8eb72c8341be372e533736b84d8a7196cde5e28130eadb774c40871fcf0cf7b3

General

Target

HyperFree..exe
Size

5.8MB
MD5

5260c1a254c8af84557b82e195363a98
SHA1

80af1991a492833e039891117fd594d74366545e
SHA256

8eb72c8341be372e533736b84d8a7196cde5e28130eadb774c40871fcf0cf7b3
SHA512

623692226d361a2795f4e5c4c330ec8435170832aa11c2e5336915b36e9340e0a18b27e0c932213e4d22ea05349a962ceb6d75216608680b41c997a75568f02b
SSDEEP

98304:aEO3yMulKYLin3eE7CKG5Ea+k0XhXtFV0lb81vcBnLDCg6yrXA8CcbQh1lAL/dbs:aErts9+xEa+k0elb8hcB/C7yjA8J1O

Score

8^/10

evasion vmprotect

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1060-57-0x000000013FEA0000-0x0000000140921000-memory.dmp	vmprotect

Launches sc.exe 39 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1932	sc.exe
960	sc.exe
1608	sc.exe
1020	sc.exe
896	sc.exe
588	sc.exe
1512	sc.exe
884	sc.exe
1064	sc.exe
1196	sc.exe
1344	sc.exe
1828	sc.exe
1816	sc.exe
532	sc.exe
1940	sc.exe
1824	sc.exe
1936	sc.exe
1504	sc.exe
1488	sc.exe
2008	sc.exe
1156	sc.exe
796	sc.exe
1712	sc.exe
1008	sc.exe
1824	sc.exe
112	sc.exe
1740	sc.exe
564	sc.exe
1736	sc.exe
1932	sc.exe
1224	sc.exe
1716	sc.exe
888	sc.exe
940	sc.exe
1340	sc.exe
1052	sc.exe
1900	sc.exe
1924	sc.exe
872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1508	taskkill.exe
776	taskkill.exe
1928	taskkill.exe
888	taskkill.exe
1168	taskkill.exe
1320	taskkill.exe
904	taskkill.exe
288	taskkill.exe
1608	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HyperFree..exe

pid process

1060 HyperFree..exe
1060 HyperFree..exe

pid	process
1060	HyperFree..exe
1060	HyperFree..exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HyperFree..execmd.execmd.execmd.execmd.execmd.exenet.exenet.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 524	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 524	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 524	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 368	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 368	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 368	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1464	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1464	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1464	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1168	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1168	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1168	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 576	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 576	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 576	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1116	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1116	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1116	1060	HyperFree..exe	cmd.exe
PID 1464 wrote to memory of 636	1464	cmd.exe	net.exe
PID 1464 wrote to memory of 636	1464	cmd.exe	net.exe
PID 1464 wrote to memory of 636	1464	cmd.exe	net.exe
PID 524 wrote to memory of 1348	524	cmd.exe	net.exe
PID 524 wrote to memory of 1348	524	cmd.exe	net.exe
PID 524 wrote to memory of 1348	524	cmd.exe	net.exe
PID 1060 wrote to memory of 760	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 760	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 760	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 2024	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 2024	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 2024	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 972	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 972	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 972	1060	HyperFree..exe	cmd.exe
PID 1168 wrote to memory of 1816	1168	cmd.exe	sc.exe
PID 1168 wrote to memory of 1816	1168	cmd.exe	sc.exe
PID 1168 wrote to memory of 1816	1168	cmd.exe	sc.exe
PID 576 wrote to memory of 112	576	cmd.exe	sc.exe
PID 576 wrote to memory of 112	576	cmd.exe	sc.exe
PID 576 wrote to memory of 112	576	cmd.exe	sc.exe
PID 1116 wrote to memory of 1936	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1936	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 1936	1116	cmd.exe	sc.exe
PID 1348 wrote to memory of 704	1348	net.exe	net1.exe
PID 1348 wrote to memory of 704	1348	net.exe	net1.exe
PID 1348 wrote to memory of 704	1348	net.exe	net1.exe
PID 636 wrote to memory of 1892	636	net.exe	net1.exe
PID 636 wrote to memory of 1892	636	net.exe	net1.exe
PID 636 wrote to memory of 1892	636	net.exe	net1.exe
PID 760 wrote to memory of 872	760	cmd.exe	sc.exe
PID 760 wrote to memory of 872	760	cmd.exe	sc.exe
PID 760 wrote to memory of 872	760	cmd.exe	sc.exe
PID 972 wrote to memory of 796	972	cmd.exe	sc.exe
PID 972 wrote to memory of 796	972	cmd.exe	sc.exe
PID 972 wrote to memory of 796	972	cmd.exe	sc.exe
PID 2024 wrote to memory of 1900	2024	cmd.exe	sc.exe
PID 2024 wrote to memory of 1900	2024	cmd.exe	sc.exe
PID 2024 wrote to memory of 1900	2024	cmd.exe	sc.exe
PID 1060 wrote to memory of 1400	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1400	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1400	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1788	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1788	1060	HyperFree..exe	cmd.exe
PID 1060 wrote to memory of 1788	1060	HyperFree..exe	cmd.exe
PID 368 wrote to memory of 1160	368	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\HyperFree..exe
"C:\Users\Admin\AppData\Local\Temp\HyperFree..exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1400

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:1948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1788

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1092

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1960

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:2000

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1004

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:1156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1684

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:784

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1488

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:948

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\HyperFree..exe MD5 >> C:\ProgramData\hash.txt
2⤵
PID:400

C:\Windows\system32\certutil.exe
certutil -hashfile C:\Users\Admin\AppData\Local\Temp\HyperFree..exe MD5
3⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:692

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1484

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1424

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1952

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:436

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2004

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1712

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1256

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1880

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1984

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:1488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1496

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1200

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1180

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1340

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:796

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:2024

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:2020

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:2004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1536

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:1608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:368

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1708

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1004

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:1488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1008

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:1276

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:436

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:828

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1364

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:1720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1908

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1948

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1928

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1368

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:1072

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1792

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:1276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1352

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:2004

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:1804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:896

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:960

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:1340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1728

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1008

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1880

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:872

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1084

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
1⤵
- Launches sc.exe
PID:112

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
1⤵
- Launches sc.exe
PID:1936

C:\Windows\system32\sc.exe
sc stop wireshark
1⤵
- Launches sc.exe
PID:1900

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
2⤵
PID:1804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:1892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:1928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:1952

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:1224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1791214229-559106409-1034374460-1129898629762280788-1883949551-1379369343-290002806"
1⤵
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hash.txt
Filesize
170B

MD5
42fe12ed1b99e56d78873c540094ad96

SHA1
daeef3a551085e583c3efcf0f79a677c904a5d92

SHA256
b09705981a3147a2435c5d8bafac02e17c20d6b77b3078278b30ddc655a8cfee

SHA512
51ce11c9a9012716a6f6a46dcdff352814d0764c71fc272e33fab1486e477c0d9b892dea14f553fbd4475e3eaacdb093a4857c136ae112c5b774328921960446

Download Submit
memory/1060-54-0x00000000771A0000-0x00000000771A2000-memory.dmp

Filesize
8KB

Download
memory/1060-55-0x00000000771A0000-0x00000000771A2000-memory.dmp

Filesize
8KB

Download
memory/1060-56-0x00000000771A0000-0x00000000771A2000-memory.dmp

Filesize
8KB

Download
memory/1060-57-0x000000013FEA0000-0x0000000140921000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads