582032dd5303f2293ae37f1d1e9a49245ffbdbd0c750409e53b238adb4f1d16a

Analysis

max time kernel
95s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sky Cheat Paid (v1.5).exe
Size

1006KB
MD5

201bf6483b763e6dd2c41dfdf3974df6
SHA1

7ffef12acb1638daf0fdd94e373aa4e5efb03087
SHA256

582032dd5303f2293ae37f1d1e9a49245ffbdbd0c750409e53b238adb4f1d16a
SHA512

4db7160e6230c0117e8e0cf60f1c88cd02c6ead4753a326bb1b9de271e363ebc885c9d34b7a51b7ca19259549f8439b34ae7f9d58077c6c53d99b3cc6db837bc
SSDEEP

24576:ZaSAZRDuaaqZhD0qQrSEDEag4mqnNuGKFxzCvO:ZWfkqcNuLELnQ/

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3808	sc.exe
3728	sc.exe
4840	sc.exe
2880	sc.exe
3180	sc.exe
4976	sc.exe
1628	sc.exe

Kills process with taskkill 29 IoCs

evasion

pid	Process
904	taskkill.exe
3976	taskkill.exe
2368	taskkill.exe
3036	taskkill.exe
4404	taskkill.exe
4288	taskkill.exe
5096	taskkill.exe
1908	taskkill.exe
1808	taskkill.exe
4184	taskkill.exe
4196	taskkill.exe
1400	taskkill.exe
1792	taskkill.exe
4244	taskkill.exe
5084	taskkill.exe
2304	taskkill.exe
4588	taskkill.exe
744	taskkill.exe
4608	taskkill.exe
2008	taskkill.exe
2780	taskkill.exe
1452	taskkill.exe
984	taskkill.exe
4064	taskkill.exe
3208	taskkill.exe
3160	taskkill.exe
4176	taskkill.exe
4256	taskkill.exe
1072	taskkill.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe
1120	Sky Cheat Paid (v1.5).exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1824	1120	Sky Cheat Paid (v1.5).exe	84
PID 1120 wrote to memory of 1824	1120	Sky Cheat Paid (v1.5).exe	84
PID 1120 wrote to memory of 888	1120	Sky Cheat Paid (v1.5).exe	85
PID 1120 wrote to memory of 888	1120	Sky Cheat Paid (v1.5).exe	85
PID 1824 wrote to memory of 4244	1824	cmd.exe	86
PID 1824 wrote to memory of 4244	1824	cmd.exe	86
PID 1120 wrote to memory of 232	1120	Sky Cheat Paid (v1.5).exe	88
PID 1120 wrote to memory of 232	1120	Sky Cheat Paid (v1.5).exe	88
PID 232 wrote to memory of 4184	232	cmd.exe	89
PID 232 wrote to memory of 4184	232	cmd.exe	89
PID 1120 wrote to memory of 4748	1120	Sky Cheat Paid (v1.5).exe	91
PID 1120 wrote to memory of 4748	1120	Sky Cheat Paid (v1.5).exe	91
PID 4748 wrote to memory of 3728	4748	cmd.exe	92
PID 4748 wrote to memory of 3728	4748	cmd.exe	92
PID 1120 wrote to memory of 4328	1120	Sky Cheat Paid (v1.5).exe	93
PID 1120 wrote to memory of 4328	1120	Sky Cheat Paid (v1.5).exe	93
PID 4328 wrote to memory of 744	4328	cmd.exe	94
PID 4328 wrote to memory of 744	4328	cmd.exe	94
PID 1120 wrote to memory of 4532	1120	Sky Cheat Paid (v1.5).exe	95
PID 1120 wrote to memory of 4532	1120	Sky Cheat Paid (v1.5).exe	95
PID 4532 wrote to memory of 4064	4532	cmd.exe	96
PID 4532 wrote to memory of 4064	4532	cmd.exe	96
PID 1120 wrote to memory of 3244	1120	Sky Cheat Paid (v1.5).exe	97
PID 1120 wrote to memory of 3244	1120	Sky Cheat Paid (v1.5).exe	97
PID 3244 wrote to memory of 1908	3244	cmd.exe	98
PID 3244 wrote to memory of 1908	3244	cmd.exe	98
PID 1120 wrote to memory of 3036	1120	Sky Cheat Paid (v1.5).exe	101
PID 1120 wrote to memory of 3036	1120	Sky Cheat Paid (v1.5).exe	101
PID 1120 wrote to memory of 3496	1120	Sky Cheat Paid (v1.5).exe	102
PID 1120 wrote to memory of 3496	1120	Sky Cheat Paid (v1.5).exe	102
PID 1120 wrote to memory of 764	1120	Sky Cheat Paid (v1.5).exe	103
PID 1120 wrote to memory of 764	1120	Sky Cheat Paid (v1.5).exe	103
PID 1120 wrote to memory of 4976	1120	Sky Cheat Paid (v1.5).exe	104
PID 1120 wrote to memory of 4976	1120	Sky Cheat Paid (v1.5).exe	104
PID 1120 wrote to memory of 4416	1120	Sky Cheat Paid (v1.5).exe	105
PID 1120 wrote to memory of 4416	1120	Sky Cheat Paid (v1.5).exe	105
PID 1120 wrote to memory of 3048	1120	Sky Cheat Paid (v1.5).exe	106
PID 1120 wrote to memory of 3048	1120	Sky Cheat Paid (v1.5).exe	106
PID 1120 wrote to memory of 4168	1120	Sky Cheat Paid (v1.5).exe	107
PID 1120 wrote to memory of 4168	1120	Sky Cheat Paid (v1.5).exe	107
PID 764 wrote to memory of 3208	764	cmd.exe	108
PID 764 wrote to memory of 3208	764	cmd.exe	108
PID 4168 wrote to memory of 2828	4168	cmd.exe	109
PID 4168 wrote to memory of 2828	4168	cmd.exe	109
PID 3036 wrote to memory of 2008	3036	cmd.exe	110
PID 3036 wrote to memory of 2008	3036	cmd.exe	110
PID 4168 wrote to memory of 3456	4168	cmd.exe	111
PID 4168 wrote to memory of 3456	4168	cmd.exe	111
PID 4168 wrote to memory of 2192	4168	cmd.exe	112
PID 4168 wrote to memory of 2192	4168	cmd.exe	112
PID 3496 wrote to memory of 4608	3496	cmd.exe	113
PID 3496 wrote to memory of 4608	3496	cmd.exe	113
PID 4416 wrote to memory of 1808	4416	cmd.exe	114
PID 4416 wrote to memory of 1808	4416	cmd.exe	114
PID 4976 wrote to memory of 4840	4976	cmd.exe	115
PID 4976 wrote to memory of 4840	4976	cmd.exe	115
PID 1120 wrote to memory of 4404	1120	Sky Cheat Paid (v1.5).exe	116
PID 1120 wrote to memory of 4404	1120	Sky Cheat Paid (v1.5).exe	116
PID 1120 wrote to memory of 4920	1120	Sky Cheat Paid (v1.5).exe	117
PID 1120 wrote to memory of 4920	1120	Sky Cheat Paid (v1.5).exe	117
PID 1120 wrote to memory of 1968	1120	Sky Cheat Paid (v1.5).exe	118
PID 1120 wrote to memory of 1968	1120	Sky Cheat Paid (v1.5).exe	118
PID 1120 wrote to memory of 4444	1120	Sky Cheat Paid (v1.5).exe	119
PID 1120 wrote to memory of 4444	1120	Sky Cheat Paid (v1.5).exe	119

C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe
"C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 05
  2⤵
  PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4840
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe" MD5
    3⤵
    PID:2828
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3456
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4404
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4920
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1968
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4444
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2880
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1240
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1692
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3204
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5024
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2792
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3180
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:3632
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4384
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4680
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3612
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2500
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1908
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4980
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4300
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3468
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:940
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3188
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5028
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2160
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2900
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2780