Malware Analysis Report

2024-09-23 12:40

Sample ID 240612-s7sf8szhmg
Target Loader.exe
SHA256 569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d
Tags
bootkit evasion execution persistence trojan
Score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
9/10

SHA256

569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d

Threat Level: Likely malicious

The file Loader.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit evasion execution persistence trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Checks computer location settings

Checks BIOS information in registry

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:46

Reported

2024-06-12 15:49

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2556 wrote to memory of 2576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2556 wrote to memory of 2576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2556 wrote to memory of 2576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2524 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2524 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2524 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2652 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2652 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2652 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2080 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2548 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2548 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2548 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2576 wrote to memory of 2412 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2576 wrote to memory of 2412 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2576 wrote to memory of 2412 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2452 wrote to memory of 2436 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2452 wrote to memory of 2436 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2452 wrote to memory of 2436 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2080 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2536 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2536 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2756 wrote to memory of 2832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2756 wrote to memory of 2832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2756 wrote to memory of 2832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 2456 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2456 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2456 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2580 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2580 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2580 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2488 wrote to memory of 2204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 2488 wrote to memory of 2204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 2488 wrote to memory of 2204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 2340 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1513516409-2034755282-1444979284-1610576816-1503366538949022273-466117098431537156"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 2.17.107.226:80 apps.identrust.com tcp
N/A 127.0.0.1:49199 tcp
N/A 127.0.0.1:49201 tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp

Files

memory/2080-1-0x0000000077110000-0x0000000077112000-memory.dmp

memory/2080-0-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-3-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-8-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-7-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-6-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-4-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-5-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-9-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-10-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-11-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

memory/2080-12-0x000000013F2D0000-0x0000000142BEA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 15:46

Reported

2024-06-12 15:49

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4932 wrote to memory of 4340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4932 wrote to memory of 4340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4340 wrote to memory of 4868 N/A C:\Windows\system32\net.exe C:\Windows\system32\cmd.exe
PID 4340 wrote to memory of 4868 N/A C:\Windows\system32\net.exe C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 1188 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 1188 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4508 wrote to memory of 3300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4508 wrote to memory of 3300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3908 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4888 wrote to memory of 4412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4888 wrote to memory of 4412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3908 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3200 wrote to memory of 2316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3200 wrote to memory of 2316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3656 wrote to memory of 4532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3656 wrote to memory of 4532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3908 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\net1.exe
PID 3908 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\net1.exe
PID 3908 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1480 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3320 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3320 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4544 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4544 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4904 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4904 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3908 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2936 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3908 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\sc.exe
PID 3908 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\sc.exe
PID 4620 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4620 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3908 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 988 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 988 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3908 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 5100 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 5100 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3908 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\taskkill.exe
PID 3908 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\taskkill.exe
PID 4516 wrote to memory of 4060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4516 wrote to memory of 4060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\Conhost.exe
PID 3908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\Conhost.exe
PID 3908 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
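Every spawn in the table above appears twice because the sandbox logs the two WriteProcessMemory calls a parent makes into a freshly created child, so the rows double as a parent-to-child map. They are not fully consistent, though: 4620 is listed as sc.exe where it is a child and as cmd.exe where it is a parent, and the same happens for 4544 (net1.exe vs cmd.exe) and 4516 (taskkill.exe vs cmd.exe). Treat the image names on those rows as unreliable and resolve them against the Processes list before building a timeline. The following is an added example, not code from the report: it rebuilds the tree from rows in this format and flags PIDs whose image name disagrees between rows. The rows embedded are a subset copied from the table; the parser is an analyst's helper.

```python
"""Rebuild the process tree from 'PID A wrote to memory of B' rows and flag PIDs
whose image name is inconsistent across rows.  Added example; the rows below are a
subset copied from the report's table and the helper is not part of the report."""
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image) per matching row."""
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            yield int(m[1]), int(m[2]), m[3], m[4]

def build_tree(text):
    """Return (children, images, conflicts): children maps parent -> ordered unique
    children, images maps pid -> set of image names seen for it, conflicts lists
    pids for which the rows themselves disagree about the image."""
    children = defaultdict(list)
    images = defaultdict(set)
    for ppid, cpid, pimg, cimg in parse_rows(text):
        if cpid not in children[ppid]:     # each spawn is logged twice; keep it once
            children[ppid].append(cpid)
        images[ppid].add(pimg.lower())
        images[cpid].add(cimg.lower())
    conflicts = sorted(p for p, names in images.items() if len(names) > 1)
    return children, images, conflicts

def chain(children, images, root):
    """Depth-first listing of 'pid image' strings under root, for eyeballing."""
    out = []
    def walk(pid, depth):
        names = "|".join(sorted(n.rsplit("\\", 1)[-1] for n in images[pid]))
        out.append("  " * depth + f"{pid} {names}")
        for c in children.get(pid, []):
            walk(c, depth + 1)
    walk(root, 0)
    return out

# Subset of rows copied from the report (duplicates kept exactly as logged).
SAMPLE_ROWS = r"""
PID 3908 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4932 wrote to memory of 4340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3908 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 1188 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4508 wrote to memory of 3300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3908 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\sc.exe
PID 4620 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
"""

if __name__ == "__main__":
    children, images, conflicts = build_tree(SAMPLE_ROWS)
    print("\n".join(chain(children, images, 3908)))
    print("pids with conflicting image names:", conflicts)
```

The expected shape is Loader.exe -> cmd.exe -> net.exe -> net1.exe (or cmd.exe -> sc.exe / taskkill.exe); any row that breaks that shape is where to look for PID reuse or a logging gap rather than for a new technique.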

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4 0x468

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\net.exe

net stop FACEIT

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop FACEIT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1

C:\Windows\system32\net.exe

net stop ESEADriver2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ESEADriver2

C:\Windows\system32\sc.exe

sc stop KProcessHacker3

C:\Windows\system32\sc.exe

sc stop KProcessHacker2

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\sc.exe

sc stop wireshark

C:\Windows\system32\sc.exe

sc stop KProcessHacker1

C:\Windows\system32\sc.exe

sc stop npf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS
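The Processes list above is one loop run five times (the net stop FACEIT line recurs five times): net stop against the FACEIT and ESEA anti-cheat drivers, sc stop against the HTTP Debugger service, the Process Hacker kernel driver (KProcessHacker1-3), the WinPcap/Npcap capture driver (npf) and wireshark, then taskkill against HTTP Debugger, Cheat Engine and Process Hacker by image-name wildcard, with every error swallowed by >nul 2>&1. The run ends with certutil -hashfile on its own file, piped through find to strip certutil's header and trailer lines so only the MD5 remains, which fits the keyauth.win contact in the Network section (KeyAuth clients send a hash of their own executable at initialisation). The following is an added example, not code from the report: it extracts the stop/kill targets from command lines in this form, groups them by the tool they belong to, and scores a process-creation event stream for this kind of kill loop. The command lines are copied from the report; the tool map and the threshold are an analyst's assumptions.

```python
"""Extract the service-stop / process-kill targets from the Processes list and
score a process-creation stream for anti-analysis kill loops.  Added example; the
command lines are copied from the report, the tool map and threshold are assumed."""
import re

# Which tool each target belongs to (assumed mapping; names are well known).
TARGET_TOOL = {
    "faceit": "FACEIT anti-cheat", "eseadriver2": "ESEA anti-cheat",
    "httpdebuggerpro": "HTTP Debugger", "httpdebuggerui.exe": "HTTP Debugger",
    "httpdebuggersvc.exe": "HTTP Debugger", "httpdebugger*": "HTTP Debugger",
    "kprocesshacker1": "Process Hacker", "kprocesshacker2": "Process Hacker",
    "kprocesshacker3": "Process Hacker", "processhacker*": "Process Hacker",
    "npf": "WinPcap/Npcap capture driver", "wireshark": "Wireshark",
    "cheatengine*": "Cheat Engine",
}

STOP_RE = re.compile(r"\b(?:sc|net)\s+stop\s+(\S+)", re.I)
KILL_IM_RE = re.compile(r"taskkill\b.*?/im\s+(\S+)", re.I)
KILL_FI_RE = re.compile(r'taskkill\b.*?/fi\s+"imagename\s+eq\s+([^"]+)"', re.I)

def targets_of(cmdline):
    """Return the lowercase service / image names a command line tries to stop or kill."""
    found = set()
    for rx in (STOP_RE, KILL_FI_RE):
        found.update(m.lower() for m in rx.findall(cmdline))
    m = KILL_IM_RE.search(cmdline)
    if m and m[1] != "*":                 # '/IM *' next to /FI is a wildcard, not a name
        found.add(m[1].lower())
    return found

def summarize(cmdlines):
    """Group observed targets by tool and count how often each target was hit."""
    by_tool, counts = {}, {}
    for cl in cmdlines:
        for t in targets_of(cl):
            counts[t] = counts.get(t, 0) + 1
            by_tool.setdefault(TARGET_TOOL.get(t, "unknown"), set()).add(t)
    return by_tool, counts

def kill_loop_score(events, min_tools=3):
    """events: iterable of (parent_image, image, cmdline), e.g. from Sysmon event 1.
    Returns parents that drove cmd/sc/net/taskkill against at least min_tools tools."""
    per_parent = {}
    for parent, image, cl in events:
        if image.lower().rsplit("\\", 1)[-1] not in ("cmd.exe", "sc.exe", "net.exe", "taskkill.exe"):
            continue
        tools = per_parent.setdefault(parent.lower(), set())
        tools.update(TARGET_TOOL.get(t, "unknown") for t in targets_of(cl))
    return {p: sorted(t) for p, t in per_parent.items() if len(t) >= min_tools}

# Command lines copied from the report (one pass of the loop).
OBSERVED = [
    r'"C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1',
    r'"C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1',
    r'"C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1',
    r'"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1',
    r'"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1',
    r'"C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1',
    r'"C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1',
    r'"C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1',
]

if __name__ == "__main__":
    by_tool, counts = summarize(OBSERVED)
    for tool, names in sorted(by_tool.items()):
        print(f"{tool}: {sorted(names)}")
    loader = r"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    print(kill_loop_score((loader, r"C:\Windows\System32\cmd.exe", cl) for cl in OBSERVED))
```

The threshold of three distinct tools is what keeps an administrator's single net stop out of the result; the distinguishing feature of this loader is breadth (anti-cheat plus debugger plus capture driver plus process tooling from one parent within seconds), not any one command.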

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 5.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
BE 88.221.83.225:443 www.bing.com tcp
US 8.8.8.8:53 225.83.221.88.in-addr.arpa udp
N/A 127.0.0.1:54163 tcp
N/A 127.0.0.1:54165 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
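Most rows in this table are not sample-specific: the 8.8.8.8:53 rows are DNS, the *.in-addr.arpa rows are reverse lookups of addresses already contacted, x2.c.lencr.org is a Let's Encrypt CRL endpoint fetched during certificate validation, the bing.com connections are typical Windows background traffic in a sandbox image, and the 127.0.0.1 rows are loopback. What is attributable to the sample is the TLS session to keyauth.win on 104.26.0.5 (a Cloudflare address), a commercial licensing backend widely used by game-cheat loaders, which matches the self-hashing certutil command in the Processes list. The following is an added example, not code from the report: it parses rows in this table's format and separates sample contacts from that noise. The rows embedded are a subset copied from the table; the background-domain list is an analyst's assumption to adjust per sandbox image.

```python
"""Classify rows of the Network table into sample-attributable contacts versus
DNS / OS background noise.  Added example; rows are copied from the report and the
noise lists are an analyst's assumptions."""
import ipaddress
import re

ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S*)\s*(tcp|udp)$")

# Infrastructure that belongs to certificate validation or OS background traffic,
# not to the sample's own logic (assumed; adjust per sandbox image).
BACKGROUND_DOMAINS = {
    "x2.c.lencr.org": "Let's Encrypt CRL",
    "g.bing.com": "Windows background", "www.bing.com": "Windows background",
}

def parse(table):
    """Turn the flattened 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue        # header line
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or None, "proto": proto})
    return rows

def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    d = row["domain"] or ""
    if row["port"] == 53 and d.endswith(".in-addr.arpa"):
        return "dns-reverse-lookup"
    if row["port"] == 53:
        return "dns-query"
    if ip.is_loopback:
        return "loopback"
    if d in BACKGROUND_DOMAINS:
        return "background:" + BACKGROUND_DOMAINS[d]
    return "sample-contact"

def sample_contacts(table):
    """Return (domain, ip, port, proto) tuples left after removing the noise."""
    return [(r["domain"], r["ip"], r["port"], r["proto"])
            for r in parse(table) if classify(r) == "sample-contact"]

# Subset of rows copied from the report's Network table.
NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 5.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.225:443 www.bing.com tcp
N/A 127.0.0.1:54163 tcp
N/A 127.0.0.1:54165 tcp
"""

if __name__ == "__main__":
    for r in parse(NETWORK_TABLE):
        print(classify(r), r)
    print(sample_contacts(NETWORK_TABLE))
```

Because keyauth.win sits behind Cloudflare, the IP is not a useful block indicator; the domain and the TLS SNI are, and on a host the matching artefact is a process other than a browser opening 443 to that name.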

Files

memory/3908-0-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-1-0x00007FFB5AD50000-0x00007FFB5AD52000-memory.dmp

memory/3908-3-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-5-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-4-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-6-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-7-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-8-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-9-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-10-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-11-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-12-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-13-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-14-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-15-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-16-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-17-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-18-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-19-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-20-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-21-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp

memory/3908-22-0x00007FF6C8480000-0x00007FF6CBD9A000-memory.dmp