a5cc8e6cb314a16986ad99066295f45622199ad94f93bb579cc5c74570783678

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Badware Woofer/BadwareFree.exe
Size

7.2MB
MD5

6ec04fa24f0695f286801366108942f3
SHA1

309ee6a08c8ab0159dc3137865b6cfeb9f3e4e04
SHA256

ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78
SHA512

d835f387bb19b353f58eb72a94c2b32857826f3f1322c7b5be253a6dc3b2c6a9cf4cd0340ab001df74092899346bd0e4d1dfa8c5c8d77a2893b418311103a6b5
SSDEEP

98304:cMYzS+CQQ4vBmVK0Psj6+qU483Aj9urJBSzrAhzZVT6e3JKPfjV4ZTNy6oeZ2gCc:KS4qKsW80FIryV4fZo0/

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4772	BadwareFree.exe
4772	BadwareFree.exe

Kills process with taskkill 37 IoCs

evasion

pid	Process
3312	taskkill.exe
3232	taskkill.exe
8	taskkill.exe
4468	taskkill.exe
4868	taskkill.exe
448	taskkill.exe
2712	taskkill.exe
4536	taskkill.exe
4960	taskkill.exe
4612	taskkill.exe
2060	taskkill.exe
3360	taskkill.exe
4676	taskkill.exe
1124	taskkill.exe
3876	taskkill.exe
4176	taskkill.exe
4704	taskkill.exe
1256	taskkill.exe
2312	taskkill.exe
3792	taskkill.exe
2464	taskkill.exe
3336	taskkill.exe
2508	taskkill.exe
1040	taskkill.exe
1324	taskkill.exe
2496	taskkill.exe
4840	taskkill.exe
3272	taskkill.exe
4496	taskkill.exe
4288	taskkill.exe
2184	taskkill.exe
1484	taskkill.exe
4460	taskkill.exe
768	taskkill.exe
2932	taskkill.exe
4304	taskkill.exe
3328	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe
4772	BadwareFree.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	8	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	3272	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	3328	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4216	4772	BadwareFree.exe	93
PID 4772 wrote to memory of 4216	4772	BadwareFree.exe	93
PID 4772 wrote to memory of 2784	4772	BadwareFree.exe	143
PID 4772 wrote to memory of 2784	4772	BadwareFree.exe	143
PID 2784 wrote to memory of 1040	2784	cmd.exe	95
PID 2784 wrote to memory of 1040	2784	cmd.exe	95
PID 4772 wrote to memory of 3232	4772	BadwareFree.exe	144
PID 4772 wrote to memory of 3232	4772	BadwareFree.exe	144
PID 4772 wrote to memory of 3208	4772	BadwareFree.exe	145
PID 4772 wrote to memory of 3208	4772	BadwareFree.exe	145
PID 4772 wrote to memory of 3996	4772	BadwareFree.exe	148
PID 4772 wrote to memory of 3996	4772	BadwareFree.exe	148
PID 4772 wrote to memory of 2484	4772	BadwareFree.exe	100
PID 4772 wrote to memory of 2484	4772	BadwareFree.exe	100
PID 2484 wrote to memory of 1324	2484	cmd.exe	101
PID 2484 wrote to memory of 1324	2484	cmd.exe	101
PID 4772 wrote to memory of 1588	4772	BadwareFree.exe	102
PID 4772 wrote to memory of 1588	4772	BadwareFree.exe	102
PID 1588 wrote to memory of 2184	1588	cmd.exe	103
PID 1588 wrote to memory of 2184	1588	cmd.exe	103
PID 4772 wrote to memory of 1536	4772	BadwareFree.exe	104
PID 4772 wrote to memory of 1536	4772	BadwareFree.exe	104
PID 1536 wrote to memory of 2932	1536	cmd.exe	105
PID 1536 wrote to memory of 2932	1536	cmd.exe	105
PID 4772 wrote to memory of 1988	4772	BadwareFree.exe	106
PID 4772 wrote to memory of 1988	4772	BadwareFree.exe	106
PID 1988 wrote to memory of 2712	1988	cmd.exe	107
PID 1988 wrote to memory of 2712	1988	cmd.exe	107
PID 4772 wrote to memory of 3328	4772	BadwareFree.exe	157
PID 4772 wrote to memory of 3328	4772	BadwareFree.exe	157
PID 3328 wrote to memory of 1484	3328	cmd.exe	109
PID 3328 wrote to memory of 1484	3328	cmd.exe	109
PID 4772 wrote to memory of 5104	4772	BadwareFree.exe	110
PID 4772 wrote to memory of 5104	4772	BadwareFree.exe	110
PID 5104 wrote to memory of 8	5104	cmd.exe	111
PID 5104 wrote to memory of 8	5104	cmd.exe	111
PID 4772 wrote to memory of 3364	4772	BadwareFree.exe	112
PID 4772 wrote to memory of 3364	4772	BadwareFree.exe	112
PID 3364 wrote to memory of 2496	3364	cmd.exe	113
PID 3364 wrote to memory of 2496	3364	cmd.exe	113
PID 4772 wrote to memory of 1500	4772	BadwareFree.exe	114
PID 4772 wrote to memory of 1500	4772	BadwareFree.exe	114
PID 1500 wrote to memory of 4840	1500	cmd.exe	115
PID 1500 wrote to memory of 4840	1500	cmd.exe	115
PID 4772 wrote to memory of 4740	4772	BadwareFree.exe	116
PID 4772 wrote to memory of 4740	4772	BadwareFree.exe	116
PID 4740 wrote to memory of 4676	4740	cmd.exe	117
PID 4740 wrote to memory of 4676	4740	cmd.exe	117
PID 4772 wrote to memory of 3068	4772	BadwareFree.exe	118
PID 4772 wrote to memory of 3068	4772	BadwareFree.exe	118
PID 3068 wrote to memory of 3272	3068	cmd.exe	119
PID 3068 wrote to memory of 3272	3068	cmd.exe	119
PID 4772 wrote to memory of 3292	4772	BadwareFree.exe	120
PID 4772 wrote to memory of 3292	4772	BadwareFree.exe	120
PID 3292 wrote to memory of 2312	3292	cmd.exe	121
PID 3292 wrote to memory of 2312	3292	cmd.exe	121
PID 4772 wrote to memory of 3348	4772	BadwareFree.exe	122
PID 4772 wrote to memory of 3348	4772	BadwareFree.exe	122
PID 3348 wrote to memory of 4496	3348	cmd.exe	123
PID 3348 wrote to memory of 4496	3348	cmd.exe	123
PID 4772 wrote to memory of 4776	4772	BadwareFree.exe	124
PID 4772 wrote to memory of 4776	4772	BadwareFree.exe	124
PID 4776 wrote to memory of 4460	4776	cmd.exe	125
PID 4776 wrote to memory of 4460	4776	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\Badware Woofer\BadwareFree.exe
"C:\Users\Admin\AppData\Local\Temp\Badware Woofer\BadwareFree.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 04
  2⤵
  PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:4252
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:3128
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2340
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4508
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:4352
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4444
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:1144
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2784
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Kills process with taskkill
    PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2376
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:1216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:840
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1640
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:3256
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3484
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:3340
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:2276
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2388
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3608
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4772-0-0x00007FFA15410000-0x00007FFA15412000-memory.dmp

Filesize
8KB

Download
memory/4772-1-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download
memory/4772-2-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download
memory/4772-6-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download