Analysis
- max time kernel: 300s
- max time network: 278s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 17/11/2024, 15:08
Static task: static1
Behavioral task: behavioral1
- Sample: Prv.exe
- Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
- Sample: SecureEngineSDK64.dll
- Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral3
- Sample: libcrypto-3-x64.dll
- Resource: win10ltsc2021-20241023-en
General
- Target: Prv.exe
- Size: 2.2MB
- MD5: e66ed4613b57ea69f248d947c78aee5d
- SHA1: fe22fd8f8d133d019d5a14737ebce8df93908b89
- SHA256: df4f585a8338fb58d6d0d5a611faa30f1bf69ac792a5390e8ec322e6f96af040
- SHA512: e9394f6d56b009e55dd7b1ee928641dc6422a201e50131e610a88b91556f2cf75fe1a366725625ce383e0c6d5899232390176c6cd2c6bf4f1cec793a88b8327f
- SSDEEP: 49152:SjkFlDYrAZ/4MmmPN9vdyIVT61U/S7CQnfGTXbFNL3DUMuFA6MVdh5kgh3kusPu/:Sjih/4oPNWA+G
Malware Config
Signatures
Modifies Windows Firewall 2 TTPs 1 IoCs
pid   Process
3760  netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
85    discord.com
49    discord.com
62    discord.com
68    discord.com
75    discord.com
79    discord.com
82    discord.com
24    discord.com
25    discord.com
69    discord.com
78    discord.com
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
3864  sc.exe
1868  sc.exe
3904  sc.exe
3284  sc.exe
3176  sc.exe
5080  sc.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description           ioc                                         Process
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid   Process
4628  ipconfig.exe
Kills process with taskkill 24 IoCs
Process: taskkill.exe (24 instances); pids: 3288, 4864, 552, 1748, 1836, 3360, 1704, 2500, 864, 2168, 1640, 1284, 4816, 344, 2972, 2840, 1860, 4708, 1104, 3592, 4740, 4820, 4156, 3080
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
416   Prv.exe   (recorded 64 times, all from the same process)
Suspicious use of AdjustPrivilegeToken 24 IoCs
description: Token: SeDebugPrivilege (for every entry)
Process: taskkill.exe (24 instances); pids: 4816, 1704, 3288, 2500, 344, 1104, 3592, 4864, 864, 4740, 2972, 2840, 2168, 1640, 1860, 4708, 1284, 552, 1748, 4820, 4156, 3360, 1836, 3080
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process  procid_target
(each row below is recorded twice in the report, giving the 64 IoCs)
PID 416 wrote to memory of 1228    416   Prv.exe  82
PID 1228 wrote to memory of 4628   1228  cmd.exe  83
PID 416 wrote to memory of 4372    416   Prv.exe  84
PID 4372 wrote to memory of 3760   4372  cmd.exe  85
PID 416 wrote to memory of 2396    416   Prv.exe  86
PID 416 wrote to memory of 536     416   Prv.exe  87
PID 536 wrote to memory of 116     536   cmd.exe  88
PID 416 wrote to memory of 1876    416   Prv.exe  90
PID 416 wrote to memory of 1804    416   Prv.exe  91
PID 1804 wrote to memory of 4816   1804  cmd.exe  92
PID 416 wrote to memory of 3812    416   Prv.exe  94
PID 3812 wrote to memory of 1704   3812  cmd.exe  95
PID 416 wrote to memory of 4252    416   Prv.exe  96
PID 4252 wrote to memory of 3288   4252  cmd.exe  97
PID 416 wrote to memory of 4696    416   Prv.exe  98
PID 4696 wrote to memory of 3284   4696  cmd.exe  99
PID 416 wrote to memory of 2040    416   Prv.exe  100
PID 2040 wrote to memory of 2500   2040  cmd.exe  101
PID 416 wrote to memory of 4332    416   Prv.exe  102
PID 416 wrote to memory of 4500    416   Prv.exe  103
PID 4500 wrote to memory of 4064   4500  cmd.exe  104
PID 416 wrote to memory of 3500    416   Prv.exe  105
PID 3500 wrote to memory of 344    3500  cmd.exe  106
PID 416 wrote to memory of 1672    416   Prv.exe  107
PID 1672 wrote to memory of 1104   1672  cmd.exe  108
PID 416 wrote to memory of 3896    416   Prv.exe  109
PID 3896 wrote to memory of 3592   3896  cmd.exe  110
PID 416 wrote to memory of 2888    416   Prv.exe  111
PID 2888 wrote to memory of 3176   2888  cmd.exe  112
PID 416 wrote to memory of 3708    416   Prv.exe  113
PID 3708 wrote to memory of 4864   3708  cmd.exe  114
PID 416 wrote to memory of 1528    416   Prv.exe  115
Processes
(format: image path: command line (PID); signatures are listed as bullets under each process; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Prv.exe: "C:\Users\Admin\AppData\Local\Temp\Prv.exe" (PID 416)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c ipconfig /flushdns (PID 1228)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\ipconfig.exe: ipconfig /flushdns (PID 4628)
      - Gathers network information
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP" (PID 4372)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\netsh.exe: netsh advfirewall firewall delete rule name="Block IP" (PID 3760)
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c cls (PID 2396)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12 (PID 536)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\mode.com: MODE CON COLS=55 LINES=12 (PID 116)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c cls (PID 1876)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 1804)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 4816)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 3812)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 1704)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 4252)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 3288)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 4696)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe: sc stop HTTPDebuggerPro (PID 3284)
      - Launches sc.exe
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 2040)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe: taskkill /IM HTTPDebuggerSvc.exe /F (PID 2500)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 4332)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Prv.exe MD5 >> C:\ProgramData\hash.txt (PID 4500)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\certutil.exe: certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Prv.exe MD5 (PID 4064)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 3500)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 344)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 1672)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 1104)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 3896)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 3592)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 2888)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe: sc stop HTTPDebuggerPro (PID 3176)
      - Launches sc.exe
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 3708)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe: taskkill /IM HTTPDebuggerSvc.exe /F (PID 4864)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 1528)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 3452)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 864)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 980)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 4740)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 3236)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 2972)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 4312)
    C:\Windows\system32\sc.exe: sc stop HTTPDebuggerPro (PID 5080)
      - Launches sc.exe
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 4956)
    C:\Windows\system32\taskkill.exe: taskkill /IM HTTPDebuggerSvc.exe /F (PID 2840)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 1592)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c cls (PID 3572)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 2932)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 2168)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 2412)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 1640)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 1200)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 1860)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 1700)
    C:\Windows\system32\sc.exe: sc stop HTTPDebuggerPro (PID 3864)
      - Launches sc.exe
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 1936)
    C:\Windows\system32\taskkill.exe: taskkill /IM HTTPDebuggerSvc.exe /F (PID 4708)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 1444)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 1724)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 1284)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 2664)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 552)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 2120)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 1748)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 1604)
    C:\Windows\system32\sc.exe: sc stop HTTPDebuggerPro (PID 1868)
      - Launches sc.exe
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 4912)
    C:\Windows\system32\taskkill.exe: taskkill /IM HTTPDebuggerSvc.exe /F (PID 4820)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 4828)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 (PID 3996)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T (PID 4156)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 (PID 1076)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T (PID 3360)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 (PID 1228)
    C:\Windows\system32\taskkill.exe: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T (PID 1836)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 (PID 3608)
    C:\Windows\system32\sc.exe: sc stop HTTPDebuggerPro (PID 3904)
      - Launches sc.exe
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1 (PID 3148)
    C:\Windows\system32\taskkill.exe: taskkill /IM HTTPDebuggerSvc.exe /F (PID 3080)
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 (PID 4508)
  C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12 (PID 1768)
    C:\Windows\system32\mode.com: MODE CON COLS=55 LINES=12 (PID 536)
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads
- Filesize: 143B
- MD5: 06ab8bc670c47033af118b08cdde61be
- SHA1: feaa5e7133fa9613f5ab4a7b7e4e3933fae5b749
- SHA256: a363e6c0aee24c22dd45ae626196407d4f66c9e5c305f94e706984668739ab10
- SHA512: df952cd89af9bb7f8a0154a32324e188453484cfeec30541d8727ff4c9cd8390fbe1b8190ffdbefc0be96680e79fb70146242a639915e69738628a727a70fba7