36e7c1b0c1ebeddf0afd875dd49828bbc9ff2151faac9a9bed6c3fc45eb1ce48

Analysis

max time kernel
161s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2023, 01:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

owo.exe
Size

1.3MB
MD5

d9d7fde8c499ad14a9f6b9e901987df6
SHA1

2e41ffd9f3ee1ad9dca24ccf857a522a95694d2f
SHA256

36e7c1b0c1ebeddf0afd875dd49828bbc9ff2151faac9a9bed6c3fc45eb1ce48
SHA512

6d46c29bc498c349d29c9a92a5da7d1ea71928976e38f63ca781d8140c07f8431208a9e146a217a13fccc5a4785bf6277e53481db4a8576712d81271472b0937
SSDEEP

24576:JY86BCMcq8rSV8yTjzhyFL1lLq6nCiZQM0Tm7Cqdvz12XmtgIN:J56BCM+ERPF0nHnCComOqdvzU2tgIN

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4536	sc.exe
2856	sc.exe
4404	sc.exe
456	sc.exe
3852	sc.exe
1740	sc.exe
2108	sc.exe
3108	sc.exe

Kills process with taskkill 32 IoCs

evasion

pid	Process
3080	taskkill.exe
532	taskkill.exe
4796	taskkill.exe
2224	taskkill.exe
3936	taskkill.exe
224	taskkill.exe
1200	taskkill.exe
1996	taskkill.exe
2744	taskkill.exe
5092	taskkill.exe
4844	taskkill.exe
1988	taskkill.exe
2572	taskkill.exe
1360	taskkill.exe
3504	taskkill.exe
1192	taskkill.exe
3088	taskkill.exe
4584	taskkill.exe
1816	taskkill.exe
960	taskkill.exe
2768	taskkill.exe
2708	taskkill.exe
2120	taskkill.exe
4692	taskkill.exe
2452	taskkill.exe
4124	taskkill.exe
4852	taskkill.exe
4472	taskkill.exe
4416	taskkill.exe
440	taskkill.exe
2588	taskkill.exe
5068	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1036	owo.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	4124	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	4852	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 592	1036	owo.exe	85
PID 1036 wrote to memory of 592	1036	owo.exe	85
PID 592 wrote to memory of 2224	592	cmd.exe	86
PID 592 wrote to memory of 2224	592	cmd.exe	86
PID 1036 wrote to memory of 4392	1036	owo.exe	88
PID 1036 wrote to memory of 4392	1036	owo.exe	88
PID 4392 wrote to memory of 4416	4392	cmd.exe	87
PID 4392 wrote to memory of 4416	4392	cmd.exe	87
PID 1036 wrote to memory of 5032	1036	owo.exe	89
PID 1036 wrote to memory of 5032	1036	owo.exe	89
PID 5032 wrote to memory of 5092	5032	cmd.exe	90
PID 5032 wrote to memory of 5092	5032	cmd.exe	90
PID 1036 wrote to memory of 1152	1036	owo.exe	91
PID 1036 wrote to memory of 1152	1036	owo.exe	91
PID 1152 wrote to memory of 2856	1152	cmd.exe	92
PID 1152 wrote to memory of 2856	1152	cmd.exe	92
PID 1036 wrote to memory of 208	1036	owo.exe	93
PID 1036 wrote to memory of 208	1036	owo.exe	93
PID 208 wrote to memory of 224	208	cmd.exe	94
PID 208 wrote to memory of 224	208	cmd.exe	94
PID 1036 wrote to memory of 4028	1036	owo.exe	95
PID 1036 wrote to memory of 4028	1036	owo.exe	95
PID 1036 wrote to memory of 752	1036	owo.exe	96
PID 1036 wrote to memory of 752	1036	owo.exe	96
PID 752 wrote to memory of 4488	752	cmd.exe	97
PID 752 wrote to memory of 4488	752	cmd.exe	97
PID 1036 wrote to memory of 4472	1036	owo.exe	99
PID 1036 wrote to memory of 4472	1036	owo.exe	99
PID 4472 wrote to memory of 2452	4472	cmd.exe	100
PID 4472 wrote to memory of 2452	4472	cmd.exe	100
PID 1036 wrote to memory of 2952	1036	owo.exe	101
PID 1036 wrote to memory of 2952	1036	owo.exe	101
PID 2952 wrote to memory of 3080	2952	cmd.exe	102
PID 2952 wrote to memory of 3080	2952	cmd.exe	102
PID 1036 wrote to memory of 1916	1036	owo.exe	103
PID 1036 wrote to memory of 1916	1036	owo.exe	103
PID 1916 wrote to memory of 3936	1916	cmd.exe	104
PID 1916 wrote to memory of 3936	1916	cmd.exe	104
PID 1036 wrote to memory of 4796	1036	owo.exe	105
PID 1036 wrote to memory of 4796	1036	owo.exe	105
PID 4796 wrote to memory of 4404	4796	cmd.exe	106
PID 4796 wrote to memory of 4404	4796	cmd.exe	106
PID 1036 wrote to memory of 544	1036	owo.exe	107
PID 1036 wrote to memory of 544	1036	owo.exe	107
PID 544 wrote to memory of 1200	544	cmd.exe	108
PID 544 wrote to memory of 1200	544	cmd.exe	108
PID 1036 wrote to memory of 3108	1036	owo.exe	109
PID 1036 wrote to memory of 3108	1036	owo.exe	109
PID 1036 wrote to memory of 316	1036	owo.exe	110
PID 1036 wrote to memory of 316	1036	owo.exe	110
PID 316 wrote to memory of 4124	316	cmd.exe	111
PID 316 wrote to memory of 4124	316	cmd.exe	111
PID 1036 wrote to memory of 2052	1036	owo.exe	112
PID 1036 wrote to memory of 2052	1036	owo.exe	112
PID 2052 wrote to memory of 5068	2052	cmd.exe	113
PID 2052 wrote to memory of 5068	2052	cmd.exe	113
PID 1036 wrote to memory of 1648	1036	owo.exe	115
PID 1036 wrote to memory of 1648	1036	owo.exe	115
PID 1648 wrote to memory of 3088	1648	cmd.exe	116
PID 1648 wrote to memory of 3088	1648	cmd.exe	116
PID 1036 wrote to memory of 2580	1036	owo.exe	117
PID 1036 wrote to memory of 2580	1036	owo.exe	117
PID 2580 wrote to memory of 456	2580	cmd.exe	118
PID 2580 wrote to memory of 456	2580	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\owo.exe
"C:\Users\Admin\AppData\Local\Temp\owo.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\owo.exe MD5 >> C:\ProgramData\hash.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\system32\certutil.exe
    certutil -hashfile C:\Users\Admin\AppData\Local\Temp\owo.exe MD5
    3⤵
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1124
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4812
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4568
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1712
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2636
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3624
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4340
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4664
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4336
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2596
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2068
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:740
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2452
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1944
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4208
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:544
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2256
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4956
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2140
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4304
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4132
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2296

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3888

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f95046addcef4babb620130d4ef07b8d /t 2420 /p 1036
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hash.txt

Filesize
143B

MD5
20696dddbc2a75e7c3f0e442b3f51e0a

SHA1
6c53253a7cbe9b6a6f29f16a03c4e1593450e402

SHA256
1010f0765af9c0c0daa0ec52c7c7dc40bd521e640686118e9660d96e12ae5f84

SHA512
8f459741d4b2bf3f91194bdf9049cab2494326cd11ad81a90234c54f62b5b190cf4b6f22d5f22f89450fae2964c470998127f7c511daacb89287c685a3b019c2

Download Submit