Analysis
- max time kernel: 39s
- max time network: 42s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-09-2022 17:50
Behavioral task: behavioral1
- Sample: update.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: update.exe
- Resource: win10v2004-20220812-en
General
- Target: update.exe
- Size: 7.6MB
- MD5: 38d2e3ad694e5221b828441d82d6172d
- SHA1: 02e58b9fccb8fb01339c5f24aa26d656db389bcd
- SHA256: 3e8f5d33715f69f5297ca2750d9a9ed491749f009455217626b16f3b268dbcaf
- SHA512: e96ca478921cb272f3b246e83b1b7a695638fb001dd05348ef4861b1842a2c49bccc4864867f99439e262fa983202056c196a2508597e2c83f4350683d5e6ea8
- SSDEEP: 196608:Bry4z4fbI39lVt1nRMT2cZlpbhQaQ9HQhMWuKej4ifJj/Fv4wkB1S:44z4MD1nS2YlUz9wTuD5/Fv4wcM
Malware Config
Signatures
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | BazarBackdoorVar3
behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | BazarBackdoorVar3
behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | BazarBackdoorVar3
behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | BazarBackdoorVar3
behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | BazarBackdoorVar3
behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | BazarBackdoorVar3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | update.exe
-
Nirsoft 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | Nirsoft
behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | Nirsoft
behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | Nirsoft
behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | Nirsoft
behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | Nirsoft
behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | Nirsoft
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2416 | (process name not recorded in the report)
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | update.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | update.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
4956 | update.exe
1716 | (process name not recorded in the report)
768 | certutil.exe
-
Themida packer 9 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4956-132-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
behavioral2/memory/4956-134-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
behavioral2/memory/4956-135-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
behavioral2/memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
behavioral2/memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
behavioral2/memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
behavioral2/memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
behavioral2/memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
behavioral2/memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp | themida
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | update.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
4956 | update.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e016c754-1de6-4335-bb84-ce8afc38d962.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220914195126.pma | setup.exe
-
Launches sc.exe 11 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
5020 | sc.exe
4032 | sc.exe
1216 | sc.exe
3008 | sc.exe
3496 | sc.exe
2476 | sc.exe
2708 | sc.exe
756 | sc.exe
1172 | sc.exe
2908 | sc.exe
5024 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
-
Kills process with taskkill 50 IoCs
Processes:
pid | process (all 50 rows are taskkill.exe; pids listed in report order)
32, 3792, 2112, 4268, 764, 1180, 3212, 4328, 3964, 4896, 1380, 3892, 4660, 4260, 1168, 3580, 904, 3496, 2168, 4224, 1356, 2804, 764, 3740, 3884, 4148, 3148, 2236, 4520, 992, 2056, 4248, 4384, 2068, 5028, 2208, 404, 1620, 2620, 5060, 1476, 1376, 4592, 4028, 3176, 3972, 2128, 2700, 3588, 3608 | taskkill.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | msedge.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
2132 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4956 | update.exe (this row is recorded 64 times)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
pid | process
3588 | msedge.exe (this row is recorded 5 times)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
4956 | update.exe
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
description | pid | process (description is "Token: SeDebugPrivilege" for all 50 rows; rows grouped by process)
Token: SeDebugPrivilege | 764, 404, 4660 | cmd.exe
Token: SeDebugPrivilege | 3588, 1376, 992, 3884 | msedge.exe
Token: SeDebugPrivilege | 764 | svchost.exe
Token: SeDebugPrivilege | 3972 | setup.exe
Token: SeDebugPrivilege | 3892, 1356, 1620, 1180, 2804, 3212, 1168, 4520, 4028, 3580, 4592, 3608, 4328, 904, 3964, 3496, 2056, 4248, 32, 3792, 3176, 3740, 2112, 4384, 4896, 2620, 4224, 2236, 1380, 4260, 2168, 3148, 4148, 2068, 5060, 2128, 2700, 5028, 1476, 2208, 4268 | taskkill.exe
-
Suspicious use of FindShellTrayWindow 11 IoCs
Processes:
pid | process
3588 | msedge.exe (this row is recorded 11 times)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4956 | update.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid | process | target pid | target process (each "PID X wrote to memory of Y" row appears twice in the report, giving 64 IoCs for the 32 pairs below)
4956 | update.exe | 8 | cmd.exe
8 | cmd.exe | 764 | taskkill.exe
4956 | update.exe | 3044 | cmd.exe
3044 | cmd.exe | 404 | cmd.exe
4956 | update.exe | 1216 | sc.exe
1216 | sc.exe | 3496 | taskkill.exe
4956 | update.exe | 2128 | taskkill.exe
2128 | taskkill.exe | 3892 | taskkill.exe
4956 | update.exe | 2244 | cmd.exe
2244 | cmd.exe | 1356 | taskkill.exe
4956 | update.exe | 4004 | cmd.exe
4004 | cmd.exe | 1620 | taskkill.exe
4956 | update.exe | 432 | cmd.exe
432 | cmd.exe | 1180 | taskkill.exe
4956 | update.exe | 3176 | taskkill.exe
3176 | taskkill.exe | 4660 | cmd.exe
4956 | update.exe | 2360 | cmd.exe
2360 | cmd.exe | 2908 | sc.exe
4956 | update.exe | 1856 | cmd.exe
1856 | cmd.exe | 3588 | msedge.exe
4956 | update.exe | 1020 | cmd.exe
1020 | cmd.exe | 2804 | taskkill.exe
4956 | update.exe | 816 | cmd.exe
816 | cmd.exe | 3212 | taskkill.exe
4956 | update.exe | 464 | msedge.exe
464 | msedge.exe | 1168 | taskkill.exe
4956 | update.exe | 2620 | taskkill.exe
2620 | taskkill.exe | 4520 | taskkill.exe
4956 | update.exe | 3504 | cmd.exe
3504 | cmd.exe | 2476 | sc.exe
4956 | update.exe | 2236 | taskkill.exe
2236 | taskkill.exe | 4028 | taskkill.exe
Processes
(The number in brackets is the node's depth in the process tree; "command:" gives the recorded command line, and the bullets beneath it are the signatures triggered by that process.)
- [1] C:\Users\Admin\AppData\Local\Temp\update.exe
  command: "C:\Users\Admin\AppData\Local\Temp\update.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\sc.exe
      command: sc stop HTTPDebuggerPro
      - Launches sc.exe
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - [3] C:\Windows\system32\sc.exe
      command: sc stop HTTPDebuggerPro
      - Launches sc.exe
      - [4] C:\Windows\system32\sc.exe
        command: sc stop HTTPDebuggerPro
        - Launches sc.exe
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c cls
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - [3] C:\Windows\system32\sc.exe
      command: sc stop HTTPDebuggerPro
      - Launches sc.exe
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - [3] C:\Windows\system32\sc.exe
      command: sc stop HTTPDebuggerPro
      - Launches sc.exe
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c cls
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c cls
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\update.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - [3] C:\Windows\system32\certutil.exe
      command: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\update.exe" MD5
      - Loads dropped DLL
    - [3] C:\Windows\system32\find.exe
      command: find /i /v "certutil"
    - [3] C:\Windows\system32\find.exe
      command: find /i /v "md5"
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - [3] C:\Windows\system32\sc.exe
      command: sc stop HTTPDebuggerPro
      - Launches sc.exe
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\taskkill.exe
      command: taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - [3] C:\Windows\system32\sc.exe
      command: sc stop HTTPDebuggerPro
      - Launches sc.exe
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1004583252671070339/1018436239373893632/xxxx.txt
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
      - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5352 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5536 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7fb065460,0x7ff7fb065470,0x7ff7fb065480
    - [3] C:\Windows\system32\NOTEPAD.EXE
      command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\xxxx.txt
      - Opens file in notepad (likely ransom note)
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18390438320092451787,731197282985530031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
-
  C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
-
  C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
-
  C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
-
  C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
-
  C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
-
  C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
-
  C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
-
  C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
-
  C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
-
  C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
-
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
- Launches sc.exe
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
- Kills process with taskkill
-
  C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- Kills process with taskkill
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa35446f8,0x7ffaa3544708,0x7ffaa3544718
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
- Launches sc.exe
-
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
- Kills process with taskkill
-
  C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
- Launches sc.exe
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
- Launches sc.exe
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HookLib.dll
Filesize 46KB
MD5 98f49c27634711f0af5e9535b13179f5
SHA1 4267af836b75278f22724a6864525efd60597781
SHA256 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
SHA512 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad
-
C:\Users\Admin\Downloads\xxxx.txt
Filesize 283B
MD5 b87e47fb397133d0c1d1c1c0f6457a15
SHA1 f4d72332c606ba4f86d2b0c0c0cd9cb2a7e9e0f3
SHA256 266a21a57fc2de40b427eab10531b469fd2ccda4f1e56f7fbb55b45a7f670ea5
SHA512 4521ffd7973257e9726f06dbcd368a9fa732ac3f4e992361b2039334026707883408de024256dea05b41c448c9fe9381b1b636f84525e451bb8404b971dbf35f
-
\??\pipe\LOCAL\crashpad_3588_RDITDKBIEEOJGWIC
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/8-145-0x0000000000000000-mapping.dmp
-
memory/32-207-0x0000000000000000-mapping.dmp
-
memory/404-149-0x0000000000000000-mapping.dmp
-
memory/432-158-0x0000000000000000-mapping.dmp
-
memory/464-170-0x0000000000000000-mapping.dmp
-
memory/764-197-0x0000000000000000-mapping.dmp
-
memory/764-147-0x0000000000000000-mapping.dmp
-
memory/768-214-0x00007FFA81510000-0x00007FFA81520000-memory.dmp
Filesize 64KB
-
memory/816-168-0x0000000000000000-mapping.dmp
-
memory/904-192-0x0000000000000000-mapping.dmp
-
memory/992-195-0x0000000000000000-mapping.dmp
-
memory/1000-180-0x0000000000000000-mapping.dmp
-
memory/1020-166-0x0000000000000000-mapping.dmp
-
memory/1124-184-0x0000000000000000-mapping.dmp
-
memory/1168-171-0x0000000000000000-mapping.dmp
-
memory/1180-159-0x0000000000000000-mapping.dmp
-
memory/1216-150-0x0000000000000000-mapping.dmp
-
memory/1356-155-0x0000000000000000-mapping.dmp
-
memory/1376-181-0x0000000000000000-mapping.dmp
-
memory/1512-186-0x0000000000000000-mapping.dmp
-
memory/1620-157-0x0000000000000000-mapping.dmp
-
memory/1856-164-0x0000000000000000-mapping.dmp
-
memory/2056-203-0x0000000000000000-mapping.dmp
-
memory/2128-152-0x0000000000000000-mapping.dmp
-
memory/2136-204-0x0000000000000000-mapping.dmp
-
memory/2168-191-0x0000000000000000-mapping.dmp
-
memory/2208-208-0x0000000000000000-mapping.dmp
-
memory/2236-176-0x0000000000000000-mapping.dmp
-
memory/2244-154-0x0000000000000000-mapping.dmp
-
memory/2360-162-0x0000000000000000-mapping.dmp
-
memory/2476-175-0x0000000000000000-mapping.dmp
-
memory/2620-172-0x0000000000000000-mapping.dmp
-
memory/2644-193-0x0000000000000000-mapping.dmp
-
memory/2804-167-0x0000000000000000-mapping.dmp
-
memory/2908-163-0x0000000000000000-mapping.dmp
-
memory/3044-148-0x0000000000000000-mapping.dmp
-
memory/3176-160-0x0000000000000000-mapping.dmp
-
memory/3212-169-0x0000000000000000-mapping.dmp
-
memory/3392-206-0x0000000000000000-mapping.dmp
-
memory/3496-201-0x0000000000000000-mapping.dmp
-
memory/3496-151-0x0000000000000000-mapping.dmp
-
memory/3504-174-0x0000000000000000-mapping.dmp
-
memory/3580-179-0x0000000000000000-mapping.dmp
-
memory/3588-165-0x0000000000000000-mapping.dmp
-
memory/3608-185-0x0000000000000000-mapping.dmp
-
memory/3696-198-0x0000000000000000-mapping.dmp
-
memory/3792-209-0x0000000000000000-mapping.dmp
-
memory/3892-153-0x0000000000000000-mapping.dmp
-
memory/4004-156-0x0000000000000000-mapping.dmp
-
memory/4028-177-0x0000000000000000-mapping.dmp
-
memory/4148-190-0x0000000000000000-mapping.dmp
-
memory/4216-202-0x0000000000000000-mapping.dmp
-
memory/4228-178-0x0000000000000000-mapping.dmp
-
memory/4248-205-0x0000000000000000-mapping.dmp
-
memory/4328-189-0x0000000000000000-mapping.dmp
-
memory/4484-182-0x0000000000000000-mapping.dmp
-
memory/4488-196-0x0000000000000000-mapping.dmp
-
memory/4520-173-0x0000000000000000-mapping.dmp
-
memory/4592-183-0x0000000000000000-mapping.dmp
-
memory/4660-161-0x0000000000000000-mapping.dmp
-
memory/4944-194-0x0000000000000000-mapping.dmp
-
memory/4956-139-0x00007FFA81510000-0x00007FFA81520000-memory.dmp
Filesize 64KB
-
memory/4956-137-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-132-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-141-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-140-0x00007FFA81510000-0x00007FFA81520000-memory.dmp
Filesize 64KB
-
memory/4956-142-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-143-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-135-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-136-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-133-0x00007FFAC1490000-0x00007FFAC1685000-memory.dmp
Filesize 2.0MB
-
memory/4956-134-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-216-0x00007FF7A0810000-0x00007FF7A1734000-memory.dmp
Filesize 15.1MB
-
memory/4956-217-0x00007FFAC1490000-0x00007FFAC1685000-memory.dmp
Filesize 2.0MB
-
memory/4988-188-0x0000000000000000-mapping.dmp
-
memory/5020-199-0x0000000000000000-mapping.dmp
-
memory/5024-187-0x0000000000000000-mapping.dmp
-
memory/5060-200-0x0000000000000000-mapping.dmp