4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f

General

Target

Loader.exe
Size

3.6MB
MD5

9485ef4eb4927403cb0f1b40563e7d83
SHA1

97f4105f7a911d7b9f9028bac945aad687e12949
SHA256

4c947ca6cbc5ab813b051bb5ea739842b7c9b46e1d27f8dcc0ef881139ca482f
SHA512

13f110ee534bb13cf5b3120bdf9a2acc0acf0d70bbc902442f985739be742b4b015df08b9ff2dce4625e7fc500cf80f02cb36ef660926148948df92d0dca5a3b
SSDEEP

49152:DV961jhCeR2FNyAphBiyAVO9Enl0xeIGcS9EOoLNBF6FUVMP96BxMM3m9xCTCEBn:DKx48AphuVPeAIGcS9EO8NPVMVWTvJ

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Loader.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/792-133-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-134-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-135-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-136-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-137-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-138-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-139-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-140-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-141-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-142-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida
behavioral2/memory/792-143-0x00007FF793DF0000-0x00007FF794798000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Loader.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Loader.exe

pid process

792 Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

pid	process
792	Loader.exe

Launches sc.exe 49 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3636	sc.exe
2728	sc.exe
3300	sc.exe
3816	sc.exe
3568	sc.exe
4608	sc.exe
3916	sc.exe
4156	sc.exe
1452	sc.exe
4660	sc.exe
2616	sc.exe
3220	sc.exe
3340	sc.exe
1316	sc.exe
1288	sc.exe
4788	sc.exe
4360	sc.exe
4156	sc.exe
2344	sc.exe
4676	sc.exe
4432	sc.exe
4012	sc.exe
2484	sc.exe
2260	sc.exe
4272	sc.exe
4084	sc.exe
3580	sc.exe
4520	sc.exe
4800	sc.exe
4996	sc.exe
4340	sc.exe
4924	sc.exe
2212	sc.exe
4520	sc.exe
2108	sc.exe
436	sc.exe
2004	sc.exe
672	sc.exe
4856	sc.exe
4244	sc.exe
2912	sc.exe
1972	sc.exe
2660	sc.exe
980	sc.exe
2212	sc.exe
5032	sc.exe
5056	sc.exe
4676	sc.exe
2056	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 46 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2848	taskkill.exe
2268	taskkill.exe
4900	taskkill.exe
1284	taskkill.exe
4588	taskkill.exe
2016	taskkill.exe
4304	taskkill.exe
4248	taskkill.exe
3900	taskkill.exe
3904	taskkill.exe
3608	taskkill.exe
2232	taskkill.exe
2684	taskkill.exe
3056	taskkill.exe
3440	taskkill.exe
3844	taskkill.exe
3024	taskkill.exe
4464	taskkill.exe
664	taskkill.exe
1460	taskkill.exe
4012	taskkill.exe
4128	taskkill.exe
4192	taskkill.exe
4200	taskkill.exe
748	taskkill.exe
4996	taskkill.exe
3804	taskkill.exe
376	taskkill.exe
1464	taskkill.exe
4028	taskkill.exe
2340	taskkill.exe
4396	taskkill.exe
3640	taskkill.exe
1336	taskkill.exe
2840	taskkill.exe
2444	taskkill.exe
3812	taskkill.exe
2976	taskkill.exe
4076	taskkill.exe
1304	taskkill.exe
3748	taskkill.exe
2772	taskkill.exe
4728	taskkill.exe
2496	taskkill.exe
4432	taskkill.exe
4980	taskkill.exe

Runs net.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Loader.exe

pid process

792 Loader.exe

pid	process
792	Loader.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.exenet.execmd.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2444	cmd.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3904	net.exe
Token: SeDebugPrivilege	376	cmd.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	4432	sc.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	4012	sc.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.execmd.execmd.exenet.execmd.exenet.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 792 wrote to memory of 228	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 228	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 980	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 980	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 2744	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 2744	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 4784	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 4784	792	Loader.exe	cmd.exe
PID 228 wrote to memory of 4068	228	cmd.exe	net.exe
PID 228 wrote to memory of 4068	228	cmd.exe	net.exe
PID 2744 wrote to memory of 4084	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4084	2744	cmd.exe	sc.exe
PID 792 wrote to memory of 436	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 436	792	Loader.exe	cmd.exe
PID 4068 wrote to memory of 3916	4068	net.exe	net1.exe
PID 4068 wrote to memory of 3916	4068	net.exe	net1.exe
PID 980 wrote to memory of 3640	980	cmd.exe	net.exe
PID 980 wrote to memory of 3640	980	cmd.exe	net.exe
PID 792 wrote to memory of 2428	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 2428	792	Loader.exe	cmd.exe
PID 3640 wrote to memory of 4764	3640	net.exe	net1.exe
PID 3640 wrote to memory of 4764	3640	net.exe	net1.exe
PID 792 wrote to memory of 3320	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 3320	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 3756	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 3756	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 1784	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 1784	792	Loader.exe	cmd.exe
PID 4784 wrote to memory of 2912	4784	cmd.exe	sc.exe
PID 4784 wrote to memory of 2912	4784	cmd.exe	sc.exe
PID 436 wrote to memory of 1316	436	cmd.exe	sc.exe
PID 436 wrote to memory of 1316	436	cmd.exe	sc.exe
PID 2428 wrote to memory of 1972	2428	cmd.exe	sc.exe
PID 2428 wrote to memory of 1972	2428	cmd.exe	sc.exe
PID 1784 wrote to memory of 3748	1784	cmd.exe	taskkill.exe
PID 1784 wrote to memory of 3748	1784	cmd.exe	taskkill.exe
PID 3320 wrote to memory of 2212	3320	cmd.exe	sc.exe
PID 3320 wrote to memory of 2212	3320	cmd.exe	sc.exe
PID 3756 wrote to memory of 4520	3756	cmd.exe	sc.exe
PID 3756 wrote to memory of 4520	3756	cmd.exe	sc.exe
PID 792 wrote to memory of 1288	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 1288	792	Loader.exe	cmd.exe
PID 1288 wrote to memory of 2684	1288	cmd.exe	taskkill.exe
PID 1288 wrote to memory of 2684	1288	cmd.exe	taskkill.exe
PID 792 wrote to memory of 2712	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 2712	792	Loader.exe	cmd.exe
PID 2712 wrote to memory of 672	2712	cmd.exe	sc.exe
PID 2712 wrote to memory of 672	2712	cmd.exe	sc.exe
PID 792 wrote to memory of 2232	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 2232	792	Loader.exe	cmd.exe
PID 2232 wrote to memory of 2340	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 2340	2232	cmd.exe	taskkill.exe
PID 792 wrote to memory of 4716	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 4716	792	Loader.exe	cmd.exe
PID 4716 wrote to memory of 664	4716	cmd.exe	taskkill.exe
PID 4716 wrote to memory of 664	4716	cmd.exe	taskkill.exe
PID 792 wrote to memory of 4876	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 4876	792	Loader.exe	cmd.exe
PID 4876 wrote to memory of 4396	4876	cmd.exe	taskkill.exe
PID 4876 wrote to memory of 4396	4876	cmd.exe	taskkill.exe
PID 792 wrote to memory of 732	792	Loader.exe	cmd.exe
PID 792 wrote to memory of 732	792	Loader.exe	cmd.exe
PID 732 wrote to memory of 1336	732	cmd.exe	taskkill.exe
PID 732 wrote to memory of 1336	732	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:3916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:4764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:2912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:1972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:2212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im WindowsHost_Updates.x64.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\system32\taskkill.exe
taskkill /f /im WindowsHost_Updates.x64.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
2⤵
PID:4240

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGames.exe >nul 2>&1
2⤵
PID:3528

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGames.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
2⤵
PID:1452

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE >nul 2>&1
2⤵
PID:3032

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC >nul 2>&1
2⤵
PID:632

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher >nul 2>&1
2⤵
PID:2296

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher
3⤵
- Kills process with taskkill
PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&1
2⤵
PID:1212

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steamwebhelper.exe >nul 2>&1
2⤵
PID:3780

C:\Windows\system32\taskkill.exe
taskkill /f /im steamwebhelper.exe
3⤵
- Kills process with taskkill
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im csgo.exe >nul 2>&1
2⤵
PID:4108

C:\Windows\system32\taskkill.exe
taskkill /f /im csgo.exe
3⤵
- Kills process with taskkill
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im GameOverlayUI.exe >nul 2>&1
2⤵
PID:3608

C:\Windows\system32\taskkill.exe
taskkill /f /im GameOverlayUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:1060

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:2004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:5096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:616

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:2420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1316

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:1448

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:4608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:984

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:5032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:400

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:1084

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4464

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:4200

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2232

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4752

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2260

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2484

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:2972

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:3960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:2240

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3816

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:3104

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:3916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:2308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4108

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:5016

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:3696

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:2980

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2784

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1972

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1288

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3992

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4736

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:5024

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:4396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:4260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:4728

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:1984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:1284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1304

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:3880

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:3220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:4048

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:2260

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:3340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:3776

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:264

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:3356

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3900

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2304

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2512

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2388

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:4588

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:1440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:932

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:2492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1088

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:5056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:4608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2420

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:2056

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:4676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:232

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4260

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:2484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:3024

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4396

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4304

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2680

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:5024

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1836

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4500

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
PID:3776

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
3⤵
PID:2872

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:4660

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
2⤵
PID:2840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:4652

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:3504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:2768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:3928

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:3696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1972

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:4200

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:2728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:4468

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:2660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:2684

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:4244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:4032

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:2404

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:3848

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1004

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4472

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1796

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2704

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4876

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
2⤵
PID:632

C:\Windows\system32\net.exe
net stop FACEIT
3⤵
PID:2972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
4⤵
PID:952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
2⤵
PID:1212

C:\Windows\system32\net.exe
net stop ESEADriver2
3⤵
PID:3440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
4⤵
PID:4224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2872

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:3488

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:2344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:3836

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:3568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1652

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:4676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
2⤵
PID:3416

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
2⤵
PID:1052

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4176

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:772

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:1340

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1784

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:5052

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:3640

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-133-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-134-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-135-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-136-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-137-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-138-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-139-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-140-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-141-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-142-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download
memory/792-143-0x00007FF793DF0000-0x00007FF794798000-memory.dmp

Filesize
9.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads