63d8575d2e7d4ac1f43197e5730370f3ffd6b4d2400c836fd6c4b4d559fec407

General

Target

HWID_Swoofer.exe
Size

5.1MB
MD5

2401767168b533cee90da13673c0f30d
SHA1

b4c763d3e0c75fd97b654e9f8905bc5cc4adc45b
SHA256

63d8575d2e7d4ac1f43197e5730370f3ffd6b4d2400c836fd6c4b4d559fec407
SHA512

c7253ff6914d12395d2d1d0c8f480777d31ea4fca90177db3a5b961421e99e6f4fb9c4a0fd543f2b70658f6ba484637fdf454547a139ebf319f8ac677ea4345e
SSDEEP

98304:PCd+b+tvofM6wG5rx9K+SQt/BkcSMdAsNtq13Fv4t:ad+Kd6wIgQt5RS2N3o2

Score

8^/10

evasion vmprotect

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/4132-122-0x00007FF7DD4F0000-0x00007FF7DDD7A000-memory.dmp	vmprotect

Drops file in Windows directory 3 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4980 sc.exe
4940 sc.exe

pid	process
4980	sc.exe
4940	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe

Kills process with taskkill 51 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3388	taskkill.exe
4200	taskkill.exe
4672	taskkill.exe
5012	taskkill.exe
2628	taskkill.exe
228	taskkill.exe
5084	taskkill.exe
312	taskkill.exe
4184	taskkill.exe
1952	taskkill.exe
688	taskkill.exe
4776	taskkill.exe
2224	taskkill.exe
5112	taskkill.exe
2312	taskkill.exe
1868	taskkill.exe
4948	taskkill.exe
3352	taskkill.exe
596	taskkill.exe
1236	taskkill.exe
3184	taskkill.exe
3252	taskkill.exe
5096	taskkill.exe
1588	taskkill.exe
1660	taskkill.exe
4984	taskkill.exe
4728	taskkill.exe
2188	taskkill.exe
3932	taskkill.exe
2168	taskkill.exe
5004	taskkill.exe
528	taskkill.exe
4304	taskkill.exe
2224	taskkill.exe
4432	taskkill.exe
1008	taskkill.exe
5068	taskkill.exe
1488	taskkill.exe
3360	taskkill.exe
4008	taskkill.exe
3424	taskkill.exe
4848	taskkill.exe
1808	taskkill.exe
520	taskkill.exe
316	taskkill.exe
372	taskkill.exe
700	taskkill.exe
1152	taskkill.exe
1992	taskkill.exe
1480	taskkill.exe
3704	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HWID_Swoofer.exe

pid process

4132 HWID_Swoofer.exe
4132 HWID_Swoofer.exe
Suspicious behavior: LoadsDriver 10 IoCs

Processes:

pid

4
4
4
4
4
636
4
4
4
4

pid	process
4132	HWID_Swoofer.exe
4132	HWID_Swoofer.exe

pid
4
4
4
4
4
636
4
4
4
4

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exetaskkill.exetaskkill.exesvchost.exetaskkill.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	2920	svchost.exe
Token: SeCreatePagefilePrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeLoadDriverPrivilege	2920	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeCreatePagefilePrivilege	2292	svchost.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	3252	cmd.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	312	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	3388	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4984	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	3424	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	688	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HWID_Swoofer.execmd.execmd.execmd.exetaskkill.exetaskkill.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4132 wrote to memory of 4704	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 4704	4132	HWID_Swoofer.exe	cmd.exe
PID 4704 wrote to memory of 3704	4704	cmd.exe	taskkill.exe
PID 4704 wrote to memory of 3704	4704	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 2056	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 2056	4132	HWID_Swoofer.exe	cmd.exe
PID 2056 wrote to memory of 4848	2056	cmd.exe	taskkill.exe
PID 2056 wrote to memory of 4848	2056	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 4376	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 4376	4132	HWID_Swoofer.exe	cmd.exe
PID 4376 wrote to memory of 4432	4376	cmd.exe	taskkill.exe
PID 4376 wrote to memory of 4432	4376	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 3424	4132	HWID_Swoofer.exe	taskkill.exe
PID 4132 wrote to memory of 3424	4132	HWID_Swoofer.exe	taskkill.exe
PID 3424 wrote to memory of 3932	3424	taskkill.exe	taskkill.exe
PID 3424 wrote to memory of 3932	3424	taskkill.exe	taskkill.exe
PID 4132 wrote to memory of 1868	4132	HWID_Swoofer.exe	taskkill.exe
PID 4132 wrote to memory of 1868	4132	HWID_Swoofer.exe	taskkill.exe
PID 1868 wrote to memory of 3252	1868	taskkill.exe	cmd.exe
PID 1868 wrote to memory of 3252	1868	taskkill.exe	cmd.exe
PID 4132 wrote to memory of 4996	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 4996	4132	HWID_Swoofer.exe	cmd.exe
PID 4996 wrote to memory of 4980	4996	cmd.exe	sc.exe
PID 4996 wrote to memory of 4980	4996	cmd.exe	sc.exe
PID 4132 wrote to memory of 4916	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 4916	4132	HWID_Swoofer.exe	cmd.exe
PID 4916 wrote to memory of 4940	4916	cmd.exe	sc.exe
PID 4916 wrote to memory of 4940	4916	cmd.exe	sc.exe
PID 4132 wrote to memory of 5100	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 5100	4132	HWID_Swoofer.exe	cmd.exe
PID 5100 wrote to memory of 5096	5100	cmd.exe	taskkill.exe
PID 5100 wrote to memory of 5096	5100	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 764	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 764	4132	HWID_Swoofer.exe	cmd.exe
PID 764 wrote to memory of 5112	764	cmd.exe	taskkill.exe
PID 764 wrote to memory of 5112	764	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 5092	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 5092	4132	HWID_Swoofer.exe	cmd.exe
PID 5092 wrote to memory of 5084	5092	cmd.exe	taskkill.exe
PID 5092 wrote to memory of 5084	5092	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 428	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 428	4132	HWID_Swoofer.exe	cmd.exe
PID 428 wrote to memory of 1008	428	cmd.exe	taskkill.exe
PID 428 wrote to memory of 1008	428	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 604	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 604	4132	HWID_Swoofer.exe	cmd.exe
PID 604 wrote to memory of 5068	604	cmd.exe	taskkill.exe
PID 604 wrote to memory of 5068	604	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 1304	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 1304	4132	HWID_Swoofer.exe	cmd.exe
PID 1304 wrote to memory of 372	1304	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 372	1304	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 824	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 824	4132	HWID_Swoofer.exe	cmd.exe
PID 824 wrote to memory of 1588	824	cmd.exe	taskkill.exe
PID 824 wrote to memory of 1588	824	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 1804	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 1804	4132	HWID_Swoofer.exe	cmd.exe
PID 1804 wrote to memory of 1660	1804	cmd.exe	taskkill.exe
PID 1804 wrote to memory of 1660	1804	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 2052	4132	HWID_Swoofer.exe	cmd.exe
PID 4132 wrote to memory of 2052	4132	HWID_Swoofer.exe	cmd.exe
PID 2052 wrote to memory of 1488	2052	cmd.exe	taskkill.exe
PID 2052 wrote to memory of 1488	2052	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\HWID_Swoofer.exe
"C:\Users\Admin\AppData\Local\Temp\HWID_Swoofer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TASKKILL /F /IM EpicGamesLauncher.exe >NUL 2> 1
2⤵
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TASKKILL /F /IM EpicOnlineServices.exe >NUL 2> 1
2⤵
PID:2056

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM EpicOnlineServices.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TASKKILL /F /IM EpicOnlineServicesInstallHelper.exe >NUL 2> 1
2⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM EpicOnlineServicesInstallHelper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TASKKILL /F /IM EpicOnlineServicesUIHelper.exe >NUL 2> 1
2⤵
PID:3424

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM EpicOnlineServicesUIHelper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TASKKILL /F /IM EpicOnlineServicesUserHelper.exe >NUL 2> 1
2⤵
PID:1868

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM EpicOnlineServicesUserHelper.exe
3⤵
- Kills process with taskkill
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat.sys >nul
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\system32\sc.exe
sc stop EasyAntiCheat.sys
3⤵
- Launches sc.exe
PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe >nul 2>&1
2⤵
PID:5100

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\system32\taskkill.exe
taskkill /f /im procexp64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-i386.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-i386.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Mafia Engine.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\system32\taskkill.exe
taskkill /f /im Mafia Engine.exe
3⤵
- Kills process with taskkill
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-i386.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-i386.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Tutorial-x86_64.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\taskkill.exe
taskkill /f /im Tutorial-x86_64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\system32\taskkill.exe
taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
2⤵
PID:1344

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumperClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
PID:2588

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:3496

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:5064

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
2⤵
PID:3264

C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
2⤵
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
2⤵
PID:2680

C:\Windows\system32\taskkill.exe
taskkill /f /im idaq64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
2⤵
PID:2684

C:\Windows\system32\taskkill.exe
taskkill /f /im Wireshark.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
2⤵
PID:2756

C:\Windows\system32\taskkill.exe
taskkill /f /im Fiddler.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
2⤵
PID:4052

C:\Windows\system32\taskkill.exe
taskkill /f /im FiddlerEverywhere.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
2⤵
PID:3984

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos64.exe
3⤵
- Kills process with taskkill
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
2⤵
PID:2792

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
2⤵
PID:4596

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
2⤵
PID:356

C:\Windows\system32\taskkill.exe
taskkill /f /im de4dot.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
2⤵
PID:3832

C:\Windows\system32\taskkill.exe
taskkill /f /im Cheat Engine.exe
3⤵
- Kills process with taskkill
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
PID:4748

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
2⤵
PID:4456

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
2⤵
PID:4496

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-i386.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
2⤵
PID:5000

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-i386.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
2⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
3⤵
- Kills process with taskkill
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\taskkill.exe
taskkill /f /im KsDumper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:652

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
2⤵
PID:796

C:\Windows\system32\taskkill.exe
taskkill /f /im x64dbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
2⤵
PID:3208

C:\Windows\system32\taskkill.exe
taskkill /f /im x32dbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1788

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1396

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:876

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:1836

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:4860

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im ida.exe >nul 2>&1
2⤵
PID:2624

C:\Windows\system32\taskkill.exe
taskkill /f /im ida.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:192

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:196

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2240

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2220

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:376

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:4504

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4768

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2920

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:4816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\sc.exe
sc stop EasyAntiCheat
1⤵
- Launches sc.exe
PID:4980

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:4968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:3232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3232.0.991513237\1528424303" -parentBuildID 20221007134813 -prefsHandle 1660 -prefMapHandle 1648 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf72e5ee-cb17-4bd8-9975-0bc990c2841e} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" 1752 2265faa9258 gpu
3⤵
PID:4252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3232.1.863173830\1129065473" -parentBuildID 20221007134813 -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60d2749e-a6f6-4929-8ac7-500fbb841984} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" 2072 2265e807558 socket
3⤵
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\INF\netrasa.PNF
Filesize
22KB

MD5
47f55358eb31f464d0d12f61f7941953

SHA1
12bdd78e5b1dfd4d1a94c0709d6e2e82f83d74ac

SHA256
1f8eb41181a4f8059411eda60ac35576e6b99187bf1006d763288f2a53127f17

SHA512
693221e795eac1bd70157a4d0f6dd80ad8d9064d42efc49fc4285a26acad0adbde255cee91832c90b576ac0b60887b8b20c435b5730152210337fc900f693ef7

Download Submit
C:\Windows\INF\netsstpa.PNF
Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
memory/4132-121-0x00007FFD1F3A0000-0x00007FFD1F3A2000-memory.dmp

Filesize
8KB

Download
memory/4132-122-0x00007FF7DD4F0000-0x00007FF7DDD7A000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads