91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee

General

Target

Sapphire_Loader.exe
Size

3.5MB
MD5

87cbbc8f1688054e0abef4e00ba76ccf
SHA1

99e7178d149f8046deb78c848ed99af50360616e
SHA256

91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee
SHA512

c840cb5aec658a000397b237876dd102e46aa5e44aa15d03d7618718ea637f9f903f4c9aff49e8bcfecaef2dfcce6a4c0dc201ed46ec2a4b7f701bfc995e2006

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Loader.exeSapphire_Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Sapphire_Loader.exe

Executes dropped EXE 1 IoCs

Processes:

Loader.exe

pid process

1204 Loader.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1204	Loader.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Loads dropped DLL 1 IoCs

Processes:

Sapphire_Loader.exe

pid process

1876 Sapphire_Loader.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1876-54-0x000000013F200000-0x000000013FB7E000-memory.dmp	themida
behavioral1/memory/1876-55-0x000000013F200000-0x000000013FB7E000-memory.dmp	themida
behavioral1/memory/1876-56-0x000000013F200000-0x000000013FB7E000-memory.dmp	themida
behavioral1/memory/1876-58-0x000000013F200000-0x000000013FB7E000-memory.dmp	themida
behavioral1/memory/1876-124-0x000000013F200000-0x000000013FB7E000-memory.dmp	themida
\SL\Loader.exe	themida
C:\SL\Loader.exe	themida
behavioral1/memory/1204-130-0x000000013FA60000-0x00000001403DE000-memory.dmp	themida
behavioral1/memory/1204-132-0x000000013FA60000-0x00000001403DE000-memory.dmp	themida
behavioral1/memory/1876-133-0x000000013F200000-0x000000013FB7E000-memory.dmp	themida
behavioral1/memory/1204-135-0x000000013FA60000-0x00000001403DE000-memory.dmp	themida
behavioral1/memory/1204-136-0x000000013FA60000-0x00000001403DE000-memory.dmp	themida
behavioral1/memory/1204-137-0x000000013FA60000-0x00000001403DE000-memory.dmp	themida
behavioral1/memory/1204-138-0x000000013FA60000-0x00000001403DE000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Sapphire_Loader.exeLoader.exe

pid process

1876 Sapphire_Loader.exe
1204 Loader.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
944	sc.exe
1088	sc.exe
1680	sc.exe
1908	sc.exe
1636	sc.exe
1528	sc.exe
1708	sc.exe
1616	sc.exe
1904	sc.exe
1212	sc.exe
1940	sc.exe
1072	sc.exe
776	sc.exe
1076	sc.exe
564	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 60 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1584	taskkill.exe
756	taskkill.exe
976	taskkill.exe
1736	taskkill.exe
1688	taskkill.exe
944	taskkill.exe
1316	taskkill.exe
1452	taskkill.exe
1352	taskkill.exe
1800	taskkill.exe
1236	taskkill.exe
1476	taskkill.exe
1624	taskkill.exe
2032	taskkill.exe
1084	taskkill.exe
2040	taskkill.exe
548	taskkill.exe
1736	taskkill.exe
2044	taskkill.exe
796	taskkill.exe
1660	taskkill.exe
676	taskkill.exe
748	taskkill.exe
1548	taskkill.exe
1212	taskkill.exe
1372	taskkill.exe
608	taskkill.exe
2004	taskkill.exe
1720	taskkill.exe
1548	taskkill.exe
1720	taskkill.exe
1456	taskkill.exe
988	taskkill.exe
1940	taskkill.exe
816	taskkill.exe
720	taskkill.exe
976	taskkill.exe
1980	taskkill.exe
108	taskkill.exe
1464	taskkill.exe
816	taskkill.exe
1272	taskkill.exe
1588	taskkill.exe
1088	taskkill.exe
2020	taskkill.exe
1904	taskkill.exe
1488	taskkill.exe
1520	taskkill.exe
1872	taskkill.exe
1700	taskkill.exe
1608	taskkill.exe
1008	taskkill.exe
1956	taskkill.exe
696	taskkill.exe
1752	taskkill.exe
1888	taskkill.exe
1016	taskkill.exe
1880	taskkill.exe
1632	taskkill.exe
608	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sapphire_Loader.exe

pid	process
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe
1876	Sapphire_Loader.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Sapphire_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1876 wrote to memory of 1648	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1648	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1648	1876	Sapphire_Loader.exe	cmd.exe
PID 1648 wrote to memory of 2032	1648	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 2032	1648	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 2032	1648	cmd.exe	taskkill.exe
PID 1876 wrote to memory of 1692	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1692	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1692	1876	Sapphire_Loader.exe	cmd.exe
PID 1692 wrote to memory of 1548	1692	cmd.exe	taskkill.exe
PID 1692 wrote to memory of 1548	1692	cmd.exe	taskkill.exe
PID 1692 wrote to memory of 1548	1692	cmd.exe	taskkill.exe
PID 1876 wrote to memory of 1100	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1100	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1100	1876	Sapphire_Loader.exe	cmd.exe
PID 1100 wrote to memory of 944	1100	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 944	1100	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 944	1100	cmd.exe	taskkill.exe
PID 1876 wrote to memory of 1584	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1584	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1584	1876	Sapphire_Loader.exe	cmd.exe
PID 1584 wrote to memory of 1708	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1708	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1708	1584	cmd.exe	sc.exe
PID 1876 wrote to memory of 1256	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1256	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1256	1876	Sapphire_Loader.exe	cmd.exe
PID 1256 wrote to memory of 1212	1256	cmd.exe	taskkill.exe
PID 1256 wrote to memory of 1212	1256	cmd.exe	taskkill.exe
PID 1256 wrote to memory of 1212	1256	cmd.exe	taskkill.exe
PID 1876 wrote to memory of 980	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 980	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 980	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1456	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1456	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1456	1876	Sapphire_Loader.exe	cmd.exe
PID 1456 wrote to memory of 1476	1456	cmd.exe	taskkill.exe
PID 1456 wrote to memory of 1476	1456	cmd.exe	taskkill.exe
PID 1456 wrote to memory of 1476	1456	cmd.exe	taskkill.exe
PID 1876 wrote to memory of 748	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 748	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 748	1876	Sapphire_Loader.exe	cmd.exe
PID 748 wrote to memory of 1880	748	cmd.exe	taskkill.exe
PID 748 wrote to memory of 1880	748	cmd.exe	taskkill.exe
PID 748 wrote to memory of 1880	748	cmd.exe	taskkill.exe
PID 1876 wrote to memory of 1404	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1404	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1404	1876	Sapphire_Loader.exe	cmd.exe
PID 1404 wrote to memory of 2020	1404	cmd.exe	taskkill.exe
PID 1404 wrote to memory of 2020	1404	cmd.exe	taskkill.exe
PID 1404 wrote to memory of 2020	1404	cmd.exe	taskkill.exe
PID 1876 wrote to memory of 1752	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1752	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 1752	1876	Sapphire_Loader.exe	cmd.exe
PID 1752 wrote to memory of 1940	1752	cmd.exe	sc.exe
PID 1752 wrote to memory of 1940	1752	cmd.exe	sc.exe
PID 1752 wrote to memory of 1940	1752	cmd.exe	sc.exe
PID 1876 wrote to memory of 964	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 964	1876	Sapphire_Loader.exe	cmd.exe
PID 1876 wrote to memory of 964	1876	Sapphire_Loader.exe	cmd.exe
PID 964 wrote to memory of 976	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 976	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 976	964	cmd.exe	taskkill.exe
PID 1876 wrote to memory of 1972	1876	Sapphire_Loader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1528

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1952

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1604

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:800

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1688

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1716

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:908

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:948

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:980

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1864

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2016

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:552

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1968

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1972

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1736

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1904

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1488

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1036

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1244

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1588

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1212

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1084

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1748

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1448

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:564

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1620

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:756

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1932

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1964

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1632

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:832

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:800

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1008

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:720

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1228

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:948

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:980

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1452

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:2020

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1420

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1372

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1424

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1972

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:752

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1632

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1248

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:800

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1008

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:720

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1228

C:\SL\Loader.exe
"C:\SL\Loader.exe" TL.run
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:340

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1636

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:904

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:1968

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1160

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:1272

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1528

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:1516

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:1632

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1184

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:944

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1584

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:1484

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:2024

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SL\Loader.exe
Filesize
3.5MB

MD5
8181b05092cd0942d298a179fd2bc115

SHA1
b6af69c0037274a59a9ae506521061e504aaec00

SHA256
78e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80

SHA512
198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750

Download Submit
\SL\Loader.exe
Filesize
3.5MB

MD5
8181b05092cd0942d298a179fd2bc115

SHA1
b6af69c0037274a59a9ae506521061e504aaec00

SHA256
78e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80

SHA512
198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750

Download Submit
memory/108-98-0x0000000000000000-mapping.dmp

Download
memory/340-103-0x0000000000000000-mapping.dmp

Download
memory/552-106-0x0000000000000000-mapping.dmp

Download
memory/556-114-0x0000000000000000-mapping.dmp

Download
memory/608-120-0x0000000000000000-mapping.dmp

Download
memory/696-92-0x0000000000000000-mapping.dmp

Download
memory/748-73-0x0000000000000000-mapping.dmp

Download
memory/796-109-0x0000000000000000-mapping.dmp

Download
memory/800-88-0x0000000000000000-mapping.dmp

Download
memory/908-95-0x0000000000000000-mapping.dmp

Download
memory/944-65-0x0000000000000000-mapping.dmp

Download
memory/948-97-0x0000000000000000-mapping.dmp

Download
memory/964-79-0x0000000000000000-mapping.dmp

Download
memory/976-80-0x0000000000000000-mapping.dmp

Download
memory/980-70-0x0000000000000000-mapping.dmp

Download
memory/980-99-0x0000000000000000-mapping.dmp

Download
memory/1036-119-0x0000000000000000-mapping.dmp

Download
memory/1072-89-0x0000000000000000-mapping.dmp

Download
memory/1088-100-0x0000000000000000-mapping.dmp

Download
memory/1100-64-0x0000000000000000-mapping.dmp

Download
memory/1204-130-0x000000013FA60000-0x00000001403DE000-memory.dmp

Filesize
9.5MB

Download
memory/1204-131-0x0000000077230000-0x00000000773D9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-132-0x000000013FA60000-0x00000001403DE000-memory.dmp

Filesize
9.5MB

Download
memory/1204-135-0x000000013FA60000-0x00000001403DE000-memory.dmp

Filesize
9.5MB

Download
memory/1204-136-0x000000013FA60000-0x00000001403DE000-memory.dmp

Filesize
9.5MB

Download
memory/1204-137-0x000000013FA60000-0x00000001403DE000-memory.dmp

Filesize
9.5MB

Download
memory/1204-138-0x000000013FA60000-0x00000001403DE000-memory.dmp

Filesize
9.5MB

Download
memory/1204-139-0x0000000077230000-0x00000000773D9000-memory.dmp

Filesize
1.7MB

Download
memory/1212-69-0x0000000000000000-mapping.dmp

Download
memory/1244-121-0x0000000000000000-mapping.dmp

Download
memory/1256-68-0x0000000000000000-mapping.dmp

Download
memory/1316-94-0x0000000000000000-mapping.dmp

Download
memory/1352-118-0x0000000000000000-mapping.dmp

Download
memory/1372-107-0x0000000000000000-mapping.dmp

Download
memory/1404-75-0x0000000000000000-mapping.dmp

Download
memory/1452-102-0x0000000000000000-mapping.dmp

Download
memory/1456-71-0x0000000000000000-mapping.dmp

Download
memory/1464-96-0x0000000000000000-mapping.dmp

Download
memory/1476-72-0x0000000000000000-mapping.dmp

Download
memory/1488-117-0x0000000000000000-mapping.dmp

Download
memory/1488-87-0x0000000000000000-mapping.dmp

Download
memory/1528-82-0x0000000000000000-mapping.dmp

Download
memory/1548-63-0x0000000000000000-mapping.dmp

Download
memory/1584-66-0x0000000000000000-mapping.dmp

Download
memory/1588-123-0x0000000000000000-mapping.dmp

Download
memory/1604-86-0x0000000000000000-mapping.dmp

Download
memory/1632-113-0x0000000000000000-mapping.dmp

Download
memory/1648-60-0x0000000000000000-mapping.dmp

Download
memory/1680-111-0x0000000000000000-mapping.dmp

Download
memory/1688-90-0x0000000000000000-mapping.dmp

Download
memory/1692-62-0x0000000000000000-mapping.dmp

Download
memory/1708-67-0x0000000000000000-mapping.dmp

Download
memory/1716-93-0x0000000000000000-mapping.dmp

Download
memory/1736-112-0x0000000000000000-mapping.dmp

Download
memory/1752-77-0x0000000000000000-mapping.dmp

Download
memory/1864-101-0x0000000000000000-mapping.dmp

Download
memory/1876-124-0x000000013F200000-0x000000013FB7E000-memory.dmp

Filesize
9.5MB

Download
memory/1876-55-0x000000013F200000-0x000000013FB7E000-memory.dmp

Filesize
9.5MB

Download
memory/1876-56-0x000000013F200000-0x000000013FB7E000-memory.dmp

Filesize
9.5MB

Download
memory/1876-59-0x0000000077230000-0x00000000773D9000-memory.dmp

Filesize
1.7MB

Download
memory/1876-58-0x000000013F200000-0x000000013FB7E000-memory.dmp

Filesize
9.5MB

Download
memory/1876-54-0x000000013F200000-0x000000013FB7E000-memory.dmp

Filesize
9.5MB

Download
memory/1876-133-0x000000013F200000-0x000000013FB7E000-memory.dmp

Filesize
9.5MB

Download
memory/1876-134-0x0000000077230000-0x00000000773D9000-memory.dmp

Filesize
1.7MB

Download
memory/1876-129-0x0000000002CD0000-0x000000000364E000-memory.dmp

Filesize
9.5MB

Download
memory/1876-126-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1876-125-0x0000000077230000-0x00000000773D9000-memory.dmp

Filesize
1.7MB

Download
memory/1880-74-0x0000000000000000-mapping.dmp

Download
memory/1888-105-0x0000000000000000-mapping.dmp

Download
memory/1904-115-0x0000000000000000-mapping.dmp

Download
memory/1904-85-0x0000000000000000-mapping.dmp

Download
memory/1908-122-0x0000000000000000-mapping.dmp

Download
memory/1940-78-0x0000000000000000-mapping.dmp

Download
memory/1952-84-0x0000000000000000-mapping.dmp

Download
memory/1956-116-0x0000000000000000-mapping.dmp

Download
memory/1968-108-0x0000000000000000-mapping.dmp

Download
memory/1972-110-0x0000000000000000-mapping.dmp

Download
memory/1972-81-0x0000000000000000-mapping.dmp

Download
memory/1980-83-0x0000000000000000-mapping.dmp

Download
memory/2016-104-0x0000000000000000-mapping.dmp

Download
memory/2020-76-0x0000000000000000-mapping.dmp

Download
memory/2032-61-0x0000000000000000-mapping.dmp

Download
memory/2044-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads