098ac3e6c47da12ac756e082e6bb8140bce495f8e8383c9e5ac90e777301485f

Analysis

max time kernel
61s
max time network
62s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ghost_Chair.exe
Size

902KB
MD5

be281884ffdbd2de2c56b96d02c16d15
SHA1

8a28794e32a143959fdfd5620b92face0499f632
SHA256

098ac3e6c47da12ac756e082e6bb8140bce495f8e8383c9e5ac90e777301485f
SHA512

fc95e7b5b6664a08a009b1dea82b18f1ce82c7aafb5719edb128d3f5e2441f58eeb67d77f50d4a57ae209339fce816714a39e79d6a2cee18bf501e3193453269
SSDEEP

12288:wm/rWPJbiF+hz5ptMhh5BOjxRwD+DdAs4eWD+PZE9O2bJIC0fDNN:JrWPhiFmzvO1OjTouRBM+O93l0fZ

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1452	sc.exe
1904	sc.exe
1464	sc.exe
2076	sc.exe
2076	sc.exe
2456	sc.exe
376	sc.exe

Kills process with taskkill 28 IoCs

evasion

pid	Process
2492	taskkill.exe
2588	taskkill.exe
1176	taskkill.exe
1036	taskkill.exe
2436	taskkill.exe
2180	taskkill.exe
1576	taskkill.exe
944	taskkill.exe
1068	taskkill.exe
1356	taskkill.exe
1676	taskkill.exe
284	taskkill.exe
2984	taskkill.exe
468	taskkill.exe
1164	taskkill.exe
1500	taskkill.exe
288	taskkill.exe
2956	taskkill.exe
2380	taskkill.exe
2416	taskkill.exe
1568	taskkill.exe
1552	taskkill.exe
1476	taskkill.exe
1184	taskkill.exe
2592	taskkill.exe
2528	taskkill.exe
2400	taskkill.exe
2688	taskkill.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2468	2192	Ghost_Chair.exe	30
PID 2192 wrote to memory of 2468	2192	Ghost_Chair.exe	30
PID 2192 wrote to memory of 2468	2192	Ghost_Chair.exe	30
PID 2192 wrote to memory of 1788	2192	Ghost_Chair.exe	31
PID 2192 wrote to memory of 1788	2192	Ghost_Chair.exe	31
PID 2192 wrote to memory of 1788	2192	Ghost_Chair.exe	31
PID 2192 wrote to memory of 1360	2192	Ghost_Chair.exe	32
PID 2192 wrote to memory of 1360	2192	Ghost_Chair.exe	32
PID 2192 wrote to memory of 1360	2192	Ghost_Chair.exe	32
PID 2192 wrote to memory of 2688	2192	Ghost_Chair.exe	33
PID 2192 wrote to memory of 2688	2192	Ghost_Chair.exe	33
PID 2192 wrote to memory of 2688	2192	Ghost_Chair.exe	33
PID 2192 wrote to memory of 2908	2192	Ghost_Chair.exe	34
PID 2192 wrote to memory of 2908	2192	Ghost_Chair.exe	34
PID 2192 wrote to memory of 2908	2192	Ghost_Chair.exe	34
PID 2192 wrote to memory of 2476	2192	Ghost_Chair.exe	35
PID 2192 wrote to memory of 2476	2192	Ghost_Chair.exe	35
PID 2192 wrote to memory of 2476	2192	Ghost_Chair.exe	35
PID 2192 wrote to memory of 3020	2192	Ghost_Chair.exe	36
PID 2192 wrote to memory of 3020	2192	Ghost_Chair.exe	36
PID 2192 wrote to memory of 3020	2192	Ghost_Chair.exe	36
PID 2688 wrote to memory of 2076	2688	cmd.exe	37
PID 2688 wrote to memory of 2076	2688	cmd.exe	37
PID 2688 wrote to memory of 2076	2688	cmd.exe	37
PID 1788 wrote to memory of 2984	1788	cmd.exe	38
PID 1788 wrote to memory of 2984	1788	cmd.exe	38
PID 1788 wrote to memory of 2984	1788	cmd.exe	38
PID 2468 wrote to memory of 2528	2468	cmd.exe	39
PID 2468 wrote to memory of 2528	2468	cmd.exe	39
PID 2468 wrote to memory of 2528	2468	cmd.exe	39
PID 1360 wrote to memory of 2492	1360	cmd.exe	40
PID 1360 wrote to memory of 2492	1360	cmd.exe	40
PID 1360 wrote to memory of 2492	1360	cmd.exe	40
PID 2908 wrote to memory of 2588	2908	cmd.exe	41
PID 2908 wrote to memory of 2588	2908	cmd.exe	41
PID 2908 wrote to memory of 2588	2908	cmd.exe	41
PID 3020 wrote to memory of 2592	3020	cmd.exe	42
PID 3020 wrote to memory of 2592	3020	cmd.exe	42
PID 3020 wrote to memory of 2592	3020	cmd.exe	42
PID 2192 wrote to memory of 2304	2192	Ghost_Chair.exe	43
PID 2192 wrote to memory of 2304	2192	Ghost_Chair.exe	43
PID 2192 wrote to memory of 2304	2192	Ghost_Chair.exe	43
PID 2192 wrote to memory of 2668	2192	Ghost_Chair.exe	44
PID 2192 wrote to memory of 2668	2192	Ghost_Chair.exe	44
PID 2192 wrote to memory of 2668	2192	Ghost_Chair.exe	44
PID 2192 wrote to memory of 2440	2192	Ghost_Chair.exe	45
PID 2192 wrote to memory of 2440	2192	Ghost_Chair.exe	45
PID 2192 wrote to memory of 2440	2192	Ghost_Chair.exe	45
PID 2192 wrote to memory of 2148	2192	Ghost_Chair.exe	46
PID 2192 wrote to memory of 2148	2192	Ghost_Chair.exe	46
PID 2192 wrote to memory of 2148	2192	Ghost_Chair.exe	46
PID 2192 wrote to memory of 2448	2192	Ghost_Chair.exe	47
PID 2192 wrote to memory of 2448	2192	Ghost_Chair.exe	47
PID 2192 wrote to memory of 2448	2192	Ghost_Chair.exe	47
PID 2192 wrote to memory of 2560	2192	Ghost_Chair.exe	48
PID 2192 wrote to memory of 2560	2192	Ghost_Chair.exe	48
PID 2192 wrote to memory of 2560	2192	Ghost_Chair.exe	48
PID 2440 wrote to memory of 2380	2440	cmd.exe	49
PID 2440 wrote to memory of 2380	2440	cmd.exe	49
PID 2440 wrote to memory of 2380	2440	cmd.exe	49
PID 2304 wrote to memory of 2400	2304	cmd.exe	50
PID 2304 wrote to memory of 2400	2304	cmd.exe	50
PID 2304 wrote to memory of 2400	2304	cmd.exe	50
PID 2448 wrote to memory of 2416	2448	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe
"C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2076
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe" MD5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe" MD5
    3⤵
    PID:2592
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2668
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2148
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2456
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2560
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2724
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2828
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:780
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:376
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2836
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2272
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1220
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1468
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:816
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:784
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1452
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1448
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1736
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3016
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:704
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1464
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1128
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1160
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2312
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:284
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2648
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1904
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1888
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2184
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1524
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Windows\system32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1536
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2076
- C:\Windows\system32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:1528
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- C:\Windows\system32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2192-0-0x000000013FAB0000-0x000000013FB95000-memory.dmp

Filesize
916KB

Download