Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-08-2022 15:00
Behavioral task: behavioral1
- Sample: Sapphire_Loader.exe
- Resource: win7-20220715-en
General
- Target: Sapphire_Loader.exe
- Size: 3.5MB
- MD5: 87cbbc8f1688054e0abef4e00ba76ccf
- SHA1: 99e7178d149f8046deb78c848ed99af50360616e
- SHA256: 91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee
- SHA512: c840cb5aec658a000397b237876dd102e46aa5e44aa15d03d7618718ea637f9f903f4c9aff49e8bcfecaef2dfcce6a4c0dc201ed46ec2a4b7f701bfc995e2006
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: Sapphire_Loader.exe, Loader.exe

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Sapphire_Loader.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Loader.exe |

Executes dropped EXE (1 IoCs)
Processes: Loader.exe

| pid | process |
| --- | --- |
| 4092 | Loader.exe |

Stops running service(s) (3 TTPs)

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Sapphire_Loader.exe, Loader.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Sapphire_Loader.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Sapphire_Loader.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Loader.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Loader.exe |

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Sapphire_Loader.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | Sapphire_Loader.exe |

Processes: (YARA rule matches)

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/2808-132-0x00007FF60A760000-0x00007FF60B0DE000-memory.dmp | themida |
| behavioral2/memory/2808-133-0x00007FF60A760000-0x00007FF60B0DE000-memory.dmp | themida |
| behavioral2/memory/2808-134-0x00007FF60A760000-0x00007FF60B0DE000-memory.dmp | themida |
| behavioral2/memory/2808-135-0x00007FF60A760000-0x00007FF60B0DE000-memory.dmp | themida |
| behavioral2/memory/2808-137-0x00007FF60A760000-0x00007FF60B0DE000-memory.dmp | themida |
| behavioral2/memory/2808-166-0x00007FF60A760000-0x00007FF60B0DE000-memory.dmp | themida |
| C:\SL\Loader.exe | themida |
| C:\SL\Loader.exe | themida |
| behavioral2/memory/4092-206-0x00007FF6D7B80000-0x00007FF6D84FE000-memory.dmp | themida |
| behavioral2/memory/4092-207-0x00007FF6D7B80000-0x00007FF6D84FE000-memory.dmp | themida |
| behavioral2/memory/4092-208-0x00007FF6D7B80000-0x00007FF6D84FE000-memory.dmp | themida |
| behavioral2/memory/4092-209-0x00007FF6D7B80000-0x00007FF6D84FE000-memory.dmp | themida |
| behavioral2/memory/2808-210-0x00007FF60A760000-0x00007FF60B0DE000-memory.dmp | themida |
| behavioral2/memory/4092-213-0x00007FF6D7B80000-0x00007FF6D84FE000-memory.dmp | themida |
| behavioral2/memory/4092-214-0x00007FF6D7B80000-0x00007FF6D84FE000-memory.dmp | themida |
| behavioral2/memory/4092-217-0x00007FF6D7B80000-0x00007FF6D84FE000-memory.dmp | themida |

Checks whether UAC is enabled (2 IoCs)
Processes: Sapphire_Loader.exe, Loader.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Sapphire_Loader.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Loader.exe |

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: Sapphire_Loader.exe, Loader.exe

| pid | process |
| --- | --- |
| 2808 | Sapphire_Loader.exe |
| 4092 | Loader.exe |
Launches sc.exe (18 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (18 instances)
pids: 1732, 2296, 3972, 5116, 1244, 872, 2184, 1120, 3044, 4292, 2300, 4376, 5076, 4760, 1856, 3228, 4016, 1824
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (64 IoCs)
Processes: taskkill.exe (64 instances)
pids: 4884, 1400, 1196, 3404, 2112, 1488, 4984, 4888, 4356, 4760, 2468, 4428, 1180, 828, 4732, 3404, 4248, 4060, 4824, 2284, 3328, 2808, 5084, 5040, 5108, 1716, 3548, 4292, 944, 4092, 4884, 4832, 2956, 2392, 4036, 1172, 4056, 3660, 1680, 3192, 516, 3888, 1244, 1372, 4320, 5008, 3124, 3488, 1400, 4656, 632, 3912, 4984, 2192, 3368, 2724, 1972, 2528, 4676, 3232, 2752, 888, 968, 1956

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Sapphire_Loader.exe
pid 2808 Sapphire_Loader.exe, reported 64 times

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: taskkill.exe (64 instances)
description: Token: SeDebugPrivilege (for every instance below)
pids: 3888, 3404, 756, 944, 5108, 1820, 4036, 2112, 4884, 4092, 3232, 2752, 1172, 3548, 3404, 4644, 2724, 1244, 1400, 4824, 1972, 4884, 4656, 4248, 4060, 4760, 632, 2132, 888, 968, 4832, 4056, 5008, 3660, 3912, 1196, 2528, 2284, 4060, 1716, 3124, 2956, 3488, 4984, 1680, 1180, 828, 3192, 1716, 2468, 4676, 516, 1400, 4428, 1488, 3328, 1372, 2808, 2392, 4728, 2192, 4984, 1956, 1380

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: Sapphire_Loader.exe, cmd.exe
Each write below is reported twice (32 distinct source/target pairs, 64 IoCs).

| description | pid | process | target pid | target process |
| --- | --- | --- | --- | --- |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 4060 | cmd.exe |
| wrote to memory of | 4060 | cmd.exe | 3888 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 4760 | cmd.exe |
| wrote to memory of | 4760 | cmd.exe | 3404 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 4868 | cmd.exe |
| wrote to memory of | 4868 | cmd.exe | 756 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 3432 | cmd.exe |
| wrote to memory of | 3432 | cmd.exe | 3044 | sc.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 880 | cmd.exe |
| wrote to memory of | 880 | cmd.exe | 944 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 2420 | cmd.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 1648 | cmd.exe |
| wrote to memory of | 1648 | cmd.exe | 5108 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 4056 | cmd.exe |
| wrote to memory of | 4056 | cmd.exe | 1820 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 1696 | cmd.exe |
| wrote to memory of | 1696 | cmd.exe | 4036 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 3000 | cmd.exe |
| wrote to memory of | 3000 | cmd.exe | 3228 | sc.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 2288 | cmd.exe |
| wrote to memory of | 2288 | cmd.exe | 2112 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 5084 | cmd.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 3920 | cmd.exe |
| wrote to memory of | 3920 | cmd.exe | 4884 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 3956 | cmd.exe |
| wrote to memory of | 3956 | cmd.exe | 4092 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 4836 | cmd.exe |
| wrote to memory of | 4836 | cmd.exe | 3232 | taskkill.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 4044 | cmd.exe |
| wrote to memory of | 4044 | cmd.exe | 4016 | sc.exe |
| wrote to memory of | 2808 | Sapphire_Loader.exe | 5000 | cmd.exe |
| wrote to memory of | 5000 | cmd.exe | 2752 | taskkill.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"C:\Users\Admin\AppData\Local\Temp\Sapphire_Loader.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Process tree continued (depth in brackets, then image path | command line, with the signatures triggered by that process listed beneath it):

[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
        - Launches sc.exe
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
        - Launches sc.exe
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
        - Launches sc.exe
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
[2] C:\SL\Loader.exe | "C:\SL\Loader.exe" TL.run
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        [4] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
            - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        [4] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
            - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        [4] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
            - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        [4] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
            - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        [4] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
            - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
            - Kills process with taskkill
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        [4] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
            - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        [4] C:\Windows\system32\taskkill.exe | taskkill /IM HTTPDebuggerSvc.exe /F
            - Kills process with taskkill
    [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\SYSTEM32\cmd.exe | cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\SL\Loader.exe"
        [4] C:\Windows\system32\PING.EXE | ping 1.1.1.1 -n 1 -w 3000
            - Runs ping.exe
[1] C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
    - Launches sc.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\SL\Loader.exe
Filesize: 3.5MB
MD5: 8181b05092cd0942d298a179fd2bc115
SHA1: b6af69c0037274a59a9ae506521061e504aaec00
SHA256: 78e1675c825d0fb943d2de108b5fa10901879e25fb43bdba4dee57a7f65a6a80
SHA512: 198330d77b987972e70789d2d80d51d8a30a1ec03459b0769aa287054a8ca2fda03d9b8644d0eed6665343edc34adba9628cda46487bce3c1c2ddb5cc891c750