91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee

Virtualization/Sandbox Evasion

T1497

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Sapphire_Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Executes dropped EXE 1 IoCs

Processes:

Loader.exe

pid process

1928 Loader.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1928	Loader.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Sapphire_Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	Sapphire_Loader.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4740-130-0x00007FF6A8170000-0x00007FF6A8AEE000-memory.dmp	themida
behavioral2/memory/4740-131-0x00007FF6A8170000-0x00007FF6A8AEE000-memory.dmp	themida
behavioral2/memory/4740-132-0x00007FF6A8170000-0x00007FF6A8AEE000-memory.dmp	themida
behavioral2/memory/4740-133-0x00007FF6A8170000-0x00007FF6A8AEE000-memory.dmp	themida
behavioral2/memory/4740-135-0x00007FF6A8170000-0x00007FF6A8AEE000-memory.dmp	themida
behavioral2/memory/4740-197-0x00007FF6A8170000-0x00007FF6A8AEE000-memory.dmp	themida
C:\SL\Loader.exe	themida
C:\SL\Loader.exe	themida
behavioral2/memory/1928-204-0x00007FF795D00000-0x00007FF79667E000-memory.dmp	themida
behavioral2/memory/1928-205-0x00007FF795D00000-0x00007FF79667E000-memory.dmp	themida
behavioral2/memory/4740-206-0x00007FF6A8170000-0x00007FF6A8AEE000-memory.dmp	themida
behavioral2/memory/1928-207-0x00007FF795D00000-0x00007FF79667E000-memory.dmp	themida
behavioral2/memory/1928-209-0x00007FF795D00000-0x00007FF79667E000-memory.dmp	themida
behavioral2/memory/1928-211-0x00007FF795D00000-0x00007FF79667E000-memory.dmp	themida
behavioral2/memory/1928-212-0x00007FF795D00000-0x00007FF79667E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

Sapphire_Loader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sapphire_Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Sapphire_Loader.exeLoader.exe

pid process

4740 Sapphire_Loader.exe
1928 Loader.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
452	sc.exe
4004	sc.exe
4976	sc.exe
3004	sc.exe
3996	sc.exe
4000	sc.exe
2856	sc.exe
5104	sc.exe
3192	sc.exe
1928	sc.exe
404	sc.exe
3840	sc.exe
2384	sc.exe
4072	sc.exe
796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 60 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1244	taskkill.exe
2872	taskkill.exe
740	taskkill.exe
4252	taskkill.exe
1264	taskkill.exe
2356	taskkill.exe
2392	taskkill.exe
3204	taskkill.exe
1520	taskkill.exe
1124	taskkill.exe
2388	taskkill.exe
3064	taskkill.exe
4928	taskkill.exe
1416	taskkill.exe
800	taskkill.exe
3996	taskkill.exe
1972	taskkill.exe
1268	taskkill.exe
388	taskkill.exe
4664	taskkill.exe
796	taskkill.exe
4924	taskkill.exe
2436	taskkill.exe
3952	taskkill.exe
1936	taskkill.exe
4296	taskkill.exe
3940	taskkill.exe
4272	taskkill.exe
1784	taskkill.exe
3360	taskkill.exe
3132	taskkill.exe
4784	taskkill.exe
2108	taskkill.exe
4264	taskkill.exe
4244	taskkill.exe
4832	taskkill.exe
4184	taskkill.exe
5096	taskkill.exe
3076	taskkill.exe
3904	taskkill.exe
2772	taskkill.exe
1376	taskkill.exe
3900	taskkill.exe
4188	taskkill.exe
3932	taskkill.exe
4916	taskkill.exe
4028	taskkill.exe
1348	taskkill.exe
5088	taskkill.exe
2372	taskkill.exe
540	taskkill.exe
3452	taskkill.exe
3924	taskkill.exe
440	taskkill.exe
540	taskkill.exe
3696	taskkill.exe
4684	taskkill.exe
3956	taskkill.exe
4588	taskkill.exe
1392	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sapphire_Loader.exe

pid	process
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe
4740	Sapphire_Loader.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	3996	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Sapphire_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4740 wrote to memory of 3772	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 3772	4740	Sapphire_Loader.exe	cmd.exe
PID 3772 wrote to memory of 1416	3772	cmd.exe	taskkill.exe
PID 3772 wrote to memory of 1416	3772	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 1624	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 1624	4740	Sapphire_Loader.exe	cmd.exe
PID 1624 wrote to memory of 540	1624	cmd.exe	taskkill.exe
PID 1624 wrote to memory of 540	1624	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 2256	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 2256	4740	Sapphire_Loader.exe	cmd.exe
PID 2256 wrote to memory of 4244	2256	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 4244	2256	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 2272	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 2272	4740	Sapphire_Loader.exe	cmd.exe
PID 2272 wrote to memory of 404	2272	cmd.exe	sc.exe
PID 2272 wrote to memory of 404	2272	cmd.exe	sc.exe
PID 4740 wrote to memory of 4328	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 4328	4740	Sapphire_Loader.exe	cmd.exe
PID 4328 wrote to memory of 3900	4328	cmd.exe	taskkill.exe
PID 4328 wrote to memory of 3900	4328	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 4668	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 4668	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 2900	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 2900	4740	Sapphire_Loader.exe	cmd.exe
PID 2900 wrote to memory of 3360	2900	cmd.exe	taskkill.exe
PID 2900 wrote to memory of 3360	2900	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 740	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 740	4740	Sapphire_Loader.exe	cmd.exe
PID 740 wrote to memory of 4188	740	cmd.exe	taskkill.exe
PID 740 wrote to memory of 4188	740	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 2312	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 2312	4740	Sapphire_Loader.exe	cmd.exe
PID 2312 wrote to memory of 4184	2312	cmd.exe	taskkill.exe
PID 2312 wrote to memory of 4184	2312	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 1928	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 1928	4740	Sapphire_Loader.exe	cmd.exe
PID 1928 wrote to memory of 3840	1928	cmd.exe	sc.exe
PID 1928 wrote to memory of 3840	1928	cmd.exe	sc.exe
PID 4740 wrote to memory of 1060	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 1060	4740	Sapphire_Loader.exe	cmd.exe
PID 1060 wrote to memory of 1520	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 1520	1060	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 3440	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 3440	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 1108	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 1108	4740	Sapphire_Loader.exe	cmd.exe
PID 1108 wrote to memory of 1936	1108	cmd.exe	taskkill.exe
PID 1108 wrote to memory of 1936	1108	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 2604	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 2604	4740	Sapphire_Loader.exe	cmd.exe
PID 2604 wrote to memory of 2872	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2872	2604	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 4536	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 4536	4740	Sapphire_Loader.exe	cmd.exe
PID 4536 wrote to memory of 1264	4536	cmd.exe	taskkill.exe
PID 4536 wrote to memory of 1264	4536	cmd.exe	taskkill.exe
PID 4740 wrote to memory of 2472	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 2472	4740	Sapphire_Loader.exe	cmd.exe
PID 2472 wrote to memory of 3996	2472	cmd.exe	sc.exe
PID 2472 wrote to memory of 3996	2472	cmd.exe	sc.exe
PID 4740 wrote to memory of 2232	4740	Sapphire_Loader.exe	cmd.exe
PID 4740 wrote to memory of 2232	4740	Sapphire_Loader.exe	cmd.exe
PID 2232 wrote to memory of 4588	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 4588	2232	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4836

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1056

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1436

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1784

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:2116

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2884

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1372

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2684

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2484

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:3956

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3948

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:2032

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4140

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1628

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1464

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2856

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:704

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3840

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:2328

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3440

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:840

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1292

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2424

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:2764

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3652

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1228

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2364

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:756

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1420

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:2092

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1000

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2512

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:3004

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2052

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:4656

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4884

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3772

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:2032

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1496

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:2256

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1324

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3452

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:1808

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:1488

C:\SL\Loader.exe
"C:\SL\Loader.exe" TL.run
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:4752

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:452

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:2672

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:2184

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:5084

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:2852

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:3304

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:2148

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:4296

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:4060

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1428

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:2884

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:2788

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:2484

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

3

Virtualization/Sandbox Evasion

T1497

System Information Discovery

4

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop