Analysis
-
max time kernel
53s -
max time network
116s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
24-03-2023 22:56
General
-
Target
Loader.exe
-
Size
3.6MB
-
MD5
9485ef4eb4927403cb0f1b40563e7d83
-
SHA1
97f4105f7a911d7b9f9028bac945aad687e12949
-
SHA256
4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f
-
SHA512
13f110ee534bb13cf5b3120bdf9a2acc0acf0d70bbc902442f985739be742b4b015df08b9ff2dce4625e7fc500cf80f02cb36ef660926148948df92d0dca5a3b
-
SSDEEP
49152:DV961jhCeR2FNyAphBiyAVO9Enl0xeIGcS9EOoLNBF6FUVMP96BxMM3m9xCTCEBn:DKx48AphuVPeAIGcS9EO8NPVMVWTvJ
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Launches sc.exe 42 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 41 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im WindowsHost_Updates.x64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im WindowsHost_Updates.x64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGames.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGames.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im steam.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im steamwebhelper.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im steamwebhelper.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im csgo.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im csgo.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im GameOverlayUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im GameOverlayUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD53⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver21⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1948-54-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB
-
memory/1948-55-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB
-
memory/1948-57-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB
-
memory/1948-56-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB
-
memory/1948-58-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB
-
memory/1948-59-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB
-
memory/1948-60-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB
-
memory/1948-61-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB
-
memory/1948-62-0x000000013F190000-0x000000013FB38000-memory.dmpFilesize
9.7MB