Analysis
-
max time kernel
30s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
25-03-2023 17:58
Behavioral task
behavioral1
Sample
HyperFree..exe
Resource
win7-20230220-en
General
-
Target
HyperFree..exe
-
Size
5.8MB
-
MD5
5260c1a254c8af84557b82e195363a98
-
SHA1
80af1991a492833e039891117fd594d74366545e
-
SHA256
8eb72c8341be372e533736b84d8a7196cde5e28130eadb774c40871fcf0cf7b3
-
SHA512
623692226d361a2795f4e5c4c330ec8435170832aa11c2e5336915b36e9340e0a18b27e0c932213e4d22ea05349a962ceb6d75216608680b41c997a75568f02b
-
SSDEEP
98304:aEO3yMulKYLin3eE7CKG5Ea+k0XhXtFV0lb81vcBnLDCg6yrXA8CcbQh1lAL/dbs:aErts9+xEa+k0elb8hcB/C7yjA8J1O
Malware Config
Signatures
-
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule behavioral1/memory/1416-57-0x000000013F490000-0x000000013FF11000-memory.dmp vmprotect -
Launches sc.exe 39 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 660 sc.exe 1368 sc.exe 1620 sc.exe 1116 sc.exe 1996 sc.exe 1160 sc.exe 1868 sc.exe 660 sc.exe 560 sc.exe 1996 sc.exe 1988 sc.exe 620 sc.exe 1644 sc.exe 576 sc.exe 572 sc.exe 1736 sc.exe 1716 sc.exe 316 sc.exe 1160 sc.exe 1880 sc.exe 600 sc.exe 1936 sc.exe 1644 sc.exe 1952 sc.exe 688 sc.exe 900 sc.exe 1072 sc.exe 924 sc.exe 1764 sc.exe 1640 sc.exe 1764 sc.exe 1888 sc.exe 1004 sc.exe 1824 sc.exe 1244 sc.exe 1168 sc.exe 516 sc.exe 1212 sc.exe 1888 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 9 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1540 taskkill.exe 1824 taskkill.exe 1936 taskkill.exe 572 taskkill.exe 1820 taskkill.exe 1724 taskkill.exe 1980 taskkill.exe 1696 taskkill.exe 820 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HyperFree..exepid process 1416 HyperFree..exe 1416 HyperFree..exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1724 taskkill.exe Token: SeDebugPrivilege 1824 taskkill.exe Token: SeDebugPrivilege 1980 taskkill.exe Token: SeDebugPrivilege 1936 taskkill.exe Token: SeDebugPrivilege 1696 taskkill.exe Token: SeDebugPrivilege 572 taskkill.exe Token: SeDebugPrivilege 820 taskkill.exe Token: SeDebugPrivilege 1820 taskkill.exe Token: SeDebugPrivilege 1540 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
HyperFree..execmd.execmd.execmd.execmd.exenet.exenet.execmd.exedescription pid process target process PID 1416 wrote to memory of 1112 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1112 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1112 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1272 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1272 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1272 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 660 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 660 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 660 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 268 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 268 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 268 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 868 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 868 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 868 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1600 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1600 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1600 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1404 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1404 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1404 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 908 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 908 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 908 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1572 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1572 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1572 1416 HyperFree..exe cmd.exe PID 1112 wrote to memory of 552 1112 cmd.exe net.exe PID 1112 wrote to memory of 552 1112 cmd.exe net.exe PID 1112 wrote to memory of 552 1112 cmd.exe net.exe PID 1600 wrote to memory of 1644 1600 cmd.exe sc.exe PID 1600 wrote to memory of 1644 1600 cmd.exe sc.exe PID 1600 wrote to memory of 1644 1600 cmd.exe sc.exe PID 1416 wrote to memory of 1704 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1704 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1704 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 548 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 548 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 548 1416 HyperFree..exe cmd.exe PID 268 wrote to memory of 1696 268 cmd.exe net.exe PID 268 wrote to memory of 1696 268 cmd.exe net.exe PID 268 wrote to memory of 1696 268 cmd.exe net.exe PID 1416 wrote to memory of 1320 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1320 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1320 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1376 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1376 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1376 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1120 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1120 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1120 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1960 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1960 1416 HyperFree..exe cmd.exe PID 1416 wrote to memory of 1960 1416 HyperFree..exe cmd.exe PID 868 wrote to memory of 1952 868 cmd.exe sc.exe PID 868 wrote to memory of 1952 868 cmd.exe sc.exe PID 868 wrote to memory of 1952 868 cmd.exe sc.exe PID 552 wrote to memory of 1140 552 net.exe net1.exe PID 552 wrote to memory of 1140 552 net.exe net1.exe PID 552 wrote to memory of 1140 552 net.exe net1.exe PID 1696 wrote to memory of 1184 1696 net.exe net1.exe PID 1696 wrote to memory of 1184 1696 net.exe net1.exe PID 1696 wrote to memory of 1184 1696 net.exe net1.exe PID 1572 wrote to memory of 1824 1572 cmd.exe sc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HyperFree..exe"C:\Users\Admin\AppData\Local\Temp\HyperFree..exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\HyperFree..exe MD5 >> C:\ProgramData\hash.txt2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile C:\Users\Admin\AppData\Local\Temp\HyperFree..exe MD53⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver21⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2075840929-981399707-5265818071186019041-4768313227569814224016858-1339531756"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-15879438402622995514028808061681001509-152830889520032064041902319988-98482483"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\hash.txtFilesize
170B
MD542fe12ed1b99e56d78873c540094ad96
SHA1daeef3a551085e583c3efcf0f79a677c904a5d92
SHA256b09705981a3147a2435c5d8bafac02e17c20d6b77b3078278b30ddc655a8cfee
SHA51251ce11c9a9012716a6f6a46dcdff352814d0764c71fc272e33fab1486e477c0d9b892dea14f553fbd4475e3eaacdb093a4857c136ae112c5b774328921960446
-
memory/1416-54-0x0000000077040000-0x0000000077042000-memory.dmpFilesize
8KB
-
memory/1416-55-0x0000000077040000-0x0000000077042000-memory.dmpFilesize
8KB
-
memory/1416-56-0x0000000077040000-0x0000000077042000-memory.dmpFilesize
8KB
-
memory/1416-57-0x000000013F490000-0x000000013FF11000-memory.dmpFilesize
10.5MB