Analysis
max time kernel: 20s
max time network: 10s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 07/09/2022, 21:01
Behavioral task: behavioral1
Sample: EXO_V5.exe
Resource: win7-20220812-en
10 signatures
30 seconds
General
Target: EXO_V5.exe
Size: 4.0MB
MD5: 1553d7bc2f09e7477e1e6dbb67199f94
SHA1: fe9f43aa44c6b4912a8403e6494b8ae27933dc8c
SHA256: 11f4c19dd5f3558a1316b00a3518c88388d5ea893eed1ef8a3d482d0e40be6f3
SHA512: cd5433fbc94f548823d25ae4107d916d54fbc8ba3644d0b21115a2edf36a07f97f785d155061d177f934da0af14092cb5acaa494feffbfbd3986968eacc6892d
SSDEEP: 98304:Fcs7PbvtLQkH1K5iUK7vgX7WFhMBdEXFCtMi0eRsKY:mYbWkVK5iO7diCt7E
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  1 IoCs
  description  ioc                                            Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   EXO_V5.exe

Stops running service(s)  3 TTPs

Checks BIOS information in registry  2 TTPs  2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                                Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   EXO_V5.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    EXO_V5.exe

  resource                                                                     yara_rule
  behavioral1/memory/1752-54-0x000000013F060000-0x000000013FB5F000-memory.dmp   themida
  behavioral1/memory/1752-55-0x000000013F060000-0x000000013FB5F000-memory.dmp   themida
  behavioral1/memory/1752-56-0x000000013F060000-0x000000013FB5F000-memory.dmp   themida
  behavioral1/memory/1752-57-0x000000013F060000-0x000000013FB5F000-memory.dmp   themida
  behavioral1/memory/1752-58-0x000000013F060000-0x000000013FB5F000-memory.dmp   themida
  behavioral1/memory/1752-60-0x000000013F060000-0x000000013FB5F000-memory.dmp   themida
  behavioral1/memory/1752-126-0x000000013F060000-0x000000013FB5F000-memory.dmp  themida

Checks whether UAC is enabled
  description        ioc                                                                          Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  EXO_V5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoCs
  pid   Process
  1752  EXO_V5.exe
Launches sc.exe  9 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid   Process
  1720  sc.exe
  1968  sc.exe
  1688  sc.exe
  276   sc.exe
  2184  sc.exe
  1176  sc.exe
  992   sc.exe
  1524  sc.exe
  1812  sc.exe
Kills process with taskkill  36 IoCs
  Process: taskkill.exe
  pids: 1256, 340, 1616, 1720, 1604, 2192, 316, 564, 876, 1512, 1624, 2208, 1068, 804, 1284, 992, 988, 688, 1968, 868, 1668, 1960, 1776, 1808, 520, 1984, 1304, 2200, 564, 468, 960, 1644, 2228, 432, 1104, 1536

Suspicious use of AdjustPrivilegeToken  36 IoCs
  description: Token: SeDebugPrivilege
  Process: taskkill.exe
  pids: 1512, 316, 1968, 868, 1776, 804, 1984, 432, 1104, 564, 1284, 1668, 1624, 1808, 1604, 988, 688, 876, 520, 1536, 564, 340, 1304, 1068, 1720, 468, 1616, 960, 1960, 1644, 992, 1256, 2192, 2208, 2200, 2228

Suspicious use of WriteProcessMemory  64 IoCs
  description                        pid   Process     procid_target
  PID 1752 wrote to memory of 520    1752  EXO_V5.exe  29  (3 events)
  PID 1752 wrote to memory of 624    1752  EXO_V5.exe  30  (3 events)
  PID 1752 wrote to memory of 1648   1752  EXO_V5.exe  32  (3 events)
  PID 1752 wrote to memory of 1708   1752  EXO_V5.exe  31  (3 events)
  PID 1752 wrote to memory of 1332   1752  EXO_V5.exe  33  (3 events)
  PID 520 wrote to memory of 1968    520   cmd.exe     37  (3 events)
  PID 1648 wrote to memory of 316    1648  cmd.exe     36  (3 events)
  PID 624 wrote to memory of 1512    624   cmd.exe     35  (3 events)
  PID 1752 wrote to memory of 916    1752  EXO_V5.exe  34  (3 events)
  PID 1708 wrote to memory of 1176   1708  cmd.exe     39  (3 events)
  PID 1752 wrote to memory of 1120   1752  EXO_V5.exe  38  (3 events)
  PID 1332 wrote to memory of 868    1332  cmd.exe     40  (3 events)
  PID 1120 wrote to memory of 1068   1120  cmd.exe     41  (3 events)
  PID 1752 wrote to memory of 808    1752  EXO_V5.exe  43  (3 events)
  PID 1752 wrote to memory of 1164   1752  EXO_V5.exe  45  (3 events)
  PID 1752 wrote to memory of 1736   1752  EXO_V5.exe  44  (3 events)
  PID 808 wrote to memory of 1776    808   cmd.exe     47  (3 events)
  PID 1752 wrote to memory of 1828   1752  EXO_V5.exe  46  (3 events)
  PID 1752 wrote to memory of 1724   1752  EXO_V5.exe  51  (3 events)
  PID 1828 wrote to memory of 992    1828  cmd.exe     50  (3 events)
  PID 1164 wrote to memory of 432    1164  cmd.exe     49  (3 events)
  PID 1736 wrote to memory of 804    1736  cmd.exe     48  (1 event)
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe  PID:1752
    "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe  PID:520
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  PID:1968
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:624
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  PID:1512
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1708
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\sc.exe  PID:1176
        sc stop HTTPDebuggerPro
        - Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  PID:1648
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  PID:316
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1332
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  PID:868
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:916
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:1120
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe" MD5
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\certutil.exe  PID:1068
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EXO_V5.exe" MD5

  [2] C:\Windows\system32\cmd.exe  PID:808
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  PID:1776
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1736
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  PID:804
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1164
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe  PID:432
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1828
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\sc.exe  PID:992
        sc stop HTTPDebuggerPro
        - Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  PID:1724
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1984
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1088
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:1836
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1104
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:276
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1668
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:972
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:564
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:468
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe  PID:1720
        sc stop HTTPDebuggerPro
        - Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  PID:1656
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1284
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:556
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:1096
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1624
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1644
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1808
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:240
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:876
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1416
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe  PID:1968
        sc stop HTTPDebuggerPro
        - Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  PID:1620
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:520
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:340
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:1256
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1604
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:624
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1536
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1332
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:988
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1848
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe  PID:1688
        sc stop HTTPDebuggerPro
        - Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  PID:1348
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:688
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1816
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:804
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:340
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:912
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:564
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:976
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1304
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1640
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe  PID:1524
        sc stop HTTPDebuggerPro
        - Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  PID:1516
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:468
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:240
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:1088
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:960
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1176
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1644
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1288
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1616
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1568
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe  PID:276
        sc stop HTTPDebuggerPro
        - Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  PID:316
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:992
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:664
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:1660
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1720
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:956
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1256
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1712
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1960
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1104
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    [3] C:\Windows\system32\sc.exe  PID:1812
        sc stop HTTPDebuggerPro
        - Launches sc.exe

  [2] C:\Windows\system32\cmd.exe  PID:1120
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:1068
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:1324
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:2136
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:2192
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:2144
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:2200
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:2176
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:2168
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe  PID:2228
        taskkill /IM HTTPDebuggerSvc.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  PID:2160
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

  [2] C:\Windows\system32\cmd.exe  PID:2152
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

[1] C:\Windows\system32\taskkill.exe  PID:2208
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\sc.exe  PID:2184
    sc stop HTTPDebuggerPro
    - Launches sc.exe