8eb72c8341be372e533736b84d8a7196cde5e28130eadb774c40871fcf0cf7b3

General

Target

HyperFree..exe
Size

5.8MB
MD5

5260c1a254c8af84557b82e195363a98
SHA1

80af1991a492833e039891117fd594d74366545e
SHA256

8eb72c8341be372e533736b84d8a7196cde5e28130eadb774c40871fcf0cf7b3
SHA512

623692226d361a2795f4e5c4c330ec8435170832aa11c2e5336915b36e9340e0a18b27e0c932213e4d22ea05349a962ceb6d75216608680b41c997a75568f02b
SSDEEP

98304:aEO3yMulKYLin3eE7CKG5Ea+k0XhXtFV0lb81vcBnLDCg6yrXA8CcbQh1lAL/dbs:aErts9+xEa+k0elb8hcB/C7yjA8J1O

Score

8^/10

evasion vmprotect

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1416-57-0x000000013F490000-0x000000013FF11000-memory.dmp	vmprotect

Launches sc.exe 39 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
660	sc.exe
1368	sc.exe
1620	sc.exe
1116	sc.exe
1996	sc.exe
1160	sc.exe
1868	sc.exe
660	sc.exe
560	sc.exe
1996	sc.exe
1988	sc.exe
620	sc.exe
1644	sc.exe
576	sc.exe
572	sc.exe
1736	sc.exe
1716	sc.exe
316	sc.exe
1160	sc.exe
1880	sc.exe
600	sc.exe
1936	sc.exe
1644	sc.exe
1952	sc.exe
688	sc.exe
900	sc.exe
1072	sc.exe
924	sc.exe
1764	sc.exe
1640	sc.exe
1764	sc.exe
1888	sc.exe
1004	sc.exe
1824	sc.exe
1244	sc.exe
1168	sc.exe
516	sc.exe
1212	sc.exe
1888	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1540	taskkill.exe
1824	taskkill.exe
1936	taskkill.exe
572	taskkill.exe
1820	taskkill.exe
1724	taskkill.exe
1980	taskkill.exe
1696	taskkill.exe
820	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HyperFree..exe

pid process

1416 HyperFree..exe
1416 HyperFree..exe

pid	process
1416	HyperFree..exe
1416	HyperFree..exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HyperFree..execmd.execmd.execmd.execmd.exenet.exenet.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 1112	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1112	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1112	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1272	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1272	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1272	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 660	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 660	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 660	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 268	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 268	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 268	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 868	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 868	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 868	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1600	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1600	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1600	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1404	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1404	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1404	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 908	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 908	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 908	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1572	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1572	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1572	1416	HyperFree..exe	cmd.exe
PID 1112 wrote to memory of 552	1112	cmd.exe	net.exe
PID 1112 wrote to memory of 552	1112	cmd.exe	net.exe
PID 1112 wrote to memory of 552	1112	cmd.exe	net.exe
PID 1600 wrote to memory of 1644	1600	cmd.exe	sc.exe
PID 1600 wrote to memory of 1644	1600	cmd.exe	sc.exe
PID 1600 wrote to memory of 1644	1600	cmd.exe	sc.exe
PID 1416 wrote to memory of 1704	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1704	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1704	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 548	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 548	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 548	1416	HyperFree..exe	cmd.exe
PID 268 wrote to memory of 1696	268	cmd.exe	net.exe
PID 268 wrote to memory of 1696	268	cmd.exe	net.exe
PID 268 wrote to memory of 1696	268	cmd.exe	net.exe
PID 1416 wrote to memory of 1320	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1320	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1320	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1376	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1376	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1376	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1120	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1120	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1120	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1960	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1960	1416	HyperFree..exe	cmd.exe
PID 1416 wrote to memory of 1960	1416	HyperFree..exe	cmd.exe
PID 868 wrote to memory of 1952	868	cmd.exe	sc.exe
PID 868 wrote to memory of 1952	868	cmd.exe	sc.exe
PID 868 wrote to memory of 1952	868	cmd.exe	sc.exe
PID 552 wrote to memory of 1140	552	net.exe	net1.exe
PID 552 wrote to memory of 1140	552	net.exe	net1.exe
PID 552 wrote to memory of 1140	552	net.exe	net1.exe
PID 1696 wrote to memory of 1184	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1184	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1184	1696	net.exe	net1.exe
PID 1572 wrote to memory of 1824	1572	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\HyperFree..exe
"C:\Users\Admin\AppData\Local\Temp\HyperFree..exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1272

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:1596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:1140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:1184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1404

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:660

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:1980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:548

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1320

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1704

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1376

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:908

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1960

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:1120

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:840

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1884

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1616

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1212

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1996

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1404

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\HyperFree..exe MD5 >> C:\ProgramData\hash.txt
2⤵
PID:1952

C:\Windows\system32\certutil.exe
certutil -hashfile C:\Users\Admin\AppData\Local\Temp\HyperFree..exe MD5
3⤵
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1672

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1604

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1664

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:916

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1624

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:628

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1168

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1360

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1512

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:1152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1116

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:1824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:1980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1708

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:1160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:940

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1548

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:948

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:552

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:812

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1964

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:1552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1516

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1280

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1060

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1732

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:108

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:980

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1984

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1244

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:2000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:296

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:560

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:588

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1304

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:628

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:944

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1920

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:908

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1512

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1752

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1952

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:940

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1272

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:948

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2075840929-981399707-5265818071186019041-4768313227569814224016858-1339531756"
1⤵
PID:516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15879438402622995514028808061681001509-152830889520032064041902319988-98482483"
1⤵
PID:812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hash.txt
Filesize
170B

MD5
42fe12ed1b99e56d78873c540094ad96

SHA1
daeef3a551085e583c3efcf0f79a677c904a5d92

SHA256
b09705981a3147a2435c5d8bafac02e17c20d6b77b3078278b30ddc655a8cfee

SHA512
51ce11c9a9012716a6f6a46dcdff352814d0764c71fc272e33fab1486e477c0d9b892dea14f553fbd4475e3eaacdb093a4857c136ae112c5b774328921960446

Download Submit
memory/1416-54-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/1416-55-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/1416-56-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/1416-57-0x000000013F490000-0x000000013FF11000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads