bazarbackdoor | 3e8f5d33715f69f5297ca2750d9a9ed491749f009455217626b16f3b268dbcaf

General

Target

update.exe
Size

7.6MB
MD5

38d2e3ad694e5221b828441d82d6172d
SHA1

02e58b9fccb8fb01339c5f24aa26d656db389bcd
SHA256

3e8f5d33715f69f5297ca2750d9a9ed491749f009455217626b16f3b268dbcaf
SHA512

e96ca478921cb272f3b246e83b1b7a695638fb001dd05348ef4861b1842a2c49bccc4864867f99439e262fa983202056c196a2508597e2c83f4350683d5e6ea8
SSDEEP

196608:Bry4z4fbI39lVt1nRMT2cZlpbhQaQ9HQhMWuKej4ifJj/Fv4wkB1S:44z4MD1nS2YlUz9wTuD5/Fv4wcM

Score

10^/10

bazarbackdoor backdoor evasion persistence themida trojan

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	BazarBackdoorVar3
behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	BazarBackdoorVar3
behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	BazarBackdoorVar3
behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	BazarBackdoorVar3
behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	BazarBackdoorVar3
behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	BazarBackdoorVar3

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

update.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ update.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	Nirsoft
behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	Nirsoft
behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	Nirsoft
behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	Nirsoft
behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	Nirsoft
behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

pid process

2416
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2416

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

update.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe

Loads dropped DLL 3 IoCs

Processes:

update.execertutil.exe

pid process

4956 update.exe
1716
768 certutil.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4956-132-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida
behavioral2/memory/4956-134-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida
behavioral2/memory/4956-135-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida
behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida
behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida
behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida
behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida
behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida
behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

update.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA update.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

update.exe

pid process

4956 update.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e016c754-1de6-4335-bb84-ce8afc38d962.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220914195126.pma	setup.exe

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5020 sc.exe
4032 sc.exe
1216 sc.exe
3008 sc.exe
3496 sc.exe
2476 sc.exe
2708 sc.exe
756 sc.exe
1172 sc.exe
2908 sc.exe
5024 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5020	sc.exe
4032	sc.exe
1216	sc.exe
3008	sc.exe
3496	sc.exe
2476	sc.exe
2708	sc.exe
756	sc.exe
1172	sc.exe
2908	sc.exe
5024	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 50 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
32	taskkill.exe
3792	taskkill.exe
2112	taskkill.exe
4268	taskkill.exe
764	taskkill.exe
1180	taskkill.exe
3212	taskkill.exe
4328	taskkill.exe
3964	taskkill.exe
4896	taskkill.exe
1380	taskkill.exe
3892	taskkill.exe
4660	taskkill.exe
4260	taskkill.exe
1168	taskkill.exe
3580	taskkill.exe
904	taskkill.exe
3496	taskkill.exe
2168	taskkill.exe
4224	taskkill.exe
1356	taskkill.exe
2804	taskkill.exe
764	taskkill.exe
3740	taskkill.exe
3884	taskkill.exe
4148	taskkill.exe
3148	taskkill.exe
2236	taskkill.exe
4520	taskkill.exe
992	taskkill.exe
2056	taskkill.exe
4248	taskkill.exe
4384	taskkill.exe
2068	taskkill.exe
5028	taskkill.exe
2208	taskkill.exe
404	taskkill.exe
1620	taskkill.exe
2620	taskkill.exe
5060	taskkill.exe
1476	taskkill.exe
1376	taskkill.exe
4592	taskkill.exe
4028	taskkill.exe
3176	taskkill.exe
3972	taskkill.exe
2128	taskkill.exe
2700	taskkill.exe
3588	taskkill.exe
3608	taskkill.exe

Modifies registry class 2 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2132 NOTEPAD.EXE

pid	process
2132	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

update.exe

pid	process
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe
4956	update.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

3588 msedge.exe
3588 msedge.exe
3588 msedge.exe
3588 msedge.exe
3588 msedge.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

update.exe

pid process

4956 update.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

cmd.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exemsedge.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemsedge.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemsedge.exesvchost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemsedge.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exesetup.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	764	cmd.exe
Token: SeDebugPrivilege	404	cmd.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	4660	cmd.exe
Token: SeDebugPrivilege	3588	msedge.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	1376	msedge.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	992	msedge.exe
Token: SeDebugPrivilege	764	svchost.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	32	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	3884	msedge.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	3972	setup.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

msedge.exe

pid	process
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

update.exe

pid process

4956 update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

update.execmd.execmd.exesc.exetaskkill.execmd.execmd.execmd.exetaskkill.execmd.execmd.execmd.execmd.exemsedge.exetaskkill.execmd.exetaskkill.exe

description	pid	process	target process
PID 4956 wrote to memory of 8	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 8	4956	update.exe	cmd.exe
PID 8 wrote to memory of 764	8	cmd.exe	taskkill.exe
PID 8 wrote to memory of 764	8	cmd.exe	taskkill.exe
PID 4956 wrote to memory of 3044	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 3044	4956	update.exe	cmd.exe
PID 3044 wrote to memory of 404	3044	cmd.exe	cmd.exe
PID 3044 wrote to memory of 404	3044	cmd.exe	cmd.exe
PID 4956 wrote to memory of 1216	4956	update.exe	sc.exe
PID 4956 wrote to memory of 1216	4956	update.exe	sc.exe
PID 1216 wrote to memory of 3496	1216	sc.exe	taskkill.exe
PID 1216 wrote to memory of 3496	1216	sc.exe	taskkill.exe
PID 4956 wrote to memory of 2128	4956	update.exe	taskkill.exe
PID 4956 wrote to memory of 2128	4956	update.exe	taskkill.exe
PID 2128 wrote to memory of 3892	2128	taskkill.exe	taskkill.exe
PID 2128 wrote to memory of 3892	2128	taskkill.exe	taskkill.exe
PID 4956 wrote to memory of 2244	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 2244	4956	update.exe	cmd.exe
PID 2244 wrote to memory of 1356	2244	cmd.exe	taskkill.exe
PID 2244 wrote to memory of 1356	2244	cmd.exe	taskkill.exe
PID 4956 wrote to memory of 4004	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 4004	4956	update.exe	cmd.exe
PID 4004 wrote to memory of 1620	4004	cmd.exe	taskkill.exe
PID 4004 wrote to memory of 1620	4004	cmd.exe	taskkill.exe
PID 4956 wrote to memory of 432	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 432	4956	update.exe	cmd.exe
PID 432 wrote to memory of 1180	432	cmd.exe	taskkill.exe
PID 432 wrote to memory of 1180	432	cmd.exe	taskkill.exe
PID 4956 wrote to memory of 3176	4956	update.exe	taskkill.exe
PID 4956 wrote to memory of 3176	4956	update.exe	taskkill.exe
PID 3176 wrote to memory of 4660	3176	taskkill.exe	cmd.exe
PID 3176 wrote to memory of 4660	3176	taskkill.exe	cmd.exe
PID 4956 wrote to memory of 2360	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 2360	4956	update.exe	cmd.exe
PID 2360 wrote to memory of 2908	2360	cmd.exe	sc.exe
PID 2360 wrote to memory of 2908	2360	cmd.exe	sc.exe
PID 4956 wrote to memory of 1856	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 1856	4956	update.exe	cmd.exe
PID 1856 wrote to memory of 3588	1856	cmd.exe	msedge.exe
PID 1856 wrote to memory of 3588	1856	cmd.exe	msedge.exe
PID 4956 wrote to memory of 1020	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 1020	4956	update.exe	cmd.exe
PID 1020 wrote to memory of 2804	1020	cmd.exe	taskkill.exe
PID 1020 wrote to memory of 2804	1020	cmd.exe	taskkill.exe
PID 4956 wrote to memory of 816	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 816	4956	update.exe	cmd.exe
PID 816 wrote to memory of 3212	816	cmd.exe	taskkill.exe
PID 816 wrote to memory of 3212	816	cmd.exe	taskkill.exe
PID 4956 wrote to memory of 464	4956	update.exe	msedge.exe
PID 4956 wrote to memory of 464	4956	update.exe	msedge.exe
PID 464 wrote to memory of 1168	464	msedge.exe	taskkill.exe
PID 464 wrote to memory of 1168	464	msedge.exe	taskkill.exe
PID 4956 wrote to memory of 2620	4956	update.exe	taskkill.exe
PID 4956 wrote to memory of 2620	4956	update.exe	taskkill.exe
PID 2620 wrote to memory of 4520	2620	taskkill.exe	taskkill.exe
PID 2620 wrote to memory of 4520	2620	taskkill.exe	taskkill.exe
PID 4956 wrote to memory of 3504	4956	update.exe	cmd.exe
PID 4956 wrote to memory of 3504	4956	update.exe	cmd.exe
PID 3504 wrote to memory of 2476	3504	cmd.exe	sc.exe
PID 3504 wrote to memory of 2476	3504	cmd.exe	sc.exe
PID 4956 wrote to memory of 2236	4956	update.exe	taskkill.exe
PID 4956 wrote to memory of 2236	4956	update.exe	taskkill.exe
PID 2236 wrote to memory of 4028	2236	taskkill.exe	taskkill.exe
PID 2236 wrote to memory of 4028	2236	taskkill.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:764

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2128

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:464

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1512

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:5024

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4148

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2644

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4488

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:3392

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2208

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3208

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4860

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4000

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:3532

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\update.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
PID:2320

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\update.exe" MD5
3⤵
- Loads dropped DLL
PID:768

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:4240

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:536

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:756

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1512

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1688

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:5024

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4944

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1100

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4488

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4824

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3244

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1004583252671070339/1018436239373893632/xxxx.txt
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
3⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
3⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5352 /prefetch:8
3⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 /prefetch:8
3⤵
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
3⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5536 /prefetch:8
3⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
3⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
3⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7fb065460,0x7ff7fb065470,0x7ff7fb065480
4⤵
PID:2148

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\xxxx.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
3⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
3⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
3⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3956

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:4056

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:2088

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:3472

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3256

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3428

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:464

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3660

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:3496

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:4660

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa35446f8,0x7ffaa3544708,0x7ffaa3544718
2⤵
PID:3340

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:1376

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2476

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
PID:992

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:764

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:5020

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
1⤵
- Kills process with taskkill
PID:3884

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:1172

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HookLib.dll
Filesize
46KB

MD5
98f49c27634711f0af5e9535b13179f5

SHA1
4267af836b75278f22724a6864525efd60597781

SHA256
9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16

SHA512
409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
Filesize
46KB

MD5
98f49c27634711f0af5e9535b13179f5

SHA1
4267af836b75278f22724a6864525efd60597781

SHA256
9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16

SHA512
409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
Filesize
46KB

MD5
98f49c27634711f0af5e9535b13179f5

SHA1
4267af836b75278f22724a6864525efd60597781

SHA256
9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16

SHA512
409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
Filesize
46KB

MD5
98f49c27634711f0af5e9535b13179f5

SHA1
4267af836b75278f22724a6864525efd60597781

SHA256
9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16

SHA512
409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
Filesize
46KB

MD5
98f49c27634711f0af5e9535b13179f5

SHA1
4267af836b75278f22724a6864525efd60597781

SHA256
9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16

SHA512
409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad

Download Submit
C:\Users\Admin\Downloads\xxxx.txt
Filesize
283B

MD5
b87e47fb397133d0c1d1c1c0f6457a15

SHA1
f4d72332c606ba4f86d2b0c0c0cd9cb2a7e9e0f3

SHA256
266a21a57fc2de40b427eab10531b469fd2ccda4f1e56f7fbb55b45a7f670ea5

SHA512
4521ffd7973257e9726f06dbcd368a9fa732ac3f4e992361b2039334026707883408de024256dea05b41c448c9fe9381b1b636f84525e451bb8404b971dbf35f

Download Submit
\??\pipe\LOCAL\crashpad_3588_RDITDKBIEEOJGWIC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-145-0x0000000000000000-mapping.dmp

Download
memory/32-207-0x0000000000000000-mapping.dmp

Download
memory/404-149-0x0000000000000000-mapping.dmp

Download
memory/432-158-0x0000000000000000-mapping.dmp

Download
memory/464-170-0x0000000000000000-mapping.dmp

Download
memory/764-197-0x0000000000000000-mapping.dmp

Download
memory/764-147-0x0000000000000000-mapping.dmp

Download
memory/768-214-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/816-168-0x0000000000000000-mapping.dmp

Download
memory/904-192-0x0000000000000000-mapping.dmp

Download
memory/992-195-0x0000000000000000-mapping.dmp

Download
memory/1000-180-0x0000000000000000-mapping.dmp

Download
memory/1020-166-0x0000000000000000-mapping.dmp

Download
memory/1124-184-0x0000000000000000-mapping.dmp

Download
memory/1168-171-0x0000000000000000-mapping.dmp

Download
memory/1180-159-0x0000000000000000-mapping.dmp

Download
memory/1216-150-0x0000000000000000-mapping.dmp

Download
memory/1356-155-0x0000000000000000-mapping.dmp

Download
memory/1376-181-0x0000000000000000-mapping.dmp

Download
memory/1512-186-0x0000000000000000-mapping.dmp

Download
memory/1620-157-0x0000000000000000-mapping.dmp

Download
memory/1856-164-0x0000000000000000-mapping.dmp

Download
memory/2056-203-0x0000000000000000-mapping.dmp

Download
memory/2128-152-0x0000000000000000-mapping.dmp

Download
memory/2136-204-0x0000000000000000-mapping.dmp

Download
memory/2168-191-0x0000000000000000-mapping.dmp

Download
memory/2208-208-0x0000000000000000-mapping.dmp

Download
memory/2236-176-0x0000000000000000-mapping.dmp

Download
memory/2244-154-0x0000000000000000-mapping.dmp

Download
memory/2360-162-0x0000000000000000-mapping.dmp

Download
memory/2476-175-0x0000000000000000-mapping.dmp

Download
memory/2620-172-0x0000000000000000-mapping.dmp

Download
memory/2644-193-0x0000000000000000-mapping.dmp

Download
memory/2804-167-0x0000000000000000-mapping.dmp

Download
memory/2908-163-0x0000000000000000-mapping.dmp

Download
memory/3044-148-0x0000000000000000-mapping.dmp

Download
memory/3176-160-0x0000000000000000-mapping.dmp

Download
memory/3212-169-0x0000000000000000-mapping.dmp

Download
memory/3392-206-0x0000000000000000-mapping.dmp

Download
memory/3496-201-0x0000000000000000-mapping.dmp

Download
memory/3496-151-0x0000000000000000-mapping.dmp

Download
memory/3504-174-0x0000000000000000-mapping.dmp

Download
memory/3580-179-0x0000000000000000-mapping.dmp

Download
memory/3588-165-0x0000000000000000-mapping.dmp

Download
memory/3608-185-0x0000000000000000-mapping.dmp

Download
memory/3696-198-0x0000000000000000-mapping.dmp

Download
memory/3792-209-0x0000000000000000-mapping.dmp

Download
memory/3892-153-0x0000000000000000-mapping.dmp

Download
memory/4004-156-0x0000000000000000-mapping.dmp

Download
memory/4028-177-0x0000000000000000-mapping.dmp

Download
memory/4148-190-0x0000000000000000-mapping.dmp

Download
memory/4216-202-0x0000000000000000-mapping.dmp

Download
memory/4228-178-0x0000000000000000-mapping.dmp

Download
memory/4248-205-0x0000000000000000-mapping.dmp

Download
memory/4328-189-0x0000000000000000-mapping.dmp

Download
memory/4484-182-0x0000000000000000-mapping.dmp

Download
memory/4488-196-0x0000000000000000-mapping.dmp

Download
memory/4520-173-0x0000000000000000-mapping.dmp

Download
memory/4592-183-0x0000000000000000-mapping.dmp

Download
memory/4660-161-0x0000000000000000-mapping.dmp

Download
memory/4944-194-0x0000000000000000-mapping.dmp

Download
memory/4956-139-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-132-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-140-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-135-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-133-0x00007FFAC1490000-0x00007FFAC1685000-memory.dmp

Filesize
2.0MB

Download
memory/4956-134-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp

Filesize
15.1MB

Download
memory/4956-217-0x00007FFAC1490000-0x00007FFAC1685000-memory.dmp

Filesize
2.0MB

Download
memory/4988-188-0x0000000000000000-mapping.dmp

Download
memory/5020-199-0x0000000000000000-mapping.dmp

Download
memory/5024-187-0x0000000000000000-mapping.dmp

Download
memory/5060-200-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads