Analysis
max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2023 13:43

Behavioral task: behavioral1
Sample: HyperFree..exe
Resource: win7-20230220-en

General
Target: HyperFree..exe
Size: 5.8MB
MD5: 5260c1a254c8af84557b82e195363a98
SHA1: 80af1991a492833e039891117fd594d74366545e
SHA256: 8eb72c8341be372e533736b84d8a7196cde5e28130eadb774c40871fcf0cf7b3
SHA512: 623692226d361a2795f4e5c4c330ec8435170832aa11c2e5336915b36e9340e0a18b27e0c932213e4d22ea05349a962ceb6d75216608680b41c997a75568f02b
SSDEEP: 98304:aEO3yMulKYLin3eE7CKG5Ea+k0XhXtFV0lb81vcBnLDCg6yrXA8CcbQh1lAL/dbs:aErts9+xEa+k0elb8hcB/C7yjA8J1O
Malware Config
Signatures
- Stops running service(s) 3 TTPs
  resource: behavioral1/memory/1060-57-0x000000013FEA0000-0x0000000140921000-memory.dmp   yara_rule: vmprotect
- Launches sc.exe 39 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes (all sc.exe), pids: 1932, 960, 1608, 1020, 896, 588, 1512, 884, 1064, 1196, 1344, 1828, 1816, 532, 1940, 1824, 1936, 1504, 1488, 2008, 1156, 796, 1712, 1008, 1824, 112, 1740, 564, 1736, 1932, 1224, 1716, 888, 940, 1340, 1052, 1900, 1924, 872
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill 9 IoCs
  Processes (all taskkill.exe), pids: 1508, 776, 1928, 888, 1168, 1320, 904, 288, 1608
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes (pid process): 1060 HyperFree..exe, 1060 HyperFree..exe
- Suspicious use of AdjustPrivilegeToken 9 IoCs
  Processes (description pid process): Token: SeDebugPrivilege for taskkill.exe pids 1168, 1320, 1508, 776, 904, 1928, 288, 1608, 888
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes (source pid -> target pid, source process -> target process; each event is recorded the number of times shown):
  1060 -> 524    HyperFree..exe -> cmd.exe   (x3)
  1060 -> 368    HyperFree..exe -> cmd.exe   (x3)
  1060 -> 1464   HyperFree..exe -> cmd.exe   (x3)
  1060 -> 1168   HyperFree..exe -> cmd.exe   (x3)
  1060 -> 576    HyperFree..exe -> cmd.exe   (x3)
  1060 -> 1116   HyperFree..exe -> cmd.exe   (x3)
  1464 -> 636    cmd.exe -> net.exe          (x3)
  524 -> 1348    cmd.exe -> net.exe          (x3)
  1060 -> 760    HyperFree..exe -> cmd.exe   (x3)
  1060 -> 2024   HyperFree..exe -> cmd.exe   (x3)
  1060 -> 972    HyperFree..exe -> cmd.exe   (x3)
  1168 -> 1816   cmd.exe -> sc.exe           (x3)
  576 -> 112     cmd.exe -> sc.exe           (x3)
  1116 -> 1936   cmd.exe -> sc.exe           (x3)
  1348 -> 704    net.exe -> net1.exe         (x3)
  636 -> 1892    net.exe -> net1.exe         (x3)
  760 -> 872     cmd.exe -> sc.exe           (x3)
  972 -> 796     cmd.exe -> sc.exe           (x3)
  2024 -> 1900   cmd.exe -> sc.exe           (x3)
  1060 -> 1400   HyperFree..exe -> cmd.exe   (x3)
  1060 -> 1788   HyperFree..exe -> cmd.exe   (x3)
  368 -> 1160    cmd.exe -> net.exe          (x1)
Processes
(image path | command line; indentation shows depth in the process tree, sub-bullets list the signatures triggered by that process)

C:\Users\Admin\AppData\Local\Temp\HyperFree..exe | "C:\Users\Admin\AppData\Local\Temp\HyperFree..exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe | net stop FACEIT
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe | net stop FACEIT
      - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe | net stop ESEADriver2
      - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe | sc stop npf
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    C:\Windows\system32\net.exe | net stop ESEADriver2
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker2
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker3
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop npf
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop wireshark
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\HyperFree..exe MD5 >> C:\ProgramData\hash.txt
    C:\Windows\system32\certutil.exe | certutil -hashfile C:\Users\Admin\AppData\Local\Temp\HyperFree..exe MD5
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ESEADriver2
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    C:\Windows\system32\net.exe | net stop FACEIT
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FACEIT
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    C:\Windows\system32\net.exe | net stop ESEADriver2
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ESEADriver2
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker3
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker2
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker1
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop wireshark
      - Launches sc.exe
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop npf
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    C:\Windows\system32\net.exe | net stop FACEIT
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FACEIT
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    C:\Windows\system32\net.exe | net stop ESEADriver2
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker3
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop wireshark
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker1
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop npf
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker2
      - Launches sc.exe
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    C:\Windows\system32\net.exe | net stop FACEIT
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    C:\Windows\system32\net.exe | net stop ESEADriver2
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ESEADriver2
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker3
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker2
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker1
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop npf
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    C:\Windows\system32\net.exe | net stop FACEIT
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FACEIT
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop wireshark
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    C:\Windows\system32\net.exe | net stop ESEADriver2
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ESEADriver2
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker3
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker2
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop KProcessHacker1
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop wireshark
      - Launches sc.exe
  C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    C:\Windows\system32\sc.exe | sc stop npf
      - Launches sc.exe
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\sc.exe | sc stop KProcessHacker3
  - Launches sc.exe
C:\Windows\system32\sc.exe | sc stop KProcessHacker2
  - Launches sc.exe
C:\Windows\system32\sc.exe | sc stop wireshark
  - Launches sc.exe
C:\Windows\system32\sc.exe | sc stop KProcessHacker1
  - Launches sc.exe
  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FACEIT
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FACEIT
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FACEIT
C:\Windows\system32\sc.exe | sc stop KProcessHacker1
  - Launches sc.exe
C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1791214229-559106409-1034374460-1129898629762280788-1883949551-1379369343-290002806"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\hash.txt
  Filesize: 170B
  MD5: 42fe12ed1b99e56d78873c540094ad96
  SHA1: daeef3a551085e583c3efcf0f79a677c904a5d92
  SHA256: b09705981a3147a2435c5d8bafac02e17c20d6b77b3078278b30ddc655a8cfee
  SHA512: 51ce11c9a9012716a6f6a46dcdff352814d0764c71fc272e33fab1486e477c0d9b892dea14f553fbd4475e3eaacdb093a4857c136ae112c5b774328921960446
- memory/1060-54-0x00000000771A0000-0x00000000771A2000-memory.dmp
  Filesize: 8KB
- memory/1060-55-0x00000000771A0000-0x00000000771A2000-memory.dmp
  Filesize: 8KB
- memory/1060-56-0x00000000771A0000-0x00000000771A2000-memory.dmp
  Filesize: 8KB
- memory/1060-57-0x000000013FEA0000-0x0000000140921000-memory.dmp
  Filesize: 10.5MB