611fbb3467b28360f80f5e36424908d0c3ec2f94044778820b5a7f7cddb86549

Analysis

max time kernel
66s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

12.2MB
MD5

de29ac4da4a6babe3fa0b95a55bb08ad
SHA1

ff797ebfe3286018de4998df6e40f77d32106942
SHA256

611fbb3467b28360f80f5e36424908d0c3ec2f94044778820b5a7f7cddb86549
SHA512

25a098c8220f6f601b652e28408b069260b4922834d33bb99f99654f8e0042a5fd99b9a90b19ae0c17f6c9863f45debb4d227a7ae23162fff02bfea576673212
SSDEEP

196608:FPqOeo716XtLQaRKtL62KhzJ07rHHcm6Cq4UZ+9jF6t7fAGmbMaev:YONhbaRKx6tULcm6OUZ+FuAAPv

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Loader.exe

pid process

3664 Loader.exe
3664 Loader.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN Loader.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Loader.exe

pid	process
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe
3664	Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.exe

description	pid	process	target process
PID 3664 wrote to memory of 760	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 760	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4788	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4788	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 1680	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 1680	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 8	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 8	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2552	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2552	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4356	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4356	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3144	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3144	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2548	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2548	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4384	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4384	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4060	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4060	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2356	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2356	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2116	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2116	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3508	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3508	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3180	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3180	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4124	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4124	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 1284	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 1284	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2024	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2024	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4352	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4352	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 1084	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 1084	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4596	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4596	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2028	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 2028	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4784	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4784	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4052	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4052	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4336	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4336	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3680	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3680	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 880	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 880	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3312	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3312	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 5060	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 5060	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 984	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 984	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3504	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 3504	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4816	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 4816	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 1108	3664	Loader.exe	Loader.exe
PID 3664 wrote to memory of 1108	3664	Loader.exe	Loader.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3664

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5152

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5216

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5256

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5336

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5344

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5472

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
PID:6124

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
3⤵
PID:5588

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:5604

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:5612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3664-0-0x00007FF7DC954000-0x00007FF7DD06C000-memory.dmp

Filesize
7.1MB

Download
memory/3664-1-0x00007FF9F6890000-0x00007FF9F6892000-memory.dmp

Filesize
8KB

Download
memory/3664-2-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-11-0x000001A9AF3B0000-0x000001A9AF3B1000-memory.dmp

Filesize
4KB

Download
memory/3664-22-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-24-0x000001A9B0D40000-0x000001A9B0D41000-memory.dmp

Filesize
4KB

Download
memory/3664-43-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-69-0x00007FF7DC954000-0x00007FF7DD06C000-memory.dmp

Filesize
7.1MB

Download
memory/3664-95-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-94-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-120-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-144-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-194-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-219-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-267-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-293-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download
memory/3664-319-0x00007FF7DC760000-0x00007FF7DDCA7000-memory.dmp

Filesize
21.3MB

Download