ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78

Analysis

max time kernel
10s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BadwareFree.exe
Size

7.2MB
MD5

6ec04fa24f0695f286801366108942f3
SHA1

309ee6a08c8ab0159dc3137865b6cfeb9f3e4e04
SHA256

ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78
SHA512

d835f387bb19b353f58eb72a94c2b32857826f3f1322c7b5be253a6dc3b2c6a9cf4cd0340ab001df74092899346bd0e4d1dfa8c5c8d77a2893b418311103a6b5
SSDEEP

98304:cMYzS+CQQ4vBmVK0Psj6+qU483Aj9urJBSzrAhzZVT6e3JKPfjV4ZTNy6oeZ2gCc:KS4qKsW80FIryV4fZo0/

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3032	BadwareFree.exe
3032	BadwareFree.exe

Kills process with taskkill 37 IoCs

evasion

pid	Process
2844	taskkill.exe
1956	taskkill.exe
2492	taskkill.exe
288	taskkill.exe
1728	taskkill.exe
2568	taskkill.exe
3056	taskkill.exe
2584	taskkill.exe
2856	taskkill.exe
2404	taskkill.exe
1716	taskkill.exe
2916	taskkill.exe
1228	taskkill.exe
2032	taskkill.exe
2720	taskkill.exe
1088	taskkill.exe
2944	taskkill.exe
348	taskkill.exe
1664	taskkill.exe
1584	taskkill.exe
1588	taskkill.exe
720	taskkill.exe
1336	taskkill.exe
1312	taskkill.exe
336	taskkill.exe
2040	taskkill.exe
1856	taskkill.exe
788	taskkill.exe
2740	taskkill.exe
1608	taskkill.exe
2312	taskkill.exe
2680	taskkill.exe
2716	taskkill.exe
1548	taskkill.exe
280	taskkill.exe
1860	taskkill.exe
912	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe
3032	BadwareFree.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	280	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2468	3032	BadwareFree.exe	32
PID 3032 wrote to memory of 2468	3032	BadwareFree.exe	32
PID 3032 wrote to memory of 2468	3032	BadwareFree.exe	32
PID 3032 wrote to memory of 1680	3032	BadwareFree.exe	33
PID 3032 wrote to memory of 1680	3032	BadwareFree.exe	33
PID 3032 wrote to memory of 1680	3032	BadwareFree.exe	33
PID 1680 wrote to memory of 1728	1680	cmd.exe	34
PID 1680 wrote to memory of 1728	1680	cmd.exe	34
PID 1680 wrote to memory of 1728	1680	cmd.exe	34
PID 3032 wrote to memory of 572	3032	BadwareFree.exe	36
PID 3032 wrote to memory of 572	3032	BadwareFree.exe	36
PID 3032 wrote to memory of 572	3032	BadwareFree.exe	36
PID 3032 wrote to memory of 2116	3032	BadwareFree.exe	37
PID 3032 wrote to memory of 2116	3032	BadwareFree.exe	37
PID 3032 wrote to memory of 2116	3032	BadwareFree.exe	37
PID 3032 wrote to memory of 2792	3032	BadwareFree.exe	38
PID 3032 wrote to memory of 2792	3032	BadwareFree.exe	38
PID 3032 wrote to memory of 2792	3032	BadwareFree.exe	38
PID 3032 wrote to memory of 2828	3032	BadwareFree.exe	39
PID 3032 wrote to memory of 2828	3032	BadwareFree.exe	39
PID 3032 wrote to memory of 2828	3032	BadwareFree.exe	39
PID 2828 wrote to memory of 2844	2828	cmd.exe	40
PID 2828 wrote to memory of 2844	2828	cmd.exe	40
PID 2828 wrote to memory of 2844	2828	cmd.exe	40
PID 3032 wrote to memory of 2752	3032	BadwareFree.exe	41
PID 3032 wrote to memory of 2752	3032	BadwareFree.exe	41
PID 3032 wrote to memory of 2752	3032	BadwareFree.exe	41
PID 2752 wrote to memory of 2680	2752	cmd.exe	42
PID 2752 wrote to memory of 2680	2752	cmd.exe	42
PID 2752 wrote to memory of 2680	2752	cmd.exe	42
PID 3032 wrote to memory of 2736	3032	BadwareFree.exe	43
PID 3032 wrote to memory of 2736	3032	BadwareFree.exe	43
PID 3032 wrote to memory of 2736	3032	BadwareFree.exe	43
PID 2736 wrote to memory of 2716	2736	cmd.exe	44
PID 2736 wrote to memory of 2716	2736	cmd.exe	44
PID 2736 wrote to memory of 2716	2736	cmd.exe	44
PID 3032 wrote to memory of 2908	3032	BadwareFree.exe	45
PID 3032 wrote to memory of 2908	3032	BadwareFree.exe	45
PID 3032 wrote to memory of 2908	3032	BadwareFree.exe	45
PID 2908 wrote to memory of 2584	2908	cmd.exe	46
PID 2908 wrote to memory of 2584	2908	cmd.exe	46
PID 2908 wrote to memory of 2584	2908	cmd.exe	46
PID 3032 wrote to memory of 2728	3032	BadwareFree.exe	47
PID 3032 wrote to memory of 2728	3032	BadwareFree.exe	47
PID 3032 wrote to memory of 2728	3032	BadwareFree.exe	47
PID 2728 wrote to memory of 2720	2728	cmd.exe	48
PID 2728 wrote to memory of 2720	2728	cmd.exe	48
PID 2728 wrote to memory of 2720	2728	cmd.exe	48
PID 3032 wrote to memory of 2560	3032	BadwareFree.exe	49
PID 3032 wrote to memory of 2560	3032	BadwareFree.exe	49
PID 3032 wrote to memory of 2560	3032	BadwareFree.exe	49
PID 2560 wrote to memory of 2568	2560	cmd.exe	50
PID 2560 wrote to memory of 2568	2560	cmd.exe	50
PID 2560 wrote to memory of 2568	2560	cmd.exe	50
PID 3032 wrote to memory of 2676	3032	BadwareFree.exe	51
PID 3032 wrote to memory of 2676	3032	BadwareFree.exe	51
PID 3032 wrote to memory of 2676	3032	BadwareFree.exe	51
PID 2676 wrote to memory of 2040	2676	cmd.exe	52
PID 2676 wrote to memory of 2040	2676	cmd.exe	52
PID 2676 wrote to memory of 2040	2676	cmd.exe	52
PID 3032 wrote to memory of 2440	3032	BadwareFree.exe	53
PID 3032 wrote to memory of 2440	3032	BadwareFree.exe	53
PID 3032 wrote to memory of 2440	3032	BadwareFree.exe	53
PID 2440 wrote to memory of 1584	2440	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\BadwareFree.exe
"C:\Users\Admin\AppData\Local\Temp\BadwareFree.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 04
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:1084
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:3040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:1736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:2836
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:2860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:1940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2124
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:400
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:916
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Kills process with taskkill
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1568
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:1464
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:328
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1488
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:2476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:2076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3004
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3032-5-0x0000000140000000-0x0000000140F9C000-memory.dmp

Filesize
15.6MB

Download
memory/3032-6-0x000000014041E000-0x0000000140865000-memory.dmp

Filesize
4.3MB

Download
memory/3032-4-0x00000000773C0000-0x00000000773C2000-memory.dmp

Filesize
8KB

Download
memory/3032-2-0x00000000773C0000-0x00000000773C2000-memory.dmp

Filesize
8KB

Download
memory/3032-0-0x00000000773C0000-0x00000000773C2000-memory.dmp

Filesize
8KB

Download
memory/3032-10-0x000000014041E000-0x0000000140865000-memory.dmp

Filesize
4.3MB

Download