Analysis
max time kernel: 61s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 21:45
Behavioral task: behavioral1
Sample: Loader.exe
Resource: win7-20230220-en
General
Target: Loader.exe
Size: 3.6MB
MD5: 9485ef4eb4927403cb0f1b40563e7d83
SHA1: 97f4105f7a911d7b9f9028bac945aad687e12949
SHA256: 4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f
SHA512: 13f110ee534bb13cf5b3120bdf9a2acc0acf0d70bbc902442f985739be742b4b015df08b9ff2dce4625e7fc500cf80f02cb36ef660926148948df92d0dca5a3b
SSDEEP: 49152:DV961jhCeR2FNyAphBiyAVO9Enl0xeIGcS9EOoLNBF6FUVMP96BxMM3m9xCTCEBn:DKx48AphuVPeAIGcS9EO8NPVMVWTvJ
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes: Loader.exe
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Loader.exe
- Stops running service(s) 3 TTPs
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Loader.exe
  description         ioc                                                              process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Loader.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Loader.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: Loader.exe
  description         ioc                                                                                                  process
  Key value queried   \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation   Loader.exe
- Processes:
  resource                                                                       yara_rule
  behavioral2/memory/1504-133-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-134-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-135-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-136-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-137-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-138-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-139-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-140-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-141-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-142-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
  behavioral2/memory/1504-143-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   themida
- Checks whether UAC is enabled
  Processes: Loader.exe
  description         ioc                                                                         process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Loader.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: Loader.exe
  pid    process
  1504   Loader.exe
- Launches sc.exe 35 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (35 instances)
  pid process: 1356 sc.exe, 3448 sc.exe, 4732 sc.exe, 1088 sc.exe, 4256 sc.exe, 2432 sc.exe, 4612 sc.exe, 2600 sc.exe, 3684 sc.exe, 3240 sc.exe, 2208 sc.exe, 4108 sc.exe, 4144 sc.exe, 2728 sc.exe, 4144 sc.exe, 1668 sc.exe, 3496 sc.exe, 604 sc.exe, 3160 sc.exe, 4056 sc.exe, 4692 sc.exe, 1368 sc.exe, 3656 sc.exe, 4072 sc.exe, 4496 sc.exe, 4600 sc.exe, 3176 sc.exe, 2244 sc.exe, 4116 sc.exe, 3428 sc.exe, 2280 sc.exe, 4876 sc.exe, 1944 sc.exe, 2132 sc.exe, 4692 sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill 36 IoCs
  Processes: taskkill.exe (36 instances)
  pid process: 436 taskkill.exe, 4452 taskkill.exe, 2724 taskkill.exe, 1232 taskkill.exe, 2284 taskkill.exe, 3220 taskkill.exe, 4488 taskkill.exe, 1652 taskkill.exe, 4424 taskkill.exe, 4380 taskkill.exe, 4652 taskkill.exe, 4552 taskkill.exe, 3928 taskkill.exe, 3692 taskkill.exe, 384 taskkill.exe, 4116 taskkill.exe, 4232 taskkill.exe, 4292 taskkill.exe, 1460 taskkill.exe, 4712 taskkill.exe, 4732 taskkill.exe, 3176 taskkill.exe, 4056 taskkill.exe, 4652 taskkill.exe, 4960 taskkill.exe, 3020 taskkill.exe, 2920 taskkill.exe, 1040 taskkill.exe, 1328 taskkill.exe, 1460 taskkill.exe, 2132 taskkill.exe, 3236 taskkill.exe, 3312 taskkill.exe, 4092 taskkill.exe, 4824 taskkill.exe, 4232 taskkill.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken 36 IoCs
  Processes: taskkill.exe, sc.exe, cmd.exe, Conhost.exe
  description               pid    process
  Token: SeDebugPrivilege   436    taskkill.exe
  Token: SeDebugPrivilege   4092   taskkill.exe
  Token: SeDebugPrivilege   4452   taskkill.exe
  Token: SeDebugPrivilege   1460   taskkill.exe
  Token: SeDebugPrivilege   2724   taskkill.exe
  Token: SeDebugPrivilege   4960   taskkill.exe
  Token: SeDebugPrivilege   2132   sc.exe
  Token: SeDebugPrivilege   4712   taskkill.exe
  Token: SeDebugPrivilege   3020   taskkill.exe
  Token: SeDebugPrivilege   1232   taskkill.exe
  Token: SeDebugPrivilege   4732   sc.exe
  Token: SeDebugPrivilege   4232   taskkill.exe
  Token: SeDebugPrivilege   4652   taskkill.exe
  Token: SeDebugPrivilege   4552   taskkill.exe
  Token: SeDebugPrivilege   4292   cmd.exe
  Token: SeDebugPrivilege   2920   Conhost.exe
  Token: SeDebugPrivilege   2284   taskkill.exe
  Token: SeDebugPrivilege   3220   taskkill.exe
  Token: SeDebugPrivilege   1460   taskkill.exe
  Token: SeDebugPrivilege   3176   Conhost.exe
  Token: SeDebugPrivilege   4488   taskkill.exe
  Token: SeDebugPrivilege   1040   taskkill.exe
  Token: SeDebugPrivilege   4056   taskkill.exe
  Token: SeDebugPrivilege   3928   taskkill.exe
  Token: SeDebugPrivilege   4424   taskkill.exe
  Token: SeDebugPrivilege   3692   taskkill.exe
  Token: SeDebugPrivilege   384    taskkill.exe
  Token: SeDebugPrivilege   4824   taskkill.exe
  Token: SeDebugPrivilege   3236   taskkill.exe
  Token: SeDebugPrivilege   4116   taskkill.exe
  Token: SeDebugPrivilege   4652   taskkill.exe
  Token: SeDebugPrivilege   1328   taskkill.exe
  Token: SeDebugPrivilege   4380   taskkill.exe
  Token: SeDebugPrivilege   1652   taskkill.exe
  Token: SeDebugPrivilege   4232   taskkill.exe
  Token: SeDebugPrivilege   3312   taskkill.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes: Loader.exe, taskkill.exe, net.exe, cmd.exe, sc.exe, Conhost.exe, svchost.exe
  description                          pid    process        target process
  PID 1504 wrote to memory of 1040     1504   Loader.exe     taskkill.exe
  PID 1504 wrote to memory of 1040     1504   Loader.exe     taskkill.exe
  PID 1504 wrote to memory of 4612     1504   Loader.exe     sc.exe
  PID 1504 wrote to memory of 4612     1504   Loader.exe     sc.exe
  PID 1504 wrote to memory of 236      1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 236      1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 2588     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 2588     1504   Loader.exe     cmd.exe
  PID 1040 wrote to memory of 1796     1040   taskkill.exe   net.exe
  PID 1040 wrote to memory of 1796     1040   taskkill.exe   net.exe
  PID 1504 wrote to memory of 4804     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 4804     1504   Loader.exe     cmd.exe
  PID 1796 wrote to memory of 3968     1796   net.exe        net1.exe
  PID 1796 wrote to memory of 3968     1796   net.exe        net1.exe
  PID 1504 wrote to memory of 1008     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 1008     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 4380     1504   Loader.exe     Conhost.exe
  PID 1504 wrote to memory of 4380     1504   Loader.exe     Conhost.exe
  PID 236 wrote to memory of 2432      236    cmd.exe        sc.exe
  PID 236 wrote to memory of 2432      236    cmd.exe        sc.exe
  PID 1504 wrote to memory of 1964     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 1964     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 4132     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 4132     1504   Loader.exe     cmd.exe
  PID 4612 wrote to memory of 2852     4612   sc.exe         cmd.exe
  PID 4612 wrote to memory of 2852     4612   sc.exe         cmd.exe
  PID 2852 wrote to memory of 3380     2852   cmd.exe        net1.exe
  PID 2852 wrote to memory of 3380     2852   cmd.exe        net1.exe
  PID 4380 wrote to memory of 4072     4380   Conhost.exe    cmd.exe
  PID 4380 wrote to memory of 4072     4380   Conhost.exe    cmd.exe
  PID 2588 wrote to memory of 2208     2588   cmd.exe        TrustedInstaller.exe
  PID 2588 wrote to memory of 2208     2588   cmd.exe        TrustedInstaller.exe
  PID 4804 wrote to memory of 4876     4804   cmd.exe        sc.exe
  PID 4804 wrote to memory of 4876     4804   cmd.exe        sc.exe
  PID 4132 wrote to memory of 436      4132   cmd.exe        taskkill.exe
  PID 4132 wrote to memory of 436      4132   cmd.exe        taskkill.exe
  PID 1008 wrote to memory of 1356     1008   cmd.exe        sc.exe
  PID 1008 wrote to memory of 1356     1008   cmd.exe        sc.exe
  PID 1964 wrote to memory of 4056     1964   cmd.exe        taskkill.exe
  PID 1964 wrote to memory of 4056     1964   cmd.exe        taskkill.exe
  PID 1504 wrote to memory of 3144     1504   Loader.exe     svchost.exe
  PID 1504 wrote to memory of 3144     1504   Loader.exe     svchost.exe
  PID 3144 wrote to memory of 4092     3144   svchost.exe    taskkill.exe
  PID 3144 wrote to memory of 4092     3144   svchost.exe    taskkill.exe
  PID 1504 wrote to memory of 372      1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 372      1504   Loader.exe     cmd.exe
  PID 372 wrote to memory of 4496      372    cmd.exe        cmd.exe
  PID 372 wrote to memory of 4496      372    cmd.exe        cmd.exe
  PID 1504 wrote to memory of 2552     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 2552     1504   Loader.exe     cmd.exe
  PID 2552 wrote to memory of 4452     2552   cmd.exe        taskkill.exe
  PID 2552 wrote to memory of 4452     2552   cmd.exe        taskkill.exe
  PID 1504 wrote to memory of 4512     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 4512     1504   Loader.exe     cmd.exe
  PID 4512 wrote to memory of 1460     4512   cmd.exe        taskkill.exe
  PID 4512 wrote to memory of 1460     4512   cmd.exe        taskkill.exe
  PID 1504 wrote to memory of 2148     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 2148     1504   Loader.exe     cmd.exe
  PID 2148 wrote to memory of 2724     2148   cmd.exe        taskkill.exe
  PID 2148 wrote to memory of 2724     2148   cmd.exe        taskkill.exe
  PID 1504 wrote to memory of 2716     1504   Loader.exe     cmd.exe
  PID 1504 wrote to memory of 2716     1504   Loader.exe     cmd.exe
  PID 2716 wrote to memory of 4960     2716   cmd.exe        taskkill.exe
  PID 2716 wrote to memory of 4960     2716   cmd.exe        taskkill.exe
Processes
(indentation shows process-tree depth; "* " lines are the signatures attached to the process above them)
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  * Identifies VirtualBox via ACPI registry values (likely anti-VM)
  * Checks BIOS information in registry
  * Checks computer location settings
  * Checks whether UAC is enabled
  * Suspicious use of NtSetInformationThreadHideFromDebugger
  * Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop FACEIT
      * Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop FACEIT
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop ESEADriver2
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop ESEADriver2
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker3
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker2
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker1
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop wireshark
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerUI.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      cmdline: sc stop npf
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerSvc.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    * Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      * Kills process with taskkill
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WindowsHost_Updates.x64.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im WindowsHost_Updates.x64.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im EpicGamesLauncher.exe
      * Kills process with taskkill
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGames.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im EpicGames.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im FortniteClient-Win64-Shipping.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im FortniteClient-Win64-Shipping_BE
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im FortniteClient-Win64-Shipping_EAC
      * Kills process with taskkill
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im FortniteLauncher
      * Kills process with taskkill
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im steam.exe
      * Kills process with taskkill
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im steamwebhelper.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im steamwebhelper.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im csgo.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im csgo.exe
      * Kills process with taskkill
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im GameOverlayUI.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im GameOverlayUI.exe
      * Kills process with taskkill
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop FACEIT
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop FACEIT
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop ESEADriver2
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop ESEADriver2
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker3
      * Launches sc.exe
      * Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker2
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker1
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      cmdline: sc stop wireshark
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop npf
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerUI.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerSvc.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      * Kills process with taskkill
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop FACEIT
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop FACEIT
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop ESEADriver2
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop ESEADriver2
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker3
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker2
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker1
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop wireshark
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerUI.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
      * Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop npf
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerSvc.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    - C:\Windows\System32\Conhost.exe
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - C:\Windows\system32\net.exe
      cmdline: net stop FACEIT
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop FACEIT
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop ESEADriver2
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop ESEADriver2
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\System32\Conhost.exe
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker3
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker2
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker1
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop wireshark
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerUI.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop npf
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerSvc.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop FACEIT
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop FACEIT
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
    - C:\Windows\system32\net.exe
      cmdline: net stop ESEADriver2
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop ESEADriver2
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\System32\Conhost.exe
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      * Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker3
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker2
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop KProcessHacker1
      * Launches sc.exe
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop wireshark
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerUI.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop npf
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    * Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /f /im HTTPDebuggerSvc.exe
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe
      cmdline: sc stop HTTPDebuggerPro
      * Launches sc.exe
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    * Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskkill.exe
      cmdline: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      * Kills process with taskkill
      * Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - C:\Windows\system32\certutil.exe
      cmdline: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
    - C:\Windows\system32\find.exe
      cmdline: find /i /v "md5"
    - C:\Windows\system32\find.exe
      cmdline: find /i /v "certutil"
  - C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c CLS
- C:\Windows\system32\sc.exe
  cmdline: sc stop HTTPDebuggerPro
  * Launches sc.exe
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  * Suspicious use of WriteProcessMemory
- C:\Windows\servicing\TrustedInstaller.exe
  cmdline: C:\Windows\servicing\TrustedInstaller.exe
- C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  * Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1504-133-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-134-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-135-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-136-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-137-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-138-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-139-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-140-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-141-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-142-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB
- memory/1504-143-0x00007FF625F50000-0x00007FF6268F8000-memory.dmp   Filesize: 9.7MB