Analysis
- max time kernel: 176s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-08-2022 14:57

Behavioral task
- behavioral1: Sample Sapphire_Loader.exe, Resource win7-20220715-en

General
- Target: Sapphire_Loader.exe
- Size: 3.5MB
- MD5: 87cbbc8f1688054e0abef4e00ba76ccf
- SHA1: 99e7178d149f8046deb78c848ed99af50360616e
- SHA256: 91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee
- SHA512: c840cb5aec658a000397b237876dd102e46aa5e44aa15d03d7618718ea637f9f903f4c9aff49e8bcfecaef2dfcce6a4c0dc201ed46ec2a4b7f701bfc995e2006

Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Sapphire_Loader.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Loader.exe)
Executes dropped EXE 1 IoCs
Processes:
- PID 4136 Loader.exe
Stops running service(s) 3 TTPs
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Sapphire_Loader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Loader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Loader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Sapphire_Loader.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation (Sapphire_Loader.exe)
Processes (yara_rule themida matched on resource):
- themida: behavioral2/memory/1416-130-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
- themida: behavioral2/memory/1416-131-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
- themida: behavioral2/memory/1416-132-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
- themida: behavioral2/memory/1416-133-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
- themida: behavioral2/memory/1416-135-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
- themida: behavioral2/memory/1416-200-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
- themida: C:\SL\Loader.exe
- themida: C:\SL\Loader.exe
- themida: behavioral2/memory/4136-204-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp
- themida: behavioral2/memory/4136-205-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp
- themida: behavioral2/memory/4136-206-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp
- themida: behavioral2/memory/4136-207-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp
- themida: behavioral2/memory/4136-210-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp
- themida: behavioral2/memory/1416-209-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
- themida: behavioral2/memory/4136-212-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp
- themida: behavioral2/memory/4136-214-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Sapphire_Loader.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Loader.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 1416 Sapphire_Loader.exe
- PID 4136 Loader.exe
Launches sc.exe 18 IoCs
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill 64 IoCs
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(tree depth in brackets; image path, followed by the command line in parentheses)

[1] C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe  ("C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe")
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1)
    [3] C:\Windows\system32\sc.exe  (sc stop HTTPDebuggerPro)
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1)
    [3] C:\Windows\system32\taskkill.exe  (taskkill /IM HTTPDebuggerSvc.exe /F)
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1)
  [2] C:\SL\Loader.exe  ("C:\SL\Loader.exe" TL.run)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
    [3] C:\Windows\system32\cmd.exe  (C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1)
      [4] C:\Windows\system32\taskkill.exe  (taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T)
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\SL\Loader.exe"3⤵
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30004⤵
- Runs ping.exe
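Read as a whole, the tree above is one anti-interception routine executed over and over: force-kill every process whose image name starts with fiddler, wireshark or httpdebugger, stop the HTTPDebuggerPro service and its HTTPDebuggerSvc.exe process, delete the WinINet cache directory INetCache\IE, and clear the console. The submitted sample runs the routine at depth 2, then drops and starts C:\SL\Loader.exe, which runs the same routine six more times at depth 3 before removing its own image with a ping-delayed `del`. The script below is an added example (it is not part of the sandbox report and not code from the sample) that turns that pattern into detection logic over process-creation events such as Sysmon Event ID 1 would supply. The sample events are constructed inline: the command lines are copied from the tree above, PIDs 1416 and 4136 match the memory dumps listed later in the report, and all other PIDs as well as the Sapphire_Loader.exe path are made up. Because every action here is launched through a `cmd.exe /c` wrapper, a finding that a child merely repeats from its parent is dropped and the remaining findings are attributed to the nearest ancestor that is not a cmd/taskkill/sc/ping helper.

```python
"""Flag the anti-analysis command-line patterns seen in this process tree.

Added example, not part of the sandbox report or the sample. Input is a list of
process-creation events (pid, parent pid, image path, command line); here they are
constructed inline from the command lines shown in the report.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Image names the loader targets, taken from the taskkill filters and the
# `sc stop` in the report. Extend for other interception tools in your estate.
ANALYSIS_TOOLS = ("fiddler", "wireshark", "httpdebugger")

# Helpers that only relay a command for some other process; findings are
# attributed to the nearest ancestor that is not one of these.
WRAPPERS = {"cmd.exe", "taskkill.exe", "sc.exe", "ping.exe"}

TASKKILL_FI = re.compile(r'taskkill\b.*?/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.I)
TASKKILL_IM = re.compile(r"taskkill\b.*?/IM\s+(\S+)", re.I)
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
RD_INETCACHE = re.compile(r'\b(?:rd|rmdir)\s+/s\s+/q\s+"?([^"]*\\INetCache\\[^"]*)', re.I)
# "ping <host> -n 1 -w <ms> & del /f /q <file>": a sleep followed by a delete
PING_DEL = re.compile(r'\bping\b.*&\s*del\s+(?:/\w\s+)*"?([^"&]+?)"?\s*$', re.I)

CMD = r"C:\Windows\system32\cmd.exe"
TASKKILL = r"C:\Windows\system32\taskkill.exe"

# Constructed sample (pid, ppid, image, command line). Command lines are copied
# from the report; PIDs 1416 and 4136 match the report's memory dumps, every other
# PID and the Sapphire_Loader.exe path are made up for this example.
SAMPLE_EVENTS = [
    (1416, 900, r"C:\Users\user\Desktop\Sapphire_Loader.exe", r'"C:\Users\user\Desktop\Sapphire_Loader.exe"'),
    (2232, 1416, CMD, r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1'),
    (2800, 2232, TASKKILL, r'taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T'),
    (4136, 1416, r"C:\SL\Loader.exe", r'"C:\SL\Loader.exe" TL.run'),
    (3944, 4136, CMD, r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1'),
    (4116, 3944, TASKKILL, r'taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T'),
    (1532, 4136, CMD, r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1'),
    (3992, 1532, TASKKILL, r'taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T'),
    (3576, 4136, CMD, r"C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1"),
    (824, 3576, r"C:\Windows\system32\sc.exe", r"sc stop HTTPDebuggerPro"),
    (616, 4136, CMD, r"C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1"),
    (1588, 616, TASKKILL, r"taskkill /IM HTTPDebuggerSvc.exe /F"),
    (4412, 4136, CMD, r'C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1'),
    (3680, 4136, CMD, r"C:\Windows\system32\cmd.exe /c cls"),
    (764, 4136, r"C:\Windows\SYSTEM32\cmd.exe", r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\SL\Loader.exe"'),
    (4924, 764, r"C:\Windows\system32\PING.EXE", r"ping 1.1.1.1 -n 1 -w 3000"),
    (5000, 900, r"C:\Windows\system32\notepad.exe", r"notepad.exe readme.txt"),  # benign control
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _names_tool(name: str) -> bool:
    return any(tool in name.lower() for tool in ANALYSIS_TOOLS)


def _classify(pid, ppid, cmdline, image_of):
    found = []
    for rx in (TASKKILL_FI, TASKKILL_IM):
        m = rx.search(cmdline)
        if m and _names_tool(m.group(1)):
            found.append(Finding(pid, "kills_analysis_tool", m.group(1)))
    m = SC_STOP.search(cmdline)
    if m and _names_tool(m.group(1)):
        found.append(Finding(pid, "stops_analysis_service", m.group(1)))
    m = RD_INETCACHE.search(cmdline)
    if m:
        found.append(Finding(pid, "clears_inetcache", m.group(1)))
    m = PING_DEL.search(cmdline)
    if m:
        target = m.group(1).strip()
        # Deleting the parent's own image after a ping delay is the self-removal
        # seen at the end of the tree above.
        same = target.lower() == image_of.get(ppid, "").lower()
        found.append(Finding(pid, "self_delete_parent" if same else "delayed_delete", target))
    return found


def analyze(events):
    """Findings per process; a child's finding is dropped when its parent (the
    cmd.exe /c wrapper) already reported the identical rule and detail."""
    image_of = {pid: image for pid, _, image, _ in events}
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    raw = [f for pid, ppid, _, cmd in events for f in _classify(pid, ppid, cmd, image_of)]
    keyed = {(f.pid, f.rule, f.detail) for f in raw}
    return [f for f in raw if (parent_of.get(f.pid), f.rule, f.detail) not in keyed]


def _originator(pid, parent_of, image_of):
    while pid in parent_of and image_of.get(pid, "").rsplit("\\", 1)[-1].lower() in WRAPPERS:
        pid = parent_of[pid]
    return pid


def summarize(events):
    """Rule hit counts per originating (non-wrapper) process."""
    image_of = {pid: image for pid, _, image, _ in events}
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    per_origin = defaultdict(Counter)
    for f in analyze(events):
        per_origin[_originator(f.pid, parent_of, image_of)][f.rule] += 1
    return dict(per_origin)


def flagged(events, min_rules=2):
    """PIDs that combine at least `min_rules` distinct anti-analysis behaviours."""
    return sorted(pid for pid, rules in summarize(events).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for pid, rules in sorted(summarize(SAMPLE_EVENTS).items()):
        print(pid, dict(rules))
    print("flagged:", flagged(SAMPLE_EVENTS))
```

With the sample events, Loader.exe (4136) is attributed three image-name kills, one service stop, one cache wipe and one self-delete, while the single wireshark kill under 1416 is attributed to the parent sample; the threshold in `flagged` is what separates one opportunistic `taskkill` from the repeated routine this report shows.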
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\SL\Loader.exe
  Filesize 3.5MB
  MD5 8181b05092cd0942d298a179fd2bc115
  SHA1 b6af69c0037274a59a9ae506521061e504aaec00
  SHA256 78e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80
  SHA512 198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750
- memory/228-149-0x0000000000000000-mapping.dmp
- memory/436-197-0x0000000000000000-mapping.dmp
- memory/436-143-0x0000000000000000-mapping.dmp
- memory/536-162-0x0000000000000000-mapping.dmp
- memory/616-145-0x0000000000000000-mapping.dmp
- memory/648-196-0x0000000000000000-mapping.dmp
- memory/764-199-0x0000000000000000-mapping.dmp
- memory/824-144-0x0000000000000000-mapping.dmp
- memory/1116-169-0x0000000000000000-mapping.dmp
- memory/1136-183-0x0000000000000000-mapping.dmp
- memory/1248-174-0x0000000000000000-mapping.dmp
- memory/1256-186-0x0000000000000000-mapping.dmp
- memory/1416-209-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp (Filesize 9.5MB)
- memory/1416-133-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp (Filesize 9.5MB)
- memory/1416-211-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp (Filesize 2.0MB)
- memory/1416-135-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp (Filesize 9.5MB)
- memory/1416-200-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp (Filesize 9.5MB)
- memory/1416-134-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp (Filesize 2.0MB)
- memory/1416-131-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp (Filesize 9.5MB)
- memory/1416-132-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp (Filesize 9.5MB)
- memory/1416-130-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp (Filesize 9.5MB)
- memory/1416-201-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp (Filesize 2.0MB)
- memory/1532-139-0x0000000000000000-mapping.dmp
- memory/1540-184-0x0000000000000000-mapping.dmp
- memory/1588-146-0x0000000000000000-mapping.dmp
- memory/1748-178-0x0000000000000000-mapping.dmp
- memory/2080-166-0x0000000000000000-mapping.dmp
- memory/2152-192-0x0000000000000000-mapping.dmp
- memory/2180-195-0x0000000000000000-mapping.dmp
- memory/2232-138-0x0000000000000000-mapping.dmp
- memory/2252-191-0x0000000000000000-mapping.dmp
- memory/2260-170-0x0000000000000000-mapping.dmp
- memory/2380-168-0x0000000000000000-mapping.dmp
- memory/2412-181-0x0000000000000000-mapping.dmp
- memory/2500-179-0x0000000000000000-mapping.dmp
- memory/2580-153-0x0000000000000000-mapping.dmp
- memory/2600-155-0x0000000000000000-mapping.dmp
- memory/2700-163-0x0000000000000000-mapping.dmp
- memory/2800-142-0x0000000000000000-mapping.dmp
- memory/2816-154-0x0000000000000000-mapping.dmp
- memory/3160-187-0x0000000000000000-mapping.dmp
- memory/3264-194-0x0000000000000000-mapping.dmp
- memory/3324-150-0x0000000000000000-mapping.dmp
- memory/3360-156-0x0000000000000000-mapping.dmp
- memory/3376-188-0x0000000000000000-mapping.dmp
- memory/3500-157-0x0000000000000000-mapping.dmp
- memory/3576-136-0x0000000000000000-mapping.dmp
- memory/3600-172-0x0000000000000000-mapping.dmp
- memory/3680-148-0x0000000000000000-mapping.dmp
- memory/3844-165-0x0000000000000000-mapping.dmp
- memory/3928-185-0x0000000000000000-mapping.dmp
- memory/3944-141-0x0000000000000000-mapping.dmp
- memory/3992-137-0x0000000000000000-mapping.dmp
- memory/3996-180-0x0000000000000000-mapping.dmp
- memory/4012-189-0x0000000000000000-mapping.dmp
- memory/4116-140-0x0000000000000000-mapping.dmp
- memory/4120-182-0x0000000000000000-mapping.dmp
- memory/4136-204-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp (Filesize 9.5MB)
- memory/4136-207-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp (Filesize 9.5MB)
- memory/4136-208-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp (Filesize 2.0MB)
- memory/4136-210-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp (Filesize 9.5MB)
- memory/4136-212-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp (Filesize 9.5MB)
- memory/4136-213-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp (Filesize 2.0MB)
- memory/4136-214-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp (Filesize 9.5MB)
- memory/4136-215-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp (Filesize 2.0MB)
- memory/4136-206-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp (Filesize 9.5MB)
- memory/4136-205-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp (Filesize 9.5MB)
- memory/4188-167-0x0000000000000000-mapping.dmp
- memory/4224-175-0x0000000000000000-mapping.dmp
- memory/4272-173-0x0000000000000000-mapping.dmp
- memory/4292-171-0x0000000000000000-mapping.dmp
- memory/4340-190-0x0000000000000000-mapping.dmp
- memory/4348-152-0x0000000000000000-mapping.dmp
- memory/4412-147-0x0000000000000000-mapping.dmp
- memory/4612-161-0x0000000000000000-mapping.dmp
- memory/4660-151-0x0000000000000000-mapping.dmp
- memory/4804-159-0x0000000000000000-mapping.dmp
- memory/4852-176-0x0000000000000000-mapping.dmp
- memory/4868-193-0x0000000000000000-mapping.dmp
- memory/4924-198-0x0000000000000000-mapping.dmp
- memory/4964-164-0x0000000000000000-mapping.dmp
- memory/5076-177-0x0000000000000000-mapping.dmp
- memory/5084-158-0x0000000000000000-mapping.dmp
- memory/5096-160-0x0000000000000000-mapping.dmp
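The memory list above mixes two kinds of entries: `0x0000000000000000-mapping.dmp` placeholders for processes of which no region was captured (consistent with the short-lived cmd.exe, taskkill.exe, sc.exe and ping.exe helpers in the tree), and real region dumps for only two PIDs, 4136 (Loader.exe per the report) and 1416. The script below is an added example, not part of the report, that parses a subset of the entries above and groups them by process. Two things fall out of it: both main-image regions are exactly 0x97E000 bytes (the 9.5MB in the Filesize column), and the 2.0MB region at 0x00007FF8DD7F0000 has identical bounds in both processes, which is what a system DLL mapped at its per-boot base looks like (an inference from the addresses, not something the report states).

```python
"""Group the memory-dump entries of a sandbox report by process and region.

Added example, not part of the report. Entry names follow the layout used in
the list above: memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
"""
import re
from collections import defaultdict

ENTRY = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# A subset of the entries listed above (copied from the report, not constructed).
SAMPLE_ENTRIES = """\
memory/228-149-0x0000000000000000-mapping.dmp
memory/1416-209-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
memory/1416-211-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp
memory/1416-130-0x00007FF6A9580000-0x00007FF6A9EFE000-memory.dmp
memory/4136-204-0x00007FF6CE6B0000-0x00007FF6CF02E000-memory.dmp
memory/4136-208-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp
memory/4136-215-0x00007FF8DD7F0000-0x00007FF8DD9E5000-memory.dmp
memory/5096-160-0x0000000000000000-mapping.dmp
"""


def parse(text):
    """Return (pid, seq, start, end, kind) tuples; end is None for mapping entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        end = int(m["end"], 16) if m["end"] else None
        entries.append((int(m["pid"]), int(m["seq"]), int(m["start"], 16), end, m["kind"]))
    return entries


def regions_by_pid(entries):
    """pid -> {(start, end): number of dumps taken of that region}."""
    by = defaultdict(lambda: defaultdict(int))
    for pid, _seq, start, end, kind in entries:
        if kind == "memory" and end is not None:
            by[pid][(start, end)] += 1
    return {pid: dict(regions) for pid, regions in by.items()}


def mapping_only_pids(entries):
    """Processes that appear only with a 0x0 mapping entry, i.e. no region was dumped."""
    return {pid for pid, *_ in entries} - set(regions_by_pid(entries))


def region_size(region):
    start, end = region
    return end - start


def human_size(nbytes):
    """Same rounding as the report's Filesize column (one decimal, MiB)."""
    return f"{nbytes / 2**20:.1f}MB"


def shared_regions(entries):
    """Regions with identical start and end in more than one process
    (typically a system DLL mapped at the same base in every process of the boot session)."""
    owners = defaultdict(set)
    for pid, regions in regions_by_pid(entries).items():
        for region in regions:
            owners[region].add(pid)
    return {region: pids for region, pids in owners.items() if len(pids) > 1}


def summary(entries):
    lines = []
    for pid, regions in sorted(regions_by_pid(entries).items()):
        for (start, end), n in sorted(regions.items()):
            lines.append(f"pid {pid}: 0x{start:016X}-0x{end:016X} {human_size(end - start)} (dumped {n}x)")
    return lines


if __name__ == "__main__":
    entries = parse(SAMPLE_ENTRIES)
    print("\n".join(summary(entries)))
    print("no region dumped:", sorted(mapping_only_pids(entries)))
    for region, pids in shared_regions(entries).items():
        print(f"shared 0x{region[0]:X}-0x{region[1]:X}: pids {sorted(pids)}")
```

Run against the full list above, the same grouping shows that every other PID in the list carries only a mapping placeholder, so the two 9.5MB dumps are the only images worth pulling for static comparison; their equal mapped size is a hint, not proof, that the dropped Loader.exe and the submitted sample are builds of the same code.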