90bfb31560bdff53539aa556437edb6ec0a1760928ea585e4c621994fbe020ea

Analysis

max time kernel
18s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hollow.cc.exe
Size

89KB
MD5

daeae07e61c80cabc482c3b3f30183bf
SHA1

34afd425664c4cedd49c15e6dea81debce01ef4d
SHA256

90bfb31560bdff53539aa556437edb6ec0a1760928ea585e4c621994fbe020ea
SHA512

bf37703a58de244b6fefe706645aa2b296c32cda96834841861a3751022eb51c8277f4f3ccab397ba2897a78757234b73ecefa23e1e0c7f16ddb2f002ee859a9
SSDEEP

1536:QcBXBwWcN2p5qfIqZvUpYyIovpoK5ZFb9B90O0muuJJReU:QcBX3k2DqfIqZ3y3vpoK7R9B90/MDwU

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2620	sc.exe
2064	sc.exe
1644	sc.exe
2056	sc.exe
2692	sc.exe
2028	sc.exe
2868	sc.exe
2892	sc.exe
880	sc.exe
2364	sc.exe
2624	sc.exe
1612	sc.exe
1236	sc.exe
2140	sc.exe
2608	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 56 IoCs

evasion

pid	Process
1544	taskkill.exe
2992	taskkill.exe
2420	taskkill.exe
1592	taskkill.exe
528	taskkill.exe
584	taskkill.exe
2196	taskkill.exe
1432	taskkill.exe
1756	taskkill.exe
1900	taskkill.exe
2464	taskkill.exe
1800	taskkill.exe
2768	taskkill.exe
1964	taskkill.exe
2436	taskkill.exe
2968	taskkill.exe
1164	taskkill.exe
2772	taskkill.exe
1460	taskkill.exe
1608	taskkill.exe
3004	taskkill.exe
2660	taskkill.exe
1996	taskkill.exe
2312	taskkill.exe
1700	taskkill.exe
2744	taskkill.exe
2132	taskkill.exe
2208	taskkill.exe
2444	taskkill.exe
2392	taskkill.exe
1536	taskkill.exe
1708	taskkill.exe
1516	taskkill.exe
1332	taskkill.exe
1164	taskkill.exe
2140	taskkill.exe
2844	taskkill.exe
776	taskkill.exe
1404	taskkill.exe
1752	taskkill.exe
1492	taskkill.exe
2644	taskkill.exe
2892	taskkill.exe
760	taskkill.exe
2628	taskkill.exe
2700	taskkill.exe
1496	taskkill.exe
2820	taskkill.exe
1244	taskkill.exe
572	taskkill.exe
1908	taskkill.exe
1032	taskkill.exe
2284	taskkill.exe
844	taskkill.exe
2452	taskkill.exe
1064	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Hollow.cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Hollow.cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Hollow.cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Hollow.cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Hollow.cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Hollow.cc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe
Token: SeIncBasePriorityPrivilege	2612	Hollow.cc.exe
Token: 33	2612	Hollow.cc.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2088	2612	Hollow.cc.exe	29
PID 2612 wrote to memory of 2088	2612	Hollow.cc.exe	29
PID 2612 wrote to memory of 2088	2612	Hollow.cc.exe	29
PID 2612 wrote to memory of 2088	2612	Hollow.cc.exe	29
PID 2088 wrote to memory of 1164	2088	cmd.exe	31
PID 2088 wrote to memory of 1164	2088	cmd.exe	31
PID 2088 wrote to memory of 1164	2088	cmd.exe	31
PID 2088 wrote to memory of 1164	2088	cmd.exe	31
PID 2612 wrote to memory of 2276	2612	Hollow.cc.exe	108
PID 2612 wrote to memory of 2276	2612	Hollow.cc.exe	108
PID 2612 wrote to memory of 2276	2612	Hollow.cc.exe	108
PID 2612 wrote to memory of 2276	2612	Hollow.cc.exe	108
PID 2276 wrote to memory of 1544	2276	cmd.exe	35
PID 2276 wrote to memory of 1544	2276	cmd.exe	35
PID 2276 wrote to memory of 1544	2276	cmd.exe	35
PID 2276 wrote to memory of 1544	2276	cmd.exe	35
PID 2612 wrote to memory of 2432	2612	Hollow.cc.exe	36
PID 2612 wrote to memory of 2432	2612	Hollow.cc.exe	36
PID 2612 wrote to memory of 2432	2612	Hollow.cc.exe	36
PID 2612 wrote to memory of 2432	2612	Hollow.cc.exe	36
PID 2432 wrote to memory of 2284	2432	cmd.exe	38
PID 2432 wrote to memory of 2284	2432	cmd.exe	38
PID 2432 wrote to memory of 2284	2432	cmd.exe	38
PID 2432 wrote to memory of 2284	2432	cmd.exe	38
PID 2612 wrote to memory of 1760	2612	Hollow.cc.exe	39
PID 2612 wrote to memory of 1760	2612	Hollow.cc.exe	39
PID 2612 wrote to memory of 1760	2612	Hollow.cc.exe	39
PID 2612 wrote to memory of 1760	2612	Hollow.cc.exe	39
PID 1760 wrote to memory of 2196	1760	cmd.exe	222
PID 1760 wrote to memory of 2196	1760	cmd.exe	222
PID 1760 wrote to memory of 2196	1760	cmd.exe	222
PID 1760 wrote to memory of 2196	1760	cmd.exe	222
PID 2612 wrote to memory of 956	2612	Hollow.cc.exe	136
PID 2612 wrote to memory of 956	2612	Hollow.cc.exe	136
PID 2612 wrote to memory of 956	2612	Hollow.cc.exe	136
PID 2612 wrote to memory of 956	2612	Hollow.cc.exe	136
PID 956 wrote to memory of 1700	956	cmd.exe	44
PID 956 wrote to memory of 1700	956	cmd.exe	44
PID 956 wrote to memory of 1700	956	cmd.exe	44
PID 956 wrote to memory of 1700	956	cmd.exe	44
PID 1528 wrote to memory of 2280	1528	chrome.exe	46
PID 1528 wrote to memory of 2280	1528	chrome.exe	46
PID 1528 wrote to memory of 2280	1528	chrome.exe	46
PID 2612 wrote to memory of 1292	2612	Hollow.cc.exe	47
PID 2612 wrote to memory of 1292	2612	Hollow.cc.exe	47
PID 2612 wrote to memory of 1292	2612	Hollow.cc.exe	47
PID 2612 wrote to memory of 1292	2612	Hollow.cc.exe	47
PID 1292 wrote to memory of 844	1292	cmd.exe	49
PID 1292 wrote to memory of 844	1292	cmd.exe	49
PID 1292 wrote to memory of 844	1292	cmd.exe	49
PID 1292 wrote to memory of 844	1292	cmd.exe	49
PID 2612 wrote to memory of 2624	2612	Hollow.cc.exe	285
PID 2612 wrote to memory of 2624	2612	Hollow.cc.exe	285
PID 2612 wrote to memory of 2624	2612	Hollow.cc.exe	285
PID 2612 wrote to memory of 2624	2612	Hollow.cc.exe	285
PID 2624 wrote to memory of 2660	2624	cmd.exe	84
PID 2624 wrote to memory of 2660	2624	cmd.exe	84
PID 2624 wrote to memory of 2660	2624	cmd.exe	84
PID 2624 wrote to memory of 2660	2624	cmd.exe	84
PID 1528 wrote to memory of 564	1528	chrome.exe	291
PID 1528 wrote to memory of 564	1528	chrome.exe	291
PID 1528 wrote to memory of 564	1528	chrome.exe	291
PID 1528 wrote to memory of 564	1528	chrome.exe	291
PID 1528 wrote to memory of 564	1528	chrome.exe	291

C:\Users\Admin\AppData\Local\Temp\Hollow.cc.exe
"C:\Users\Admin\AppData\Local\Temp\Hollow.cc.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im beamer.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im beamer.exe
    3⤵
    - Kills process with taskkill
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im UD.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im UD.exe
    3⤵
    - Kills process with taskkill
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2492
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:776
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:868
- - C:\Windows\SysWOW64\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop wireshark >nul 2>&1
  2⤵
  PID:784
- - C:\Windows\SysWOW64\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:696
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1
  2⤵
  PID:816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq die*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebugger.exe
    3⤵
    - Kills process with taskkill
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im FolderChangesView.exe
    3⤵
    - Kills process with taskkill
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\sc.exe
    sc stop HttpDebuggerSdk
    3⤵
    - Launches sc.exe
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop npf >nul 2>&1
  2⤵
  PID:2492
- - C:\Windows\SysWOW64\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im beamer.exe >nul 2>&1
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im beamer.exe
    3⤵
    - Kills process with taskkill
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im UD.exe >nul 2>&1
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im UD.exe
    3⤵
    - Kills process with taskkill
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /SU auto
  2⤵
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /SS "Default string"
  2⤵
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /SV "1.0"
  2⤵
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CSK "Default string"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CM "Default string"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /SP "MS-7D22"
  2⤵
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /SM "Micro-Star International Co., Ltd."
  2⤵
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /SK "Default string"
  2⤵
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /SF "Default string"
  2⤵
  PID:984
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /BM "Micro-Star International Co., Ltd."
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /BP "H510M-A PRO (MS-7D22)"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /BV "1.0"
  2⤵
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /BT "Default string"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /BLC "Default string"
  2⤵
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /PSN "To Be Filled By O.E.M."
  2⤵
  PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /PAT "To Be Filled By O.E.M."
  2⤵
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /PPN "To Be Filled By O.E.M."
  2⤵
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CSK "Default string"
  2⤵
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CS "Default string"
  2⤵
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CV "1.0"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CM "Micro-Star International Co., Ltd."
  2⤵
  PID:268
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CA "Default string"
  2⤵
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CO "0000 0000h"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /CT "03h"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /IV "3.80"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /IVN "American Megatrends International, LLC."
  2⤵
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c C:\Nexus\zhjers.exe /BS "%random%%random%%random%%random%%random%"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net stop winmgmt /y && net start winmgmt /y && sc stop winmgmt && sc start winmgmt
  2⤵
  PID:564
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt /y
    3⤵
    PID:1200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    PID:880
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7949758,0x7fef7949768,0x7fef7949778
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1384,i,3553499826257524814,7194484909270953979,131072 /prefetch:2
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1384,i,3553499826257524814,7194484909270953979,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1384,i,3553499826257524814,7194484909270953979,131072 /prefetch:8
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1384,i,3553499826257524814,7194484909270953979,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1384,i,3553499826257524814,7194484909270953979,131072 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1384,i,3553499826257524814,7194484909270953979,131072 /prefetch:2
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3200 --field-trial-handle=1384,i,3553499826257524814,7194484909270953979,131072 /prefetch:1
  2⤵
  PID:1972

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-86344212-1143930285-1994729898-77954442-80298439-407573142-20918188211754253298"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4612172662349421831644231472-1098195572-81300733-501849301093688758-1462584363"
1⤵
PID:956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-332725593-2777766311812288265146321060-7927014539790636122136272957-2100325901"
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9cddc5b3957b705d1b77cb26c652caf4

SHA1
7effab9f3e0297ad71ff663fa42a55f15e8dd4e1

SHA256
8ff5b0ca75d2e2d2ee09131808fdf11bbe84cf6a82ec8bd76421df7a23fd8b48

SHA512
30d9d981786ed4373b61aff638a091149583eded6d076bebf9e2043b6cd413ac3bc6b7a04c5ec991b3d9bbffd3ccdbea2741358450339a58e1e4a6d94497f90e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\da6de6e9-5198-4df1-a590-3e3061a92bc8.tmp

Filesize
15KB

MD5
ce45d0ce7e81bc1f3f896a89ffcf52af

SHA1
3d8717cabbf36b774dfad853812797e1f04684e1

SHA256
6d78edebed9dfc82c6ff3e5bfe34af56787ff8520cb15978baefa3228abe0983

SHA512
210321840c5b7c9ef2102542f8f012d4dad7f856e031175de8fd1fbf3612d436eca00ce8130ba1549eeb13cba3a25140374531e974893b1db31dca9509621ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBB84.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD30.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/2612-2-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/2612-1-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-0-0x00000000012D0000-0x00000000012EC000-memory.dmp

Filesize
112KB

Download
memory/2612-197-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-198-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download