Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
40s -
max time network
42s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 15:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Public.exe
Resource
win7-20240708-en
8 signatures
150 seconds
General
-
Target
Public.exe
-
Size
25.0MB
-
MD5
351a8f255c9ec050957fad6feccaef4e
-
SHA1
7f640025be59f7b8a6872a94cc267327aea7114a
-
SHA256
3af8a3c2acc030605bb3d6832dc5a7a47a8374be2bf940b2be72b66f2dd9bd19
-
SHA512
996fa2be6cb334a0ab43d18981e64c01f5fddfb6a81d90a5c881a9ff63424c0e3725f898f205da8d0b1742f443367294709c78aac1165df596a4dea1994423dc
-
SSDEEP
786432:soNl21gQ2pM4XyBssbuo9x80w5bel4R/bamW:sGco/y+1oA1elm/ep
Malware Config
Signatures
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2524 Public.exe 2524 Public.exe -
Launches sc.exe 21 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2892 sc.exe 2788 sc.exe 920 sc.exe 2840 sc.exe 2392 sc.exe 2820 sc.exe 2748 sc.exe 1984 sc.exe 2812 sc.exe 1996 sc.exe 2060 sc.exe 2696 sc.exe 1100 sc.exe 2556 sc.exe 284 sc.exe 1520 sc.exe 2192 sc.exe 1684 sc.exe 1724 sc.exe 964 sc.exe 1232 sc.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2576 timeout.exe -
Kills process with taskkill 39 IoCs
pid Process 844 taskkill.exe 2016 taskkill.exe 1560 taskkill.exe 2044 taskkill.exe 1264 taskkill.exe 1212 taskkill.exe 1136 taskkill.exe 912 taskkill.exe 3004 taskkill.exe 2912 taskkill.exe 2632 taskkill.exe 2004 taskkill.exe 2656 taskkill.exe 2620 taskkill.exe 2336 taskkill.exe 2032 taskkill.exe 2904 taskkill.exe 2268 taskkill.exe 3060 taskkill.exe 1804 taskkill.exe 2108 taskkill.exe 1588 taskkill.exe 2596 taskkill.exe 2616 taskkill.exe 2352 taskkill.exe 2884 taskkill.exe 2796 taskkill.exe 2564 taskkill.exe 3060 taskkill.exe 1944 taskkill.exe 1004 taskkill.exe 2480 taskkill.exe 1744 taskkill.exe 3052 taskkill.exe 2000 taskkill.exe 1560 taskkill.exe 2352 taskkill.exe 1524 taskkill.exe 1556 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2524 Public.exe -
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process Token: SeDebugPrivilege 2108 taskkill.exe Token: SeDebugPrivilege 2796 taskkill.exe Token: SeDebugPrivilege 2596 taskkill.exe Token: SeDebugPrivilege 2616 taskkill.exe Token: SeDebugPrivilege 2632 taskkill.exe Token: SeDebugPrivilege 2620 taskkill.exe Token: SeDebugPrivilege 3060 taskkill.exe Token: SeDebugPrivilege 2336 taskkill.exe Token: SeDebugPrivilege 2044 taskkill.exe Token: SeDebugPrivilege 2032 taskkill.exe Token: SeDebugPrivilege 2352 taskkill.exe Token: SeDebugPrivilege 1560 taskkill.exe Token: SeDebugPrivilege 1944 taskkill.exe Token: SeDebugPrivilege 1264 taskkill.exe Token: SeDebugPrivilege 1212 taskkill.exe Token: SeDebugPrivilege 1004 taskkill.exe Token: SeDebugPrivilege 2904 taskkill.exe Token: SeDebugPrivilege 1136 taskkill.exe Token: SeDebugPrivilege 912 taskkill.exe Token: SeDebugPrivilege 2268 taskkill.exe Token: SeDebugPrivilege 3004 taskkill.exe Token: SeDebugPrivilege 2480 taskkill.exe Token: SeDebugPrivilege 2656 taskkill.exe Token: SeDebugPrivilege 1744 taskkill.exe Token: SeDebugPrivilege 3052 taskkill.exe Token: SeDebugPrivilege 1556 taskkill.exe Token: SeDebugPrivilege 3060 taskkill.exe Token: SeDebugPrivilege 1804 taskkill.exe Token: SeDebugPrivilege 2004 taskkill.exe Token: SeDebugPrivilege 2352 taskkill.exe Token: SeDebugPrivilege 1560 taskkill.exe Token: SeDebugPrivilege 2000 taskkill.exe Token: SeDebugPrivilege 2884 taskkill.exe Token: SeDebugPrivilege 2912 taskkill.exe Token: SeDebugPrivilege 1588 taskkill.exe Token: SeDebugPrivilege 1524 taskkill.exe Token: SeDebugPrivilege 844 taskkill.exe Token: SeDebugPrivilege 2016 taskkill.exe Token: SeDebugPrivilege 2564 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2504 2524 Public.exe 31 PID 2524 wrote to memory of 2504 2524 Public.exe 31 PID 2524 wrote to memory of 2504 2524 Public.exe 31 PID 2504 wrote to memory of 2108 2504 cmd.exe 32 PID 2504 wrote to memory of 2108 2504 cmd.exe 32 PID 2504 wrote to memory of 2108 2504 cmd.exe 32 PID 2524 wrote to memory of 2740 2524 Public.exe 34 PID 2524 wrote to memory of 2740 2524 Public.exe 34 PID 2524 wrote to memory of 2740 2524 Public.exe 34 PID 2524 wrote to memory of 2792 2524 Public.exe 35 PID 2524 wrote to memory of 2792 2524 Public.exe 35 PID 2524 wrote to memory of 2792 2524 Public.exe 35 PID 2792 wrote to memory of 2796 2792 cmd.exe 36 PID 2792 wrote to memory of 2796 2792 cmd.exe 36 PID 2792 wrote to memory of 2796 2792 cmd.exe 36 PID 2524 wrote to memory of 2788 2524 Public.exe 37 PID 2524 wrote to memory of 2788 2524 Public.exe 37 PID 2524 wrote to memory of 2788 2524 Public.exe 37 PID 2524 wrote to memory of 2748 2524 Public.exe 38 PID 2524 wrote to memory of 2748 2524 Public.exe 38 PID 2524 wrote to memory of 2748 2524 Public.exe 38 PID 2748 wrote to memory of 2840 2748 cmd.exe 39 PID 2748 wrote to memory of 2840 2748 cmd.exe 39 PID 2748 wrote to memory of 2840 2748 cmd.exe 39 PID 2524 wrote to memory of 2716 2524 Public.exe 40 PID 2524 wrote to memory of 2716 2524 Public.exe 40 PID 2524 wrote to memory of 2716 2524 Public.exe 40 PID 2524 wrote to memory of 2780 2524 Public.exe 41 PID 2524 wrote to memory of 2780 2524 Public.exe 41 PID 2524 wrote to memory of 2780 2524 Public.exe 41 PID 2780 wrote to memory of 2596 2780 cmd.exe 42 PID 2780 wrote to memory of 2596 2780 cmd.exe 42 PID 2780 wrote to memory of 2596 2780 cmd.exe 42 PID 2524 wrote to memory of 2752 2524 Public.exe 43 PID 2524 wrote to memory of 2752 2524 Public.exe 43 PID 2524 wrote to memory of 2752 2524 Public.exe 43 PID 2524 wrote to memory of 2624 2524 Public.exe 44 PID 2524 wrote to memory of 2624 2524 Public.exe 44 PID 2524 wrote to memory of 2624 2524 Public.exe 44 PID 2624 wrote to memory of 2616 2624 cmd.exe 45 PID 2624 wrote to memory of 2616 2624 cmd.exe 45 PID 2624 wrote to memory of 2616 2624 cmd.exe 45 PID 2524 wrote to memory of 2764 2524 Public.exe 154 PID 2524 wrote to memory of 2764 2524 Public.exe 154 PID 2524 wrote to memory of 2764 2524 Public.exe 154 PID 2524 wrote to memory of 2728 2524 Public.exe 47 PID 2524 wrote to memory of 2728 2524 Public.exe 47 PID 2524 wrote to memory of 2728 2524 Public.exe 47 PID 2728 wrote to memory of 2632 2728 cmd.exe 48 PID 2728 wrote to memory of 2632 2728 cmd.exe 48 PID 2728 wrote to memory of 2632 2728 cmd.exe 48 PID 2524 wrote to memory of 2584 2524 Public.exe 49 PID 2524 wrote to memory of 2584 2524 Public.exe 49 PID 2524 wrote to memory of 2584 2524 Public.exe 49 PID 2524 wrote to memory of 2604 2524 Public.exe 50 PID 2524 wrote to memory of 2604 2524 Public.exe 50 PID 2524 wrote to memory of 2604 2524 Public.exe 50 PID 2604 wrote to memory of 2620 2604 cmd.exe 51 PID 2604 wrote to memory of 2620 2604 cmd.exe 51 PID 2604 wrote to memory of 2620 2604 cmd.exe 51 PID 2524 wrote to memory of 1884 2524 Public.exe 52 PID 2524 wrote to memory of 1884 2524 Public.exe 52 PID 2524 wrote to memory of 1884 2524 Public.exe 52 PID 2524 wrote to memory of 3020 2524 Public.exe 53
Processes
-
C:\Users\Admin\AppData\Local\Temp\Public.exe"C:\Users\Admin\AppData\Local\Temp\Public.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:2840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:3020
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&12⤵PID:1804
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵PID:1600
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:1960
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵PID:1444
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:1956
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:1892
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:1776
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵PID:1760
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
PID:2892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵PID:2912
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
PID:2812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵PID:2040
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
PID:2556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵PID:2160
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
PID:284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵PID:2360
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
PID:1996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:1020
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:2492
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:1736
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:1520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:1304
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:1000
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:2200
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:1668
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:2312
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&12⤵PID:2464
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵PID:564
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:352
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵PID:1084
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:2332
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:1696
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:2144
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:2060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵PID:2372
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
PID:2696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵PID:2064
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
PID:2392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵PID:2824
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵PID:2792
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
PID:2788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵PID:2840
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
PID:2748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Public.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵PID:2448
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Public.exe" MD53⤵PID:2724
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:2304
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Public.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵PID:2652
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Public.exe" MD53⤵PID:2636
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:2608
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:3012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:3016
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:2336
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:2036
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:264
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:2484
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:576
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:1864
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:2688
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&12⤵PID:2812
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵PID:2184
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:2424
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵PID:1020
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:2956
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:1224
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:1348
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:2192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵PID:2284
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
PID:1684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵PID:1256
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
PID:1724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵PID:2100
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
PID:964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵PID:1668
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
PID:1100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵PID:1296
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
PID:920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"2⤵PID:3008
-
C:\Windows\system32\cmd.execmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"3⤵PID:2288
-
C:\Windows\system32\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
PID:2576
-
-
-
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵PID:2764