Analysis
-
max time kernel
146s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
24-03-2023 22:56
Behavioral task
behavioral1
Sample
Loader.exe
Resource
win7-20230220-en
General
-
Target
Loader.exe
-
Size
3.6MB
-
MD5
9485ef4eb4927403cb0f1b40563e7d83
-
SHA1
97f4105f7a911d7b9f9028bac945aad687e12949
-
SHA256
4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f
-
SHA512
13f110ee534bb13cf5b3120bdf9a2acc0acf0d70bbc902442f985739be742b4b015df08b9ff2dce4625e7fc500cf80f02cb36ef660926148948df92d0dca5a3b
-
SSDEEP
49152:DV961jhCeR2FNyAphBiyAVO9Enl0xeIGcS9EOoLNBF6FUVMP96BxMM3m9xCTCEBn:DKx48AphuVPeAIGcS9EO8NPVMVWTvJ
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Loader.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Loader.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Loader.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Loader.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation Loader.exe -
Processes:
resource yara_rule behavioral2/memory/792-133-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-134-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-135-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-136-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-137-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-138-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-139-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-140-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-141-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-142-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida behavioral2/memory/792-143-0x00007FF793DF0000-0x00007FF794798000-memory.dmp themida -
Processes:
Loader.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Loader.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Loader.exepid process 792 Loader.exe -
Launches sc.exe 49 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 3636 sc.exe 2728 sc.exe 3300 sc.exe 3816 sc.exe 3568 sc.exe 4608 sc.exe 3916 sc.exe 4156 sc.exe 1452 sc.exe 4660 sc.exe 2616 sc.exe 3220 sc.exe 3340 sc.exe 1316 sc.exe 1288 sc.exe 4788 sc.exe 4360 sc.exe 4156 sc.exe 2344 sc.exe 4676 sc.exe 4432 sc.exe 4012 sc.exe 2484 sc.exe 2260 sc.exe 4272 sc.exe 4084 sc.exe 3580 sc.exe 4520 sc.exe 4800 sc.exe 4996 sc.exe 4340 sc.exe 4924 sc.exe 2212 sc.exe 4520 sc.exe 2108 sc.exe 436 sc.exe 2004 sc.exe 672 sc.exe 4856 sc.exe 4244 sc.exe 2912 sc.exe 1972 sc.exe 2660 sc.exe 980 sc.exe 2212 sc.exe 5032 sc.exe 5056 sc.exe 4676 sc.exe 2056 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 46 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2848 taskkill.exe 2268 taskkill.exe 4900 taskkill.exe 1284 taskkill.exe 4588 taskkill.exe 2016 taskkill.exe 4304 taskkill.exe 4248 taskkill.exe 3900 taskkill.exe 3904 taskkill.exe 3608 taskkill.exe 2232 taskkill.exe 2684 taskkill.exe 3056 taskkill.exe 3440 taskkill.exe 3844 taskkill.exe 3024 taskkill.exe 4464 taskkill.exe 664 taskkill.exe 1460 taskkill.exe 4012 taskkill.exe 4128 taskkill.exe 4192 taskkill.exe 4200 taskkill.exe 748 taskkill.exe 4996 taskkill.exe 3804 taskkill.exe 376 taskkill.exe 1464 taskkill.exe 4028 taskkill.exe 2340 taskkill.exe 4396 taskkill.exe 3640 taskkill.exe 1336 taskkill.exe 2840 taskkill.exe 2444 taskkill.exe 3812 taskkill.exe 2976 taskkill.exe 4076 taskkill.exe 1304 taskkill.exe 3748 taskkill.exe 2772 taskkill.exe 4728 taskkill.exe 2496 taskkill.exe 4432 taskkill.exe 4980 taskkill.exe -
Runs net.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Loader.exepid process 792 Loader.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.exenet.execmd.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 3748 taskkill.exe Token: SeDebugPrivilege 2684 taskkill.exe Token: SeDebugPrivilege 2340 taskkill.exe Token: SeDebugPrivilege 664 taskkill.exe Token: SeDebugPrivilege 4396 taskkill.exe Token: SeDebugPrivilege 1336 taskkill.exe Token: SeDebugPrivilege 4304 taskkill.exe Token: SeDebugPrivilege 2772 taskkill.exe Token: SeDebugPrivilege 4996 taskkill.exe Token: SeDebugPrivilege 3056 taskkill.exe Token: SeDebugPrivilege 2840 taskkill.exe Token: SeDebugPrivilege 2444 cmd.exe Token: SeDebugPrivilege 3900 taskkill.exe Token: SeDebugPrivilege 3904 net.exe Token: SeDebugPrivilege 376 cmd.exe Token: SeDebugPrivilege 3804 taskkill.exe Token: SeDebugPrivilege 3812 taskkill.exe Token: SeDebugPrivilege 4432 sc.exe Token: SeDebugPrivilege 1460 taskkill.exe Token: SeDebugPrivilege 4248 taskkill.exe Token: SeDebugPrivilege 4012 sc.exe Token: SeDebugPrivilege 4128 taskkill.exe Token: SeDebugPrivilege 3640 taskkill.exe Token: SeDebugPrivilege 4192 taskkill.exe Token: SeDebugPrivilege 1464 taskkill.exe Token: SeDebugPrivilege 4200 taskkill.exe Token: SeDebugPrivilege 3440 taskkill.exe Token: SeDebugPrivilege 2976 taskkill.exe Token: SeDebugPrivilege 2848 taskkill.exe Token: SeDebugPrivilege 3844 taskkill.exe Token: SeDebugPrivilege 748 taskkill.exe Token: SeDebugPrivilege 2268 taskkill.exe Token: SeDebugPrivilege 3608 taskkill.exe Token: SeDebugPrivilege 4980 taskkill.exe Token: SeDebugPrivilege 4728 taskkill.exe Token: SeDebugPrivilege 4076 taskkill.exe Token: SeDebugPrivilege 3024 taskkill.exe Token: SeDebugPrivilege 4028 taskkill.exe Token: SeDebugPrivilege 1304 taskkill.exe Token: SeDebugPrivilege 4464 taskkill.exe Token: SeDebugPrivilege 4900 taskkill.exe Token: SeDebugPrivilege 1284 taskkill.exe Token: SeDebugPrivilege 4588 taskkill.exe Token: SeDebugPrivilege 2016 taskkill.exe Token: SeDebugPrivilege 2232 taskkill.exe Token: SeDebugPrivilege 2496 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Loader.execmd.execmd.exenet.execmd.exenet.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 792 wrote to memory of 228 792 Loader.exe cmd.exe PID 792 wrote to memory of 228 792 Loader.exe cmd.exe PID 792 wrote to memory of 980 792 Loader.exe cmd.exe PID 792 wrote to memory of 980 792 Loader.exe cmd.exe PID 792 wrote to memory of 2744 792 Loader.exe cmd.exe PID 792 wrote to memory of 2744 792 Loader.exe cmd.exe PID 792 wrote to memory of 4784 792 Loader.exe cmd.exe PID 792 wrote to memory of 4784 792 Loader.exe cmd.exe PID 228 wrote to memory of 4068 228 cmd.exe net.exe PID 228 wrote to memory of 4068 228 cmd.exe net.exe PID 2744 wrote to memory of 4084 2744 cmd.exe sc.exe PID 2744 wrote to memory of 4084 2744 cmd.exe sc.exe PID 792 wrote to memory of 436 792 Loader.exe cmd.exe PID 792 wrote to memory of 436 792 Loader.exe cmd.exe PID 4068 wrote to memory of 3916 4068 net.exe net1.exe PID 4068 wrote to memory of 3916 4068 net.exe net1.exe PID 980 wrote to memory of 3640 980 cmd.exe net.exe PID 980 wrote to memory of 3640 980 cmd.exe net.exe PID 792 wrote to memory of 2428 792 Loader.exe cmd.exe PID 792 wrote to memory of 2428 792 Loader.exe cmd.exe PID 3640 wrote to memory of 4764 3640 net.exe net1.exe PID 3640 wrote to memory of 4764 3640 net.exe net1.exe PID 792 wrote to memory of 3320 792 Loader.exe cmd.exe PID 792 wrote to memory of 3320 792 Loader.exe cmd.exe PID 792 wrote to memory of 3756 792 Loader.exe cmd.exe PID 792 wrote to memory of 3756 792 Loader.exe cmd.exe PID 792 wrote to memory of 1784 792 Loader.exe cmd.exe PID 792 wrote to memory of 1784 792 Loader.exe cmd.exe PID 4784 wrote to memory of 2912 4784 cmd.exe sc.exe PID 4784 wrote to memory of 2912 4784 cmd.exe sc.exe PID 436 wrote to memory of 1316 436 cmd.exe sc.exe PID 436 wrote to memory of 1316 436 cmd.exe sc.exe PID 2428 wrote to memory of 1972 2428 cmd.exe sc.exe PID 2428 wrote to memory of 1972 2428 cmd.exe sc.exe PID 1784 wrote to memory of 3748 1784 cmd.exe taskkill.exe PID 1784 wrote to memory of 3748 1784 cmd.exe taskkill.exe PID 3320 wrote to memory of 2212 3320 cmd.exe sc.exe PID 3320 wrote to memory of 2212 3320 cmd.exe sc.exe PID 3756 wrote to memory of 4520 3756 cmd.exe sc.exe PID 3756 wrote to memory of 4520 3756 cmd.exe sc.exe PID 792 wrote to memory of 1288 792 Loader.exe cmd.exe PID 792 wrote to memory of 1288 792 Loader.exe cmd.exe PID 1288 wrote to memory of 2684 1288 cmd.exe taskkill.exe PID 1288 wrote to memory of 2684 1288 cmd.exe taskkill.exe PID 792 wrote to memory of 2712 792 Loader.exe cmd.exe PID 792 wrote to memory of 2712 792 Loader.exe cmd.exe PID 2712 wrote to memory of 672 2712 cmd.exe sc.exe PID 2712 wrote to memory of 672 2712 cmd.exe sc.exe PID 792 wrote to memory of 2232 792 Loader.exe cmd.exe PID 792 wrote to memory of 2232 792 Loader.exe cmd.exe PID 2232 wrote to memory of 2340 2232 cmd.exe taskkill.exe PID 2232 wrote to memory of 2340 2232 cmd.exe taskkill.exe PID 792 wrote to memory of 4716 792 Loader.exe cmd.exe PID 792 wrote to memory of 4716 792 Loader.exe cmd.exe PID 4716 wrote to memory of 664 4716 cmd.exe taskkill.exe PID 4716 wrote to memory of 664 4716 cmd.exe taskkill.exe PID 792 wrote to memory of 4876 792 Loader.exe cmd.exe PID 792 wrote to memory of 4876 792 Loader.exe cmd.exe PID 4876 wrote to memory of 4396 4876 cmd.exe taskkill.exe PID 4876 wrote to memory of 4396 4876 cmd.exe taskkill.exe PID 792 wrote to memory of 732 792 Loader.exe cmd.exe PID 792 wrote to memory of 732 792 Loader.exe cmd.exe PID 732 wrote to memory of 1336 732 cmd.exe taskkill.exe PID 732 wrote to memory of 1336 732 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im WindowsHost_Updates.x64.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im WindowsHost_Updates.x64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGames.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGames.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im steam.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im steamwebhelper.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im steamwebhelper.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im csgo.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im csgo.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im GameOverlayUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im GameOverlayUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD53⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c CLS2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop FACEIT3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FACEIT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&12⤵
-
C:\Windows\system32\net.exenet stop ESEADriver23⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver24⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ESEADriver21⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/792-133-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-134-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-135-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-136-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-137-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-138-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-139-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-140-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-141-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-142-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB
-
memory/792-143-0x00007FF793DF0000-0x00007FF794798000-memory.dmpFilesize
9.7MB