Analysis Overview
SHA256
569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d
Threat Level: Likely malicious
The file Loader.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Checks computer location settings
Checks BIOS information in registry
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 15:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 15:46
Reported
2024-06-12 15:49
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1513516409-2034755282-1444979284-1610576816-1503366538949022273-466117098431537156"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| BE | 2.17.107.226:80 | apps.identrust.com | tcp |
| N/A | 127.0.0.1:49199 | N/A | tcp |
| N/A | 127.0.0.1:49201 | N/A | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
Files
memory/2080-1-0x0000000077110000-0x0000000077112000-memory.dmp
memory/2080-0-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-3-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-8-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-7-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-6-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-4-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-5-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-9-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-10-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-11-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
memory/2080-12-0x000000013F2D0000-0x0000000142BEA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 15:46
Reported
2024-06-12 15:49
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
97s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x468
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\net.exe
net stop FACEIT
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FACEIT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\net.exe
net stop ESEADriver2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ESEADriver2
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 5.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| BE | 88.221.83.225:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 225.83.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:54163 | N/A | tcp |
| N/A | 127.0.0.1:54165 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/3908-0-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-1-0x00007FFB5AD50000-0x00007FFB5AD52000-memory.dmp
memory/3908-3-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-5-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-4-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-6-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-7-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-8-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-9-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-10-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-11-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-12-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-13-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-14-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-15-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-16-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-17-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-18-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-19-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-20-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-21-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp
memory/3908-22-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp