Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
17s -
max time network
36s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/09/2024, 15:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Public.exe
Resource
win7-20240708-en
8 signatures
150 seconds
General
-
Target
Public.exe
-
Size
25.0MB
-
MD5
351a8f255c9ec050957fad6feccaef4e
-
SHA1
7f640025be59f7b8a6872a94cc267327aea7114a
-
SHA256
3af8a3c2acc030605bb3d6832dc5a7a47a8374be2bf940b2be72b66f2dd9bd19
-
SHA512
996fa2be6cb334a0ab43d18981e64c01f5fddfb6a81d90a5c881a9ff63424c0e3725f898f205da8d0b1742f443367294709c78aac1165df596a4dea1994423dc
-
SSDEEP
786432:soNl21gQ2pM4XyBssbuo9x80w5bel4R/bamW:sGco/y+1oA1elm/ep
Malware Config
Signatures
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3372 Public.exe 3372 Public.exe -
Launches sc.exe 21 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1072 sc.exe 464 sc.exe 1768 sc.exe 924 sc.exe 448 sc.exe 1432 sc.exe 4072 sc.exe 1988 sc.exe 4160 sc.exe 2276 sc.exe 4080 sc.exe 2624 sc.exe 1716 sc.exe 4764 sc.exe 1632 sc.exe 2356 sc.exe 1048 sc.exe 2756 sc.exe 1356 sc.exe 2040 sc.exe 5096 sc.exe -
Kills process with taskkill 39 IoCs
pid Process 1856 taskkill.exe 3940 taskkill.exe 2244 taskkill.exe 3600 taskkill.exe 3036 taskkill.exe 4728 taskkill.exe 3292 taskkill.exe 3036 taskkill.exe 3992 taskkill.exe 1604 taskkill.exe 4532 taskkill.exe 3968 taskkill.exe 332 taskkill.exe 388 taskkill.exe 4684 taskkill.exe 4768 taskkill.exe 2920 taskkill.exe 3480 taskkill.exe 1612 taskkill.exe 404 taskkill.exe 4204 taskkill.exe 456 taskkill.exe 4132 taskkill.exe 5024 taskkill.exe 3452 taskkill.exe 3504 taskkill.exe 764 taskkill.exe 2836 taskkill.exe 4824 taskkill.exe 2140 taskkill.exe 1444 taskkill.exe 3532 taskkill.exe 316 taskkill.exe 3884 taskkill.exe 1284 taskkill.exe 3000 taskkill.exe 4388 taskkill.exe 2832 taskkill.exe 5044 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3372 Public.exe 3372 Public.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 3480 taskkill.exe Token: SeDebugPrivilege 3992 taskkill.exe Token: SeDebugPrivilege 3036 taskkill.exe Token: SeDebugPrivilege 4824 taskkill.exe Token: SeDebugPrivilege 2140 taskkill.exe Token: SeDebugPrivilege 1612 taskkill.exe Token: SeDebugPrivilege 4132 taskkill.exe Token: SeDebugPrivilege 4728 taskkill.exe Token: SeDebugPrivilege 1856 taskkill.exe Token: SeDebugPrivilege 4768 taskkill.exe Token: SeDebugPrivilege 1444 taskkill.exe Token: SeDebugPrivilege 3940 taskkill.exe Token: SeDebugPrivilege 3000 taskkill.exe Token: SeDebugPrivilege 4388 taskkill.exe Token: SeDebugPrivilege 3292 taskkill.exe Token: SeDebugPrivilege 1604 taskkill.exe Token: SeDebugPrivilege 5024 taskkill.exe Token: SeDebugPrivilege 2920 taskkill.exe Token: SeDebugPrivilege 3532 taskkill.exe Token: SeDebugPrivilege 316 taskkill.exe Token: SeDebugPrivilege 3884 taskkill.exe Token: SeDebugPrivilege 404 taskkill.exe Token: SeDebugPrivilege 2244 taskkill.exe Token: SeDebugPrivilege 1284 taskkill.exe Token: SeDebugPrivilege 3452 taskkill.exe Token: SeDebugPrivilege 2832 taskkill.exe Token: SeDebugPrivilege 3504 taskkill.exe Token: SeDebugPrivilege 5044 taskkill.exe Token: SeDebugPrivilege 764 taskkill.exe Token: SeDebugPrivilege 4532 taskkill.exe Token: SeDebugPrivilege 3968 taskkill.exe Token: SeDebugPrivilege 3600 taskkill.exe Token: SeDebugPrivilege 4204 taskkill.exe Token: SeDebugPrivilege 2836 taskkill.exe Token: SeDebugPrivilege 3036 taskkill.exe Token: SeDebugPrivilege 332 taskkill.exe Token: SeDebugPrivilege 456 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3372 wrote to memory of 1608 3372 Public.exe 88 PID 3372 wrote to memory of 1608 3372 Public.exe 88 PID 1608 wrote to memory of 3480 1608 cmd.exe 89 PID 1608 wrote to memory of 3480 1608 cmd.exe 89 PID 3372 wrote to memory of 2756 3372 Public.exe 91 PID 3372 wrote to memory of 2756 3372 Public.exe 91 PID 3372 wrote to memory of 4928 3372 Public.exe 92 PID 3372 wrote to memory of 4928 3372 Public.exe 92 PID 4928 wrote to memory of 3992 4928 cmd.exe 93 PID 4928 wrote to memory of 3992 4928 cmd.exe 93 PID 3372 wrote to memory of 2900 3372 Public.exe 94 PID 3372 wrote to memory of 2900 3372 Public.exe 94 PID 3372 wrote to memory of 396 3372 Public.exe 170 PID 3372 wrote to memory of 396 3372 Public.exe 170 PID 396 wrote to memory of 1768 396 cmd.exe 169 PID 396 wrote to memory of 1768 396 cmd.exe 169 PID 3372 wrote to memory of 3532 3372 Public.exe 171 PID 3372 wrote to memory of 3532 3372 Public.exe 171 PID 3372 wrote to memory of 4932 3372 Public.exe 100 PID 3372 wrote to memory of 4932 3372 Public.exe 100 PID 4932 wrote to memory of 3036 4932 cmd.exe 101 PID 4932 wrote to memory of 3036 4932 cmd.exe 101 PID 3372 wrote to memory of 4228 3372 Public.exe 102 PID 3372 wrote to memory of 4228 3372 Public.exe 102 PID 3372 wrote to memory of 3600 3372 Public.exe 241 PID 3372 wrote to memory of 3600 3372 Public.exe 241 PID 3600 wrote to memory of 4824 3600 cmd.exe 104 PID 3600 wrote to memory of 4824 3600 cmd.exe 104 PID 3372 wrote to memory of 1640 3372 Public.exe 105 PID 3372 wrote to memory of 1640 3372 Public.exe 105 PID 3372 wrote to memory of 4204 3372 Public.exe 244 PID 3372 wrote to memory of 4204 3372 Public.exe 244 PID 4204 wrote to memory of 2140 4204 cmd.exe 107 PID 4204 wrote to memory of 2140 4204 cmd.exe 107 PID 3372 wrote to memory of 2904 3372 Public.exe 108 PID 3372 wrote to memory of 2904 3372 Public.exe 108 PID 3372 wrote to memory of 2836 3372 Public.exe 247 PID 3372 wrote to memory of 2836 3372 Public.exe 247 PID 2836 wrote to memory of 1612 2836 cmd.exe 110 PID 2836 wrote to memory of 1612 2836 cmd.exe 110 PID 3372 wrote to memory of 3652 3372 Public.exe 111 PID 3372 wrote to memory of 3652 3372 Public.exe 111 PID 3372 wrote to memory of 1408 3372 Public.exe 112 PID 3372 wrote to memory of 1408 3372 Public.exe 112 PID 1408 wrote to memory of 4132 1408 cmd.exe 113 PID 1408 wrote to memory of 4132 1408 cmd.exe 113 PID 3372 wrote to memory of 2400 3372 Public.exe 114 PID 3372 wrote to memory of 2400 3372 Public.exe 114 PID 3372 wrote to memory of 456 3372 Public.exe 256 PID 3372 wrote to memory of 456 3372 Public.exe 256 PID 456 wrote to memory of 4728 456 cmd.exe 248 PID 456 wrote to memory of 4728 456 cmd.exe 248 PID 3372 wrote to memory of 1536 3372 Public.exe 117 PID 3372 wrote to memory of 1536 3372 Public.exe 117 PID 3372 wrote to memory of 4332 3372 Public.exe 118 PID 3372 wrote to memory of 4332 3372 Public.exe 118 PID 4332 wrote to memory of 1856 4332 cmd.exe 119 PID 4332 wrote to memory of 1856 4332 cmd.exe 119 PID 3372 wrote to memory of 332 3372 Public.exe 253 PID 3372 wrote to memory of 332 3372 Public.exe 253 PID 3372 wrote to memory of 740 3372 Public.exe 122 PID 3372 wrote to memory of 740 3372 Public.exe 122 PID 740 wrote to memory of 4768 740 cmd.exe 123 PID 740 wrote to memory of 4768 740 cmd.exe 123
Processes
-
C:\Users\Admin\AppData\Local\Temp\Public.exe"C:\Users\Admin\AppData\Local\Temp\Public.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:1768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵PID:4732
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:3696
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:4588
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:3756
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵PID:2312
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
PID:448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵PID:4960
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
PID:2624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵PID:3732
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
PID:1432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵PID:1944
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
PID:2040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵PID:2004
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
PID:4072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:3572
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:3584
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:264
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:1088
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:3760
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:932
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:396
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:2252
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&12⤵PID:4328
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵PID:4100
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:1148
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵PID:1648
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:2008
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:880
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:1344
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵PID:3696
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
PID:1072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵PID:4812
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
PID:1716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵PID:4780
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
PID:1048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵PID:924
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
PID:464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵PID:4608
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Public.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵PID:760
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Public.exe" MD53⤵PID:4936
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:4960
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:64
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Public.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵PID:4908
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Public.exe" MD53⤵PID:3044
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:4604
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:3292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵PID:3916
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵PID:4360
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:4776
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:2756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:2724
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:2280
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:4164
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:2220
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:2704
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&12⤵PID:4992
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵PID:2788
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵PID:2980
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵PID:944
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:1224
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
PID:388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵PID:1716
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:4780
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:1632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵PID:4612
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
PID:4160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵PID:5084
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵PID:1432
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
PID:1356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵PID:2420
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
PID:4080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵PID:4464
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
PID:2356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4908
-
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:4072
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv dtbl5AUGDUqPBoGYpHSIUw.0.21⤵PID:3504