Analysis
  max time kernel: 65s
  max time network: 21s
  platform: windows7_x64
  resource: win7-20240215-en
  resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted: 11-03-2024 00:14
Static task: static1
Behavioral task: behavioral1
  Sample: 1buttonBETA10-22b.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 1buttonBETA10-22b.exe
  Resource: win10v2004-20240226-en
General
  Target: 1buttonBETA10-22b.exe
  Size: 31.9MB
  MD5: a48537d35ede9fe4d15b0818870c6ff2
  SHA1: e760863c4db17e55e72ba507ebb22a5b9396c304
  SHA256: 628a2b6ad14cb09e3432f369c7ac3f2d341c5c518bfb9af16ee77e1d62601deb
  SHA512: c6556320d20a051cbfe08febbdf80ff3168b4a7654ce1d77bada1329d499497462cef1d978abfa95d064dac49eb14dc7e914d0b9391aec6546991d499f3aaf97
  SSDEEP: 786432:LCnT9Z2zDfgQwtKa41MOYS0ndZNEMans/GtxeUVMGHKc6j:YLSMQwwa41ro9EManrtxTMx
Malware Config
Signatures
Cerber 12 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Processes:
  pid   process
  1620  taskkill.exe
  1584  taskkill.exe
  1484  taskkill.exe
  Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}  AMIDEWINx64.EXE
  Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}  AMIDEWINx64.EXE
  Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}  AMIDEWINx64.EXE
  Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}  AMIDEWINx64.EXE
  Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}  AMIDEWINx64.EXE
  1512  taskkill.exe
  2776  taskkill.exe
  Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}  AMIDEWINx64.EXE
  Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}  AMIDEWINx64.EXE
Clears Windows event logs 1 TTPs 44 IoCs
Processes:
  process: wevtutil.exe (44 instances)
  pids: 1856, 2948, 2996, 2612, 2364, 1652, 2068, 1488, 2276, 2808, 1636, 2664, 1520, 2620, 2420, 984, 2872, 2832, 1008, 2328, 2520, 2624, 2452, 2944, 2608, 2956, 2904, 880, 2532, 2760, 2972, 2172, 2392, 2436, 2396, 2568, 2524, 2376, 2556, 2632, 2160, 1884, 796, 2728
Nirsoft 1 IoCs
Processes:
  resource                                     yara_rule
  \Users\Admin\AppData\Roaming\DevManView.exe  Nirsoft
Drops file in Drivers directory 8 IoCs
Processes:
  description                   ioc                                        process
  File opened for modification  C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys   AMIDEWIN.EXE
  File opened for modification  C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys   AMIDEWIN.EXE
  File opened for modification  C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys   AMIDEWIN.EXE
  File opened for modification  C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys   AMIDEWIN.EXE
  File opened for modification  C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys   AMIDEWIN.EXE
  File created                  C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys   AMIDEWIN.EXE
  File opened for modification  C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys   AMIDEWIN.EXE
  File opened for modification  C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys   AMIDEWIN.EXE
Stops running service(s) 3 TTPs
Executes dropped EXE 25 IoCs
Processes:
  pid   process
  2936  FIXusrTEMPv6.exe
  732   ddc.exe
  812   cleanerOLD1.exe
  1132  Cleaner8.exe
  2092  AdvancedEventCleaner.exe
  844   1-RUNFIRST.exe
  3000  AMIDEWIN.EXE
  2268  reset_adapters.exe
  2548  AMIDEWIN.EXE
  764   AMIDEWIN.EXE
  1452  AMIDEWIN.EXE
  320   AMIDEWIN.EXE
  1208  AMIDEWIN.EXE
  2056  AMIDEWIN.EXE
  1776  AMIDEWINx64.EXE
  1724  AMIDEWINx64.EXE
  1476  AMIDEWINx64.EXE
  1600  AMIDEWINx64.EXE
  1744  AMIDEWINx64.EXE
  2616  AMIDEWINx64.EXE
  1536  AMIDEWINx64.EXE
  2576  moreCLEANhardware.exe
  2400  reset2-Hardware Rescan after Adapter reset.exe
  1012  devcon.exe
  2888  DevManView.exe
Loads dropped DLL 17 IoCs
Processes:
  pid   process
  2744  cmd.exe
  2336  cmd.exe
  2744  cmd.exe
  3020  cmd.exe
  2280  cmd.exe
  1896  WerFault.exe
  1896  WerFault.exe
  1896  WerFault.exe
  2744  cmd.exe
  2636  cmd.exe
  2556  WerFault.exe
  2556  WerFault.exe
  2556  WerFault.exe
  2556  WerFault.exe
  2536  cmd.exe
  2536  cmd.exe
  872   cmd.exe
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName    ddc.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid   process
  496   sc.exe
  768   sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 7 IoCs
Processes:
  description        ioc                                                                                                                  process
  Key enumerated     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral                Cleaner8.exe
  Key queried        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral                Cleaner8.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0              Cleaner8.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier   Cleaner8.exe
  Key queried        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0              Cleaner8.exe
  Set value (str)    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "033bffbe-52d25dfb-a"   Cleaner8.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral                Cleaner8.exe
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid   process
  1536  ipconfig.exe
  2852  ipconfig.exe
  2960  ipconfig.exe
Kills process with taskkill 8 IoCs
Processes:
  pid   process
  1432  taskkill.exe
  1620  taskkill.exe
  1584  taskkill.exe
  1512  taskkill.exe
  1484  taskkill.exe
  2776  taskkill.exe
  1664  taskkill.exe
  1704  taskkill.exe
Modifies Internet Explorer settings
Processes:
  description       ioc                                                                                                    process
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 4a33a2853a3275d8   Cleaner8.exe
Modifies registry key 1 TTPs 2 IoCs
Runs ping.exe 1 TTPs 28 IoCs
Processes:
  process: PING.EXE (28 instances)
  pids: 2644, 2096, 2404, 1668, 2792, 844, 2808, 536, 1488, 2988, 2104, 568, 2216, 2188, 988, 1116, 1696, 2020, 2784, 1356, 2380, 2856, 2284, 2728, 2116, 2000, 1996, 2160
Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
Processes:
  pid   process
  732   ddc.exe
  812   cleanerOLD1.exe
  3000  AMIDEWIN.EXE
  2548  AMIDEWIN.EXE
  764   AMIDEWIN.EXE
  1452  AMIDEWIN.EXE
  320   AMIDEWIN.EXE
  1208  AMIDEWIN.EXE
  2056  AMIDEWIN.EXE
  2400  reset2-Hardware Rescan after Adapter reset.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid   process
  844   1-RUNFIRST.exe
  812   cleanerOLD1.exe
  812   cleanerOLD1.exe
Suspicious behavior: LoadsDriver 21 IoCs
Processes:
  pid   process
  476   (21 events; the process column is empty in the report)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          2776  taskkill.exe
  Token: SeDebugPrivilege          1484  taskkill.exe
  Token: SeDebugPrivilege          1620  taskkill.exe
  Token: SeDebugPrivilege          1584  taskkill.exe
  Token: SeDebugPrivilege          1512  taskkill.exe
  Token: SeTakeOwnershipPrivilege  1132  Cleaner8.exe
  Token: SeSecurityPrivilege followed by Token: SeBackupPrivilege (one event each, 58 events in total) for each of the following wevtutil.exe pids, in this order:
  2180, 2832, 1488, 2872, 2948, 2972, 984, 880, 2276, 1520, 1652, 2996, 2632, 2328, 2160, 1008, 1884, 796, 2620, 2556, 2568, 2520, 2172, 2808, 2524, 2612, 2728, 2392, 2944
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  source pid  source process          target pid  target process      events
  2256        1buttonBETA10-22b.exe   2744        cmd.exe             3
  2744        cmd.exe                 2776        taskkill.exe        3
  2744        cmd.exe                 1484        taskkill.exe        3
  2744        cmd.exe                 1620        taskkill.exe        3
  2744        cmd.exe                 1584        taskkill.exe        3
  2744        cmd.exe                 1512        taskkill.exe        3
  2744        cmd.exe                 768         sc.exe              3
  2744        cmd.exe                 496         sc.exe              3
  2744        cmd.exe                 2668        reg.exe             3
  2744        cmd.exe                 1472        reg.exe             3
  2744        cmd.exe                 1852        reg.exe             3
  2744        cmd.exe                 1420        reg.exe             3
  2744        cmd.exe                 1356        reg.exe             3
  2744        cmd.exe                 1436        reg.exe             3
  2744        cmd.exe                 2880        reg.exe             3
  2744        cmd.exe                 1448        reg.exe             3
  2744        cmd.exe                 1340        reg.exe             3
  2744        cmd.exe                 1264        ARP.EXE             3
  2744        cmd.exe                 2936        FIXusrTEMPv6.exe    3
  2744        cmd.exe                 2404        PING.EXE            3
  2936        FIXusrTEMPv6.exe        2940        cmd.exe             3
  2940        cmd.exe                 2020        PING.EXE            1
Processes ([n] marks the nesting level in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2256

  [2] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F32.tmp\3F33.tmp\3F34.bat C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2744
    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im EasyAntiCheat.exe
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2776

    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im BEService_x64.exe
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1484

    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1620

    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1584

    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1512

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop BEService
        - Launches sc.exe
        PID: 768

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop EasyAntiCheat
        - Launches sc.exe
        PID: 496
    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        PID: 2668

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        PID: 1472

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
        PID: 1852

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
        PID: 1420

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        PID: 1356

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
        PID: 1436

    [3] C:\Windows\system32\reg.exe
        Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 659 /f
        - Modifies registry key
        PID: 2880

    [3] C:\Windows\system32\reg.exe
        Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 9720 /f
        - Modifies registry key
        PID: 1448

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        PID: 1340

    [3] C:\Windows\system32\ARP.EXE
        Command line: arp -d
        PID: 1264
    [3] C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
        Command line: "C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2936

      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7935.tmp\7936.tmp\7947.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
          - Suspicious use of WriteProcessMemory
          PID: 2940

        [5] C:\Windows\system32\PING.EXE
            Command line: ping /n 1 localhost
            - Runs ping.exe
            PID: 2020

        [5] C:\Windows\system32\PING.EXE
            Command line: ping /n 1 localhost
            - Runs ping.exe
            PID: 2188

        [5] C:\Windows\system32\PING.EXE
            Command line: ping /n 1 localhost
            - Runs ping.exe
            PID: 1668

        [5] C:\Windows\system32\PING.EXE
            Command line: ping /n 2 localhost
            - Runs ping.exe
            PID: 2216

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 2404
    [3] C:\Users\Admin\AppData\Roaming\ddc.exe
        Command line: C:\Users\Admin\AppData\Roaming\ddc.exe b /target:c:\DriverBackup4u
        - Executes dropped EXE
        - Checks system information in the registry
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 732

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 988

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        PID: 1780

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe""
        PID: 2792

      [4] C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
          Command line: "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe"
          - Executes dropped EXE
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          - Suspicious behavior: EnumeratesProcesses
          PID: 812

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        PID: 2044

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\Cleaner8.exe""
        - Loads dropped DLL
        PID: 2336

      [4] C:\Users\Admin\AppData\Roaming\Cleaner8.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Cleaner8.exe"
          - Executes dropped EXE
          - Enumerates system info in registry
          - Modifies Internet Explorer settings
          - Suspicious use of AdjustPrivilegeToken
          PID: 1132

        [5] C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 1132 -s 308
            - Loads dropped DLL
            PID: 1896

    [3] C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
        - Executes dropped EXE
        PID: 2092
      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\896B.tmp\896C.tmp\896D.bat C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
          PID: 1784

        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c bcdedit
            PID: 1312

          [6] C:\Windows\system32\bcdedit.exe
              Command line: bcdedit
              PID: 1728

        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c wevtutil.exe el
            PID: 760

          [6] C:\Windows\system32\wevtutil.exe
              Command line: wevtutil.exe el
              - Suspicious use of AdjustPrivilegeToken
              PID: 2180
        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Analytic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2832

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Application"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 1488

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "DebugChannel"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2872

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "DirectShowFilterGraph"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2948

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "DirectShowPluginControl"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2972

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Els_Hyphenation/Analytic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 984

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "EndpointMapper"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 880

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "ForwardedEvents"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2276

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "HardwareEvents"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 1520

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Internet Explorer"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 1652

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Key Management Service"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2996

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2632

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Media Center"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2328

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "MediaFoundationDeviceProxy"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2160

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "MediaFoundationPerformance"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 1008

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "MediaFoundationPipeline"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 1884

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "MediaFoundationPlatform"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 796

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-IE/Diagnostic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2620

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2556

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2568

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2520

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2172

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2808

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2524

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2612

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2728

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2392

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
            - Clears Windows event logs
            - Suspicious use of AdjustPrivilegeToken
            PID: 2944
        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
            - Clears Windows event logs
            PID: 2608

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
            - Clears Windows event logs
            PID: 2624

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
            - Clears Windows event logs
            PID: 2420

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
            - Clears Windows event logs
            PID: 2364

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
            - Clears Windows event logs
            PID: 2376

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
            - Clears Windows event logs
            PID: 2396

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
            - Clears Windows event logs
            PID: 2436

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
            - Clears Windows event logs
            PID: 2532

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
            - Clears Windows event logs
            PID: 2956

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
            - Clears Windows event logs
            PID: 2068

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
            - Clears Windows event logs
            PID: 2904

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
            - Clears Windows event logs
            PID: 1856

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
            - Clears Windows event logs
            PID: 1636

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
            - Clears Windows event logs
            PID: 2664

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
            - Clears Windows event logs
            PID: 2452

        [5] C:\Windows\system32\wevtutil.exe
            Command line: wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
            - Clears Windows event logs
            PID: 2760
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo N "
        PID: 2004

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe""
        - Loads dropped DLL
        PID: 3020

      [4] C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe
          Command line: "C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 844

        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul 2> nul
            PID: 2860

          [6] C:\Windows\system32\ipconfig.exe
              Command line: ipconfig /flushdns
              - Gathers network information
              PID: 2960

        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ipconfig /release > nul 2> nul
            PID: 1632

          [6] C:\Windows\system32\ipconfig.exe
              Command line: ipconfig /release
              - Gathers network information
              PID: 1536

        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ipconfig /renew > nul 2> nul
            PID: 2212

          [6] C:\Windows\system32\ipconfig.exe
              Command line: ipconfig /renew
              - Gathers network information
              PID: 2852

        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c .\reset_adapters.exe
            - Loads dropped DLL
            PID: 2280

          [6] C:\Users\Admin\AppData\Roaming\reset_adapters.exe
              Command line: .\reset_adapters.exe
              - Executes dropped EXE
              PID: 2268

        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c pause
            PID: 1532
    [3] C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /BS 28104u-BS31954
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 3000

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 2116

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /SS 228824u-SS12122
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 2548

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 2784

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /SV 93844u-SV28812
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 764

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 2104

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /SU AUTO
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 1452

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 2644

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /SK 54114u-SK11143
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 320

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 1356

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /BM 176824u-BM26301
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 1208

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 2000

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /BV 270144u-BV20926
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 2056

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 5
        - Runs ping.exe
        PID: 1996

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 2
        - Runs ping.exe
        PID: 536
    [3] C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BS 39794u-BS23099
        - Cerber
        - Executes dropped EXE
        PID: 1776

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 2
        - Runs ping.exe
        PID: 2792

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SS 306154u-SS18991
        - Cerber
        - Executes dropped EXE
        PID: 1724

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 2
        - Runs ping.exe
        PID: 1116

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SV 106414u-SV16473
        - Cerber
        - Executes dropped EXE
        PID: 1476

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 2
        - Runs ping.exe
        PID: 1696

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SU AUTO
        - Cerber
        - Executes dropped EXE
        PID: 1600

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 2
        - Runs ping.exe
        PID: 568

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SK 281404u-SK7521
        - Cerber
        - Executes dropped EXE
        PID: 1744

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 2
        - Runs ping.exe
        PID: 1488

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BM 319084u-BM4968
        - Cerber
        - Executes dropped EXE
        PID: 2616

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 2
        - Runs ping.exe
        PID: 2856

    [3] C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
        Command line: "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BV 310114u-BV13009
        - Cerber
        - Executes dropped EXE
        PID: 1536

    [3] C:\Windows\system32\PING.EXE
        Command line: PING localhost -n 3
        - Runs ping.exe
        PID: 2284
    C:\Windows\system32\taskkill.exe
    taskkill /f /im Cleaner1.exe
      - Kills process with taskkill
      PID: 1432
    C:\Windows\system32\taskkill.exe
    taskkill /f /im Cleaner8.exe
      - Kills process with taskkill
      PID: 1664
    C:\Windows\system32\taskkill.exe
    taskkill /f /im 1-RUNFIRST.exe
      - Kills process with taskkill
      PID: 1704
    C:\Windows\system32\PING.EXE
    PING localhost -n 2
      - Runs ping.exe
      PID: 844
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
      PID: 2996
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe""
      - Loads dropped DLL
      PID: 2636
      C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe
      "C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe"
        - Executes dropped EXE
        PID: 2576
        C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c Msg * /TIME:100 EXPIRED or NOT AUTHORIZED ON THIS PC - 2 (if you paid for this you got scammed)..
          PID: 1540
          C:\Windows\system32\msg.exe
          Msg * /TIME:100 EXPIRED or NOT AUTHORIZED ON THIS PC - 2 (if you paid for this you got scammed)..
            PID: 1256
        C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2576 -s 88
          - Loads dropped DLL
          PID: 2556
    C:\Windows\system32\PING.EXE
    PING localhost -n 4
      - Runs ping.exe
      PID: 2160
    C:\Windows\system32\PING.EXE
    PING localhost -n 3
      - Runs ping.exe
      PID: 2808
    C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe
    "C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe"
      - Executes dropped EXE
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID: 2400
      C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\57D.tmp\57E.tmp\57F.bat "C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe""
        - Loads dropped DLL
        PID: 2536
        C:\Users\Admin\AppData\Roaming\devcon.exe
        devcon rescan
          - Executes dropped EXE
          PID: 1012
    C:\Windows\system32\PING.EXE
    PING localhost -n 1
      - Runs ping.exe
      PID: 2728
    C:\Windows\system32\PING.EXE
    PING localhost -n 1
      - Runs ping.exe
      PID: 2096
    C:\Windows\system32\PING.EXE
    PING localhost -n 6
      - Runs ping.exe
      PID: 2380
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
      PID: 2344
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "PCI\VEN*" /use_wildcard"""
      - Loads dropped DLL
      PID: 872
      C:\Users\Admin\AppData\Roaming\DevManView.exe
      ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "PCI\VEN*" /use_wildcard""
        - Executes dropped EXE
        PID: 2888
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
      PID: 2956
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard"""
      PID: 2088
      C:\Users\Admin\AppData\Roaming\DevManView.exe
      ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
        PID: 2904
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
      PID: 2896
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "Realtek*" /use_wildcard"""
      PID: 2660
      C:\Users\Admin\AppData\Roaming\DevManView.exe
      ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "Realtek*" /use_wildcard""
        PID: 2696
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
      PID: 2540
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "SWD\MS*" /use_wildcard"""
      PID: 1564
      C:\Users\Admin\AppData\Roaming\DevManView.exe
      ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "SWD\MS*" /use_wildcard""
        PID: 1184
    C:\Windows\system32\PING.EXE
    PING localhost -n 10
      - Runs ping.exe
      PID: 2988
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
  PID: 2796
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
  PID: 2548
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\3F32.tmp\3F33.tmp\3F34.bat
Filesize: 39B
MD5: a9832ef693180ebedb5b6ed08f0b3227
SHA1: b4ebcabbafcb1dcd113cbb7f996c3ea6443ce2b2
SHA256: 9f32b3a95a985d2022d6926411a54c8f2518da0d92ac4bb213f723eb7dd09567
SHA512: fb227ed1d0fc39c28981b2c8c3a7f6bdd74e19aabdb4a8209f7e1b5de16bea554a0f6e8580109097a5894b305c2d23fb3d68f65d009c28696fe1d6ee7ae8345b

C:\Users\Admin\AppData\Local\Temp\57D.tmp\57E.tmp\57F.bat
Filesize: 24B
MD5: adf8254c3e44ca2685b52366457fc6c9
SHA1: eaeef81e015e18c274ae5debfa7c511b6d871442
SHA256: eb955b96ff2dabe61d2eb8272ba5e0a30b09364a6b15832a80da7daacb8b0c4f
SHA512: 2eff22c775d6cdb21ed17ece2468e5f98c9d04e323a7f39f85552629fdd2e4addc728b2866324749f1b6a565b7cf90c98b2b403a8a6af11197270d5e1fad94a9

C:\Users\Admin\AppData\Local\Temp\7935.tmp\7936.tmp\7947.bat
Filesize: 845B
MD5: 54d18c0e0a34808017e53029d7875c09
SHA1: bca96014c545bd02f964cc3dd368b5c6ce9f2963
SHA256: 6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae
SHA512: 95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

C:\Users\Admin\AppData\Local\Temp\896B.tmp\896C.tmp\896D.bat
Filesize: 679B
MD5: 064bb52705e97caeee4dcbb5c72c1413
SHA1: 13107d14185397ad662c08dda51a0ebe7583fbe8
SHA256: a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26
SHA512: af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe
Filesize: 43KB
MD5: 6fbe881f1d6480e2e15d3ebe0f493d2d
SHA1: f698079150df242e156223f1b3e46f449bc01415
SHA256: 49b84540d5b4b8d2344c25edb042e216592dd1dc78a5c00f2ad9457442c4581c
SHA512: 2084a64ab503e214854e02dcb1ed8bff7cab40dad64cb624326d42a087f343a74b7470956c681268725e0ec2f8ab13182c814356d6d6d066a2b0c6da290d16ef

C:\Users\Admin\AppData\Roaming\3combined.bat
Filesize: 13KB
MD5: 790f1b1425f17c7dc0712486361de838
SHA1: d0056beff646d466a34346ef5c889bfec5cf0986
SHA256: 7f01e60396f3dd00c16226f74ab87cd0638368b83c455b04d032f4cba436656a
SHA512: 12b1faa363910ed861b831ab4209b93491d78e19ca630650425ed28856435119a1220e675e1971f237139c9140fdf6f70cf6a3ba9083bf2674c0f82fb3df3d4a
C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
Filesize: 148KB
MD5: 182ec3a59bd847fb1bc3e12a41d48fa6
SHA1: 2f548bceb819d3843827c1e218af6708db447d4b
SHA256: 948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa
SHA512: 91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
Filesize: 219KB
MD5: 9353ed7c3ba8e2417ce2664ae7afac16
SHA1: 05699a2a2792795db1d8f59273172ad80bdc8b06
SHA256: 069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628
SHA512: cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262

C:\Users\Admin\AppData\Roaming\Cleaner8.exe
Filesize: 156KB
MD5: 3546548be0b0940c52ec881d48404818
SHA1: 0ded613db5266ffaeac2194bcdd86cec9559ee1c
SHA256: dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a
SHA512: 79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838

C:\Users\Admin\AppData\Roaming\DevManView.cfg
Filesize: 1KB
MD5: c397462965258ee0bbe4742f83d7c977
SHA1: 7a12c6504184c38b9e8096357f651a04c170b59c
SHA256: 59f1e9118a106e15b2c151080e4167c4c1dc5fd33d2443ca160511ac7d9b781e
SHA512: 9ccff5046bfc41e50707d36d0a9f0654f6ef86525a26656d6bc9f5759455a2b328525f4b79ed6102d5e3cf3300027264830067c6b22891a92ccfc7fc33bc9ce2

C:\Users\Admin\AppData\Roaming\UCORESYS.sys
Filesize: 15KB
MD5: 9555d36fb21b993e5c4b98c2fc2b3671
SHA1: 210a98be7da32cea98618c5a9640c23ce518c0ee
SHA256: fd6f56189cd723b32fc06392867fcd5128e63d8b5801e4f7a83523f820531981
SHA512: 3ec96ba6fca7a4aa45becfef84b23b12c305f34045ac1a15b22745289e33b9326103e853bad698434df772a76515e7e8109fa8724d65f0351ee380c16d888c60

C:\Users\Admin\AppData\Roaming\UCOREW64.sys
Filesize: 14KB
MD5: a17c58c0582ee560c72f60764ed63224
SHA1: bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825
SHA256: a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200
SHA512: a820a3280da690980a9297fe1e62356eba1983356c579d1c7ea8d6f64bc710b11b0a659c5d6b011690863065541f5627c4e3bc13c02087493de7e63d60981063

C:\Users\Admin\AppData\Roaming\amifldrv64.sys
Filesize: 29KB
MD5: f22740ba54a400fd2be7690bb204aa08
SHA1: 5812387783d61c6ab5702213bb968590a18065e3
SHA256: 65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512: ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500
C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
Filesize: 103KB
MD5: 59a7ce7a4d30e28e6bc356263693eb98
SHA1: a6ace03c0f719ce2e4f9839d0917778a5e798340
SHA256: baa7fb9cd0b15a926d8a34bc070c6cee839eb6bd2a7d4f133eed6b64a5607d8d
SHA512: 8e6dac42e51945fc4bf8ab52a6642a548d7493796eda396ebd6dbe5e986f0ee46ae0e9f9d9fd714b020fda0c24f0265436278be62c1488097a777076a5e1c0c2

C:\Users\Admin\AppData\Roaming\ddc.exe
Filesize: 316KB
MD5: d38a6b420781dfee4c2f32b8d04c9072
SHA1: ebf54301ffc5d594af66e603163999b989b1d53c
SHA256: bcd9729442c248d794a6e227a1530a26e5a08ff9345b92aec8bcebd00cce31f6
SHA512: 2128fa73033e8eea245b89c42229609f2c196a903188f7a3eb4eb856f16c8602d0f3ae6753199a0b99026d251923ae124f5054c4adf426605f9dd8476619e241

C:\Users\Admin\AppData\Roaming\ddc.exe
Filesize: 377KB
MD5: 97b963fd85ff4cc2a3b0da8164593cfc
SHA1: f29b0ba7cc01182f83845088375c2c18fd49f187
SHA256: af219747072341760396d686f2fe7350ec2dce713f1ec1977c21f8be7b9197d5
SHA512: 232bcfb83387ed125f3c3a065031e36e3f7c494118aa2fa33c64fd3d81066531ad9de09c5358f5b0a24024b0a223a2fc4a5646e9b475853904b24729df808fae

C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe
Filesize: 267KB
MD5: 565825f715521b9dcccab692f1191414
SHA1: ff3eb2f1fffbd9e82132a893166b05b1db64064d
SHA256: 0354388341d5f97f0ab8ed5bbef1d0ff14a233770619dd33b09cfa5f52bffe85
SHA512: 888aac72349aa265d397e132e53fffcbb4632c975c8b5bb896d8a4b1ebf4e2d09bdf1b3df12407c273e0e2023bc7950ad5b49ceb27592f9c0c325214af8dd033

C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe
Filesize: 88KB
MD5: d144852c9d62d6e8d2e3ed532c853aac
SHA1: ea52d984ff2be5fa377a21b0af425f778e60fa77
SHA256: 996d44d2331f60e8c158662200fcd1f5cfc60076503e940ce9db98e0e92adfe6
SHA512: af68d189a4480c5c54e256f6e39ef5fb9e35fa78dee4163d0805a6d406183f50cef725ed7bc677c46f8030523353a16e71aa90a388a1235a2b0dc86352cd9af7

C:\Users\Admin\AppData\Roaming\reset_adapters.exe
Filesize: 335KB
MD5: bd624e99155ffa5868f39c73a1513cee
SHA1: 0a6c46d21faefaf29c992193e5dac6b4b4a58719
SHA256: 4f67490d6a7d952599180f26d167b74c70d4f840d36e73bb8ec7ffb29b6a6df8
SHA512: 46471f61f44f97d63993349ed005b26d0a415b4082c1a48321aba18e58d3e10415f24d18ece3016cf65967a29ca85b8d935f70e06fd5ef96cb046d7074d9368c

\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
Filesize: 451KB
MD5: f17ecf761e70feb98c7f628857eedfe7
SHA1: b2c1263c641bdaee8266a05a0afbb455e29e240d
SHA256: 311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf
SHA512: e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084
\Users\Admin\AppData\Roaming\DevManView.exe
Filesize: 162KB
MD5: 33d7a84f8ef67fd005f37142232ae97e
SHA1: 1f560717d8038221c9b161716affb7cd6b14056e
SHA256: a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512: c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
Filesize: 219KB
MD5: 303dbf6d5ce6b658919091240d5a4a80
SHA1: d45946e1d3c4d973042e0c1bdd88fbc1774f1385
SHA256: 70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18
SHA512: 666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408

\Users\Admin\AppData\Roaming\devcon.exe
Filesize: 80KB
MD5: d153a0bc6f0476457b56fc38795dea01
SHA1: eb3c25afab996b84c52619c6f676d0663c241e01
SHA256: df048df347a738b6addec6f3fd65c73e371d0e11e2dc02f88f8ef307b964e1b7
SHA512: 6322d98b356cfa9a4bc8559959de01cdd4d9c038a9d0d506d2211d9e329c6b938f5bccb5459217a4c471cf200287bdbf7068393ce6f69b37a103e5ae6e758414

memory/732-110-0x0000000000400000-0x0000000000469000-memory.dmp
Filesize: 420KB

memory/812-105-0x00000000009A0000-0x00000000009C0000-memory.dmp
Filesize: 128KB

memory/812-131-0x0000000074370000-0x0000000074A5E000-memory.dmp
Filesize: 6.9MB

memory/812-126-0x0000000074370000-0x0000000074A5E000-memory.dmp
Filesize: 6.9MB

memory/812-106-0x0000000074370000-0x0000000074A5E000-memory.dmp
Filesize: 6.9MB