569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 00:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

21.2MB
MD5

641724e3d8211104be31438b62dc7d15
SHA1

114e784ccc74babf9590583bff1e1e83e8929bb4
SHA256

569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d
SHA512

5fc3562e2b0483f9c6ca6b16586d9f15b585b692f98c7547f3ce087114e9c8bb35e7a2d54e0e788489573ebf405650104c8ebf377baddc3cbacc8321916eeb2f
SSDEEP

393216:FBKR69QxEl93SQh6mn7tG+vp2jbKmMQL8NGm10C9REV6f01Serw2ngtTV:LKIsGj6CRGu23MBGm9wXzngT

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3744	Loader.exe

Launches sc.exe 42 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1164	sc.exe
1880	sc.exe
4928	sc.exe
1080	sc.exe
2340	sc.exe
4440	sc.exe
4884	sc.exe
4028	sc.exe
516	sc.exe
4932	sc.exe
4296	sc.exe
4576	sc.exe
3664	sc.exe
4568	sc.exe
4932	sc.exe
2844	sc.exe
1848	sc.exe
2288	sc.exe
3012	sc.exe
2464	sc.exe
1484	sc.exe
3040	sc.exe
4692	sc.exe
872	sc.exe
1716	sc.exe
3504	sc.exe
2044	sc.exe
1996	sc.exe
1744	sc.exe
1944	sc.exe
2632	sc.exe
3140	sc.exe
2964	sc.exe
1884	sc.exe
408	sc.exe
1848	sc.exe
1468	sc.exe
1456	sc.exe
4572	sc.exe
516	sc.exe
3172	sc.exe
4896	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 30 IoCs

evasion

pid	Process
4860	taskkill.exe
2848	taskkill.exe
1356	taskkill.exe
4492	taskkill.exe
3820	taskkill.exe
404	taskkill.exe
1476	taskkill.exe
3664	taskkill.exe
3740	taskkill.exe
2632	taskkill.exe
4504	taskkill.exe
4144	taskkill.exe
2920	taskkill.exe
1500	taskkill.exe
5108	taskkill.exe
4000	taskkill.exe
1444	taskkill.exe
3984	taskkill.exe
3332	taskkill.exe
1104	taskkill.exe
3000	taskkill.exe
396	taskkill.exe
1056	taskkill.exe
1908	taskkill.exe
2296	taskkill.exe
3748	taskkill.exe
4988	taskkill.exe
2328	taskkill.exe
2896	taskkill.exe
2736	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	3664	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2672	3744	Loader.exe	207
PID 3744 wrote to memory of 2672	3744	Loader.exe	207
PID 3744 wrote to memory of 1576	3744	Loader.exe	91
PID 3744 wrote to memory of 1576	3744	Loader.exe	91
PID 2672 wrote to memory of 2948	2672	cmd.exe	93
PID 2672 wrote to memory of 2948	2672	cmd.exe	93
PID 3744 wrote to memory of 1932	3744	Loader.exe	214
PID 3744 wrote to memory of 1932	3744	Loader.exe	214
PID 2948 wrote to memory of 3192	2948	net.exe	96
PID 2948 wrote to memory of 3192	2948	net.exe	96
PID 3744 wrote to memory of 2024	3744	Loader.exe	98
PID 3744 wrote to memory of 2024	3744	Loader.exe	98
PID 1576 wrote to memory of 4908	1576	cmd.exe	188
PID 1576 wrote to memory of 4908	1576	cmd.exe	188
PID 4908 wrote to memory of 1880	4908	net.exe	187
PID 4908 wrote to memory of 1880	4908	net.exe	187
PID 3744 wrote to memory of 4692	3744	Loader.exe	266
PID 3744 wrote to memory of 4692	3744	Loader.exe	266
PID 3744 wrote to memory of 2440	3744	Loader.exe	104
PID 3744 wrote to memory of 2440	3744	Loader.exe	104
PID 3744 wrote to memory of 4616	3744	Loader.exe	273
PID 3744 wrote to memory of 4616	3744	Loader.exe	273
PID 2024 wrote to memory of 4932	2024	cmd.exe	267
PID 2024 wrote to memory of 4932	2024	cmd.exe	267
PID 4692 wrote to memory of 1716	4692	cmd.exe	109
PID 4692 wrote to memory of 1716	4692	cmd.exe	109
PID 1932 wrote to memory of 4572	1932	cmd.exe	209
PID 1932 wrote to memory of 4572	1932	cmd.exe	209
PID 3744 wrote to memory of 4384	3744	Loader.exe	111
PID 3744 wrote to memory of 4384	3744	Loader.exe	111
PID 3744 wrote to memory of 2156	3744	Loader.exe	112
PID 3744 wrote to memory of 2156	3744	Loader.exe	112
PID 4616 wrote to memory of 4028	4616	cmd.exe	212
PID 4616 wrote to memory of 4028	4616	cmd.exe	212
PID 2440 wrote to memory of 4296	2440	cmd.exe	115
PID 2440 wrote to memory of 4296	2440	cmd.exe	115
PID 2156 wrote to memory of 2736	2156	cmd.exe	116
PID 2156 wrote to memory of 2736	2156	cmd.exe	116
PID 4384 wrote to memory of 2844	4384	cmd.exe	215
PID 4384 wrote to memory of 2844	4384	cmd.exe	215
PID 3744 wrote to memory of 4732	3744	Loader.exe	119
PID 3744 wrote to memory of 4732	3744	Loader.exe	119
PID 4732 wrote to memory of 3000	4732	cmd.exe	226
PID 4732 wrote to memory of 3000	4732	cmd.exe	226
PID 3744 wrote to memory of 2676	3744	Loader.exe	121
PID 3744 wrote to memory of 2676	3744	Loader.exe	121
PID 2676 wrote to memory of 1484	2676	cmd.exe	173
PID 2676 wrote to memory of 1484	2676	cmd.exe	173
PID 3744 wrote to memory of 2340	3744	Loader.exe	261
PID 3744 wrote to memory of 2340	3744	Loader.exe	261
PID 2340 wrote to memory of 1908	2340	cmd.exe	124
PID 2340 wrote to memory of 1908	2340	cmd.exe	124
PID 3744 wrote to memory of 1996	3744	Loader.exe	275
PID 3744 wrote to memory of 1996	3744	Loader.exe	275
PID 1996 wrote to memory of 404	1996	cmd.exe	126
PID 1996 wrote to memory of 404	1996	cmd.exe	126
PID 3744 wrote to memory of 1836	3744	Loader.exe	181
PID 3744 wrote to memory of 1836	3744	Loader.exe	181
PID 1836 wrote to memory of 4860	1836	cmd.exe	128
PID 1836 wrote to memory of 4860	1836	cmd.exe	128
PID 3744 wrote to memory of 3028	3744	Loader.exe	129
PID 3744 wrote to memory of 3028	3744	Loader.exe	129
PID 3744 wrote to memory of 2980	3744	Loader.exe	131
PID 3744 wrote to memory of 2980	3744	Loader.exe	131

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:3192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:1880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:4028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:3028
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:4372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:3972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:2980
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:1780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:3736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:656
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:4988
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:4444
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:3748
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:1568
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:2200
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3944
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3696
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3676
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:1456
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:1996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:4780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:4040
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:1976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:3904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1356
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:1484
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:692
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:1880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:1836
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:1304
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:4928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:4908
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2740
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3200
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3160
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2292
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:8
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:4492
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2672
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:2844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:1948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:5096
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:1184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:4336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4572
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:1972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4028
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:3164
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1932
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:3548
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:3144
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:3360
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1412
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1644
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:976
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:1804
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:2836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:2468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:5012
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:1048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:2788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1536
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:4628
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2092
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:4988
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2292
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:2172
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:3172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:3040
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4616
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1996
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4240
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:3360
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
    3⤵
    PID:4884
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:5112
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:440
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:1296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:1172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:2292
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:4492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:1932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4820
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:4572
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:3012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:3944
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:2768
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:2676
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:1104
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1924
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2312
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3744-0-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/3744-2-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-3-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-4-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-5-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-6-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-7-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-8-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-9-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-10-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/3744-11-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-12-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-13-0x00007FF6E2DC0000-0x00007FF6E66DA000-memory.dmp

Filesize
57.1MB

Download
memory/3744-14-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads