91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee

General

Target

Sapphire_Loader.exe
Size

3.5MB
MD5

87cbbc8f1688054e0abef4e00ba76ccf
SHA1

99e7178d149f8046deb78c848ed99af50360616e
SHA256

91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee
SHA512

c840cb5aec658a000397b237876dd102e46aa5e44aa15d03d7618718ea637f9f903f4c9aff49e8bcfecaef2dfcce6a4c0dc201ed46ec2a4b7f701bfc995e2006

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Sapphire_Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Executes dropped EXE 1 IoCs

Processes:

Loader.exe

pid process

3708 Loader.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3708	Loader.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2764-127-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp	themida
behavioral1/memory/2764-129-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp	themida
behavioral1/memory/2764-130-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp	themida
behavioral1/memory/2764-132-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp	themida
behavioral1/memory/2764-197-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp	themida
C:\SL\Loader.exe	themida
behavioral1/memory/3708-200-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp	themida
C:\SL\Loader.exe	themida
behavioral1/memory/2764-202-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp	themida
behavioral1/memory/3708-204-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp	themida
behavioral1/memory/3708-205-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp	themida
behavioral1/memory/3708-206-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp	themida
behavioral1/memory/3708-208-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp	themida
behavioral1/memory/3708-209-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Sapphire_Loader.exeLoader.exe

pid process

2764 Sapphire_Loader.exe
3708 Loader.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1716	sc.exe
3304	sc.exe
4448	sc.exe
1320	sc.exe
3140	sc.exe
4444	sc.exe
436	sc.exe
5112	sc.exe
1916	sc.exe
3432	sc.exe
4500	sc.exe
664	sc.exe
4928	sc.exe
2288	sc.exe
4960	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 60 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3460	taskkill.exe
448	taskkill.exe
3556	taskkill.exe
3300	taskkill.exe
4804	taskkill.exe
4768	taskkill.exe
4888	taskkill.exe
4732	taskkill.exe
3832	taskkill.exe
2464	taskkill.exe
4612	taskkill.exe
4564	taskkill.exe
3976	taskkill.exe
4812	taskkill.exe
5052	taskkill.exe
1016	taskkill.exe
4408	taskkill.exe
3180	taskkill.exe
2200	taskkill.exe
1716	taskkill.exe
4640	taskkill.exe
4628	taskkill.exe
2316	taskkill.exe
2180	taskkill.exe
5104	taskkill.exe
4316	taskkill.exe
4388	taskkill.exe
4848	taskkill.exe
536	taskkill.exe
4344	taskkill.exe
4072	taskkill.exe
3784	taskkill.exe
2968	taskkill.exe
3544	taskkill.exe
1852	taskkill.exe
4308	taskkill.exe
4736	taskkill.exe
4948	taskkill.exe
920	taskkill.exe
1320	taskkill.exe
4556	taskkill.exe
3924	taskkill.exe
4732	taskkill.exe
3404	taskkill.exe
3516	taskkill.exe
4468	taskkill.exe
4672	taskkill.exe
1836	taskkill.exe
4912	taskkill.exe
5000	taskkill.exe
828	taskkill.exe
2400	taskkill.exe
4512	taskkill.exe
4340	taskkill.exe
3944	taskkill.exe
868	taskkill.exe
4828	taskkill.exe
3276	taskkill.exe
3704	taskkill.exe
3920	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sapphire_Loader.exe

pid	process
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe
2764	Sapphire_Loader.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	4316	taskkill.exe
Token: SeDebugPrivilege	4340	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Sapphire_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2764 wrote to memory of 2164	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 2164	2764	Sapphire_Loader.exe	cmd.exe
PID 2164 wrote to memory of 4848	2164	cmd.exe	taskkill.exe
PID 2164 wrote to memory of 4848	2164	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 4576	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 4576	2764	Sapphire_Loader.exe	cmd.exe
PID 4576 wrote to memory of 4888	4576	cmd.exe	taskkill.exe
PID 4576 wrote to memory of 4888	4576	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2352	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 2352	2764	Sapphire_Loader.exe	cmd.exe
PID 2352 wrote to memory of 3404	2352	cmd.exe	taskkill.exe
PID 2352 wrote to memory of 3404	2352	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 5028	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 5028	2764	Sapphire_Loader.exe	cmd.exe
PID 5028 wrote to memory of 5112	5028	cmd.exe	sc.exe
PID 5028 wrote to memory of 5112	5028	cmd.exe	sc.exe
PID 2764 wrote to memory of 2056	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 2056	2764	Sapphire_Loader.exe	cmd.exe
PID 2056 wrote to memory of 2400	2056	cmd.exe	taskkill.exe
PID 2056 wrote to memory of 2400	2056	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 3396	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 3396	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 3388	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 3388	2764	Sapphire_Loader.exe	cmd.exe
PID 3388 wrote to memory of 3516	3388	cmd.exe	taskkill.exe
PID 3388 wrote to memory of 3516	3388	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 4908	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 4908	2764	Sapphire_Loader.exe	cmd.exe
PID 4908 wrote to memory of 3460	4908	cmd.exe	taskkill.exe
PID 4908 wrote to memory of 3460	4908	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 3700	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 3700	2764	Sapphire_Loader.exe	cmd.exe
PID 3700 wrote to memory of 3832	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 3832	3700	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 4092	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 4092	2764	Sapphire_Loader.exe	cmd.exe
PID 4092 wrote to memory of 1916	4092	cmd.exe	sc.exe
PID 4092 wrote to memory of 1916	4092	cmd.exe	sc.exe
PID 2764 wrote to memory of 4344	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 4344	2764	Sapphire_Loader.exe	cmd.exe
PID 4344 wrote to memory of 4812	4344	cmd.exe	taskkill.exe
PID 4344 wrote to memory of 4812	4344	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 812	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 812	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 3196	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 3196	2764	Sapphire_Loader.exe	cmd.exe
PID 3196 wrote to memory of 4948	3196	cmd.exe	taskkill.exe
PID 3196 wrote to memory of 4948	3196	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 4100	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 4100	2764	Sapphire_Loader.exe	cmd.exe
PID 4100 wrote to memory of 4828	4100	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 4828	4100	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 1284	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 1284	2764	Sapphire_Loader.exe	cmd.exe
PID 1284 wrote to memory of 3784	1284	cmd.exe	taskkill.exe
PID 1284 wrote to memory of 3784	1284	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 4340	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 4340	2764	Sapphire_Loader.exe	cmd.exe
PID 4340 wrote to memory of 3304	4340	cmd.exe	sc.exe
PID 4340 wrote to memory of 3304	4340	cmd.exe	sc.exe
PID 2764 wrote to memory of 4520	2764	Sapphire_Loader.exe	cmd.exe
PID 2764 wrote to memory of 4520	2764	Sapphire_Loader.exe	cmd.exe
PID 4520 wrote to memory of 4512	4520	cmd.exe	taskkill.exe
PID 4520 wrote to memory of 4512	4520	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3600

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:3328

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:5068

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:5076

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:2872

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4708

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:4692

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4432

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4668

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:532

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1932

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1200

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:672

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4348

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:2256

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4764

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:4472

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4772

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1752

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:3004

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2384

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:3864

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2296

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3860

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:4600

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3356

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1108

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1512

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2056

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:4916

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1400

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:4288

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4844

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:784

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:4812

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4624

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:3716

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3756

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1804

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:3304

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4480

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:3800

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:5048

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:5072

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:4964

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4928

C:\SL\Loader.exe
"C:\SL\Loader.exe" TL.run
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:4584

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:4692

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:4588

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:4668

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:604

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1020

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:1932

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1152

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:872

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:2304

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1920

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:1388

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1328

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:972

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:2408

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SL\Loader.exe
Filesize
3.5MB

MD5
8181b05092cd0942d298a179fd2bc115

SHA1
b6af69c0037274a59a9ae506521061e504aaec00

SHA256
78e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80

SHA512
198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750

Download Submit
C:\SL\Loader.exe
Filesize
3.5MB

MD5
8181b05092cd0942d298a179fd2bc115

SHA1
b6af69c0037274a59a9ae506521061e504aaec00

SHA256
78e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80

SHA512
198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750

Download Submit
memory/532-185-0x0000000000000000-mapping.dmp

Download
memory/536-193-0x0000000000000000-mapping.dmp

Download
memory/672-192-0x0000000000000000-mapping.dmp

Download
memory/812-154-0x0000000000000000-mapping.dmp

Download
memory/1016-189-0x0000000000000000-mapping.dmp

Download
memory/1200-190-0x0000000000000000-mapping.dmp

Download
memory/1284-159-0x0000000000000000-mapping.dmp

Download
memory/1716-195-0x0000000000000000-mapping.dmp

Download
memory/1916-151-0x0000000000000000-mapping.dmp

Download
memory/1932-188-0x0000000000000000-mapping.dmp

Download
memory/2056-141-0x0000000000000000-mapping.dmp

Download
memory/2164-133-0x0000000000000000-mapping.dmp

Download
memory/2256-196-0x0000000000000000-mapping.dmp

Download
memory/2316-191-0x0000000000000000-mapping.dmp

Download
memory/2352-137-0x0000000000000000-mapping.dmp

Download
memory/2400-142-0x0000000000000000-mapping.dmp

Download
memory/2764-130-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp

Filesize
9.5MB

Download
memory/2764-198-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmp

Filesize
1.9MB

Download
memory/2764-202-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp

Filesize
9.5MB

Download
memory/2764-203-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmp

Filesize
1.9MB

Download
memory/2764-132-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp

Filesize
9.5MB

Download
memory/2764-131-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmp

Filesize
1.9MB

Download
memory/2764-197-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp

Filesize
9.5MB

Download
memory/2764-129-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp

Filesize
9.5MB

Download
memory/2764-127-0x00007FF68AA40000-0x00007FF68B3BE000-memory.dmp

Filesize
9.5MB

Download
memory/2872-174-0x0000000000000000-mapping.dmp

Download
memory/3196-155-0x0000000000000000-mapping.dmp

Download
memory/3276-167-0x0000000000000000-mapping.dmp

Download
memory/3304-162-0x0000000000000000-mapping.dmp

Download
memory/3328-168-0x0000000000000000-mapping.dmp

Download
memory/3388-144-0x0000000000000000-mapping.dmp

Download
memory/3396-143-0x0000000000000000-mapping.dmp

Download
memory/3404-138-0x0000000000000000-mapping.dmp

Download
memory/3460-147-0x0000000000000000-mapping.dmp

Download
memory/3516-145-0x0000000000000000-mapping.dmp

Download
memory/3600-166-0x0000000000000000-mapping.dmp

Download
memory/3700-148-0x0000000000000000-mapping.dmp

Download
memory/3704-169-0x0000000000000000-mapping.dmp

Download
memory/3708-209-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp

Filesize
9.5MB

Download
memory/3708-208-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp

Filesize
9.5MB

Download
memory/3708-207-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmp

Filesize
1.9MB

Download
memory/3708-205-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp

Filesize
9.5MB

Download
memory/3708-204-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp

Filesize
9.5MB

Download
memory/3708-200-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp

Filesize
9.5MB

Download
memory/3708-210-0x00007FFC608A0000-0x00007FFC60A7B000-memory.dmp

Filesize
1.9MB

Download
memory/3708-206-0x00007FF6C0E40000-0x00007FF6C17BE000-memory.dmp

Filesize
9.5MB

Download
memory/3784-160-0x0000000000000000-mapping.dmp

Download
memory/3832-149-0x0000000000000000-mapping.dmp

Download
memory/3984-165-0x0000000000000000-mapping.dmp

Download
memory/4092-150-0x0000000000000000-mapping.dmp

Download
memory/4100-157-0x0000000000000000-mapping.dmp

Download
memory/4340-161-0x0000000000000000-mapping.dmp

Download
memory/4344-152-0x0000000000000000-mapping.dmp

Download
memory/4348-194-0x0000000000000000-mapping.dmp

Download
memory/4400-187-0x0000000000000000-mapping.dmp

Download
memory/4432-181-0x0000000000000000-mapping.dmp

Download
memory/4448-184-0x0000000000000000-mapping.dmp

Download
memory/4468-178-0x0000000000000000-mapping.dmp

Download
memory/4512-164-0x0000000000000000-mapping.dmp

Download
memory/4520-163-0x0000000000000000-mapping.dmp

Download
memory/4556-175-0x0000000000000000-mapping.dmp

Download
memory/4576-135-0x0000000000000000-mapping.dmp

Download
memory/4628-182-0x0000000000000000-mapping.dmp

Download
memory/4648-176-0x0000000000000000-mapping.dmp

Download
memory/4668-183-0x0000000000000000-mapping.dmp

Download
memory/4672-180-0x0000000000000000-mapping.dmp

Download
memory/4692-179-0x0000000000000000-mapping.dmp

Download
memory/4708-177-0x0000000000000000-mapping.dmp

Download
memory/4732-186-0x0000000000000000-mapping.dmp

Download
memory/4812-153-0x0000000000000000-mapping.dmp

Download
memory/4828-158-0x0000000000000000-mapping.dmp

Download
memory/4848-134-0x0000000000000000-mapping.dmp

Download
memory/4888-136-0x0000000000000000-mapping.dmp

Download
memory/4908-146-0x0000000000000000-mapping.dmp

Download
memory/4928-173-0x0000000000000000-mapping.dmp

Download
memory/4948-156-0x0000000000000000-mapping.dmp

Download
memory/5028-139-0x0000000000000000-mapping.dmp

Download
memory/5052-171-0x0000000000000000-mapping.dmp

Download
memory/5068-170-0x0000000000000000-mapping.dmp

Download
memory/5076-172-0x0000000000000000-mapping.dmp

Download
memory/5112-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads