Analysis
-
max time kernel
95s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 17:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Sky Cheat Paid (v1.5).exe
Resource
win7-20240708-en
0 signatures
150 seconds
General
-
Target
Sky Cheat Paid (v1.5).exe
-
Size
1006KB
-
MD5
201bf6483b763e6dd2c41dfdf3974df6
-
SHA1
7ffef12acb1638daf0fdd94e373aa4e5efb03087
-
SHA256
582032dd5303f2293ae37f1d1e9a49245ffbdbd0c750409e53b238adb4f1d16a
-
SHA512
4db7160e6230c0117e8e0cf60f1c88cd02c6ead4753a326bb1b9de271e363ebc885c9d34b7a51b7ca19259549f8439b34ae7f9d58077c6c53d99b3cc6db837bc
-
SSDEEP
24576:ZaSAZRDuaaqZhD0qQrSEDEag4mqnNuGKFxzCvO:ZWfkqcNuLELnQ/
Malware Config
Signatures
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 3808 sc.exe 3728 sc.exe 4840 sc.exe 2880 sc.exe 3180 sc.exe 4976 sc.exe 1628 sc.exe -
Kills process with taskkill 29 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 1120 Sky Cheat Paid (v1.5).exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe"C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 052⤵PID:888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:3728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:4840
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:3048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe" MD53⤵PID:2828
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:3456
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:2192
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:4404
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:4920
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:1968
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:4444
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:2880
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵PID:1240
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:2740
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:1692
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4196
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:3204
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4288
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:5024
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:2792
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:3180
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵PID:3632
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:3864
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:4384
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4176
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:4680
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:3612
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:2500
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:1628
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵PID:1908
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:4992
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:3244
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:4980
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:984
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:4300
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:3468
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:4976
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵PID:940
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:864
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵PID:3188
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵PID:2708
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵PID:5028
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5096
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵PID:2160
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
PID:3808
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵PID:2900
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4404
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵PID:2780
-