4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f

General

Target

Loader.exe
Size

3.6MB
MD5

9485ef4eb4927403cb0f1b40563e7d83
SHA1

97f4105f7a911d7b9f9028bac945aad687e12949
SHA256

4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f
SHA512

13f110ee534bb13cf5b3120bdf9a2acc0acf0d70bbc902442f985739be742b4b015df08b9ff2dce4625e7fc500cf80f02cb36ef660926148948df92d0dca5a3b
SSDEEP

49152:DV961jhCeR2FNyAphBiyAVO9Enl0xeIGcS9EOoLNBF6FUVMP96BxMM3m9xCTCEBn:DKx48AphuVPeAIGcS9EO8NPVMVWTvJ

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Loader.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1504-133-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-134-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-135-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-136-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-137-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-138-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-139-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-140-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-141-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-142-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida
behavioral2/memory/1504-143-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Loader.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Loader.exe

pid process

1504 Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

pid	process
1504	Loader.exe

Launches sc.exe 35 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1356	sc.exe
3448	sc.exe
4732	sc.exe
1088	sc.exe
4256	sc.exe
2432	sc.exe
4612	sc.exe
2600	sc.exe
3684	sc.exe
3240	sc.exe
2208	sc.exe
4108	sc.exe
4144	sc.exe
2728	sc.exe
4144	sc.exe
1668	sc.exe
3496	sc.exe
604	sc.exe
3160	sc.exe
4056	sc.exe
4692	sc.exe
1368	sc.exe
3656	sc.exe
4072	sc.exe
4496	sc.exe
4600	sc.exe
3176	sc.exe
2244	sc.exe
4116	sc.exe
3428	sc.exe
2280	sc.exe
4876	sc.exe
1944	sc.exe
2132	sc.exe
4692	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 36 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
436	taskkill.exe
4452	taskkill.exe
2724	taskkill.exe
1232	taskkill.exe
2284	taskkill.exe
3220	taskkill.exe
4488	taskkill.exe
1652	taskkill.exe
4424	taskkill.exe
4380	taskkill.exe
4652	taskkill.exe
4552	taskkill.exe
3928	taskkill.exe
3692	taskkill.exe
384	taskkill.exe
4116	taskkill.exe
4232	taskkill.exe
4292	taskkill.exe
1460	taskkill.exe
4712	taskkill.exe
4732	taskkill.exe
3176	taskkill.exe
4056	taskkill.exe
4652	taskkill.exe
4960	taskkill.exe
3020	taskkill.exe
2920	taskkill.exe
1040	taskkill.exe
1328	taskkill.exe
1460	taskkill.exe
2132	taskkill.exe
3236	taskkill.exe
3312	taskkill.exe
4092	taskkill.exe
4824	taskkill.exe
4232	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exetaskkill.execmd.exeConhost.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	2132	sc.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	4732	sc.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	4292	cmd.exe
Token: SeDebugPrivilege	2920	Conhost.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	3176	Conhost.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.exetaskkill.exenet.execmd.exesc.execmd.exeConhost.execmd.execmd.execmd.execmd.execmd.exesvchost.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 1040	1504	Loader.exe	taskkill.exe
PID 1504 wrote to memory of 1040	1504	Loader.exe	taskkill.exe
PID 1504 wrote to memory of 4612	1504	Loader.exe	sc.exe
PID 1504 wrote to memory of 4612	1504	Loader.exe	sc.exe
PID 1504 wrote to memory of 236	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 236	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 2588	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 2588	1504	Loader.exe	cmd.exe
PID 1040 wrote to memory of 1796	1040	taskkill.exe	net.exe
PID 1040 wrote to memory of 1796	1040	taskkill.exe	net.exe
PID 1504 wrote to memory of 4804	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 4804	1504	Loader.exe	cmd.exe
PID 1796 wrote to memory of 3968	1796	net.exe	net1.exe
PID 1796 wrote to memory of 3968	1796	net.exe	net1.exe
PID 1504 wrote to memory of 1008	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 1008	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 4380	1504	Loader.exe	Conhost.exe
PID 1504 wrote to memory of 4380	1504	Loader.exe	Conhost.exe
PID 236 wrote to memory of 2432	236	cmd.exe	sc.exe
PID 236 wrote to memory of 2432	236	cmd.exe	sc.exe
PID 1504 wrote to memory of 1964	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 1964	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 4132	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 4132	1504	Loader.exe	cmd.exe
PID 4612 wrote to memory of 2852	4612	sc.exe	cmd.exe
PID 4612 wrote to memory of 2852	4612	sc.exe	cmd.exe
PID 2852 wrote to memory of 3380	2852	cmd.exe	net1.exe
PID 2852 wrote to memory of 3380	2852	cmd.exe	net1.exe
PID 4380 wrote to memory of 4072	4380	Conhost.exe	cmd.exe
PID 4380 wrote to memory of 4072	4380	Conhost.exe	cmd.exe
PID 2588 wrote to memory of 2208	2588	cmd.exe	TrustedInstaller.exe
PID 2588 wrote to memory of 2208	2588	cmd.exe	TrustedInstaller.exe
PID 4804 wrote to memory of 4876	4804	cmd.exe	sc.exe
PID 4804 wrote to memory of 4876	4804	cmd.exe	sc.exe
PID 4132 wrote to memory of 436	4132	cmd.exe	taskkill.exe
PID 4132 wrote to memory of 436	4132	cmd.exe	taskkill.exe
PID 1008 wrote to memory of 1356	1008	cmd.exe	sc.exe
PID 1008 wrote to memory of 1356	1008	cmd.exe	sc.exe
PID 1964 wrote to memory of 4056	1964	cmd.exe	taskkill.exe
PID 1964 wrote to memory of 4056	1964	cmd.exe	taskkill.exe
PID 1504 wrote to memory of 3144	1504	Loader.exe	svchost.exe
PID 1504 wrote to memory of 3144	1504	Loader.exe	svchost.exe
PID 3144 wrote to memory of 4092	3144	svchost.exe	taskkill.exe
PID 3144 wrote to memory of 4092	3144	svchost.exe	taskkill.exe
PID 1504 wrote to memory of 372	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 372	1504	Loader.exe	cmd.exe
PID 372 wrote to memory of 4496	372	cmd.exe	cmd.exe
PID 372 wrote to memory of 4496	372	cmd.exe	cmd.exe
PID 1504 wrote to memory of 2552	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 2552	1504	Loader.exe	cmd.exe
PID 2552 wrote to memory of 4452	2552	cmd.exe	taskkill.exe
PID 2552 wrote to memory of 4452	2552	cmd.exe	taskkill.exe
PID 1504 wrote to memory of 4512	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 4512	1504	Loader.exe	cmd.exe
PID 4512 wrote to memory of 1460	4512	cmd.exe	taskkill.exe
PID 4512 wrote to memory of 1460	4512	cmd.exe	taskkill.exe
PID 1504 wrote to memory of 2148	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 2148	1504	Loader.exe	cmd.exe
PID 2148 wrote to memory of 2724	2148	cmd.exe	taskkill.exe
PID 2148 wrote to memory of 2724	2148	cmd.exe	taskkill.exe
PID 1504 wrote to memory of 2716	1504	Loader.exe	cmd.exe
PID 1504 wrote to memory of 2716	1504	Loader.exe	cmd.exe
PID 2716 wrote to memory of 4960	2716	cmd.exe	taskkill.exe
PID 2716 wrote to memory of 4960	2716	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1040

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:3968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:4612

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:2852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:3380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:236

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:2208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:4804

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:4876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:4380

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:3144

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2552

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WindowsHost_Updates.x64.exe >nul 2>&1
2⤵
PID:2716

C:\Windows\system32\taskkill.exe
taskkill /f /im WindowsHost_Updates.x64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
2⤵
PID:1656

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGames.exe >nul 2>&1
2⤵
PID:4064

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGames.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
2⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE >nul 2>&1
2⤵
PID:4388

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC >nul 2>&1
2⤵
PID:384

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC
3⤵
- Kills process with taskkill
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher >nul 2>&1
2⤵
PID:1756

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher
3⤵
- Kills process with taskkill
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&1
2⤵
PID:4676

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steamwebhelper.exe >nul 2>&1
2⤵
PID:4248

C:\Windows\system32\taskkill.exe
taskkill /f /im steamwebhelper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im csgo.exe >nul 2>&1
2⤵
PID:2232

C:\Windows\system32\taskkill.exe
taskkill /f /im csgo.exe
3⤵
- Kills process with taskkill
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im GameOverlayUI.exe >nul 2>&1
2⤵
PID:4344

C:\Windows\system32\taskkill.exe
taskkill /f /im GameOverlayUI.exe
3⤵
- Kills process with taskkill
PID:2920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:2404

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:3304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:4644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:2024

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:2464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:2792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3632

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:2916

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:4108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:5048

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:2600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:4592

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:2244

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1820

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:844

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:4152

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:5044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:4788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:2272

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:1328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3312

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:4976

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:3684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1932

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:4600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:4652

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:3160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1976

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1184

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:208

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4072

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2112

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1140

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2024

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2728

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4592

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:2428

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:3320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:1568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1148

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:3176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:4496

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:4692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:2108

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:3428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:4340

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4264

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:4744

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4260

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3684

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4192

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4884

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4344

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:4448

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:4072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:4720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1976

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:3380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:4716

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:2728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:756

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1140

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:4692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1964

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:3852

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:4168

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3180

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:556

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3804

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
PID:4264

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
3⤵
PID:4044

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:1932

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
2⤵
PID:4928

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-133-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-134-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-135-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-136-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-137-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-138-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-139-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-140-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-141-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-142-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download
memory/1504-143-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp

Filesize
9.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads