Analysis
max time kernel: 300s
max time network: 281s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 17/11/2024, 15:09
Static task: static1
Behavioral task: behavioral1
  Sample: Discord.rar
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
  Sample: Prv.exe
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral3
  Sample: SecureEngineSDK64.dll
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral4
  Sample: libcrypto-3-x64.dll
  Resource: win10ltsc2021-20241023-en
General
Target: Prv.exe
Size: 2.2MB
MD5: e66ed4613b57ea69f248d947c78aee5d
SHA1: fe22fd8f8d133d019d5a14737ebce8df93908b89
SHA256: df4f585a8338fb58d6d0d5a611faa30f1bf69ac792a5390e8ec322e6f96af040
SHA512: e9394f6d56b009e55dd7b1ee928641dc6422a201e50131e610a88b91556f2cf75fe1a366725625ce383e0c6d5899232390176c6cd2c6bf4f1cec793a88b8327f
SSDEEP: 49152:SjkFlDYrAZ/4MmmPN9vdyIVT61U/S7CQnfGTXbFNL3DUMuFA6MVdh5kgh3kusPu/:Sjih/4oPNWA+G
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  PID   Process
  228   netsh.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
  flow  ioc
  68    discord.com
  77    discord.com
  80    discord.com
  81    discord.com
  32    discord.com
  54    discord.com
  84    discord.com
  87    discord.com
  29    discord.com
  64    discord.com
Launches sc.exe (6 IoCs)
Sc.exe is a Windows utility to control services on the system.
  PID   Process
  1544  sc.exe
  3156  sc.exe
  1696  sc.exe
  3232  sc.exe
  3932  sc.exe
  1268  sc.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description     ioc                                          Process
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
  PID   Process
  1252  ipconfig.exe
Kills process with taskkill (24 IoCs)
  PID   Process
  2344  taskkill.exe
  2920  taskkill.exe
  4548  taskkill.exe
  1388  taskkill.exe
  1764  taskkill.exe
  4692  taskkill.exe
  4788  taskkill.exe
  60    taskkill.exe
  560   taskkill.exe
  4872  taskkill.exe
  396   taskkill.exe
  392   taskkill.exe
  4432  taskkill.exe
  436   taskkill.exe
  5080  taskkill.exe
  3816  taskkill.exe
  1984  taskkill.exe
  3192  taskkill.exe
  3756  taskkill.exe
  3276  taskkill.exe
  1924  taskkill.exe
  1584  taskkill.exe
  1680  taskkill.exe
  3624  taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  1040  Prv.exe  (all 64 entries are PID 1040 Prv.exe)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description              PID   Process
  Token: SeDebugPrivilege  2344  taskkill.exe
  Token: SeDebugPrivilege  5080  taskkill.exe
  Token: SeDebugPrivilege  2920  taskkill.exe
  Token: SeDebugPrivilege  4548  taskkill.exe
  Token: SeDebugPrivilege  3816  taskkill.exe
  Token: SeDebugPrivilege  1388  taskkill.exe
  Token: SeDebugPrivilege  3276  taskkill.exe
  Token: SeDebugPrivilege  4872  taskkill.exe
  Token: SeDebugPrivilege  1984  taskkill.exe
  Token: SeDebugPrivilege  1764  taskkill.exe
  Token: SeDebugPrivilege  4692  taskkill.exe
  Token: SeDebugPrivilege  1924  taskkill.exe
  Token: SeDebugPrivilege  4788  taskkill.exe
  Token: SeDebugPrivilege  396   taskkill.exe
  Token: SeDebugPrivilege  1584  taskkill.exe
  Token: SeDebugPrivilege  392   taskkill.exe
  Token: SeDebugPrivilege  1680  taskkill.exe
  Token: SeDebugPrivilege  4432  taskkill.exe
  Token: SeDebugPrivilege  3192  taskkill.exe
  Token: SeDebugPrivilege  436   taskkill.exe
  Token: SeDebugPrivilege  3756  taskkill.exe
  Token: SeDebugPrivilege  3624  taskkill.exe
  Token: SeDebugPrivilege  60    taskkill.exe
  Token: SeDebugPrivilege  560   taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report records each row below twice)
  description                        PID   Process  procid_target
  PID 1040 wrote to memory of 116    1040  Prv.exe  82
  PID 116 wrote to memory of 1252    116   cmd.exe  83
  PID 1040 wrote to memory of 4460   1040  Prv.exe  84
  PID 4460 wrote to memory of 228    4460  cmd.exe  85
  PID 1040 wrote to memory of 1292   1040  Prv.exe  87
  PID 1040 wrote to memory of 2480   1040  Prv.exe  88
  PID 2480 wrote to memory of 2068   2480  cmd.exe  89
  PID 1040 wrote to memory of 3720   1040  Prv.exe  90
  PID 1040 wrote to memory of 1364   1040  Prv.exe  91
  PID 1364 wrote to memory of 2344   1364  cmd.exe  92
  PID 1040 wrote to memory of 5112   1040  Prv.exe  94
  PID 5112 wrote to memory of 5080   5112  cmd.exe  95
  PID 1040 wrote to memory of 4512   1040  Prv.exe  96
  PID 4512 wrote to memory of 2920   4512  cmd.exe  97
  PID 1040 wrote to memory of 3084   1040  Prv.exe  98
  PID 3084 wrote to memory of 1268   3084  cmd.exe  99
  PID 1040 wrote to memory of 736    1040  Prv.exe  100
  PID 736 wrote to memory of 4548    736   cmd.exe  101
  PID 1040 wrote to memory of 4576   1040  Prv.exe  102
  PID 1040 wrote to memory of 4476   1040  Prv.exe  103
  PID 4476 wrote to memory of 5096   4476  cmd.exe  104
  PID 1040 wrote to memory of 2916   1040  Prv.exe  105
  PID 2916 wrote to memory of 3816   2916  cmd.exe  106
  PID 1040 wrote to memory of 4076   1040  Prv.exe  107
  PID 4076 wrote to memory of 1388   4076  cmd.exe  108
  PID 1040 wrote to memory of 2760   1040  Prv.exe  109
  PID 2760 wrote to memory of 3276   2760  cmd.exe  110
  PID 1040 wrote to memory of 4536   1040  Prv.exe  111
  PID 4536 wrote to memory of 1544   4536  cmd.exe  112
  PID 1040 wrote to memory of 448    1040  Prv.exe  113
  PID 448 wrote to memory of 4872    448   cmd.exe  114
  PID 1040 wrote to memory of 3252   1040  Prv.exe  115
Processes
(indentation shows process depth; each entry gives image path, PID, command line, and triggered signatures)

C:\Users\Admin\AppData\Local\Temp\Prv.exe [PID 1040]
  "C:\Users\Admin\AppData\Local\Temp\Prv.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe [PID 116]
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\ipconfig.exe [PID 1252]
      ipconfig /flushdns
      - Gathers network information

  C:\Windows\system32\cmd.exe [PID 4460]
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\netsh.exe [PID 228]
      netsh advfirewall firewall delete rule name="Block IP"
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\cmd.exe [PID 1292]
    C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe [PID 2480]
    C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com [PID 2068]
      MODE CON COLS=55 LINES=12

  C:\Windows\system32\cmd.exe [PID 3720]
    C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe [PID 1364]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe [PID 2344]
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 5112]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe [PID 5080]
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 4512]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe [PID 2920]
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 3084]
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe [PID 1268]
      sc stop HTTPDebuggerPro
      - Launches sc.exe

  C:\Windows\system32\cmd.exe [PID 736]
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe [PID 4548]
      taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 4576]
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  C:\Windows\system32\cmd.exe [PID 4476]
    C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Prv.exe MD5 >> C:\ProgramData\hash.txt
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe [PID 5096]
      certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Prv.exe MD5

  C:\Windows\system32\cmd.exe [PID 2916]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe [PID 3816]
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 4076]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe [PID 1388]
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 2760]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe [PID 3276]
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 4536]
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe [PID 1544]
      sc stop HTTPDebuggerPro
      - Launches sc.exe

  C:\Windows\system32\cmd.exe [PID 448]
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe [PID 4872]
      taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 3252]
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  C:\Windows\system32\cmd.exe [PID 2996]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 1984]
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 3700]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 1764]
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 2676]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 4692]
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 3536]
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

    C:\Windows\system32\sc.exe [PID 3156]
      sc stop HTTPDebuggerPro
      - Launches sc.exe

  C:\Windows\system32\cmd.exe [PID 1912]
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 1924]
      taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 1556]
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  C:\Windows\system32\cmd.exe [PID 4340]
    C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe [PID 1340]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 4788]
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 1976]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 396]
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 2284]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 1584]
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 4252]
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

    C:\Windows\system32\sc.exe [PID 1696]
      sc stop HTTPDebuggerPro
      - Launches sc.exe

  C:\Windows\system32\cmd.exe [PID 1460]
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 392]
      taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 1080]
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  C:\Windows\system32\cmd.exe [PID 1692]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 1680]
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 3916]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 4432]
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 2780]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 3192]
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 3060]
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

    C:\Windows\system32\sc.exe [PID 3232]
      sc stop HTTPDebuggerPro
      - Launches sc.exe

  C:\Windows\system32\cmd.exe [PID 4264]
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 436]
      taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 4720]
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  C:\Windows\system32\cmd.exe [PID 2772]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 3756]
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 3136]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 3624]
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 860]
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 60]
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 1796]
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

    C:\Windows\system32\sc.exe [PID 3932]
      sc stop HTTPDebuggerPro
      - Launches sc.exe

  C:\Windows\system32\cmd.exe [PID 4016]
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

    C:\Windows\system32\taskkill.exe [PID 560]
      taskkill /IM HTTPDebuggerSvc.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe [PID 1160]
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

  C:\Windows\system32\cmd.exe [PID 100]
    C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12

    C:\Windows\system32\mode.com [PID 228]
      MODE CON COLS=55 LINES=12
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
  System Services (1)
    Service Execution (1)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Downloads
Filesize: 143B
MD5: 06ab8bc670c47033af118b08cdde61be
SHA1: feaa5e7133fa9613f5ab4a7b7e4e3933fae5b749
SHA256: a363e6c0aee24c22dd45ae626196407d4f66c9e5c305f94e706984668739ab10
SHA512: df952cd89af9bb7f8a0154a32324e188453484cfeec30541d8727ff4c9cd8390fbe1b8190ffdbefc0be96680e79fb70146242a639915e69738628a727a70fba7