ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78

Resubmissions

21/02/2024, 18:07

240221-wqltxadd42 5

21/02/2024, 17:45

240221-wb81wsch98 5

Analysis

max time kernel
54s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2XL_Free_Spoof.exe
Size

7.2MB
MD5

6ec04fa24f0695f286801366108942f3
SHA1

309ee6a08c8ab0159dc3137865b6cfeb9f3e4e04
SHA256

ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78
SHA512

d835f387bb19b353f58eb72a94c2b32857826f3f1322c7b5be253a6dc3b2c6a9cf4cd0340ab001df74092899346bd0e4d1dfa8c5c8d77a2893b418311103a6b5
SSDEEP

98304:cMYzS+CQQ4vBmVK0Psj6+qU483Aj9urJBSzrAhzZVT6e3JKPfjV4ZTNy6oeZ2gCc:KS4qKsW80FIryV4fZo0/

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe

Kills process with taskkill 37 IoCs

evasion

pid	Process
1236	taskkill.exe
1064	taskkill.exe
4920	taskkill.exe
1608	taskkill.exe
3796	taskkill.exe
2756	taskkill.exe
4152	taskkill.exe
4552	taskkill.exe
1516	taskkill.exe
3412	taskkill.exe
3912	taskkill.exe
2552	taskkill.exe
3844	taskkill.exe
2240	taskkill.exe
2456	taskkill.exe
3136	taskkill.exe
3716	taskkill.exe
4288	taskkill.exe
1160	taskkill.exe
372	taskkill.exe
4536	taskkill.exe
2728	taskkill.exe
4308	taskkill.exe
4868	taskkill.exe
688	taskkill.exe
3960	taskkill.exe
528	taskkill.exe
3964	taskkill.exe
3156	taskkill.exe
1828	taskkill.exe
2832	taskkill.exe
1660	taskkill.exe
4572	taskkill.exe
4244	taskkill.exe
800	taskkill.exe
4384	taskkill.exe
4220	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe
1240	2XL_Free_Spoof.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	3412	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	688	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 2620	1240	2XL_Free_Spoof.exe	86
PID 1240 wrote to memory of 2620	1240	2XL_Free_Spoof.exe	86
PID 1240 wrote to memory of 3688	1240	2XL_Free_Spoof.exe	87
PID 1240 wrote to memory of 3688	1240	2XL_Free_Spoof.exe	87
PID 3688 wrote to memory of 4552	3688	cmd.exe	88
PID 3688 wrote to memory of 4552	3688	cmd.exe	88
PID 1240 wrote to memory of 2228	1240	2XL_Free_Spoof.exe	90
PID 1240 wrote to memory of 2228	1240	2XL_Free_Spoof.exe	90
PID 1240 wrote to memory of 4436	1240	2XL_Free_Spoof.exe	91
PID 1240 wrote to memory of 4436	1240	2XL_Free_Spoof.exe	91
PID 1240 wrote to memory of 2044	1240	2XL_Free_Spoof.exe	92
PID 1240 wrote to memory of 2044	1240	2XL_Free_Spoof.exe	92
PID 1240 wrote to memory of 2884	1240	2XL_Free_Spoof.exe	93
PID 1240 wrote to memory of 2884	1240	2XL_Free_Spoof.exe	93
PID 2884 wrote to memory of 372	2884	cmd.exe	94
PID 2884 wrote to memory of 372	2884	cmd.exe	94
PID 1240 wrote to memory of 1852	1240	2XL_Free_Spoof.exe	95
PID 1240 wrote to memory of 1852	1240	2XL_Free_Spoof.exe	95
PID 1852 wrote to memory of 2552	1852	cmd.exe	96
PID 1852 wrote to memory of 2552	1852	cmd.exe	96
PID 1240 wrote to memory of 3540	1240	2XL_Free_Spoof.exe	98
PID 1240 wrote to memory of 3540	1240	2XL_Free_Spoof.exe	98
PID 3540 wrote to memory of 4868	3540	cmd.exe	97
PID 3540 wrote to memory of 4868	3540	cmd.exe	97
PID 1240 wrote to memory of 224	1240	2XL_Free_Spoof.exe	99
PID 1240 wrote to memory of 224	1240	2XL_Free_Spoof.exe	99
PID 224 wrote to memory of 4244	224	cmd.exe	100
PID 224 wrote to memory of 4244	224	cmd.exe	100
PID 1240 wrote to memory of 4936	1240	2XL_Free_Spoof.exe	101
PID 1240 wrote to memory of 4936	1240	2XL_Free_Spoof.exe	101
PID 4936 wrote to memory of 800	4936	cmd.exe	102
PID 4936 wrote to memory of 800	4936	cmd.exe	102
PID 1240 wrote to memory of 1444	1240	2XL_Free_Spoof.exe	103
PID 1240 wrote to memory of 1444	1240	2XL_Free_Spoof.exe	103
PID 1444 wrote to memory of 4536	1444	cmd.exe	104
PID 1444 wrote to memory of 4536	1444	cmd.exe	104
PID 1240 wrote to memory of 4784	1240	2XL_Free_Spoof.exe	105
PID 1240 wrote to memory of 4784	1240	2XL_Free_Spoof.exe	105
PID 4784 wrote to memory of 2728	4784	cmd.exe	106
PID 4784 wrote to memory of 2728	4784	cmd.exe	106
PID 1240 wrote to memory of 220	1240	2XL_Free_Spoof.exe	107
PID 1240 wrote to memory of 220	1240	2XL_Free_Spoof.exe	107
PID 220 wrote to memory of 4308	220	cmd.exe	108
PID 220 wrote to memory of 4308	220	cmd.exe	108
PID 1240 wrote to memory of 3032	1240	2XL_Free_Spoof.exe	110
PID 1240 wrote to memory of 3032	1240	2XL_Free_Spoof.exe	110
PID 3032 wrote to memory of 1516	3032	cmd.exe	109
PID 3032 wrote to memory of 1516	3032	cmd.exe	109
PID 1240 wrote to memory of 3600	1240	2XL_Free_Spoof.exe	111
PID 1240 wrote to memory of 3600	1240	2XL_Free_Spoof.exe	111
PID 3600 wrote to memory of 3156	3600	cmd.exe	112
PID 3600 wrote to memory of 3156	3600	cmd.exe	112
PID 1240 wrote to memory of 1440	1240	2XL_Free_Spoof.exe	113
PID 1240 wrote to memory of 1440	1240	2XL_Free_Spoof.exe	113
PID 1440 wrote to memory of 4384	1440	cmd.exe	114
PID 1440 wrote to memory of 4384	1440	cmd.exe	114
PID 1240 wrote to memory of 3516	1240	2XL_Free_Spoof.exe	116
PID 1240 wrote to memory of 3516	1240	2XL_Free_Spoof.exe	116
PID 3516 wrote to memory of 4220	3516	cmd.exe	115
PID 3516 wrote to memory of 4220	3516	cmd.exe	115
PID 1240 wrote to memory of 3288	1240	2XL_Free_Spoof.exe	117
PID 1240 wrote to memory of 3288	1240	2XL_Free_Spoof.exe	117
PID 3288 wrote to memory of 3844	3288	cmd.exe	118
PID 3288 wrote to memory of 3844	3288	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\2XL_Free_Spoof.exe
"C:\Users\Admin\AppData\Local\Temp\2XL_Free_Spoof.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 04
  2⤵
  PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:2232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4132
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:1624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3400
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4272
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:3744
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4084
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4924
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2620
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:2676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3356
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5024
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3444
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:372

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\taskkill.exe
taskkill /f /im Fiddler.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\taskkill.exe
taskkill /f /im Xenos.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\taskkill.exe
taskkill /f /im Cheat Engine.exe
1⤵
- Kills process with taskkill
PID:2240

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\system32\taskkill.exe
taskkill /f /im MugenJinFuu-i386.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\taskkill.exe
taskkill /f /im cheatengine-x86_64.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
1⤵
- Kills process with taskkill
PID:2756

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-0-0x00007FFBCD090000-0x00007FFBCD092000-memory.dmp

Filesize
8KB

Download
memory/1240-2-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download
memory/1240-1-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download
memory/1240-6-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download