Analysis
-
max time kernel
52s -
max time network
55s -
platform
windows10-1703_x64 -
resource
win10-20220722-en -
resource tags
arch:x64arch:x86image:win10-20220722-enlocale:en-usos:windows10-1703-x64system -
submitted
04-08-2022 14:59
General
-
Target
Sapphire_Loader.exe
-
Size
3.5MB
-
MD5
87cbbc8f1688054e0abef4e00ba76ccf
-
SHA1
99e7178d149f8046deb78c848ed99af50360616e
-
SHA256
91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee
-
SHA512
c840cb5aec658a000397b237876dd102e46aa5e44aa15d03d7618718ea637f9f903f4c9aff49e8bcfecaef2dfcce6a4c0dc201ed46ec2a4b7f701bfc995e2006
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
Sapphire_Loader.exeLoader.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Sapphire_Loader.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe -
Executes dropped EXE 1 IoCs
Processes:
Loader.exepid process 3708 Loader.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Sapphire_Loader.exeLoader.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Sapphire_Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Sapphire_Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Loader.exe -
Processes:
resource yara_rule behavioral1/memory/2764-127-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp themida behavioral1/memory/2764-129-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp themida behavioral1/memory/2764-130-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp themida behavioral1/memory/2764-132-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp themida behavioral1/memory/2764-197-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp themida C:\SL\Loader.exe themida behavioral1/memory/3708-200-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp themida C:\SL\Loader.exe themida behavioral1/memory/2764-202-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp themida behavioral1/memory/3708-204-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp themida behavioral1/memory/3708-205-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp themida behavioral1/memory/3708-206-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp themida behavioral1/memory/3708-208-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp themida behavioral1/memory/3708-209-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp themida -
Processes:
Sapphire_Loader.exeLoader.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Sapphire_Loader.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Loader.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Sapphire_Loader.exeLoader.exepid process 2764 Sapphire_Loader.exe 3708 Loader.exe -
Launches sc.exe 15 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1716 sc.exe 3304 sc.exe 4448 sc.exe 1320 sc.exe 3140 sc.exe 4444 sc.exe 436 sc.exe 5112 sc.exe 1916 sc.exe 3432 sc.exe 4500 sc.exe 664 sc.exe 4928 sc.exe 2288 sc.exe 4960 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 60 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3460 taskkill.exe 448 taskkill.exe 3556 taskkill.exe 3300 taskkill.exe 4804 taskkill.exe 4768 taskkill.exe 4888 taskkill.exe 4732 taskkill.exe 3832 taskkill.exe 2464 taskkill.exe 4612 taskkill.exe 4564 taskkill.exe 3976 taskkill.exe 4812 taskkill.exe 5052 taskkill.exe 1016 taskkill.exe 4408 taskkill.exe 3180 taskkill.exe 2200 taskkill.exe 1716 taskkill.exe 4640 taskkill.exe 4628 taskkill.exe 2316 taskkill.exe 2180 taskkill.exe 5104 taskkill.exe 4316 taskkill.exe 4388 taskkill.exe 4848 taskkill.exe 536 taskkill.exe 4344 taskkill.exe 4072 taskkill.exe 3784 taskkill.exe 2968 taskkill.exe 3544 taskkill.exe 1852 taskkill.exe 4308 taskkill.exe 4736 taskkill.exe 4948 taskkill.exe 920 taskkill.exe 1320 taskkill.exe 4556 taskkill.exe 3924 taskkill.exe 4732 taskkill.exe 3404 taskkill.exe 3516 taskkill.exe 4468 taskkill.exe 4672 taskkill.exe 1836 taskkill.exe 4912 taskkill.exe 5000 taskkill.exe 828 taskkill.exe 2400 taskkill.exe 4512 taskkill.exe 4340 taskkill.exe 3944 taskkill.exe 868 taskkill.exe 4828 taskkill.exe 3276 taskkill.exe 3704 taskkill.exe 3920 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Sapphire_Loader.exepid process 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe 2764 Sapphire_Loader.exe -
Suspicious use of AdjustPrivilegeToken 60 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 4848 taskkill.exe Token: SeDebugPrivilege 4888 taskkill.exe Token: SeDebugPrivilege 3404 taskkill.exe Token: SeDebugPrivilege 2400 taskkill.exe Token: SeDebugPrivilege 3516 taskkill.exe Token: SeDebugPrivilege 3460 taskkill.exe Token: SeDebugPrivilege 3832 taskkill.exe Token: SeDebugPrivilege 4812 taskkill.exe Token: SeDebugPrivilege 4948 taskkill.exe Token: SeDebugPrivilege 4828 taskkill.exe Token: SeDebugPrivilege 3784 taskkill.exe Token: SeDebugPrivilege 4512 taskkill.exe Token: SeDebugPrivilege 3276 taskkill.exe Token: SeDebugPrivilege 3704 taskkill.exe Token: SeDebugPrivilege 5052 taskkill.exe Token: SeDebugPrivilege 4556 taskkill.exe Token: SeDebugPrivilege 4468 taskkill.exe Token: SeDebugPrivilege 4672 taskkill.exe Token: SeDebugPrivilege 4628 taskkill.exe Token: SeDebugPrivilege 4732 taskkill.exe Token: SeDebugPrivilege 1016 taskkill.exe Token: SeDebugPrivilege 2316 taskkill.exe Token: SeDebugPrivilege 536 taskkill.exe Token: SeDebugPrivilege 2464 taskkill.exe Token: SeDebugPrivilege 4408 taskkill.exe Token: SeDebugPrivilege 3180 taskkill.exe Token: SeDebugPrivilege 448 taskkill.exe Token: SeDebugPrivilege 3920 taskkill.exe Token: SeDebugPrivilege 2180 taskkill.exe Token: SeDebugPrivilege 3924 taskkill.exe Token: SeDebugPrivilege 1836 taskkill.exe Token: SeDebugPrivilege 5104 taskkill.exe Token: SeDebugPrivilege 2200 taskkill.exe Token: SeDebugPrivilege 3300 taskkill.exe Token: SeDebugPrivilege 2968 taskkill.exe Token: SeDebugPrivilege 4912 taskkill.exe Token: SeDebugPrivilege 3544 taskkill.exe Token: SeDebugPrivilege 1852 taskkill.exe Token: SeDebugPrivilege 4308 taskkill.exe Token: SeDebugPrivilege 4344 taskkill.exe Token: SeDebugPrivilege 5000 taskkill.exe Token: SeDebugPrivilege 4804 taskkill.exe Token: SeDebugPrivilege 4316 taskkill.exe Token: SeDebugPrivilege 4340 taskkill.exe Token: SeDebugPrivilege 4388 taskkill.exe Token: SeDebugPrivilege 3976 taskkill.exe Token: SeDebugPrivilege 3944 taskkill.exe Token: SeDebugPrivilege 3556 taskkill.exe Token: SeDebugPrivilege 4612 taskkill.exe Token: SeDebugPrivilege 4736 taskkill.exe Token: SeDebugPrivilege 4564 taskkill.exe Token: SeDebugPrivilege 4732 taskkill.exe Token: SeDebugPrivilege 920 taskkill.exe Token: SeDebugPrivilege 828 taskkill.exe Token: SeDebugPrivilege 868 taskkill.exe Token: SeDebugPrivilege 1716 taskkill.exe Token: SeDebugPrivilege 4768 taskkill.exe Token: SeDebugPrivilege 4072 taskkill.exe Token: SeDebugPrivilege 4640 taskkill.exe Token: SeDebugPrivilege 1320 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Sapphire_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2764 wrote to memory of 2164 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 2164 2764 Sapphire_Loader.exe cmd.exe PID 2164 wrote to memory of 4848 2164 cmd.exe taskkill.exe PID 2164 wrote to memory of 4848 2164 cmd.exe taskkill.exe PID 2764 wrote to memory of 4576 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 4576 2764 Sapphire_Loader.exe cmd.exe PID 4576 wrote to memory of 4888 4576 cmd.exe taskkill.exe PID 4576 wrote to memory of 4888 4576 cmd.exe taskkill.exe PID 2764 wrote to memory of 2352 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 2352 2764 Sapphire_Loader.exe cmd.exe PID 2352 wrote to memory of 3404 2352 cmd.exe taskkill.exe PID 2352 wrote to memory of 3404 2352 cmd.exe taskkill.exe PID 2764 wrote to memory of 5028 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 5028 2764 Sapphire_Loader.exe cmd.exe PID 5028 wrote to memory of 5112 5028 cmd.exe sc.exe PID 5028 wrote to memory of 5112 5028 cmd.exe sc.exe PID 2764 wrote to memory of 2056 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 2056 2764 Sapphire_Loader.exe cmd.exe PID 2056 wrote to memory of 2400 2056 cmd.exe taskkill.exe PID 2056 wrote to memory of 2400 2056 cmd.exe taskkill.exe PID 2764 wrote to memory of 3396 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 3396 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 3388 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 3388 2764 Sapphire_Loader.exe cmd.exe PID 3388 wrote to memory of 3516 3388 cmd.exe taskkill.exe PID 3388 wrote to memory of 3516 3388 cmd.exe taskkill.exe PID 2764 wrote to memory of 4908 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 4908 2764 Sapphire_Loader.exe cmd.exe PID 4908 wrote to memory of 3460 4908 cmd.exe taskkill.exe PID 4908 wrote to memory of 3460 4908 cmd.exe taskkill.exe PID 2764 wrote to memory of 3700 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 3700 2764 Sapphire_Loader.exe cmd.exe PID 3700 wrote to memory of 3832 3700 cmd.exe taskkill.exe PID 3700 wrote to memory of 3832 3700 cmd.exe taskkill.exe PID 2764 wrote to memory of 4092 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 4092 2764 Sapphire_Loader.exe cmd.exe PID 4092 wrote to memory of 1916 4092 cmd.exe sc.exe PID 4092 wrote to memory of 1916 4092 cmd.exe sc.exe PID 2764 wrote to memory of 4344 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 4344 2764 Sapphire_Loader.exe cmd.exe PID 4344 wrote to memory of 4812 4344 cmd.exe taskkill.exe PID 4344 wrote to memory of 4812 4344 cmd.exe taskkill.exe PID 2764 wrote to memory of 812 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 812 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 3196 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 3196 2764 Sapphire_Loader.exe cmd.exe PID 3196 wrote to memory of 4948 3196 cmd.exe taskkill.exe PID 3196 wrote to memory of 4948 3196 cmd.exe taskkill.exe PID 2764 wrote to memory of 4100 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 4100 2764 Sapphire_Loader.exe cmd.exe PID 4100 wrote to memory of 4828 4100 cmd.exe taskkill.exe PID 4100 wrote to memory of 4828 4100 cmd.exe taskkill.exe PID 2764 wrote to memory of 1284 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 1284 2764 Sapphire_Loader.exe cmd.exe PID 1284 wrote to memory of 3784 1284 cmd.exe taskkill.exe PID 1284 wrote to memory of 3784 1284 cmd.exe taskkill.exe PID 2764 wrote to memory of 4340 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 4340 2764 Sapphire_Loader.exe cmd.exe PID 4340 wrote to memory of 3304 4340 cmd.exe sc.exe PID 4340 wrote to memory of 3304 4340 cmd.exe sc.exe PID 2764 wrote to memory of 4520 2764 Sapphire_Loader.exe cmd.exe PID 2764 wrote to memory of 4520 2764 Sapphire_Loader.exe cmd.exe PID 4520 wrote to memory of 4512 4520 cmd.exe taskkill.exe PID 4520 wrote to memory of 4512 4520 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\SL\Loader.exe"C:\SL\Loader.exe" TL.run2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\SL\Loader.exeFilesize
3.5MB
MD58181b05092cd0942d298a179fd2bc115
SHA1b6af69c0037274a59a9ae506521061e504aaec00
SHA25678e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80
SHA512198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750
-
C:\SL\Loader.exeFilesize
3.5MB
MD58181b05092cd0942d298a179fd2bc115
SHA1b6af69c0037274a59a9ae506521061e504aaec00
SHA25678e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80
SHA512198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750
-
memory/532-185-0x0000000000000000-mapping.dmp
-
memory/536-193-0x0000000000000000-mapping.dmp
-
memory/672-192-0x0000000000000000-mapping.dmp
-
memory/812-154-0x0000000000000000-mapping.dmp
-
memory/1016-189-0x0000000000000000-mapping.dmp
-
memory/1200-190-0x0000000000000000-mapping.dmp
-
memory/1284-159-0x0000000000000000-mapping.dmp
-
memory/1716-195-0x0000000000000000-mapping.dmp
-
memory/1916-151-0x0000000000000000-mapping.dmp
-
memory/1932-188-0x0000000000000000-mapping.dmp
-
memory/2056-141-0x0000000000000000-mapping.dmp
-
memory/2164-133-0x0000000000000000-mapping.dmp
-
memory/2256-196-0x0000000000000000-mapping.dmp
-
memory/2316-191-0x0000000000000000-mapping.dmp
-
memory/2352-137-0x0000000000000000-mapping.dmp
-
memory/2400-142-0x0000000000000000-mapping.dmp
-
memory/2764-130-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmpFilesize
9.5MB
-
memory/2764-198-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmpFilesize
1.9MB
-
memory/2764-202-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmpFilesize
9.5MB
-
memory/2764-203-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmpFilesize
1.9MB
-
memory/2764-132-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmpFilesize
9.5MB
-
memory/2764-131-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmpFilesize
1.9MB
-
memory/2764-197-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmpFilesize
9.5MB
-
memory/2764-129-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmpFilesize
9.5MB
-
memory/2764-127-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmpFilesize
9.5MB
-
memory/2872-174-0x0000000000000000-mapping.dmp
-
memory/3196-155-0x0000000000000000-mapping.dmp
-
memory/3276-167-0x0000000000000000-mapping.dmp
-
memory/3304-162-0x0000000000000000-mapping.dmp
-
memory/3328-168-0x0000000000000000-mapping.dmp
-
memory/3388-144-0x0000000000000000-mapping.dmp
-
memory/3396-143-0x0000000000000000-mapping.dmp
-
memory/3404-138-0x0000000000000000-mapping.dmp
-
memory/3460-147-0x0000000000000000-mapping.dmp
-
memory/3516-145-0x0000000000000000-mapping.dmp
-
memory/3600-166-0x0000000000000000-mapping.dmp
-
memory/3700-148-0x0000000000000000-mapping.dmp
-
memory/3704-169-0x0000000000000000-mapping.dmp
-
memory/3708-209-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmpFilesize
9.5MB
-
memory/3708-208-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmpFilesize
9.5MB
-
memory/3708-207-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmpFilesize
1.9MB
-
memory/3708-205-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmpFilesize
9.5MB
-
memory/3708-204-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmpFilesize
9.5MB
-
memory/3708-200-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmpFilesize
9.5MB
-
memory/3708-210-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmpFilesize
1.9MB
-
memory/3708-206-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmpFilesize
9.5MB
-
memory/3784-160-0x0000000000000000-mapping.dmp
-
memory/3832-149-0x0000000000000000-mapping.dmp
-
memory/3984-165-0x0000000000000000-mapping.dmp
-
memory/4092-150-0x0000000000000000-mapping.dmp
-
memory/4100-157-0x0000000000000000-mapping.dmp
-
memory/4340-161-0x0000000000000000-mapping.dmp
-
memory/4344-152-0x0000000000000000-mapping.dmp
-
memory/4348-194-0x0000000000000000-mapping.dmp
-
memory/4400-187-0x0000000000000000-mapping.dmp
-
memory/4432-181-0x0000000000000000-mapping.dmp
-
memory/4448-184-0x0000000000000000-mapping.dmp
-
memory/4468-178-0x0000000000000000-mapping.dmp
-
memory/4512-164-0x0000000000000000-mapping.dmp
-
memory/4520-163-0x0000000000000000-mapping.dmp
-
memory/4556-175-0x0000000000000000-mapping.dmp
-
memory/4576-135-0x0000000000000000-mapping.dmp
-
memory/4628-182-0x0000000000000000-mapping.dmp
-
memory/4648-176-0x0000000000000000-mapping.dmp
-
memory/4668-183-0x0000000000000000-mapping.dmp
-
memory/4672-180-0x0000000000000000-mapping.dmp
-
memory/4692-179-0x0000000000000000-mapping.dmp
-
memory/4708-177-0x0000000000000000-mapping.dmp
-
memory/4732-186-0x0000000000000000-mapping.dmp
-
memory/4812-153-0x0000000000000000-mapping.dmp
-
memory/4828-158-0x0000000000000000-mapping.dmp
-
memory/4848-134-0x0000000000000000-mapping.dmp
-
memory/4888-136-0x0000000000000000-mapping.dmp
-
memory/4908-146-0x0000000000000000-mapping.dmp
-
memory/4928-173-0x0000000000000000-mapping.dmp
-
memory/4948-156-0x0000000000000000-mapping.dmp
-
memory/5028-139-0x0000000000000000-mapping.dmp
-
memory/5052-171-0x0000000000000000-mapping.dmp
-
memory/5068-170-0x0000000000000000-mapping.dmp
-
memory/5076-172-0x0000000000000000-mapping.dmp
-
memory/5112-140-0x0000000000000000-mapping.dmp