4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f

General

Target

Loader.exe
Size

3.6MB
MD5

9485ef4eb4927403cb0f1b40563e7d83
SHA1

97f4105f7a911d7b9f9028bac945aad687e12949
SHA256

4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f
SHA512

13f110ee534bb13cf5b3120bdf9a2acc0acf0d70bbc902442f985739be742b4b015df08b9ff2dce4625e7fc500cf80f02cb36ef660926148948df92d0dca5a3b
SSDEEP

49152:DV961jhCeR2FNyAphBiyAVO9Enl0xeIGcS9EOoLNBF6FUVMP96BxMM3m9xCTCEBn:DKx48AphuVPeAIGcS9EO8NPVMVWTvJ

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Loader.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/628-133-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-134-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-135-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-136-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-137-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-138-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-139-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-140-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-141-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-142-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida
behavioral2/memory/628-143-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Loader.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Loader.exe

pid process

628 Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

pid	process
628	Loader.exe

Launches sc.exe 35 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1800	sc.exe
2428	sc.exe
4384	sc.exe
4492	sc.exe
4792	sc.exe
5080	sc.exe
2680	sc.exe
3120	sc.exe
692	sc.exe
2736	sc.exe
2256	sc.exe
1620	sc.exe
4128	sc.exe
3292	sc.exe
4968	sc.exe
4740	sc.exe
4724	sc.exe
3700	sc.exe
4352	sc.exe
4572	sc.exe
3176	sc.exe
4876	sc.exe
4396	sc.exe
3920	sc.exe
2308	sc.exe
4308	sc.exe
2488	sc.exe
4384	sc.exe
4612	sc.exe
1108	sc.exe
1624	sc.exe
3684	sc.exe
1592	sc.exe
5084	sc.exe
1800	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 36 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1800	taskkill.exe
4804	taskkill.exe
5080	taskkill.exe
1592	taskkill.exe
2440	taskkill.exe
2232	taskkill.exe
4772	taskkill.exe
648	taskkill.exe
3644	taskkill.exe
2596	taskkill.exe
3988	taskkill.exe
4016	taskkill.exe
3280	taskkill.exe
2668	taskkill.exe
4248	taskkill.exe
1820	taskkill.exe
4976	taskkill.exe
3852	taskkill.exe
2044	taskkill.exe
3948	taskkill.exe
3644	taskkill.exe
4624	taskkill.exe
4864	taskkill.exe
1888	taskkill.exe
2292	taskkill.exe
1268	taskkill.exe
1896	taskkill.exe
3160	taskkill.exe
3204	taskkill.exe
3588	taskkill.exe
220	taskkill.exe
756	taskkill.exe
3404	taskkill.exe
4804	taskkill.exe
1572	taskkill.exe
4764	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.execmd.execmd.exenet1.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	3204	Conhost.exe
Token: SeDebugPrivilege	3280	cmd.exe
Token: SeDebugPrivilege	3588	cmd.exe
Token: SeDebugPrivilege	2668	net1.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	1592	sc.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	3852	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.execmd.execmd.exenet.exenet.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exetaskkill.exesc.execmd.execmd.execmd.exe

description	pid	process	target process
PID 628 wrote to memory of 2256	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 2256	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 4320	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 4320	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 1820	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 1820	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 456	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 456	628	Loader.exe	cmd.exe
PID 2256 wrote to memory of 4864	2256	cmd.exe	net.exe
PID 2256 wrote to memory of 4864	2256	cmd.exe	net.exe
PID 628 wrote to memory of 3764	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 3764	628	Loader.exe	cmd.exe
PID 4320 wrote to memory of 4408	4320	cmd.exe	net.exe
PID 4320 wrote to memory of 4408	4320	cmd.exe	net.exe
PID 4864 wrote to memory of 4316	4864	net.exe	net1.exe
PID 4864 wrote to memory of 4316	4864	net.exe	net1.exe
PID 4408 wrote to memory of 3680	4408	net.exe	net1.exe
PID 4408 wrote to memory of 3680	4408	net.exe	net1.exe
PID 628 wrote to memory of 2404	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 2404	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 4928	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 4928	628	Loader.exe	cmd.exe
PID 1820 wrote to memory of 4572	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 4572	1820	cmd.exe	sc.exe
PID 628 wrote to memory of 1148	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 1148	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 3272	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 3272	628	Loader.exe	cmd.exe
PID 456 wrote to memory of 4968	456	cmd.exe	sc.exe
PID 456 wrote to memory of 4968	456	cmd.exe	sc.exe
PID 3764 wrote to memory of 2308	3764	cmd.exe	sc.exe
PID 3764 wrote to memory of 2308	3764	cmd.exe	sc.exe
PID 3272 wrote to memory of 1800	3272	cmd.exe	taskkill.exe
PID 3272 wrote to memory of 1800	3272	cmd.exe	taskkill.exe
PID 4928 wrote to memory of 3120	4928	cmd.exe	sc.exe
PID 4928 wrote to memory of 3120	4928	cmd.exe	sc.exe
PID 2404 wrote to memory of 5084	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 5084	2404	cmd.exe	sc.exe
PID 1148 wrote to memory of 4740	1148	cmd.exe	sc.exe
PID 1148 wrote to memory of 4740	1148	cmd.exe	sc.exe
PID 628 wrote to memory of 2232	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 2232	628	Loader.exe	cmd.exe
PID 2232 wrote to memory of 2044	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 2044	2232	cmd.exe	taskkill.exe
PID 628 wrote to memory of 3404	628	Loader.exe	taskkill.exe
PID 628 wrote to memory of 3404	628	Loader.exe	taskkill.exe
PID 3404 wrote to memory of 2736	3404	taskkill.exe	sc.exe
PID 3404 wrote to memory of 2736	3404	taskkill.exe	sc.exe
PID 628 wrote to memory of 4492	628	Loader.exe	sc.exe
PID 628 wrote to memory of 4492	628	Loader.exe	sc.exe
PID 4492 wrote to memory of 3948	4492	sc.exe	taskkill.exe
PID 4492 wrote to memory of 3948	4492	sc.exe	taskkill.exe
PID 628 wrote to memory of 4772	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 4772	628	Loader.exe	cmd.exe
PID 4772 wrote to memory of 4804	4772	cmd.exe	taskkill.exe
PID 4772 wrote to memory of 4804	4772	cmd.exe	taskkill.exe
PID 628 wrote to memory of 3872	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 3872	628	Loader.exe	cmd.exe
PID 3872 wrote to memory of 3644	3872	cmd.exe	taskkill.exe
PID 3872 wrote to memory of 3644	3872	cmd.exe	taskkill.exe
PID 628 wrote to memory of 4300	628	Loader.exe	cmd.exe
PID 628 wrote to memory of 4300	628	Loader.exe	cmd.exe
PID 4300 wrote to memory of 1896	4300	cmd.exe	taskkill.exe
PID 4300 wrote to memory of 1896	4300	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:4968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:2308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:5084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3404

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4492

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WindowsHost_Updates.x64.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\system32\taskkill.exe
taskkill /f /im WindowsHost_Updates.x64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
2⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGames.exe >nul 2>&1
2⤵
PID:5072

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGames.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
2⤵
PID:3612

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE >nul 2>&1
2⤵
PID:4016

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE
3⤵
- Kills process with taskkill
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC >nul 2>&1
2⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC
3⤵
- Kills process with taskkill
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher >nul 2>&1
2⤵
PID:876

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher
3⤵
- Kills process with taskkill
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&1
2⤵
PID:2188

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steamwebhelper.exe >nul 2>&1
2⤵
PID:4996

C:\Windows\system32\taskkill.exe
taskkill /f /im steamwebhelper.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im csgo.exe >nul 2>&1
2⤵
PID:1976

C:\Windows\system32\taskkill.exe
taskkill /f /im csgo.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im GameOverlayUI.exe >nul 2>&1
2⤵
PID:4408

C:\Windows\system32\taskkill.exe
taskkill /f /im GameOverlayUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:3808

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:3548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:4660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:4452

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:4072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2256

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:4732

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:4308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:980

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:2088

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:3616

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4896

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:4720

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4548

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:408

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1632

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4260

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:5072

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:3752

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:3036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4016

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:5008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:4528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:652

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:4724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:3852

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:3920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:3472

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:2256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:4408

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:2404

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:4740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3176

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:5104

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4924

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4868

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2728

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4080

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:2232

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:2148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:2360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:3156

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:5072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3872

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:4556

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:1496

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:4384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:4260

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1452

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:1432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4392

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4640

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2640

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4192

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:3120

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:4680

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:4880

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:4364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:4240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2088

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:5080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:4560

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:4352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:3196

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:3684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:4844

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:4384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:2300

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:3856

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:4416

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4548

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4444

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2488

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4432

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:1800

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
PID:2256

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
3⤵
PID:936

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:652

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
2⤵
PID:3700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:4316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:3680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:3656

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-133-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-134-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-135-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-136-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-137-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-138-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-139-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-140-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-141-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-142-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download
memory/628-143-0x00007FF6EBAF0000-0x00007FF6EC498000-memory.dmp

Filesize
9.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads