cerber | 628a2b6ad14cb09e3432f369c7ac3f2d341c5c518bfb9af16ee77e1d62601deb

Analysis

max time kernel
65s
max time network
21s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1buttonBETA10-22b.exe
Size

31.9MB
MD5

a48537d35ede9fe4d15b0818870c6ff2
SHA1

e760863c4db17e55e72ba507ebb22a5b9396c304
SHA256

628a2b6ad14cb09e3432f369c7ac3f2d341c5c518bfb9af16ee77e1d62601deb
SHA512

c6556320d20a051cbfe08febbdf80ff3168b4a7654ce1d77bada1329d499497462cef1d978abfa95d064dac49eb14dc7e914d0b9391aec6546991d499f3aaf97
SSDEEP

786432:LCnT9Z2zDfgQwtKa41MOYS0ndZNEMans/GtxeUVMGHKc6j:YLSMQwwa41ro9EManrtxTMx

Score

10^/10

cerber evasion ransomware

Malware Config

Signatures

Cerber 12 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

taskkill.exetaskkill.exetaskkill.exeAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEtaskkill.exetaskkill.exeAMIDEWINx64.EXEAMIDEWINx64.EXE

pid	process
1620	taskkill.exe
1584	taskkill.exe
1484	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
1512	taskkill.exe
2776	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE

Clears Windows event logs 1 TTPs 44 IoCs

evasion ransomware

Indicator Removal

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
1856	wevtutil.exe
2948	wevtutil.exe
2996	wevtutil.exe
2612	wevtutil.exe
2364	wevtutil.exe
1652	wevtutil.exe
2068	wevtutil.exe
1488	wevtutil.exe
2276	wevtutil.exe
2808	wevtutil.exe
1636	wevtutil.exe
2664	wevtutil.exe
1520	wevtutil.exe
2620	wevtutil.exe
2420	wevtutil.exe
984	wevtutil.exe
2872	wevtutil.exe
2832	wevtutil.exe
1008	wevtutil.exe
2328	wevtutil.exe
2520	wevtutil.exe
2624	wevtutil.exe
2452	wevtutil.exe
2944	wevtutil.exe
2608	wevtutil.exe
2956	wevtutil.exe
2904	wevtutil.exe
880	wevtutil.exe
2532	wevtutil.exe
2760	wevtutil.exe
2972	wevtutil.exe
2172	wevtutil.exe
2392	wevtutil.exe
2436	wevtutil.exe
2396	wevtutil.exe
2568	wevtutil.exe
2524	wevtutil.exe
2376	wevtutil.exe
2556	wevtutil.exe
2632	wevtutil.exe
2160	wevtutil.exe
1884	wevtutil.exe
796	wevtutil.exe
2728	wevtutil.exe

Nirsoft 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\DevManView.exe	Nirsoft

Drops file in Drivers directory 8 IoCs

Processes:

AMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	AMIDEWIN.EXE
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	AMIDEWIN.EXE
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	AMIDEWIN.EXE
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	AMIDEWIN.EXE
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	AMIDEWIN.EXE
File created	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	AMIDEWIN.EXE
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	AMIDEWIN.EXE
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	AMIDEWIN.EXE

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 25 IoCs

Processes:

FIXusrTEMPv6.exeddc.execleanerOLD1.exeCleaner8.exeAdvancedEventCleaner.exe1-RUNFIRST.exeAMIDEWIN.EXEreset_adapters.exeAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEmoreCLEANhardware.exereset2-Hardware Rescan after Adapter reset.exedevcon.exeDevManView.exe

pid	process
2936	FIXusrTEMPv6.exe
732	ddc.exe
812	cleanerOLD1.exe
1132	Cleaner8.exe
2092	AdvancedEventCleaner.exe
844	1-RUNFIRST.exe
3000	AMIDEWIN.EXE
2268	reset_adapters.exe
2548	AMIDEWIN.EXE
764	AMIDEWIN.EXE
1452	AMIDEWIN.EXE
320	AMIDEWIN.EXE
1208	AMIDEWIN.EXE
2056	AMIDEWIN.EXE
1776	AMIDEWINx64.EXE
1724	AMIDEWINx64.EXE
1476	AMIDEWINx64.EXE
1600	AMIDEWINx64.EXE
1744	AMIDEWINx64.EXE
2616	AMIDEWINx64.EXE
1536	AMIDEWINx64.EXE
2576	moreCLEANhardware.exe
2400	reset2-Hardware Rescan after Adapter reset.exe
1012	devcon.exe
2888	DevManView.exe

Loads dropped DLL 17 IoCs

Processes:

cmd.execmd.execmd.execmd.exeWerFault.execmd.exeWerFault.execmd.execmd.exe

pid	process
2744	cmd.exe
2336	cmd.exe
2744	cmd.exe
3020	cmd.exe
2280	cmd.exe
1896	WerFault.exe
1896	WerFault.exe
1896	WerFault.exe
2744	cmd.exe
2636	cmd.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2536	cmd.exe
2536	cmd.exe
872	cmd.exe

Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ddc.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName ddc.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

496 sc.exe
768 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ddc.exe

pid	process
496	sc.exe
768	sc.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cleaner8.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "033bffbe-52d25dfb-a"	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

1536 ipconfig.exe
2852 ipconfig.exe
2960 ipconfig.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1432 taskkill.exe
1620 taskkill.exe
1584 taskkill.exe
1512 taskkill.exe
1484 taskkill.exe
2776 taskkill.exe
1664 taskkill.exe
1704 taskkill.exe

pid	process
1536	ipconfig.exe
2852	ipconfig.exe
2960	ipconfig.exe

pid	process
1432	taskkill.exe
1620	taskkill.exe
1584	taskkill.exe
1512	taskkill.exe
1484	taskkill.exe
2776	taskkill.exe
1664	taskkill.exe
1704	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Cleaner8.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 4a33a2853a3275d8	Cleaner8.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2880 reg.exe
1448 reg.exe

pid	process
2880	reg.exe
1448	reg.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2644	PING.EXE
2096	PING.EXE
2404	PING.EXE
1668	PING.EXE
2792	PING.EXE
844	PING.EXE
2808	PING.EXE
536	PING.EXE
1488	PING.EXE
2988	PING.EXE
2104	PING.EXE
568	PING.EXE
2216	PING.EXE
2188	PING.EXE
988	PING.EXE
1116	PING.EXE
1696	PING.EXE
2020	PING.EXE
2784	PING.EXE
1356	PING.EXE
2380	PING.EXE
2856	PING.EXE
2284	PING.EXE
2728	PING.EXE
2116	PING.EXE
2000	PING.EXE
1996	PING.EXE
2160	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

Processes:

ddc.execleanerOLD1.exeAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEAMIDEWIN.EXEreset2-Hardware Rescan after Adapter reset.exe

pid	process
732	ddc.exe
812	cleanerOLD1.exe
3000	AMIDEWIN.EXE
2548	AMIDEWIN.EXE
764	AMIDEWIN.EXE
1452	AMIDEWIN.EXE
320	AMIDEWIN.EXE
1208	AMIDEWIN.EXE
2056	AMIDEWIN.EXE
2400	reset2-Hardware Rescan after Adapter reset.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1-RUNFIRST.execleanerOLD1.exe

pid process

844 1-RUNFIRST.exe
812 cleanerOLD1.exe
812 cleanerOLD1.exe
Suspicious behavior: LoadsDriver 21 IoCs

Processes:

pid process

476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

pid	process
844	1-RUNFIRST.exe
812	cleanerOLD1.exe
812	cleanerOLD1.exe

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeCleaner8.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeTakeOwnershipPrivilege	1132	Cleaner8.exe
Token: SeSecurityPrivilege	2180	wevtutil.exe
Token: SeBackupPrivilege	2180	wevtutil.exe
Token: SeSecurityPrivilege	2832	wevtutil.exe
Token: SeBackupPrivilege	2832	wevtutil.exe
Token: SeSecurityPrivilege	1488	wevtutil.exe
Token: SeBackupPrivilege	1488	wevtutil.exe
Token: SeSecurityPrivilege	2872	wevtutil.exe
Token: SeBackupPrivilege	2872	wevtutil.exe
Token: SeSecurityPrivilege	2948	wevtutil.exe
Token: SeBackupPrivilege	2948	wevtutil.exe
Token: SeSecurityPrivilege	2972	wevtutil.exe
Token: SeBackupPrivilege	2972	wevtutil.exe
Token: SeSecurityPrivilege	984	wevtutil.exe
Token: SeBackupPrivilege	984	wevtutil.exe
Token: SeSecurityPrivilege	880	wevtutil.exe
Token: SeBackupPrivilege	880	wevtutil.exe
Token: SeSecurityPrivilege	2276	wevtutil.exe
Token: SeBackupPrivilege	2276	wevtutil.exe
Token: SeSecurityPrivilege	1520	wevtutil.exe
Token: SeBackupPrivilege	1520	wevtutil.exe
Token: SeSecurityPrivilege	1652	wevtutil.exe
Token: SeBackupPrivilege	1652	wevtutil.exe
Token: SeSecurityPrivilege	2996	wevtutil.exe
Token: SeBackupPrivilege	2996	wevtutil.exe
Token: SeSecurityPrivilege	2632	wevtutil.exe
Token: SeBackupPrivilege	2632	wevtutil.exe
Token: SeSecurityPrivilege	2328	wevtutil.exe
Token: SeBackupPrivilege	2328	wevtutil.exe
Token: SeSecurityPrivilege	2160	wevtutil.exe
Token: SeBackupPrivilege	2160	wevtutil.exe
Token: SeSecurityPrivilege	1008	wevtutil.exe
Token: SeBackupPrivilege	1008	wevtutil.exe
Token: SeSecurityPrivilege	1884	wevtutil.exe
Token: SeBackupPrivilege	1884	wevtutil.exe
Token: SeSecurityPrivilege	796	wevtutil.exe
Token: SeBackupPrivilege	796	wevtutil.exe
Token: SeSecurityPrivilege	2620	wevtutil.exe
Token: SeBackupPrivilege	2620	wevtutil.exe
Token: SeSecurityPrivilege	2556	wevtutil.exe
Token: SeBackupPrivilege	2556	wevtutil.exe
Token: SeSecurityPrivilege	2568	wevtutil.exe
Token: SeBackupPrivilege	2568	wevtutil.exe
Token: SeSecurityPrivilege	2520	wevtutil.exe
Token: SeBackupPrivilege	2520	wevtutil.exe
Token: SeSecurityPrivilege	2172	wevtutil.exe
Token: SeBackupPrivilege	2172	wevtutil.exe
Token: SeSecurityPrivilege	2808	wevtutil.exe
Token: SeBackupPrivilege	2808	wevtutil.exe
Token: SeSecurityPrivilege	2524	wevtutil.exe
Token: SeBackupPrivilege	2524	wevtutil.exe
Token: SeSecurityPrivilege	2612	wevtutil.exe
Token: SeBackupPrivilege	2612	wevtutil.exe
Token: SeSecurityPrivilege	2728	wevtutil.exe
Token: SeBackupPrivilege	2728	wevtutil.exe
Token: SeSecurityPrivilege	2392	wevtutil.exe
Token: SeBackupPrivilege	2392	wevtutil.exe
Token: SeSecurityPrivilege	2944	wevtutil.exe
Token: SeBackupPrivilege	2944	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1buttonBETA10-22b.execmd.exeFIXusrTEMPv6.execmd.exe

description	pid	process	target process
PID 2256 wrote to memory of 2744	2256	1buttonBETA10-22b.exe	cmd.exe
PID 2256 wrote to memory of 2744	2256	1buttonBETA10-22b.exe	cmd.exe
PID 2256 wrote to memory of 2744	2256	1buttonBETA10-22b.exe	cmd.exe
PID 2744 wrote to memory of 2776	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 2776	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 2776	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1484	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1484	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1484	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1620	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1620	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1620	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1584	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1584	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1584	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1512	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1512	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 1512	2744	cmd.exe	taskkill.exe
PID 2744 wrote to memory of 768	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 768	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 768	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 496	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 496	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 496	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 2668	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2668	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2668	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1472	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1472	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1472	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1852	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1852	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1852	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1420	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1420	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1420	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1356	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1356	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1356	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1436	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1436	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1436	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2880	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2880	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2880	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1448	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1448	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1448	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1340	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1340	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1340	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1264	2744	cmd.exe	ARP.EXE
PID 2744 wrote to memory of 1264	2744	cmd.exe	ARP.EXE
PID 2744 wrote to memory of 1264	2744	cmd.exe	ARP.EXE
PID 2744 wrote to memory of 2936	2744	cmd.exe	FIXusrTEMPv6.exe
PID 2744 wrote to memory of 2936	2744	cmd.exe	FIXusrTEMPv6.exe
PID 2744 wrote to memory of 2936	2744	cmd.exe	FIXusrTEMPv6.exe
PID 2744 wrote to memory of 2404	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 2404	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 2404	2744	cmd.exe	PING.EXE
PID 2936 wrote to memory of 2940	2936	FIXusrTEMPv6.exe	cmd.exe
PID 2936 wrote to memory of 2940	2936	FIXusrTEMPv6.exe	cmd.exe
PID 2936 wrote to memory of 2940	2936	FIXusrTEMPv6.exe	cmd.exe
PID 2940 wrote to memory of 2020	2940	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe
"C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F32.tmp\3F33.tmp\3F34.bat C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService_x64.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\sc.exe
sc stop BEService
3⤵
- Launches sc.exe
PID:768

C:\Windows\system32\sc.exe
sc stop EasyAntiCheat
3⤵
- Launches sc.exe
PID:496

C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
3⤵
PID:2668

C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
3⤵
PID:1472

C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
3⤵
PID:1852

C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
3⤵
PID:1420

C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
3⤵
PID:1356

C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
3⤵
PID:1436

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 659 /f
3⤵
- Modifies registry key
PID:2880

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 9720 /f
3⤵
- Modifies registry key
PID:1448

C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
3⤵
PID:1340

C:\Windows\system32\ARP.EXE
arp -d
3⤵
PID:1264

C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
"C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7935.tmp\7936.tmp\7947.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\PING.EXE
ping /n 1 localhost
5⤵
- Runs ping.exe
PID:2020

C:\Windows\system32\PING.EXE
ping /n 1 localhost
5⤵
- Runs ping.exe
PID:2188

C:\Windows\system32\PING.EXE
ping /n 1 localhost
5⤵
- Runs ping.exe
PID:1668

C:\Windows\system32\PING.EXE
ping /n 2 localhost
5⤵
- Runs ping.exe
PID:2216

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:2404

C:\Users\Admin\AppData\Roaming\ddc.exe
C:\Users\Admin\AppData\Roaming\ddc.exe b /target:c:\DriverBackup4u
3⤵
- Executes dropped EXE
- Checks system information in the registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:732

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
3⤵
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe""
3⤵
PID:2792

C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
"C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
3⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\Cleaner8.exe""
3⤵
- Loads dropped DLL
PID:2336

C:\Users\Admin\AppData\Roaming\Cleaner8.exe
"C:\Users\Admin\AppData\Roaming\Cleaner8.exe"
4⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1132 -s 308
5⤵
- Loads dropped DLL
PID:1896

C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
"C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
3⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\896B.tmp\896C.tmp\896D.bat C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
4⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit
5⤵
PID:1312

C:\Windows\system32\bcdedit.exe
bcdedit
6⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
5⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
5⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
5⤵
- Clears Windows event logs
PID:2608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
5⤵
- Clears Windows event logs
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
5⤵
- Clears Windows event logs
PID:2420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
5⤵
- Clears Windows event logs
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
5⤵
- Clears Windows event logs
PID:2376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
5⤵
- Clears Windows event logs
PID:2396

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
5⤵
- Clears Windows event logs
PID:2436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
5⤵
- Clears Windows event logs
PID:2532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
5⤵
- Clears Windows event logs
PID:2956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
5⤵
- Clears Windows event logs
PID:2068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
5⤵
- Clears Windows event logs
PID:2904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
5⤵
- Clears Windows event logs
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
5⤵
- Clears Windows event logs
PID:1636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
5⤵
- Clears Windows event logs
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
5⤵
- Clears Windows event logs
PID:2452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
5⤵
- Clears Windows event logs
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo N "
3⤵
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe""
3⤵
- Loads dropped DLL
PID:3020

C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe
"C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul 2> nul
5⤵
PID:2860

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
6⤵
- Gathers network information
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /release > nul 2> nul
5⤵
PID:1632

C:\Windows\system32\ipconfig.exe
ipconfig /release
6⤵
- Gathers network information
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /renew > nul 2> nul
5⤵
PID:2212

C:\Windows\system32\ipconfig.exe
ipconfig /renew
6⤵
- Gathers network information
PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c .\reset_adapters.exe
5⤵
- Loads dropped DLL
PID:2280

C:\Users\Admin\AppData\Roaming\reset_adapters.exe
.\reset_adapters.exe
6⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
5⤵
PID:1532

C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /BS 28104u-BS31954
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3000

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:2116

C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /SS 228824u-SS12122
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2548

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:2784

C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /SV 93844u-SV28812
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:764

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:2104

C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /SU AUTO
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1452

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:2644

C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /SK 54114u-SK11143
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:320

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:1356

C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /BM 176824u-BM26301
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1208

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:2000

C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE" /BV 270144u-BV20926
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2056

C:\Windows\system32\PING.EXE
PING localhost -n 5
3⤵
- Runs ping.exe
PID:1996

C:\Windows\system32\PING.EXE
PING localhost -n 2
3⤵
- Runs ping.exe
PID:536

C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BS 39794u-BS23099
3⤵
- Cerber
- Executes dropped EXE
PID:1776

C:\Windows\system32\PING.EXE
PING localhost -n 2
3⤵
- Runs ping.exe
PID:2792

C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SS 306154u-SS18991
3⤵
- Cerber
- Executes dropped EXE
PID:1724

C:\Windows\system32\PING.EXE
PING localhost -n 2
3⤵
- Runs ping.exe
PID:1116

C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SV 106414u-SV16473
3⤵
- Cerber
- Executes dropped EXE
PID:1476

C:\Windows\system32\PING.EXE
PING localhost -n 2
3⤵
- Runs ping.exe
PID:1696

C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SU AUTO
3⤵
- Cerber
- Executes dropped EXE
PID:1600

C:\Windows\system32\PING.EXE
PING localhost -n 2
3⤵
- Runs ping.exe
PID:568

C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SK 281404u-SK7521
3⤵
- Cerber
- Executes dropped EXE
PID:1744

C:\Windows\system32\PING.EXE
PING localhost -n 2
3⤵
- Runs ping.exe
PID:1488

C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BM 319084u-BM4968
3⤵
- Cerber
- Executes dropped EXE
PID:2616

C:\Windows\system32\PING.EXE
PING localhost -n 2
3⤵
- Runs ping.exe
PID:2856

C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
"C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BV 310114u-BV13009
3⤵
- Cerber
- Executes dropped EXE
PID:1536

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:2284

C:\Windows\system32\taskkill.exe
taskkill /f /im Cleaner1.exe
3⤵
- Kills process with taskkill
PID:1432

C:\Windows\system32\taskkill.exe
taskkill /f /im Cleaner8.exe
3⤵
- Kills process with taskkill
PID:1664

C:\Windows\system32\taskkill.exe
taskkill /f /im 1-RUNFIRST.exe
3⤵
- Kills process with taskkill
PID:1704

C:\Windows\system32\PING.EXE
PING localhost -n 2
3⤵
- Runs ping.exe
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
3⤵
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe""
3⤵
- Loads dropped DLL
PID:2636

C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe
"C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe"
4⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Msg * /TIME:100 EXPIRED or NOT AUTHORIZED ON THIS PC - 2 (if you paid for this you got scammed)..
5⤵
PID:1540

C:\Windows\system32\msg.exe
Msg * /TIME:100 EXPIRED or NOT AUTHORIZED ON THIS PC - 2 (if you paid for this you got scammed)..
6⤵
PID:1256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2576 -s 88
5⤵
- Loads dropped DLL
PID:2556

C:\Windows\system32\PING.EXE
PING localhost -n 4
3⤵
- Runs ping.exe
PID:2160

C:\Windows\system32\PING.EXE
PING localhost -n 3
3⤵
- Runs ping.exe
PID:2808

C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe
"C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2400

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\57D.tmp\57E.tmp\57F.bat "C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe""
4⤵
- Loads dropped DLL
PID:2536

C:\Users\Admin\AppData\Roaming\devcon.exe
devcon rescan
5⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\PING.EXE
PING localhost -n 1
3⤵
- Runs ping.exe
PID:2728

C:\Windows\system32\PING.EXE
PING localhost -n 1
3⤵
- Runs ping.exe
PID:2096

C:\Windows\system32\PING.EXE
PING localhost -n 6
3⤵
- Runs ping.exe
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
3⤵
PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "PCI\VEN*" /use_wildcard"""
3⤵
- Loads dropped DLL
PID:872

C:\Users\Admin\AppData\Roaming\DevManView.exe
""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "PCI\VEN*" /use_wildcard""
4⤵
- Executes dropped EXE
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
3⤵
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard"""
3⤵
PID:2088

C:\Users\Admin\AppData\Roaming\DevManView.exe
""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
4⤵
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
3⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "Realtek*" /use_wildcard"""
3⤵
PID:2660

C:\Users\Admin\AppData\Roaming\DevManView.exe
""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "Realtek*" /use_wildcard""
4⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y "
3⤵
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "SWD\MS*" /use_wildcard"""
3⤵
PID:1564

C:\Users\Admin\AppData\Roaming\DevManView.exe
""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "SWD\MS*" /use_wildcard""
4⤵
PID:1184

C:\Windows\system32\PING.EXE
PING localhost -n 10
3⤵
- Runs ping.exe
PID:2988

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2548

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3F32.tmp\3F33.tmp\3F34.bat
Filesize
39B

MD5
a9832ef693180ebedb5b6ed08f0b3227

SHA1
b4ebcabbafcb1dcd113cbb7f996c3ea6443ce2b2

SHA256
9f32b3a95a985d2022d6926411a54c8f2518da0d92ac4bb213f723eb7dd09567

SHA512
fb227ed1d0fc39c28981b2c8c3a7f6bdd74e19aabdb4a8209f7e1b5de16bea554a0f6e8580109097a5894b305c2d23fb3d68f65d009c28696fe1d6ee7ae8345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\57D.tmp\57E.tmp\57F.bat
Filesize
24B

MD5
adf8254c3e44ca2685b52366457fc6c9

SHA1
eaeef81e015e18c274ae5debfa7c511b6d871442

SHA256
eb955b96ff2dabe61d2eb8272ba5e0a30b09364a6b15832a80da7daacb8b0c4f

SHA512
2eff22c775d6cdb21ed17ece2468e5f98c9d04e323a7f39f85552629fdd2e4addc728b2866324749f1b6a565b7cf90c98b2b403a8a6af11197270d5e1fad94a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7935.tmp\7936.tmp\7947.bat
Filesize
845B

MD5
54d18c0e0a34808017e53029d7875c09

SHA1
bca96014c545bd02f964cc3dd368b5c6ce9f2963

SHA256
6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae

SHA512
95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\896B.tmp\896C.tmp\896D.bat
Filesize
679B

MD5
064bb52705e97caeee4dcbb5c72c1413

SHA1
13107d14185397ad662c08dda51a0ebe7583fbe8

SHA256
a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26

SHA512
af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Download Submit
C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe
Filesize
43KB

MD5
6fbe881f1d6480e2e15d3ebe0f493d2d

SHA1
f698079150df242e156223f1b3e46f449bc01415

SHA256
49b84540d5b4b8d2344c25edb042e216592dd1dc78a5c00f2ad9457442c4581c

SHA512
2084a64ab503e214854e02dcb1ed8bff7cab40dad64cb624326d42a087f343a74b7470956c681268725e0ec2f8ab13182c814356d6d6d066a2b0c6da290d16ef

Download Submit
C:\Users\Admin\AppData\Roaming\3combined.bat
Filesize
13KB

MD5
790f1b1425f17c7dc0712486361de838

SHA1
d0056beff646d466a34346ef5c889bfec5cf0986

SHA256
7f01e60396f3dd00c16226f74ab87cd0638368b83c455b04d032f4cba436656a

SHA512
12b1faa363910ed861b831ab4209b93491d78e19ca630650425ed28856435119a1220e675e1971f237139c9140fdf6f70cf6a3ba9083bf2674c0f82fb3df3d4a

Download Submit
C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE
Filesize
148KB

MD5
182ec3a59bd847fb1bc3e12a41d48fa6

SHA1
2f548bceb819d3843827c1e218af6708db447d4b

SHA256
948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa

SHA512
91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

Download Submit
C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
Filesize
219KB

MD5
9353ed7c3ba8e2417ce2664ae7afac16

SHA1
05699a2a2792795db1d8f59273172ad80bdc8b06

SHA256
069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628

SHA512
cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262

Download Submit
C:\Users\Admin\AppData\Roaming\Cleaner8.exe
Filesize
156KB

MD5
3546548be0b0940c52ec881d48404818

SHA1
0ded613db5266ffaeac2194bcdd86cec9559ee1c

SHA256
dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a

SHA512
79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838

Download Submit
C:\Users\Admin\AppData\Roaming\DevManView.cfg
Filesize
1KB

MD5
c397462965258ee0bbe4742f83d7c977

SHA1
7a12c6504184c38b9e8096357f651a04c170b59c

SHA256
59f1e9118a106e15b2c151080e4167c4c1dc5fd33d2443ca160511ac7d9b781e

SHA512
9ccff5046bfc41e50707d36d0a9f0654f6ef86525a26656d6bc9f5759455a2b328525f4b79ed6102d5e3cf3300027264830067c6b22891a92ccfc7fc33bc9ce2

Download Submit
C:\Users\Admin\AppData\Roaming\UCORESYS.sys
Filesize
15KB

MD5
9555d36fb21b993e5c4b98c2fc2b3671

SHA1
210a98be7da32cea98618c5a9640c23ce518c0ee

SHA256
fd6f56189cd723b32fc06392867fcd5128e63d8b5801e4f7a83523f820531981

SHA512
3ec96ba6fca7a4aa45becfef84b23b12c305f34045ac1a15b22745289e33b9326103e853bad698434df772a76515e7e8109fa8724d65f0351ee380c16d888c60

Download Submit
C:\Users\Admin\AppData\Roaming\UCOREW64.sys
Filesize
14KB

MD5
a17c58c0582ee560c72f60764ed63224

SHA1
bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825

SHA256
a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200

SHA512
a820a3280da690980a9297fe1e62356eba1983356c579d1c7ea8d6f64bc710b11b0a659c5d6b011690863065541f5627c4e3bc13c02087493de7e63d60981063

Download Submit
C:\Users\Admin\AppData\Roaming\amifldrv64.sys
Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
Filesize
103KB

MD5
59a7ce7a4d30e28e6bc356263693eb98

SHA1
a6ace03c0f719ce2e4f9839d0917778a5e798340

SHA256
baa7fb9cd0b15a926d8a34bc070c6cee839eb6bd2a7d4f133eed6b64a5607d8d

SHA512
8e6dac42e51945fc4bf8ab52a6642a548d7493796eda396ebd6dbe5e986f0ee46ae0e9f9d9fd714b020fda0c24f0265436278be62c1488097a777076a5e1c0c2

Download Submit
C:\Users\Admin\AppData\Roaming\ddc.exe
Filesize
316KB

MD5
d38a6b420781dfee4c2f32b8d04c9072

SHA1
ebf54301ffc5d594af66e603163999b989b1d53c

SHA256
bcd9729442c248d794a6e227a1530a26e5a08ff9345b92aec8bcebd00cce31f6

SHA512
2128fa73033e8eea245b89c42229609f2c196a903188f7a3eb4eb856f16c8602d0f3ae6753199a0b99026d251923ae124f5054c4adf426605f9dd8476619e241

Download Submit
C:\Users\Admin\AppData\Roaming\ddc.exe
Filesize
377KB

MD5
97b963fd85ff4cc2a3b0da8164593cfc

SHA1
f29b0ba7cc01182f83845088375c2c18fd49f187

SHA256
af219747072341760396d686f2fe7350ec2dce713f1ec1977c21f8be7b9197d5

SHA512
232bcfb83387ed125f3c3a065031e36e3f7c494118aa2fa33c64fd3d81066531ad9de09c5358f5b0a24024b0a223a2fc4a5646e9b475853904b24729df808fae

Download Submit
C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe
Filesize
267KB

MD5
565825f715521b9dcccab692f1191414

SHA1
ff3eb2f1fffbd9e82132a893166b05b1db64064d

SHA256
0354388341d5f97f0ab8ed5bbef1d0ff14a233770619dd33b09cfa5f52bffe85

SHA512
888aac72349aa265d397e132e53fffcbb4632c975c8b5bb896d8a4b1ebf4e2d09bdf1b3df12407c273e0e2023bc7950ad5b49ceb27592f9c0c325214af8dd033

Download Submit
C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe
Filesize
88KB

MD5
d144852c9d62d6e8d2e3ed532c853aac

SHA1
ea52d984ff2be5fa377a21b0af425f778e60fa77

SHA256
996d44d2331f60e8c158662200fcd1f5cfc60076503e940ce9db98e0e92adfe6

SHA512
af68d189a4480c5c54e256f6e39ef5fb9e35fa78dee4163d0805a6d406183f50cef725ed7bc677c46f8030523353a16e71aa90a388a1235a2b0dc86352cd9af7

Download Submit
C:\Users\Admin\AppData\Roaming\reset_adapters.exe
Filesize
335KB

MD5
bd624e99155ffa5868f39c73a1513cee

SHA1
0a6c46d21faefaf29c992193e5dac6b4b4a58719

SHA256
4f67490d6a7d952599180f26d167b74c70d4f840d36e73bb8ec7ffb29b6a6df8

SHA512
46471f61f44f97d63993349ed005b26d0a415b4082c1a48321aba18e58d3e10415f24d18ece3016cf65967a29ca85b8d935f70e06fd5ef96cb046d7074d9368c

Download Submit
\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
\Users\Admin\AppData\Roaming\DevManView.exe
Filesize
162KB

MD5
33d7a84f8ef67fd005f37142232ae97e

SHA1
1f560717d8038221c9b161716affb7cd6b14056e

SHA256
a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b

SHA512
c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

Download Submit
\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
Filesize
219KB

MD5
303dbf6d5ce6b658919091240d5a4a80

SHA1
d45946e1d3c4d973042e0c1bdd88fbc1774f1385

SHA256
70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18

SHA512
666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408

Download Submit
\Users\Admin\AppData\Roaming\devcon.exe
Filesize
80KB

MD5
d153a0bc6f0476457b56fc38795dea01

SHA1
eb3c25afab996b84c52619c6f676d0663c241e01

SHA256
df048df347a738b6addec6f3fd65c73e371d0e11e2dc02f88f8ef307b964e1b7

SHA512
6322d98b356cfa9a4bc8559959de01cdd4d9c038a9d0d506d2211d9e329c6b938f5bccb5459217a4c471cf200287bdbf7068393ce6f69b37a103e5ae6e758414

Download Submit
memory/732-110-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/812-105-0x00000000009A0000-0x00000000009C0000-memory.dmp

Filesize
128KB

Download
memory/812-131-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/812-126-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/812-106-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476