91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee

General

Target

Sapphire_Loader.exe
Size

3.5MB
MD5

87cbbc8f1688054e0abef4e00ba76ccf
SHA1

99e7178d149f8046deb78c848ed99af50360616e
SHA256

91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee
SHA512

c840cb5aec658a000397b237876dd102e46aa5e44aa15d03d7618718ea637f9f903f4c9aff49e8bcfecaef2dfcce6a4c0dc201ed46ec2a4b7f701bfc995e2006

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Sapphire_Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Executes dropped EXE 1 IoCs

Processes:

Loader.exe

pid process

824 Loader.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
824	Loader.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Loads dropped DLL 1 IoCs

Processes:

Sapphire_Loader.exe

pid process

532 Sapphire_Loader.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/532-54-0x000000013F760000-0x00000001400DE000-memory.dmp	themida
behavioral1/memory/532-55-0x000000013F760000-0x00000001400DE000-memory.dmp	themida
behavioral1/memory/532-56-0x000000013F760000-0x00000001400DE000-memory.dmp	themida
behavioral1/memory/532-57-0x000000013F760000-0x00000001400DE000-memory.dmp	themida
behavioral1/memory/532-61-0x000000013F760000-0x00000001400DE000-memory.dmp	themida
\SL\Loader.exe	themida
C:\SL\Loader.exe	themida
behavioral1/memory/824-127-0x000000013F5F0000-0x000000013FF6E000-memory.dmp	themida
behavioral1/memory/824-128-0x000000013F5F0000-0x000000013FF6E000-memory.dmp	themida
behavioral1/memory/824-129-0x000000013F5F0000-0x000000013FF6E000-memory.dmp	themida
behavioral1/memory/824-132-0x000000013F5F0000-0x000000013FF6E000-memory.dmp	themida
behavioral1/memory/532-134-0x000000013F760000-0x00000001400DE000-memory.dmp	themida
behavioral1/memory/824-136-0x000000013F5F0000-0x000000013FF6E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Sapphire_Loader.exeLoader.exe

pid process

532 Sapphire_Loader.exe
824 Loader.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1044	sc.exe
364	sc.exe
1084	sc.exe
544	sc.exe
1192	sc.exe
1620	sc.exe
1716	sc.exe
1580	sc.exe
1304	sc.exe
688	sc.exe
892	sc.exe
996	sc.exe
1656	sc.exe
1304	sc.exe
1476	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 60 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1528	taskkill.exe
1296	taskkill.exe
1340	taskkill.exe
688	taskkill.exe
636	taskkill.exe
1252	taskkill.exe
1600	taskkill.exe
988	taskkill.exe
552	taskkill.exe
1584	taskkill.exe
944	taskkill.exe
1868	taskkill.exe
872	taskkill.exe
1280	taskkill.exe
1204	taskkill.exe
1496	taskkill.exe
1696	taskkill.exe
1384	taskkill.exe
584	taskkill.exe
1736	taskkill.exe
1232	taskkill.exe
1740	taskkill.exe
1600	taskkill.exe
1840	taskkill.exe
1116	taskkill.exe
1108	taskkill.exe
1580	taskkill.exe
1892	taskkill.exe
1968	taskkill.exe
892	taskkill.exe
1364	taskkill.exe
1924	taskkill.exe
1204	taskkill.exe
1520	taskkill.exe
1616	taskkill.exe
2036	taskkill.exe
1648	taskkill.exe
1168	taskkill.exe
1852	taskkill.exe
2036	taskkill.exe
1688	taskkill.exe
1812	taskkill.exe
1788	taskkill.exe
2036	taskkill.exe
1588	taskkill.exe
944	taskkill.exe
1548	taskkill.exe
980	taskkill.exe
944	taskkill.exe
952	taskkill.exe
1424	taskkill.exe
572	taskkill.exe
1712	taskkill.exe
1476	taskkill.exe
580	taskkill.exe
1644	taskkill.exe
1424	taskkill.exe
752	taskkill.exe
1084	taskkill.exe
900	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sapphire_Loader.exe

pid	process
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe
532	Sapphire_Loader.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	688	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Sapphire_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 532 wrote to memory of 996	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 996	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 996	532	Sapphire_Loader.exe	cmd.exe
PID 996 wrote to memory of 952	996	cmd.exe	taskkill.exe
PID 996 wrote to memory of 952	996	cmd.exe	taskkill.exe
PID 996 wrote to memory of 952	996	cmd.exe	taskkill.exe
PID 532 wrote to memory of 1640	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1640	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1640	532	Sapphire_Loader.exe	cmd.exe
PID 1640 wrote to memory of 2036	1640	cmd.exe	taskkill.exe
PID 1640 wrote to memory of 2036	1640	cmd.exe	taskkill.exe
PID 1640 wrote to memory of 2036	1640	cmd.exe	taskkill.exe
PID 532 wrote to memory of 1048	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1048	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1048	532	Sapphire_Loader.exe	cmd.exe
PID 1048 wrote to memory of 1424	1048	cmd.exe	taskkill.exe
PID 1048 wrote to memory of 1424	1048	cmd.exe	taskkill.exe
PID 1048 wrote to memory of 1424	1048	cmd.exe	taskkill.exe
PID 532 wrote to memory of 944	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 944	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 944	532	Sapphire_Loader.exe	cmd.exe
PID 944 wrote to memory of 544	944	cmd.exe	sc.exe
PID 944 wrote to memory of 544	944	cmd.exe	sc.exe
PID 944 wrote to memory of 544	944	cmd.exe	sc.exe
PID 532 wrote to memory of 572	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 572	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 572	532	Sapphire_Loader.exe	cmd.exe
PID 572 wrote to memory of 1644	572	cmd.exe	taskkill.exe
PID 572 wrote to memory of 1644	572	cmd.exe	taskkill.exe
PID 572 wrote to memory of 1644	572	cmd.exe	taskkill.exe
PID 532 wrote to memory of 2012	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 2012	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 2012	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1200	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1200	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1200	532	Sapphire_Loader.exe	cmd.exe
PID 1200 wrote to memory of 1232	1200	cmd.exe	taskkill.exe
PID 1200 wrote to memory of 1232	1200	cmd.exe	taskkill.exe
PID 1200 wrote to memory of 1232	1200	cmd.exe	taskkill.exe
PID 532 wrote to memory of 1128	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1128	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1128	532	Sapphire_Loader.exe	cmd.exe
PID 1128 wrote to memory of 1892	1128	cmd.exe	taskkill.exe
PID 1128 wrote to memory of 1892	1128	cmd.exe	taskkill.exe
PID 1128 wrote to memory of 1892	1128	cmd.exe	taskkill.exe
PID 532 wrote to memory of 864	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 864	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 864	532	Sapphire_Loader.exe	cmd.exe
PID 864 wrote to memory of 1108	864	cmd.exe	taskkill.exe
PID 864 wrote to memory of 1108	864	cmd.exe	taskkill.exe
PID 864 wrote to memory of 1108	864	cmd.exe	taskkill.exe
PID 532 wrote to memory of 636	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 636	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 636	532	Sapphire_Loader.exe	cmd.exe
PID 636 wrote to memory of 1192	636	cmd.exe	sc.exe
PID 636 wrote to memory of 1192	636	cmd.exe	sc.exe
PID 636 wrote to memory of 1192	636	cmd.exe	sc.exe
PID 532 wrote to memory of 1144	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1144	532	Sapphire_Loader.exe	cmd.exe
PID 532 wrote to memory of 1144	532	Sapphire_Loader.exe	cmd.exe
PID 1144 wrote to memory of 1528	1144	cmd.exe	taskkill.exe
PID 1144 wrote to memory of 1528	1144	cmd.exe	taskkill.exe
PID 1144 wrote to memory of 1528	1144	cmd.exe	taskkill.exe
PID 532 wrote to memory of 1792	532	Sapphire_Loader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1840

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1404

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:956

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1088

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:280

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1488

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:668

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:892

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1072

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1204

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1712

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:636

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1792

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1840

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1716

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:956

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1176

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1864

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1496

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:936

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:572

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1072

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1548

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1192

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1252

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1296

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1904

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1620

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:760

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1688

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:952

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:704

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1048

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1748

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1496

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2012

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1168

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1520

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1784

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1768

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1564

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1924

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:760

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1088

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:952

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:704

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1048

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1748

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:936

C:\SL\Loader.exe
"C:\SL\Loader.exe" TL.run
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:364

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1280

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:1856

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:1628

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:480

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:1716

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:1968

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:1116

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1864

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:552

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1468

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:1684

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:556

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SL\Loader.exe
Filesize
3.5MB

MD5
8181b05092cd0942d298a179fd2bc115

SHA1
b6af69c0037274a59a9ae506521061e504aaec00

SHA256
78e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80

SHA512
198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750

Download Submit
\SL\Loader.exe
Filesize
3.5MB

MD5
8181b05092cd0942d298a179fd2bc115

SHA1
b6af69c0037274a59a9ae506521061e504aaec00

SHA256
78e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80

SHA512
198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750

Download Submit
memory/280-90-0x0000000000000000-mapping.dmp

Download
memory/532-134-0x000000013F760000-0x00000001400DE000-memory.dmp

Filesize
9.5MB

Download
memory/532-56-0x000000013F760000-0x00000001400DE000-memory.dmp

Filesize
9.5MB

Download
memory/532-54-0x000000013F760000-0x00000001400DE000-memory.dmp

Filesize
9.5MB

Download
memory/532-130-0x0000000003A70000-0x00000000043EE000-memory.dmp

Filesize
9.5MB

Download
memory/532-61-0x000000013F760000-0x00000001400DE000-memory.dmp

Filesize
9.5MB

Download
memory/532-55-0x000000013F760000-0x00000001400DE000-memory.dmp

Filesize
9.5MB

Download
memory/532-63-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/532-124-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/532-135-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/532-57-0x000000013F760000-0x00000001400DE000-memory.dmp

Filesize
9.5MB

Download
memory/540-103-0x0000000000000000-mapping.dmp

Download
memory/544-67-0x0000000000000000-mapping.dmp

Download
memory/572-68-0x0000000000000000-mapping.dmp

Download
memory/572-98-0x0000000000000000-mapping.dmp

Download
memory/636-106-0x0000000000000000-mapping.dmp

Download
memory/636-77-0x0000000000000000-mapping.dmp

Download
memory/668-95-0x0000000000000000-mapping.dmp

Download
memory/688-113-0x0000000000000000-mapping.dmp

Download
memory/824-133-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/824-129-0x000000013F5F0000-0x000000013FF6E000-memory.dmp

Filesize
9.5MB

Download
memory/824-128-0x000000013F5F0000-0x000000013FF6E000-memory.dmp

Filesize
9.5MB

Download
memory/824-127-0x000000013F5F0000-0x000000013FF6E000-memory.dmp

Filesize
9.5MB

Download
memory/824-132-0x000000013F5F0000-0x000000013FF6E000-memory.dmp

Filesize
9.5MB

Download
memory/824-136-0x000000013F5F0000-0x000000013FF6E000-memory.dmp

Filesize
9.5MB

Download
memory/824-137-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/864-75-0x0000000000000000-mapping.dmp

Download
memory/892-97-0x0000000000000000-mapping.dmp

Download
memory/936-123-0x0000000000000000-mapping.dmp

Download
memory/944-66-0x0000000000000000-mapping.dmp

Download
memory/944-96-0x0000000000000000-mapping.dmp

Download
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/956-115-0x0000000000000000-mapping.dmp

Download
memory/956-86-0x0000000000000000-mapping.dmp

Download
memory/996-89-0x0000000000000000-mapping.dmp

Download
memory/996-58-0x0000000000000000-mapping.dmp

Download
memory/1048-64-0x0000000000000000-mapping.dmp

Download
memory/1072-99-0x0000000000000000-mapping.dmp

Download
memory/1088-88-0x0000000000000000-mapping.dmp

Download
memory/1108-76-0x0000000000000000-mapping.dmp

Download
memory/1128-73-0x0000000000000000-mapping.dmp

Download
memory/1144-79-0x0000000000000000-mapping.dmp

Download
memory/1176-117-0x0000000000000000-mapping.dmp

Download
memory/1192-78-0x0000000000000000-mapping.dmp

Download
memory/1200-71-0x0000000000000000-mapping.dmp

Download
memory/1204-101-0x0000000000000000-mapping.dmp

Download
memory/1232-72-0x0000000000000000-mapping.dmp

Download
memory/1252-105-0x0000000000000000-mapping.dmp

Download
memory/1296-107-0x0000000000000000-mapping.dmp

Download
memory/1304-122-0x0000000000000000-mapping.dmp

Download
memory/1340-116-0x0000000000000000-mapping.dmp

Download
memory/1384-85-0x0000000000000000-mapping.dmp

Download
memory/1404-84-0x0000000000000000-mapping.dmp

Download
memory/1424-65-0x0000000000000000-mapping.dmp

Download
memory/1424-120-0x0000000000000000-mapping.dmp

Download
memory/1436-92-0x0000000000000000-mapping.dmp

Download
memory/1488-93-0x0000000000000000-mapping.dmp

Download
memory/1496-121-0x0000000000000000-mapping.dmp

Download
memory/1528-80-0x0000000000000000-mapping.dmp

Download
memory/1548-102-0x0000000000000000-mapping.dmp

Download
memory/1580-100-0x0000000000000000-mapping.dmp

Download
memory/1600-109-0x0000000000000000-mapping.dmp

Download
memory/1620-111-0x0000000000000000-mapping.dmp

Download
memory/1640-60-0x0000000000000000-mapping.dmp

Download
memory/1644-69-0x0000000000000000-mapping.dmp

Download
memory/1688-87-0x0000000000000000-mapping.dmp

Download
memory/1712-104-0x0000000000000000-mapping.dmp

Download
memory/1716-112-0x0000000000000000-mapping.dmp

Download
memory/1740-83-0x0000000000000000-mapping.dmp

Download
memory/1788-114-0x0000000000000000-mapping.dmp

Download
memory/1792-81-0x0000000000000000-mapping.dmp

Download
memory/1792-108-0x0000000000000000-mapping.dmp

Download
memory/1812-94-0x0000000000000000-mapping.dmp

Download
memory/1840-82-0x0000000000000000-mapping.dmp

Download
memory/1840-110-0x0000000000000000-mapping.dmp

Download
memory/1864-119-0x0000000000000000-mapping.dmp

Download
memory/1892-74-0x0000000000000000-mapping.dmp

Download
memory/1968-91-0x0000000000000000-mapping.dmp

Download
memory/2012-70-0x0000000000000000-mapping.dmp

Download
memory/2036-118-0x0000000000000000-mapping.dmp

Download
memory/2036-62-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads