037515150fb0a29b4b02454369f3febd419df5df15fa5d8950f9c22a1edd9090

Analysis

max time kernel
147s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

20.6MB
MD5

a36c468a1e4cfd6f56c4e5934876014e
SHA1

7629d391b0405ad08148b39e95b9ce7a580c9661
SHA256

037515150fb0a29b4b02454369f3febd419df5df15fa5d8950f9c22a1edd9090
SHA512

31ab2a294a7d9e492929eb98fc584c6aed3f4860378b17c190dbb27ecc766105888fd74c641b9e2c33cecc817a8e945939df23514b0a095f776a30e9cf7982c4
SSDEEP

393216:4ZhEvkbSBowx32w6yxYHEcIiE8ozrvkBfO4aCyLJdd7:GhzbSBoMeyebhEBEBW4iLJP

Score

10^/10

evasion ransomware

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
2176	fsutil.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1000	loader.exe
2536	GamePanel.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 2536	1000	loader.exe	83

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3172	sc.exe
484	sc.exe
2824	sc.exe
1680	sc.exe
1560	sc.exe
4060	sc.exe
3700	sc.exe
4540	sc.exe
4292	sc.exe
1164	sc.exe
1740	sc.exe
4556	sc.exe
4516	sc.exe
4268	sc.exe
3488	sc.exe
4812	sc.exe
1996	sc.exe
1612	sc.exe
2464	sc.exe
2024	sc.exe
1588	sc.exe
3876	sc.exe
1280	sc.exe
2148	sc.exe
3488	sc.exe
4632	sc.exe
2748	sc.exe
1508	sc.exe
1480	sc.exe
2128	sc.exe
1636	sc.exe
244	sc.exe
4144	sc.exe
3532	sc.exe
2276	sc.exe
3284	sc.exe
708	sc.exe
820	sc.exe
4160	sc.exe
2308	sc.exe
3924	sc.exe
1384	sc.exe
1292	sc.exe
2652	sc.exe
1252	sc.exe
4724	sc.exe
4512	sc.exe
4676	sc.exe
4752	sc.exe
1932	sc.exe
2612	sc.exe
1172	sc.exe
3912	sc.exe
3876	sc.exe
3336	sc.exe
3924	sc.exe
1560	sc.exe
3268	sc.exe
2704	sc.exe
1248	sc.exe
3872	sc.exe
2736	sc.exe
1768	sc.exe
3832	sc.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
380	taskkill.exe
4568	taskkill.exe
3832	taskkill.exe
1588	taskkill.exe
2128	taskkill.exe
1136	taskkill.exe
1972	taskkill.exe
2108	taskkill.exe
3276	taskkill.exe
2192	taskkill.exe
2308	taskkill.exe
4836	taskkill.exe
4716	taskkill.exe
4724	taskkill.exe
1312	taskkill.exe
2552	taskkill.exe
244	taskkill.exe
3268	taskkill.exe
992	taskkill.exe
4616	taskkill.exe
2912	taskkill.exe
1180	taskkill.exe
3168	taskkill.exe
2852	taskkill.exe
960	taskkill.exe
884	taskkill.exe
4496	taskkill.exe
1876	taskkill.exe
1292	taskkill.exe
1164	taskkill.exe
4060	taskkill.exe
4924	taskkill.exe
4204	taskkill.exe
4612	taskkill.exe
3844	taskkill.exe
2912	taskkill.exe
2224	taskkill.exe
992	taskkill.exe
4268	taskkill.exe
1232	taskkill.exe
4292	taskkill.exe
2316	taskkill.exe
3548	taskkill.exe
2652	taskkill.exe
1044	taskkill.exe
4952	taskkill.exe
3160	taskkill.exe
4020	taskkill.exe
4592	taskkill.exe
3268	taskkill.exe
2288	taskkill.exe
4780	taskkill.exe
4604	taskkill.exe
1452	taskkill.exe
4644	taskkill.exe
1000	taskkill.exe
4188	taskkill.exe
4616	taskkill.exe
4384	taskkill.exe
1388	taskkill.exe
3704	taskkill.exe
3556	taskkill.exe
3540	taskkill.exe
1252	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
240	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1000	loader.exe
1000	loader.exe
2536	GamePanel.exe
2536	GamePanel.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	GamePanel.exe
Token: SeTakeOwnershipPrivilege	2536	GamePanel.exe
Token: SeLoadDriverPrivilege	2536	GamePanel.exe
Token: SeShutdownPrivilege	2536	GamePanel.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	3268	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	3412	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 2536	1000	loader.exe	83
PID 1000 wrote to memory of 3056	1000	loader.exe	84
PID 1000 wrote to memory of 3056	1000	loader.exe	84
PID 3056 wrote to memory of 240	3056	cmd.exe	86
PID 3056 wrote to memory of 240	3056	cmd.exe	86
PID 3056 wrote to memory of 2176	3056	cmd.exe	87
PID 3056 wrote to memory of 2176	3056	cmd.exe	87
PID 2536 wrote to memory of 2180	2536	GamePanel.exe	90
PID 2536 wrote to memory of 2180	2536	GamePanel.exe	90
PID 2536 wrote to memory of 2308	2536	GamePanel.exe	91
PID 2536 wrote to memory of 2308	2536	GamePanel.exe	91
PID 2536 wrote to memory of 4268	2536	GamePanel.exe	93
PID 2536 wrote to memory of 4268	2536	GamePanel.exe	93
PID 2536 wrote to memory of 5068	2536	GamePanel.exe	95
PID 2536 wrote to memory of 5068	2536	GamePanel.exe	95
PID 2536 wrote to memory of 1280	2536	GamePanel.exe	98
PID 2536 wrote to memory of 1280	2536	GamePanel.exe	98
PID 2536 wrote to memory of 1232	2536	GamePanel.exe	100
PID 2536 wrote to memory of 1232	2536	GamePanel.exe	100
PID 2536 wrote to memory of 4816	2536	GamePanel.exe	102
PID 2536 wrote to memory of 4816	2536	GamePanel.exe	102
PID 2536 wrote to memory of 4632	2536	GamePanel.exe	104
PID 2536 wrote to memory of 4632	2536	GamePanel.exe	104
PID 2536 wrote to memory of 3044	2536	GamePanel.exe	106
PID 2536 wrote to memory of 3044	2536	GamePanel.exe	106
PID 2536 wrote to memory of 3464	2536	GamePanel.exe	108
PID 2536 wrote to memory of 3464	2536	GamePanel.exe	108
PID 2536 wrote to memory of 1044	2536	GamePanel.exe	110
PID 2536 wrote to memory of 1044	2536	GamePanel.exe	110
PID 2536 wrote to memory of 2148	2536	GamePanel.exe	112
PID 2536 wrote to memory of 2148	2536	GamePanel.exe	112
PID 2536 wrote to memory of 1704	2536	GamePanel.exe	115
PID 2536 wrote to memory of 1704	2536	GamePanel.exe	115
PID 2536 wrote to memory of 1892	2536	GamePanel.exe	117
PID 2536 wrote to memory of 1892	2536	GamePanel.exe	117
PID 2536 wrote to memory of 3268	2536	GamePanel.exe	119
PID 2536 wrote to memory of 3268	2536	GamePanel.exe	119
PID 2536 wrote to memory of 4988	2536	GamePanel.exe	121
PID 2536 wrote to memory of 4988	2536	GamePanel.exe	121
PID 2536 wrote to memory of 2912	2536	GamePanel.exe	123
PID 2536 wrote to memory of 2912	2536	GamePanel.exe	123
PID 2536 wrote to memory of 3984	2536	GamePanel.exe	125
PID 2536 wrote to memory of 3984	2536	GamePanel.exe	125
PID 2536 wrote to memory of 3308	2536	GamePanel.exe	127
PID 2536 wrote to memory of 3308	2536	GamePanel.exe	127
PID 2536 wrote to memory of 3480	2536	GamePanel.exe	129
PID 2536 wrote to memory of 3480	2536	GamePanel.exe	129
PID 2536 wrote to memory of 1136	2536	GamePanel.exe	131
PID 2536 wrote to memory of 1136	2536	GamePanel.exe	131
PID 2536 wrote to memory of 2316	2536	GamePanel.exe	133
PID 2536 wrote to memory of 2316	2536	GamePanel.exe	133
PID 2536 wrote to memory of 4572	2536	GamePanel.exe	135
PID 2536 wrote to memory of 4572	2536	GamePanel.exe	135

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SYSTEM32\GamePanel.exe
  GamePanel.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SYSTEM32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:2180
- - C:\Windows\SYSTEM32\sc.exe
    sc start ProfSvc
    3⤵
    - Launches sc.exe
    PID:2308
- - C:\Windows\SYSTEM32\sc.exe
    sc config ProfSvc start=auto
    3⤵
    - Launches sc.exe
    PID:4268
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "VALORANT-Win64-Shipping.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUx.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUxRender.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EpicGamesLauncher.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteLauncher.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_BE.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC_EOS.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EscapeFromTarkov.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RainbowSix.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RustClient.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RogueCompany.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "ModernWarfare.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "cod.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "r5apex.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "DayZ_x64.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\SYSTEM32\sc.exe
    sc stop vkg
    3⤵
    - Launches sc.exe
    PID:4060
- - C:\Windows\SYSTEM32\sc.exe
    sc stop FaceIT
    3⤵
    - Launches sc.exe
    PID:3700
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:2148
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:1588
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:4540
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:3532
- - C:\Windows\SYSTEM32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\SYSTEM32\sc.exe
    sc stop atvi-brynhildr
    3⤵
    - Launches sc.exe
    PID:1932
- - C:\Windows\SYSTEM32\sc.exe
    sc start ProfSvc
    3⤵
    PID:1304
- - C:\Windows\SYSTEM32\sc.exe
    sc config ProfSvc start=auto
    3⤵
    - Launches sc.exe
    PID:4292
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4976
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "VALORANT-Win64-Shipping.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUx.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUxRender.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EpicGamesLauncher.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteLauncher.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_BE.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC_EOS.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EscapeFromTarkov.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RainbowSix.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RustClient.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RogueCompany.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "ModernWarfare.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "cod.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "r5apex.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "DayZ_x64.exe" /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- - C:\Windows\SYSTEM32\sc.exe
    sc stop vkg
    3⤵
    - Launches sc.exe
    PID:1768
- - C:\Windows\SYSTEM32\sc.exe
    sc stop FaceIT
    3⤵
    - Launches sc.exe
    PID:2024
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:4724
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:3924
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    PID:1288
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    PID:960
- - C:\Windows\SYSTEM32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1480
- - C:\Windows\SYSTEM32\sc.exe
    sc stop atvi-brynhildr
    3⤵
    - Launches sc.exe
    PID:1508
- - C:\Windows\SYSTEM32\sc.exe
    sc start ProfSvc
    3⤵
    - Launches sc.exe
    PID:1252
- - C:\Windows\SYSTEM32\sc.exe
    sc config ProfSvc start=auto
    3⤵
    - Launches sc.exe
    PID:2128
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "VALORANT-Win64-Shipping.exe" /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUx.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4952
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUxRender.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:2912
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EpicGamesLauncher.exe" /F /T
    3⤵
    PID:3984
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteLauncher.exe" /F /T
    3⤵
    PID:2920
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping.exe" /F /T
    3⤵
    PID:340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_BE.exe" /F /T
    3⤵
    PID:4512
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC.exe" /F /T
    3⤵
    PID:4528
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC_EOS.exe" /F /T
    3⤵
    PID:4816
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EscapeFromTarkov.exe" /F /T
    3⤵
    PID:4584
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RainbowSix.exe" /F /T
    3⤵
    PID:2288
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RustClient.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:884
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:1180
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RogueCompany.exe" /F /T
    3⤵
    PID:1592
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    PID:1920
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "ModernWarfare.exe" /F /T
    3⤵
    PID:4920
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "cod.exe" /F /T
    3⤵
    PID:2376
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "r5apex.exe" /F /T
    3⤵
    PID:4060
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "DayZ_x64.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4188
- - C:\Windows\SYSTEM32\sc.exe
    sc stop vkg
    3⤵
    - Launches sc.exe
    PID:1680
- - C:\Windows\SYSTEM32\sc.exe
    sc stop FaceIT
    3⤵
    PID:2148
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:1560
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEDaisy
    3⤵
    PID:3708
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:3268
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    PID:1452
- - C:\Windows\SYSTEM32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1388
- - C:\Windows\SYSTEM32\sc.exe
    sc stop atvi-brynhildr
    3⤵
    - Launches sc.exe
    PID:3284
- - C:\Windows\SYSTEM32\sc.exe
    sc start ProfSvc
    3⤵
    - Launches sc.exe
    PID:3336
- - C:\Windows\SYSTEM32\sc.exe
    sc config ProfSvc start=auto
    3⤵
    - Launches sc.exe
    PID:3488
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:3372
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3168
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2552
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1440
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1876
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1248
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3556
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "VALORANT-Win64-Shipping.exe" /F /T
    3⤵
    PID:1412
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUx.exe" /F /T
    3⤵
    PID:3496
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUxRender.exe" /F /T
    3⤵
    PID:4040
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EpicGamesLauncher.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:2128
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteLauncher.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4496
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping.exe" /F /T
    3⤵
    PID:2432
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_BE.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:244
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC.exe" /F /T
    3⤵
    PID:2148
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC_EOS.exe" /F /T
    3⤵
    PID:4776
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EscapeFromTarkov.exe" /F /T
    3⤵
    PID:1372
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RainbowSix.exe" /F /T
    3⤵
    PID:2532
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RustClient.exe" /F /T
    3⤵
    PID:1924
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:3160
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RogueCompany.exe" /F /T
    3⤵
    PID:4012
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:3540
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "ModernWarfare.exe" /F /T
    3⤵
    PID:3056
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "cod.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4204
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "r5apex.exe" /F /T
    3⤵
    PID:2180
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "DayZ_x64.exe" /F /T
    3⤵
    PID:1284
- - C:\Windows\SYSTEM32\sc.exe
    sc stop vkg
    3⤵
    - Launches sc.exe
    PID:3488
- - C:\Windows\SYSTEM32\sc.exe
    sc stop FaceIT
    3⤵
    - Launches sc.exe
    PID:1636
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:4512
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEDaisy
    3⤵
    PID:5068
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:4676
- - C:\Windows\SYSTEM32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:3876
- - C:\Windows\SYSTEM32\sc.exe
    sc stop atvi-brynhildr
    3⤵
    - Launches sc.exe
    PID:3924
- - C:\Windows\SYSTEM32\sc.exe
    sc start ProfSvc
    3⤵
    - Launches sc.exe
    PID:708
- - C:\Windows\SYSTEM32\sc.exe
    sc config ProfSvc start=auto
    3⤵
    PID:1972
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:3060
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:4716
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4984
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:844
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1976
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2040
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1292
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "VALORANT-Win64-Shipping.exe" /F /T
    3⤵
    PID:1560
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUx.exe" /F /T
    3⤵
    PID:4884
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUxRender.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:3268
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EpicGamesLauncher.exe" /F /T
    3⤵
    PID:1388
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteLauncher.exe" /F /T
    3⤵
    PID:2360
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping.exe" /F /T
    3⤵
    PID:1572
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_BE.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:380
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4780
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC_EOS.exe" /F /T
    3⤵
    PID:4644
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EscapeFromTarkov.exe" /F /T
    3⤵
    PID:840
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RainbowSix.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:3276
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RustClient.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:1136
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    PID:4016
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RogueCompany.exe" /F /T
    3⤵
    PID:3216
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    PID:3852
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "ModernWarfare.exe" /F /T
    3⤵
    PID:1828
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "cod.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4020
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "r5apex.exe" /F /T
    3⤵
    PID:3924
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "DayZ_x64.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4612
- - C:\Windows\SYSTEM32\sc.exe
    sc stop vkg
    3⤵
    - Launches sc.exe
    PID:4632
- - C:\Windows\SYSTEM32\sc.exe
    sc stop FaceIT
    3⤵
    - Launches sc.exe
    PID:1248
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:2824
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEDaisy
    3⤵
    PID:4844
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:4812
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:3872
- - C:\Windows\SYSTEM32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:820
- - C:\Windows\SYSTEM32\sc.exe
    sc stop atvi-brynhildr
    3⤵
    PID:4920
- - C:\Windows\SYSTEM32\sc.exe
    sc start ProfSvc
    3⤵
    - Launches sc.exe
    PID:1996
- - C:\Windows\SYSTEM32\sc.exe
    sc config ProfSvc start=auto
    3⤵
    - Launches sc.exe
    PID:3912
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2040
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2192
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4836
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:3944
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3268
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1164
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:572
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "VALORANT-Win64-Shipping.exe" /F /T
    3⤵
    PID:2612
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUx.exe" /F /T
    3⤵
    PID:3736
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUxRender.exe" /F /T
    3⤵
    PID:3076
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EpicGamesLauncher.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4268
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteLauncher.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:3844
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping.exe" /F /T
    3⤵
    PID:2032
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_BE.exe" /F /T
    3⤵
    PID:1464
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC.exe" /F /T
    3⤵
    PID:4664
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC_EOS.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4592
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EscapeFromTarkov.exe" /F /T
    3⤵
    PID:1832
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RainbowSix.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4616
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RustClient.exe" /F /T
    3⤵
    PID:4816
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    PID:1036
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RogueCompany.exe" /F /T
    3⤵
    PID:4516
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4604
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "ModernWarfare.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:1972
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "cod.exe" /F /T
    3⤵
    PID:1592
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "r5apex.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:1252
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "DayZ_x64.exe" /F /T
    3⤵
    PID:4908
- - C:\Windows\SYSTEM32\sc.exe
    sc stop vkg
    3⤵
    - Launches sc.exe
    PID:1172
- - C:\Windows\SYSTEM32\sc.exe
    sc stop FaceIT
    3⤵
    - Launches sc.exe
    PID:1384
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:3172
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:2736
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:1612
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:1292
- - C:\Windows\SYSTEM32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:244
- - C:\Windows\SYSTEM32\sc.exe
    sc stop atvi-brynhildr
    3⤵
    - Launches sc.exe
    PID:1560
- - C:\Windows\SYSTEM32\sc.exe
    sc start ProfSvc
    3⤵
    - Launches sc.exe
    PID:1164
- - C:\Windows\SYSTEM32\sc.exe
    sc config ProfSvc start=auto
    3⤵
    - Launches sc.exe
    PID:484
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2712
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2308
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4292
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:4576
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3388
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:4968
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "VALORANT-Win64-Shipping.exe" /F /T
    3⤵
    PID:2500
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUx.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:2652
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUxRender.exe" /F /T
    3⤵
    PID:2704
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EpicGamesLauncher.exe" /F /T
    3⤵
    PID:2400
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteLauncher.exe" /F /T
    3⤵
    PID:1268
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping.exe" /F /T
    3⤵
    PID:2980
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_BE.exe" /F /T
    3⤵
    PID:2528
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:3704
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC_EOS.exe" /F /T
    3⤵
    PID:1412
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EscapeFromTarkov.exe" /F /T
    3⤵
    PID:4340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RainbowSix.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4716
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RustClient.exe" /F /T
    3⤵
    PID:8
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    PID:780
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RogueCompany.exe" /F /T
    3⤵
    PID:1976
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4060
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "ModernWarfare.exe" /F /T
    3⤵
    PID:1544
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "cod.exe" /F /T
    3⤵
    PID:1588
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "r5apex.exe" /F /T
    3⤵
    PID:3988
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "DayZ_x64.exe" /F /T
    3⤵
    PID:3856
- - C:\Windows\SYSTEM32\sc.exe
    sc stop vkg
    3⤵
    PID:572
- - C:\Windows\SYSTEM32\sc.exe
    sc stop FaceIT
    3⤵
    - Launches sc.exe
    PID:1740
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:2612
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:4160
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:4144
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    PID:4952
- - C:\Windows\SYSTEM32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1280
- - C:\Windows\SYSTEM32\sc.exe
    sc stop atvi-brynhildr
    3⤵
    - Launches sc.exe
    PID:4752
- - C:\Windows\SYSTEM32\sc.exe
    sc start ProfSvc
    3⤵
    PID:3396
- - C:\Windows\SYSTEM32\sc.exe
    sc config ProfSvc start=auto
    3⤵
    PID:3336
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:4528
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1768
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4616
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:764
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2528
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:5076
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "VALORANT-Win64-Shipping.exe" /F /T
    3⤵
    PID:4760
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUx.exe" /F /T
    3⤵
    PID:4140
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RiotClientUxRender.exe" /F /T
    3⤵
    PID:4056
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EpicGamesLauncher.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:3548
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteLauncher.exe" /F /T
    3⤵
    PID:2996
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping.exe" /F /T
    3⤵
    PID:2044
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_BE.exe" /F /T
    3⤵
    PID:4540
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC.exe" /F /T
    3⤵
    PID:2864
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "FortniteClient-Win64-Shipping_EAC_EOS.exe" /F /T
    3⤵
    PID:4988
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "EscapeFromTarkov.exe" /F /T
    3⤵
    PID:5104
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RainbowSix.exe" /F /T
    3⤵
    PID:3584
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RustClient.exe" /F /T
    3⤵
    PID:380
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    PID:4284
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "RogueCompany.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4644
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "BlackOpsColdWar.exe" /F /T
    3⤵
    PID:3844
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "ModernWarfare.exe" /F /T
    3⤵
    PID:3388
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "cod.exe" /F /T
    3⤵
    PID:1084
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "r5apex.exe" /F /T
    3⤵
    - Kills process with taskkill
    PID:4568
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM "DayZ_x64.exe" /F /T
    3⤵
    PID:4704
- - C:\Windows\SYSTEM32\sc.exe
    sc stop vkg
    3⤵
    - Launches sc.exe
    PID:2652
- - C:\Windows\SYSTEM32\sc.exe
    sc stop FaceIT
    3⤵
    - Launches sc.exe
    PID:2464
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEService
    3⤵
    PID:2704
- - C:\Windows\SYSTEM32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:2748
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:3876
- - C:\Windows\SYSTEM32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:4556
- - C:\Windows\SYSTEM32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4516
- - C:\Windows\SYSTEM32\sc.exe
    sc stop atvi-brynhildr
    3⤵
    - Launches sc.exe
    PID:3832
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\loader.exe" & fsutil usn deletejournal /D C:
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:240
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /D C:
    3⤵
    - Deletes NTFS Change Journal
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-0-0x00007FFB76270000-0x00007FFB76272000-memory.dmp

Filesize
8KB

Download
memory/1000-1-0x0000000140000000-0x0000000145469000-memory.dmp

Filesize
84.4MB

Download
memory/2536-5-0x0000000140000000-0x0000000145469000-memory.dmp

Filesize
84.4MB

Download
memory/2536-7-0x0000000140000000-0x0000000145469000-memory.dmp

Filesize
84.4MB

Download
memory/2536-12-0x0000000140000000-0x0000000145469000-memory.dmp

Filesize
84.4MB

Download
memory/2536-14-0x0000000140000000-0x0000000145469000-memory.dmp

Filesize
84.4MB

Download
memory/2536-18-0x0000000140000000-0x0000000145469000-memory.dmp

Filesize
84.4MB

Download
memory/2536-19-0x0000000140000000-0x0000000145469000-memory.dmp

Filesize
84.4MB

Download