91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee

Virtualization/Sandbox Evasion

T1497

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Sapphire_Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Executes dropped EXE 1 IoCs

Processes:

Loader.exe

pid process

4136 Loader.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4136	Loader.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Sapphire_Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Sapphire_Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Sapphire_Loader.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1416-130-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp	themida
behavioral2/memory/1416-131-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp	themida
behavioral2/memory/1416-132-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp	themida
behavioral2/memory/1416-133-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp	themida
behavioral2/memory/1416-135-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp	themida
behavioral2/memory/1416-200-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp	themida
C:\SL\Loader.exe	themida
C:\SL\Loader.exe	themida
behavioral2/memory/4136-204-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp	themida
behavioral2/memory/4136-205-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp	themida
behavioral2/memory/4136-206-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp	themida
behavioral2/memory/4136-207-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp	themida
behavioral2/memory/4136-210-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp	themida
behavioral2/memory/1416-209-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp	themida
behavioral2/memory/4136-212-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp	themida
behavioral2/memory/4136-214-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Sapphire_Loader.exeLoader.exe

pid process

1416 Sapphire_Loader.exe
4136 Loader.exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4844	sc.exe
1116	sc.exe
436	sc.exe
3844	sc.exe
3160	sc.exe
1660	sc.exe
3028	sc.exe
3716	sc.exe
3144	sc.exe
4960	sc.exe
2308	sc.exe
2816	sc.exe
4492	sc.exe
3996	sc.exe
4572	sc.exe
4852	sc.exe
4924	sc.exe
1296	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2700	taskkill.exe
3600	taskkill.exe
1248	taskkill.exe
4552	taskkill.exe
4612	taskkill.exe
1256	taskkill.exe
4776	taskkill.exe
3500	taskkill.exe
4660	taskkill.exe
4864	taskkill.exe
3168	taskkill.exe
3736	taskkill.exe
3820	taskkill.exe
2800	taskkill.exe
648	taskkill.exe
3324	taskkill.exe
5016	taskkill.exe
4812	taskkill.exe
3172	taskkill.exe
2360	taskkill.exe
1532	taskkill.exe
1136	taskkill.exe
3264	taskkill.exe
4348	taskkill.exe
4012	taskkill.exe
4444	taskkill.exe
2264	taskkill.exe
2668	taskkill.exe
3360	taskkill.exe
740	taskkill.exe
648	taskkill.exe
2864	taskkill.exe
4520	taskkill.exe
3928	taskkill.exe
2152	taskkill.exe
3728	taskkill.exe
1748	taskkill.exe
396	taskkill.exe
2440	taskkill.exe
5064	taskkill.exe
4804	taskkill.exe
3752	taskkill.exe
3928	taskkill.exe
2380	taskkill.exe
1700	taskkill.exe
5008	taskkill.exe
3324	taskkill.exe
1628	taskkill.exe
1516	taskkill.exe
2600	taskkill.exe
616	taskkill.exe
4188	taskkill.exe
2504	taskkill.exe
4752	taskkill.exe
3992	taskkill.exe
3680	taskkill.exe
4312	taskkill.exe
4012	taskkill.exe
5004	taskkill.exe
3944	taskkill.exe
1500	taskkill.exe
4396	taskkill.exe
4928	taskkill.exe
4272	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4916 PING.EXE

pid	process
4916	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sapphire_Loader.exe

pid	process
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe
1416	Sapphire_Loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Sapphire_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 3576	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 3576	1416	Sapphire_Loader.exe	cmd.exe
PID 3576 wrote to memory of 3992	3576	cmd.exe	taskkill.exe
PID 3576 wrote to memory of 3992	3576	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 2232	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 2232	1416	Sapphire_Loader.exe	cmd.exe
PID 2232 wrote to memory of 1532	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 1532	2232	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 4116	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 4116	1416	Sapphire_Loader.exe	cmd.exe
PID 4116 wrote to memory of 3944	4116	cmd.exe	taskkill.exe
PID 4116 wrote to memory of 3944	4116	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 2800	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 2800	1416	Sapphire_Loader.exe	cmd.exe
PID 2800 wrote to memory of 436	2800	cmd.exe	sc.exe
PID 2800 wrote to memory of 436	2800	cmd.exe	sc.exe
PID 1416 wrote to memory of 824	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 824	1416	Sapphire_Loader.exe	cmd.exe
PID 824 wrote to memory of 616	824	cmd.exe	taskkill.exe
PID 824 wrote to memory of 616	824	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 1588	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 1588	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 4412	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 4412	1416	Sapphire_Loader.exe	cmd.exe
PID 4412 wrote to memory of 3680	4412	cmd.exe	taskkill.exe
PID 4412 wrote to memory of 3680	4412	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 228	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 228	1416	Sapphire_Loader.exe	cmd.exe
PID 228 wrote to memory of 3324	228	cmd.exe	taskkill.exe
PID 228 wrote to memory of 3324	228	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 4660	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 4660	1416	Sapphire_Loader.exe	cmd.exe
PID 4660 wrote to memory of 4348	4660	cmd.exe	taskkill.exe
PID 4660 wrote to memory of 4348	4660	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 2580	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 2580	1416	Sapphire_Loader.exe	cmd.exe
PID 2580 wrote to memory of 2816	2580	cmd.exe	sc.exe
PID 2580 wrote to memory of 2816	2580	cmd.exe	sc.exe
PID 1416 wrote to memory of 2600	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 2600	1416	Sapphire_Loader.exe	cmd.exe
PID 2600 wrote to memory of 3360	2600	cmd.exe	taskkill.exe
PID 2600 wrote to memory of 3360	2600	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 3500	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 3500	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 5084	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 5084	1416	Sapphire_Loader.exe	cmd.exe
PID 5084 wrote to memory of 4804	5084	cmd.exe	taskkill.exe
PID 5084 wrote to memory of 4804	5084	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 5096	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 5096	1416	Sapphire_Loader.exe	cmd.exe
PID 5096 wrote to memory of 4612	5096	cmd.exe	taskkill.exe
PID 5096 wrote to memory of 4612	5096	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 536	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 536	1416	Sapphire_Loader.exe	cmd.exe
PID 536 wrote to memory of 2700	536	cmd.exe	taskkill.exe
PID 536 wrote to memory of 2700	536	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 4964	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 4964	1416	Sapphire_Loader.exe	cmd.exe
PID 4964 wrote to memory of 3844	4964	cmd.exe	sc.exe
PID 4964 wrote to memory of 3844	4964	cmd.exe	sc.exe
PID 1416 wrote to memory of 2080	1416	Sapphire_Loader.exe	cmd.exe
PID 1416 wrote to memory of 2080	1416	Sapphire_Loader.exe	cmd.exe
PID 2080 wrote to memory of 4188	2080	cmd.exe	taskkill.exe
PID 2080 wrote to memory of 4188	2080	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1116

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:4292

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4272

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4224

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:5076

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3996

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:4120

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1540

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1256

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:3376

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2252

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:4868

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:436

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:764

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1588

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:3680

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4316

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:4348

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2296

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:2600

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4960

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1252

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:4940

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4976

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:3280

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4464

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2260

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1864

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:632

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1688

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1496

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2412

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:512

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4988

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:3160

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4220

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4216

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:3420

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4848

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1020

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4336

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1132

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:956

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1272

C:\SL\Loader.exe
"C:\SL\Loader.exe" TL.run
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:3708

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:760

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:3500

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:4864

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:5052

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1928

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:2408

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:508

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:3620

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:4464

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:4416

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:4224

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:4876

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:620

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:4472

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:2524

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:620

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:2684

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:4328

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:4676

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:1848

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:3312

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:1204

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:4228

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1148

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:5108

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1856

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:1004

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:4176

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3576

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\SL\Loader.exe"
3⤵
PID:1156

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

3

Virtualization/Sandbox Evasion

T1497

System Information Discovery

4

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop