569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d

Analysis

max time kernel
3s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

21.2MB
MD5

641724e3d8211104be31438b62dc7d15
SHA1

114e784ccc74babf9590583bff1e1e83e8929bb4
SHA256

569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d
SHA512

5fc3562e2b0483f9c6ca6b16586d9f15b585b692f98c7547f3ce087114e9c8bb35e7a2d54e0e788489573ebf405650104c8ebf377baddc3cbacc8321916eeb2f
SSDEEP

393216:FBKR69QxEl93SQh6mn7tG+vp2jbKmMQL8NGm10C9REV6f01Serw2ngtTV:LKIsGj6CRGu23MBGm9wXzngT

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2352	Loader.exe

Launches sc.exe 42 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2480	sc.exe
2508	sc.exe
240	sc.exe
580	sc.exe
1636	sc.exe
1092	sc.exe
1560	sc.exe
2500	sc.exe
2724	sc.exe
2452	sc.exe
1988	sc.exe
1924	sc.exe
2916	sc.exe
2504	sc.exe
2740	sc.exe
2588	sc.exe
2204	sc.exe
2748	sc.exe
1992	sc.exe
2760	sc.exe
2276	sc.exe
2660	sc.exe
1464	sc.exe
1096	sc.exe
2476	sc.exe
1720	sc.exe
1124	sc.exe
1204	sc.exe
1528	sc.exe
1608	sc.exe
2932	sc.exe
2588	sc.exe
484	sc.exe
900	sc.exe
2920	sc.exe
2256	sc.exe
2600	sc.exe
2464	sc.exe
1436	sc.exe
1660	sc.exe
1672	sc.exe
2604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 30 IoCs

evasion

pid	Process
1120	taskkill.exe
2732	taskkill.exe
1636	taskkill.exe
2356	taskkill.exe
916	taskkill.exe
2940	taskkill.exe
2828	taskkill.exe
444	taskkill.exe
2128	taskkill.exe
2904	taskkill.exe
1312	taskkill.exe
944	taskkill.exe
1312	taskkill.exe
1648	taskkill.exe
320	taskkill.exe
600	taskkill.exe
1560	taskkill.exe
1880	taskkill.exe
2812	taskkill.exe
2680	taskkill.exe
1768	taskkill.exe
2892	taskkill.exe
2164	taskkill.exe
2300	taskkill.exe
1236	taskkill.exe
1984	taskkill.exe
1456	taskkill.exe
1536	taskkill.exe
2776	taskkill.exe
2344	taskkill.exe

Runs net.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 3020	2352	Loader.exe	224
PID 2352 wrote to memory of 3020	2352	Loader.exe	224
PID 2352 wrote to memory of 3020	2352	Loader.exe	224
PID 2352 wrote to memory of 2136	2352	Loader.exe	221
PID 2352 wrote to memory of 2136	2352	Loader.exe	221
PID 2352 wrote to memory of 2136	2352	Loader.exe	221
PID 2352 wrote to memory of 2164	2352	Loader.exe	96
PID 2352 wrote to memory of 2164	2352	Loader.exe	96
PID 2352 wrote to memory of 2164	2352	Loader.exe	96
PID 3020 wrote to memory of 2560	3020	cmd.exe	220
PID 3020 wrote to memory of 2560	3020	cmd.exe	220
PID 3020 wrote to memory of 2560	3020	cmd.exe	220
PID 2352 wrote to memory of 2580	2352	Loader.exe	219
PID 2352 wrote to memory of 2580	2352	Loader.exe	219
PID 2352 wrote to memory of 2580	2352	Loader.exe	219
PID 2352 wrote to memory of 2672	2352	Loader.exe	217
PID 2352 wrote to memory of 2672	2352	Loader.exe	217
PID 2352 wrote to memory of 2672	2352	Loader.exe	217

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:2780
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:2784
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:1884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:1416
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:1772
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:2060
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1892
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:1548
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1616
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2440
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:1720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:1692
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:2884
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:2588
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:2580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1320
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2084
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FACEIT
    3⤵
    PID:3064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:576
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2248
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:892
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1168
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1928
  - - C:\Windows\system32\net.exe
      net stop ESEADriver2
      4⤵
      PID:1976
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:1940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:2528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:1060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2356
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:2688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:1228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:2408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:2764

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
PID:2680

C:\Windows\system32\sc.exe
sc stop wireshark
1⤵
- Launches sc.exe
PID:2500

C:\Windows\system32\sc.exe
sc stop npf
1⤵
- Launches sc.exe
PID:2508
- C:\Windows\system32\sc.exe
  sc stop KProcessHacker2
  2⤵
  - Launches sc.exe
  PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:2344

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2724

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:320
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
  2⤵
  - Kills process with taskkill
  PID:1560

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
1⤵
- Launches sc.exe
PID:2464

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:1636

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
1⤵
- Launches sc.exe
PID:2452

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:2588

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:1312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:2008

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
PID:600

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:2276

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:1456

C:\Windows\system32\sc.exe
sc stop npf
1⤵
- Launches sc.exe
PID:580

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:1924

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:444

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:1984

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:900

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:2356

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2660

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:2128
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop ESEADriver2
  2⤵
  PID:3016

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:2164
- C:\Windows\system32\sc.exe
  sc stop HTTPDebuggerPro
  2⤵
  - Launches sc.exe
  PID:2604
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2740

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:2904

C:\Windows\system32\sc.exe
sc stop npf
1⤵
- Launches sc.exe
PID:1636

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:1312

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:2776

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:1204

C:\Windows\system32\sc.exe
sc stop wireshark
1⤵
- Launches sc.exe
PID:2920

C:\Windows\system32\sc.exe
sc stop npf
1⤵
- Launches sc.exe
PID:2256

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:916

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:1092

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:1120

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:1648

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:1768

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
PID:1236

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:1464

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
1⤵
- Launches sc.exe
PID:1096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:1812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:2320

C:\Windows\system32\net.exe
net stop FACEIT
1⤵
PID:1100

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:2732

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
1⤵
- Launches sc.exe
PID:1528

C:\Windows\system32\sc.exe
sc stop wireshark
1⤵
- Launches sc.exe
PID:2504
- C:\Windows\system32\taskkill.exe
  taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
  2⤵
  - Kills process with taskkill
  PID:2812

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
1⤵
- Launches sc.exe
PID:1660

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
PID:944

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:2600

C:\Windows\system32\net.exe
net stop FACEIT
1⤵
PID:2968

C:\Windows\system32\sc.exe
sc stop npf
1⤵
- Launches sc.exe
PID:1608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
1⤵
PID:2088

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
PID:2940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:2324

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:1992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:2892

C:\Windows\system32\net.exe
net stop ESEADriver2
1⤵
PID:2904

C:\Windows\system32\net.exe
net stop FACEIT
1⤵
PID:2560

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
1⤵
- Kills process with taskkill
PID:2892

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
1⤵
- Launches sc.exe
PID:2480

C:\Windows\system32\sc.exe
sc stop wireshark
1⤵
- Launches sc.exe
PID:2760

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
1⤵
- Kills process with taskkill
PID:2828

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:1880

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2588

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
1⤵
- Launches sc.exe
PID:1124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
1⤵
PID:2596

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:2748

C:\Windows\system32\net.exe
net stop ESEADriver2
1⤵
PID:2128

C:\Windows\system32\net.exe
net stop FACEIT
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-0-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/2352-2-0x000000013FB10000-0x000000014342A000-memory.dmp

Filesize
57.1MB

Download
memory/2352-3-0x000000013FB10000-0x000000014342A000-memory.dmp

Filesize
57.1MB

Download
memory/2352-4-0x000000013FB10000-0x000000014342A000-memory.dmp

Filesize
57.1MB

Download
memory/2352-5-0x000000013FB10000-0x000000014342A000-memory.dmp

Filesize
57.1MB

Download
memory/2352-6-0x000000013FB10000-0x000000014342A000-memory.dmp

Filesize
57.1MB

Download
memory/2352-7-0x000000013FB10000-0x000000014342A000-memory.dmp

Filesize
57.1MB

Download
memory/2352-8-0x000000013FB10000-0x000000014342A000-memory.dmp

Filesize
57.1MB

Download
memory/2352-9-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads