exe 140 PID 1216 wrote to memory of 3496 1216 sc.exe 140 PID 4956 wrote to memory of 2128 4956 update.exe 189 PID 4956 wrote to memory of 2128 4956 update.exe 189 PID 2128 wrote to memory of 3892 2128 taskkill.exe 89 PID 2128 wrote to memory of 3892 2128 taskkill.exe 89 PID 4956 wrote to memory of 2244 4956 update.exe 93 PID 4956 wrote to memory of 2244 4956 update.exe 93 PID 2244 wrote to memory of 1356 2244 cmd.exe 92 PID 2244 wrote to memory of 1356 2244 cmd.exe 92 PID 4956 wrote to memory of 4004 4956 update.exe 97 PID 4956 wrote to memory of 4004 4956 update.exe 97 PID 4004 wrote to memory of 1620 4004 cmd.exe 96 PID 4004 wrote to memory of 1620 4004 cmd.exe 96 PID 4956 wrote to memory of 432 4956 update.exe 98 PID 4956 wrote to memory of 432 4956 update.exe 98 PID 432 wrote to memory of 1180 432 cmd.exe 99 PID 432 wrote to memory of 1180 432 cmd.exe 99 PID 4956 wrote to memory of 3176 4956 update.exe 151 PID 4956 wrote to memory of 3176 4956 update.exe 151 PID 3176 wrote to memory of 4660 3176 taskkill.exe 152 PID 3176 wrote to memory of 4660 3176 taskkill.exe 152 PID 4956 wrote to memory of 2360 4956 update.exe 101 PID 4956 wrote to memory of 2360 4956 update.exe 101 PID 2360 wrote to memory of 2908 2360 cmd.exe 104 PID 2360 wrote to memory of 2908 2360 cmd.exe 104 PID 4956 wrote to memory of 1856 4956 update.exe 103 PID 4956 wrote to memory of 1856 4956 update.exe 103 PID 1856 wrote to memory of 3588 1856 cmd.exe 203 PID 1856 wrote to memory of 3588 1856 cmd.exe 203 PID 4956 wrote to memory of 1020 4956 update.exe 105 PID 4956 wrote to memory of 1020 4956 update.exe 105 PID 1020 wrote to memory of 2804 1020 cmd.exe 106 PID 1020 wrote to memory of 2804 1020 cmd.exe 106 PID 4956 wrote to memory of 816 4956 update.exe 108 PID 4956 wrote to memory of 816 4956 update.exe 108 PID 816 wrote to memory of 3212 816 cmd.exe 107 PID 816 wrote to memory of 3212 816 cmd.exe 107 PID 4956 wrote to memory of 464 4956 update.exe 227 PID 4956 wrote to memory of 464 4956 update.exe 227 PID 464 wrote to memory of 1168 464 msedge.exe 111 PID 464 wrote to memory of 1168 464 msedge.exe 111 PID 4956 wrote to memory of 2620 4956 update.exe 216 PID 4956 wrote to memory of 2620 4956 update.exe 216 PID 2620 wrote to memory of 4520 2620 taskkill.exe 112 PID 2620 wrote to memory of 4520 2620 taskkill.exe 112 PID 4956 wrote to memory of 3504 4956 update.exe 134 PID 4956 wrote to memory of 3504 4956 update.exe 134 PID 3504 wrote to memory of 2476 3504 cmd.exe 133 PID 3504 wrote to memory of 2476 3504 cmd.exe 133 PID 4956 wrote to memory of 2236 4956 update.exe 213 PID 4956 wrote to memory of 2236 4956 update.exe 213 PID 2236 wrote to memory of 4028 2236 taskkill.exe 127 PID 2236 wrote to memory of 4028 2236 taskkill.exe 127
Processes
-
C:\Users\Admin\AppData\Local\Temp\update.exe"C:\Users\Admin\AppData\Local\Temp\update.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
PID:764
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
PID:404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:2128
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:1216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:2908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:1856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:3176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:464
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:2236
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:4228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:1000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:4484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:1512
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:5024 -
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
PID:4032
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:1124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:4148
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:2644
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:3504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:2620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:4488
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
- Suspicious use of WriteProcessMemory
PID:1216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:4216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:2136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:5060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:3392
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:32
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:2208
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:3208
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:2708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:3684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:4860
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:3696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:4000
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:3532
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\update.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵PID:2320
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\update.exe" MD53⤵
- Loads dropped DLL
PID:768
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:4240
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:4380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:536
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:756
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:1512
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵PID:1688
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:4640
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:5024
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:2060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:4944
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:1100
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:4488
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:4824
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:1040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:8
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:1444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:3244
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:3008
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1004583252671070339/1018436239373893632/xxxx.txt2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3588 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:23⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:33⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:83⤵
- Suspicious use of WriteProcessMemory
PID:464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:13⤵
- Suspicious use of AdjustPrivilegeToken
PID:992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:13⤵PID:4816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5352 /prefetch:83⤵PID:1452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 /prefetch:83⤵PID:3800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:13⤵PID:2708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5536 /prefetch:83⤵PID:2736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:83⤵PID:3084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:83⤵PID:1836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3972 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7fb065460,0x7ff7fb065470,0x7ff7fb0654804⤵PID:2148
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\xxxx.txt3⤵
- Opens file in notepad (likely ransom note)
PID:2132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:83⤵PID:1716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:13⤵PID:1944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:13⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:3956
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:4056
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:3004
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:2088
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵PID:3472
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:3256
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:3428
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:464
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:3660
-
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro1⤵
- Launches sc.exe
PID:3496
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe1⤵
- Kills process with taskkill
PID:4660 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
-
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T1⤵
- Kills process with taskkill
PID:3588 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa35446f8,0x7ffaa3544708,0x7ffaa35447182⤵PID:3340
-
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3212
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4520
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3580
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T1⤵
- Kills process with taskkill
PID:1376
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3608
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro1⤵
- Launches sc.exe
PID:2476
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe1⤵
- Kills process with taskkill
PID:992
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe1⤵
- Kills process with taskkill
PID:764 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
-
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4248
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro1⤵
- Launches sc.exe
PID:5020
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F1⤵
- Kills process with taskkill
PID:3884
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3148
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T1⤵
- Kills process with taskkill
PID:3972
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro1⤵
- Launches sc.exe
PID:1172
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2088
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:912
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:4988
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:1216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD598f49c27634711f0af5e9535b13179f5
SHA14267af836b75278f22724a6864525efd60597781
SHA2569afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
SHA512409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad
-
Filesize
46KB
MD598f49c27634711f0af5e9535b13179f5
SHA14267af836b75278f22724a6864525efd60597781
SHA2569afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
SHA512409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad
-
Filesize
46KB
MD598f49c27634711f0af5e9535b13179f5
SHA14267af836b75278f22724a6864525efd60597781
SHA2569afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
SHA512409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad
-
Filesize
46KB
MD598f49c27634711f0af5e9535b13179f5
SHA14267af836b75278f22724a6864525efd60597781
SHA2569afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
SHA512409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad
-
Filesize
46KB
MD598f49c27634711f0af5e9535b13179f5
SHA14267af836b75278f22724a6864525efd60597781
SHA2569afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
SHA512409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad
-
Filesize
283B
MD5b87e47fb397133d0c1d1c1c0f6457a15
SHA1f4d72332c606ba4f86d2b0c0c0cd9cb2a7e9e0f3
SHA256266a21a57fc2de40b427eab10531b469fd2ccda4f1e56f7fbb55b45a7f670ea5
SHA5124521ffd7973257e9726f06dbcd368a9fa732ac3f4e992361b2039334026707883408de024256dea05b41c448c9fe9381b1b636f84525e451bb8404b971dbf35f