Analysis
-
max time kernel
45s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
04-08-2022 14:57
Behavioral task
behavioral1
Sample
Sapphire_Loader.exe
Resource
win7-20220715-en
General
-
Target
Sapphire_Loader.exe
-
Size
3.5MB
-
MD5
87cbbc8f1688054e0abef4e00ba76ccf
-
SHA1
99e7178d149f8046deb78c848ed99af50360616e
-
SHA256
91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee
-
SHA512
c840cb5aec658a000397b237876dd102e46aa5e44aa15d03d7618718ea637f9f903f4c9aff49e8bcfecaef2dfcce6a4c0dc201ed46ec2a4b7f701bfc995e2006
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
Sapphire_Loader.exeLoader.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Sapphire_Loader.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe -
Executes dropped EXE 1 IoCs
Processes:
Loader.exepid process 824 Loader.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Sapphire_Loader.exeLoader.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Sapphire_Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Sapphire_Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Loader.exe -
Loads dropped DLL 1 IoCs
Processes:
Sapphire_Loader.exepid process 532 Sapphire_Loader.exe -
Processes:
resource yara_rule behavioral1/memory/532-54-0x000000013F760000-0x00000001400DE000-memory.dmp themida behavioral1/memory/532-55-0x000000013F760000-0x00000001400DE000-memory.dmp themida behavioral1/memory/532-56-0x000000013F760000-0x00000001400DE000-memory.dmp themida behavioral1/memory/532-57-0x000000013F760000-0x00000001400DE000-memory.dmp themida behavioral1/memory/532-61-0x000000013F760000-0x00000001400DE000-memory.dmp themida \SL\Loader.exe themida C:\SL\Loader.exe themida behavioral1/memory/824-127-0x000000013F5F0000-0x000000013FF6E000-memory.dmp themida behavioral1/memory/824-128-0x000000013F5F0000-0x000000013FF6E000-memory.dmp themida behavioral1/memory/824-129-0x000000013F5F0000-0x000000013FF6E000-memory.dmp themida behavioral1/memory/824-132-0x000000013F5F0000-0x000000013FF6E000-memory.dmp themida behavioral1/memory/532-134-0x000000013F760000-0x00000001400DE000-memory.dmp themida behavioral1/memory/824-136-0x000000013F5F0000-0x000000013FF6E000-memory.dmp themida -
Processes:
Sapphire_Loader.exeLoader.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Sapphire_Loader.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Loader.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Sapphire_Loader.exeLoader.exepid process 532 Sapphire_Loader.exe 824 Loader.exe -
Launches sc.exe 15 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1044 sc.exe 364 sc.exe 1084 sc.exe 544 sc.exe 1192 sc.exe 1620 sc.exe 1716 sc.exe 1580 sc.exe 1304 sc.exe 688 sc.exe 892 sc.exe 996 sc.exe 1656 sc.exe 1304 sc.exe 1476 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 60 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1528 taskkill.exe 1296 taskkill.exe 1340 taskkill.exe 688 taskkill.exe 636 taskkill.exe 1252 taskkill.exe 1600 taskkill.exe 988 taskkill.exe 552 taskkill.exe 1584 taskkill.exe 944 taskkill.exe 1868 taskkill.exe 872 taskkill.exe 1280 taskkill.exe 1204 taskkill.exe 1496 taskkill.exe 1696 taskkill.exe 1384 taskkill.exe 584 taskkill.exe 1736 taskkill.exe 1232 taskkill.exe 1740 taskkill.exe 1600 taskkill.exe 1840 taskkill.exe 1116 taskkill.exe 1108 taskkill.exe 1580 taskkill.exe 1892 taskkill.exe 1968 taskkill.exe 892 taskkill.exe 1364 taskkill.exe 1924 taskkill.exe 1204 taskkill.exe 1520 taskkill.exe 1616 taskkill.exe 2036 taskkill.exe 1648 taskkill.exe 1168 taskkill.exe 1852 taskkill.exe 2036 taskkill.exe 1688 taskkill.exe 1812 taskkill.exe 1788 taskkill.exe 2036 taskkill.exe 1588 taskkill.exe 944 taskkill.exe 1548 taskkill.exe 980 taskkill.exe 944 taskkill.exe 952 taskkill.exe 1424 taskkill.exe 572 taskkill.exe 1712 taskkill.exe 1476 taskkill.exe 580 taskkill.exe 1644 taskkill.exe 1424 taskkill.exe 752 taskkill.exe 1084 taskkill.exe 900 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Sapphire_Loader.exepid process 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe 532 Sapphire_Loader.exe -
Suspicious use of AdjustPrivilegeToken 59 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 952 taskkill.exe Token: SeDebugPrivilege 2036 taskkill.exe Token: SeDebugPrivilege 1424 taskkill.exe Token: SeDebugPrivilege 1644 taskkill.exe Token: SeDebugPrivilege 1232 taskkill.exe Token: SeDebugPrivilege 1892 taskkill.exe Token: SeDebugPrivilege 1108 taskkill.exe Token: SeDebugPrivilege 1528 taskkill.exe Token: SeDebugPrivilege 1740 taskkill.exe Token: SeDebugPrivilege 1384 taskkill.exe Token: SeDebugPrivilege 1688 taskkill.exe Token: SeDebugPrivilege 1968 taskkill.exe Token: SeDebugPrivilege 1812 taskkill.exe Token: SeDebugPrivilege 944 taskkill.exe Token: SeDebugPrivilege 572 taskkill.exe Token: SeDebugPrivilege 1548 taskkill.exe Token: SeDebugPrivilege 1252 taskkill.exe Token: SeDebugPrivilege 1296 taskkill.exe Token: SeDebugPrivilege 1600 taskkill.exe Token: SeDebugPrivilege 688 taskkill.exe Token: SeDebugPrivilege 1340 taskkill.exe Token: SeDebugPrivilege 2036 taskkill.exe Token: SeDebugPrivilege 1424 taskkill.exe Token: SeDebugPrivilege 944 taskkill.exe Token: SeDebugPrivilege 892 taskkill.exe Token: SeDebugPrivilege 872 taskkill.exe Token: SeDebugPrivilege 1204 taskkill.exe Token: SeDebugPrivilege 1712 taskkill.exe Token: SeDebugPrivilege 636 taskkill.exe Token: SeDebugPrivilege 1600 taskkill.exe Token: SeDebugPrivilege 1840 taskkill.exe Token: SeDebugPrivilege 1788 taskkill.exe Token: SeDebugPrivilege 988 taskkill.exe Token: SeDebugPrivilege 1116 taskkill.exe Token: SeDebugPrivilege 752 taskkill.exe Token: SeDebugPrivilege 552 taskkill.exe Token: SeDebugPrivilege 1580 taskkill.exe Token: SeDebugPrivilege 980 taskkill.exe Token: SeDebugPrivilege 1584 taskkill.exe Token: SeDebugPrivilege 1280 taskkill.exe Token: SeDebugPrivilege 1476 taskkill.exe Token: SeDebugPrivilege 1364 taskkill.exe Token: SeDebugPrivilege 1868 taskkill.exe Token: SeDebugPrivilege 1648 taskkill.exe Token: SeDebugPrivilege 1084 taskkill.exe Token: SeDebugPrivilege 580 taskkill.exe Token: SeDebugPrivilege 584 taskkill.exe Token: SeDebugPrivilege 944 taskkill.exe Token: SeDebugPrivilege 1204 taskkill.exe Token: SeDebugPrivilege 1168 taskkill.exe Token: SeDebugPrivilege 1520 taskkill.exe Token: SeDebugPrivilege 1852 taskkill.exe Token: SeDebugPrivilege 900 taskkill.exe Token: SeDebugPrivilege 1616 taskkill.exe Token: SeDebugPrivilege 2036 taskkill.exe Token: SeDebugPrivilege 1736 taskkill.exe Token: SeDebugPrivilege 1496 taskkill.exe Token: SeDebugPrivilege 1696 taskkill.exe Token: SeDebugPrivilege 1588 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Sapphire_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 532 wrote to memory of 996 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 996 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 996 532 Sapphire_Loader.exe cmd.exe PID 996 wrote to memory of 952 996 cmd.exe taskkill.exe PID 996 wrote to memory of 952 996 cmd.exe taskkill.exe PID 996 wrote to memory of 952 996 cmd.exe taskkill.exe PID 532 wrote to memory of 1640 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1640 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1640 532 Sapphire_Loader.exe cmd.exe PID 1640 wrote to memory of 2036 1640 cmd.exe taskkill.exe PID 1640 wrote to memory of 2036 1640 cmd.exe taskkill.exe PID 1640 wrote to memory of 2036 1640 cmd.exe taskkill.exe PID 532 wrote to memory of 1048 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1048 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1048 532 Sapphire_Loader.exe cmd.exe PID 1048 wrote to memory of 1424 1048 cmd.exe taskkill.exe PID 1048 wrote to memory of 1424 1048 cmd.exe taskkill.exe PID 1048 wrote to memory of 1424 1048 cmd.exe taskkill.exe PID 532 wrote to memory of 944 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 944 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 944 532 Sapphire_Loader.exe cmd.exe PID 944 wrote to memory of 544 944 cmd.exe sc.exe PID 944 wrote to memory of 544 944 cmd.exe sc.exe PID 944 wrote to memory of 544 944 cmd.exe sc.exe PID 532 wrote to memory of 572 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 572 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 572 532 Sapphire_Loader.exe cmd.exe PID 572 wrote to memory of 1644 572 cmd.exe taskkill.exe PID 572 wrote to memory of 1644 572 cmd.exe taskkill.exe PID 572 wrote to memory of 1644 572 cmd.exe taskkill.exe PID 532 wrote to memory of 2012 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 2012 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 2012 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1200 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1200 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1200 532 Sapphire_Loader.exe cmd.exe PID 1200 wrote to memory of 1232 1200 cmd.exe taskkill.exe PID 1200 wrote to memory of 1232 1200 cmd.exe taskkill.exe PID 1200 wrote to memory of 1232 1200 cmd.exe taskkill.exe PID 532 wrote to memory of 1128 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1128 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1128 532 Sapphire_Loader.exe cmd.exe PID 1128 wrote to memory of 1892 1128 cmd.exe taskkill.exe PID 1128 wrote to memory of 1892 1128 cmd.exe taskkill.exe PID 1128 wrote to memory of 1892 1128 cmd.exe taskkill.exe PID 532 wrote to memory of 864 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 864 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 864 532 Sapphire_Loader.exe cmd.exe PID 864 wrote to memory of 1108 864 cmd.exe taskkill.exe PID 864 wrote to memory of 1108 864 cmd.exe taskkill.exe PID 864 wrote to memory of 1108 864 cmd.exe taskkill.exe PID 532 wrote to memory of 636 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 636 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 636 532 Sapphire_Loader.exe cmd.exe PID 636 wrote to memory of 1192 636 cmd.exe sc.exe PID 636 wrote to memory of 1192 636 cmd.exe sc.exe PID 636 wrote to memory of 1192 636 cmd.exe sc.exe PID 532 wrote to memory of 1144 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1144 532 Sapphire_Loader.exe cmd.exe PID 532 wrote to memory of 1144 532 Sapphire_Loader.exe cmd.exe PID 1144 wrote to memory of 1528 1144 cmd.exe taskkill.exe PID 1144 wrote to memory of 1528 1144 cmd.exe taskkill.exe PID 1144 wrote to memory of 1528 1144 cmd.exe taskkill.exe PID 532 wrote to memory of 1792 532 Sapphire_Loader.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\SL\Loader.exe"C:\SL\Loader.exe" TL.run2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\SL\Loader.exeFilesize
3.5MB
MD58181b05092cd0942d298a179fd2bc115
SHA1b6af69c0037274a59a9ae506521061e504aaec00
SHA25678e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80
SHA512198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750
-
\SL\Loader.exeFilesize
3.5MB
MD58181b05092cd0942d298a179fd2bc115
SHA1b6af69c0037274a59a9ae506521061e504aaec00
SHA25678e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80
SHA512198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750
-
memory/280-90-0x0000000000000000-mapping.dmp
-
memory/532-134-0x000000013F760000-0x00000001400DE000-memory.dmpFilesize
9.5MB
-
memory/532-56-0x000000013F760000-0x00000001400DE000-memory.dmpFilesize
9.5MB
-
memory/532-54-0x000000013F760000-0x00000001400DE000-memory.dmpFilesize
9.5MB
-
memory/532-130-0x0000000003A70000-0x00000000043EE000-memory.dmpFilesize
9.5MB
-
memory/532-61-0x000000013F760000-0x00000001400DE000-memory.dmpFilesize
9.5MB
-
memory/532-55-0x000000013F760000-0x00000001400DE000-memory.dmpFilesize
9.5MB
-
memory/532-63-0x0000000077A40000-0x0000000077BE9000-memory.dmpFilesize
1.7MB
-
memory/532-124-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmpFilesize
8KB
-
memory/532-135-0x0000000077A40000-0x0000000077BE9000-memory.dmpFilesize
1.7MB
-
memory/532-57-0x000000013F760000-0x00000001400DE000-memory.dmpFilesize
9.5MB
-
memory/540-103-0x0000000000000000-mapping.dmp
-
memory/544-67-0x0000000000000000-mapping.dmp
-
memory/572-68-0x0000000000000000-mapping.dmp
-
memory/572-98-0x0000000000000000-mapping.dmp
-
memory/636-106-0x0000000000000000-mapping.dmp
-
memory/636-77-0x0000000000000000-mapping.dmp
-
memory/668-95-0x0000000000000000-mapping.dmp
-
memory/688-113-0x0000000000000000-mapping.dmp
-
memory/824-133-0x0000000077A40000-0x0000000077BE9000-memory.dmpFilesize
1.7MB
-
memory/824-129-0x000000013F5F0000-0x000000013FF6E000-memory.dmpFilesize
9.5MB
-
memory/824-128-0x000000013F5F0000-0x000000013FF6E000-memory.dmpFilesize
9.5MB
-
memory/824-127-0x000000013F5F0000-0x000000013FF6E000-memory.dmpFilesize
9.5MB
-
memory/824-132-0x000000013F5F0000-0x000000013FF6E000-memory.dmpFilesize
9.5MB
-
memory/824-136-0x000000013F5F0000-0x000000013FF6E000-memory.dmpFilesize
9.5MB
-
memory/824-137-0x0000000077A40000-0x0000000077BE9000-memory.dmpFilesize
1.7MB
-
memory/864-75-0x0000000000000000-mapping.dmp
-
memory/892-97-0x0000000000000000-mapping.dmp
-
memory/936-123-0x0000000000000000-mapping.dmp
-
memory/944-66-0x0000000000000000-mapping.dmp
-
memory/944-96-0x0000000000000000-mapping.dmp
-
memory/952-59-0x0000000000000000-mapping.dmp
-
memory/956-115-0x0000000000000000-mapping.dmp
-
memory/956-86-0x0000000000000000-mapping.dmp
-
memory/996-89-0x0000000000000000-mapping.dmp
-
memory/996-58-0x0000000000000000-mapping.dmp
-
memory/1048-64-0x0000000000000000-mapping.dmp
-
memory/1072-99-0x0000000000000000-mapping.dmp
-
memory/1088-88-0x0000000000000000-mapping.dmp
-
memory/1108-76-0x0000000000000000-mapping.dmp
-
memory/1128-73-0x0000000000000000-mapping.dmp
-
memory/1144-79-0x0000000000000000-mapping.dmp
-
memory/1176-117-0x0000000000000000-mapping.dmp
-
memory/1192-78-0x0000000000000000-mapping.dmp
-
memory/1200-71-0x0000000000000000-mapping.dmp
-
memory/1204-101-0x0000000000000000-mapping.dmp
-
memory/1232-72-0x0000000000000000-mapping.dmp
-
memory/1252-105-0x0000000000000000-mapping.dmp
-
memory/1296-107-0x0000000000000000-mapping.dmp
-
memory/1304-122-0x0000000000000000-mapping.dmp
-
memory/1340-116-0x0000000000000000-mapping.dmp
-
memory/1384-85-0x0000000000000000-mapping.dmp
-
memory/1404-84-0x0000000000000000-mapping.dmp
-
memory/1424-65-0x0000000000000000-mapping.dmp
-
memory/1424-120-0x0000000000000000-mapping.dmp
-
memory/1436-92-0x0000000000000000-mapping.dmp
-
memory/1488-93-0x0000000000000000-mapping.dmp
-
memory/1496-121-0x0000000000000000-mapping.dmp
-
memory/1528-80-0x0000000000000000-mapping.dmp
-
memory/1548-102-0x0000000000000000-mapping.dmp
-
memory/1580-100-0x0000000000000000-mapping.dmp
-
memory/1600-109-0x0000000000000000-mapping.dmp
-
memory/1620-111-0x0000000000000000-mapping.dmp
-
memory/1640-60-0x0000000000000000-mapping.dmp
-
memory/1644-69-0x0000000000000000-mapping.dmp
-
memory/1688-87-0x0000000000000000-mapping.dmp
-
memory/1712-104-0x0000000000000000-mapping.dmp
-
memory/1716-112-0x0000000000000000-mapping.dmp
-
memory/1740-83-0x0000000000000000-mapping.dmp
-
memory/1788-114-0x0000000000000000-mapping.dmp
-
memory/1792-81-0x0000000000000000-mapping.dmp
-
memory/1792-108-0x0000000000000000-mapping.dmp
-
memory/1812-94-0x0000000000000000-mapping.dmp
-
memory/1840-82-0x0000000000000000-mapping.dmp
-
memory/1840-110-0x0000000000000000-mapping.dmp
-
memory/1864-119-0x0000000000000000-mapping.dmp
-
memory/1892-74-0x0000000000000000-mapping.dmp
-
memory/1968-91-0x0000000000000000-mapping.dmp
-
memory/2012-70-0x0000000000000000-mapping.dmp
-
memory/2036-118-0x0000000000000000-mapping.dmp
-
memory/2036-62-0x0000000000000000-mapping.dmp