cerber | 11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c

Resubmissions

12-03-2024 04:20

240312-eyaceaab88 10

12-03-2024 03:53

240312-ef5etshf87 10

Analysis

max time kernel
715s
max time network
720s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 04:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

mw3reaper.rar
Size

13.2MB
MD5

c77fd8185dd3fe2ee5672a0531c4b3c7
SHA1

7e321783026506c06cd3c34dabdb2ec4f277d17b
SHA256

11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c
SHA512

b0c3696a406a34b5a1e7cf8413d416251959006162901a7934054f09f0b909e2e582ce215dd97b8f7170b47c5d054f95ea9109d1cbcff67c69844e89125dce7b
SSDEEP

393216:UN0mmXrXBwtGmoWtJVKSJgNn3TeGKLCM3v:UN8rXetGTWtJNJgNnDI/

Score

10^/10

cerber bootkit persistence ransomware

Malware Config

Signatures

Cerber 7 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.exe
		2940	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	OHT1k0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	pGml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	tXauTiJr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	tXauTiJr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	pGml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	tXauTiJr.exe

Executes dropped EXE 12 IoCs

pid	Process
3888	OHT1k0.exe
1608	pGml.exe
3284	tXauTiJr.exe
3476	AMIDEWINx64.exe
2120	AMIDEWINx64.exe
5084	tXauTiJr.exe
3700	AMIDEWINx64.exe
520	AMIDEWINx64.exe
2724	pGml.exe
3680	tXauTiJr.exe
4784	AMIDEWINx64.exe
2076	AMIDEWINx64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	OHT1k0.exe
File opened for modification	\??\PhysicalDrive0	pGml.exe
File opened for modification	\??\PhysicalDrive0	pGml.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3888	OHT1k0.exe
3888	OHT1k0.exe
1608	pGml.exe
1608	pGml.exe
2724	pGml.exe
2724	pGml.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 6 IoCs

evasion

pid	Process
2940	taskkill.exe
4872	taskkill.exe
2256	taskkill.exe
5080	taskkill.exe
4372	taskkill.exe
2564	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1284	NOTEPAD.EXE
4944	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3888	OHT1k0.exe
1608	pGml.exe
2724	pGml.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
3888	OHT1k0.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe
1608	pGml.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3020	7zFM.exe
3888	OHT1k0.exe
1608	pGml.exe
2724	pGml.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	3020	7zFM.exe
Token: 35	3020	7zFM.exe
Token: SeSecurityPrivilege	3020	7zFM.exe
Token: SeSecurityPrivilege	3020	7zFM.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3020	7zFM.exe
3020	7zFM.exe
3020	7zFM.exe
3888	OHT1k0.exe
1608	pGml.exe
2724	pGml.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3888	OHT1k0.exe
1608	pGml.exe
3284	tXauTiJr.exe
3476	AMIDEWINx64.exe
2120	AMIDEWINx64.exe
5084	tXauTiJr.exe
3700	AMIDEWINx64.exe
520	AMIDEWINx64.exe
2724	pGml.exe
3680	tXauTiJr.exe
4784	AMIDEWINx64.exe
2076	AMIDEWINx64.exe
4772	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3020	2244	cmd.exe	91
PID 2244 wrote to memory of 3020	2244	cmd.exe	91
PID 3888 wrote to memory of 1608	3888	OHT1k0.exe	123
PID 3888 wrote to memory of 1608	3888	OHT1k0.exe	123
PID 3284 wrote to memory of 1680	3284	tXauTiJr.exe	127
PID 3284 wrote to memory of 1680	3284	tXauTiJr.exe	127
PID 3284 wrote to memory of 1552	3284	tXauTiJr.exe	128
PID 3284 wrote to memory of 1552	3284	tXauTiJr.exe	128
PID 3284 wrote to memory of 4812	3284	tXauTiJr.exe	129
PID 3284 wrote to memory of 4812	3284	tXauTiJr.exe	129
PID 3284 wrote to memory of 3908	3284	tXauTiJr.exe	130
PID 3284 wrote to memory of 3908	3284	tXauTiJr.exe	130
PID 3284 wrote to memory of 4720	3284	tXauTiJr.exe	131
PID 3284 wrote to memory of 4720	3284	tXauTiJr.exe	131
PID 4720 wrote to memory of 2940	4720	cmd.exe	133
PID 4720 wrote to memory of 2940	4720	cmd.exe	133
PID 3284 wrote to memory of 4380	3284	tXauTiJr.exe	138
PID 3284 wrote to memory of 4380	3284	tXauTiJr.exe	138
PID 4380 wrote to memory of 3476	4380	cmd.exe	141
PID 4380 wrote to memory of 3476	4380	cmd.exe	141
PID 3284 wrote to memory of 3492	3284	tXauTiJr.exe	142
PID 3284 wrote to memory of 3492	3284	tXauTiJr.exe	142
PID 3492 wrote to memory of 2120	3492	cmd.exe	145
PID 3492 wrote to memory of 2120	3492	cmd.exe	145
PID 3284 wrote to memory of 948	3284	tXauTiJr.exe	148
PID 3284 wrote to memory of 948	3284	tXauTiJr.exe	148
PID 948 wrote to memory of 4872	948	cmd.exe	150
PID 948 wrote to memory of 4872	948	cmd.exe	150
PID 3284 wrote to memory of 1828	3284	tXauTiJr.exe	153
PID 3284 wrote to memory of 1828	3284	tXauTiJr.exe	153
PID 3284 wrote to memory of 5092	3284	tXauTiJr.exe	155
PID 3284 wrote to memory of 5092	3284	tXauTiJr.exe	155
PID 3284 wrote to memory of 4704	3284	tXauTiJr.exe	157
PID 3284 wrote to memory of 4704	3284	tXauTiJr.exe	157
PID 3284 wrote to memory of 3144	3284	tXauTiJr.exe	159
PID 3284 wrote to memory of 3144	3284	tXauTiJr.exe	159
PID 5084 wrote to memory of 1988	5084	tXauTiJr.exe	170
PID 5084 wrote to memory of 1988	5084	tXauTiJr.exe	170
PID 5084 wrote to memory of 644	5084	tXauTiJr.exe	171
PID 5084 wrote to memory of 644	5084	tXauTiJr.exe	171
PID 5084 wrote to memory of 736	5084	tXauTiJr.exe	172
PID 5084 wrote to memory of 736	5084	tXauTiJr.exe	172
PID 5084 wrote to memory of 3212	5084	tXauTiJr.exe	173
PID 5084 wrote to memory of 3212	5084	tXauTiJr.exe	173
PID 5084 wrote to memory of 1668	5084	tXauTiJr.exe	174
PID 5084 wrote to memory of 1668	5084	tXauTiJr.exe	174
PID 1668 wrote to memory of 2256	1668	cmd.exe	176
PID 1668 wrote to memory of 2256	1668	cmd.exe	176
PID 5084 wrote to memory of 4380	5084	tXauTiJr.exe	177
PID 5084 wrote to memory of 4380	5084	tXauTiJr.exe	177
PID 4380 wrote to memory of 3700	4380	cmd.exe	179
PID 4380 wrote to memory of 3700	4380	cmd.exe	179
PID 5084 wrote to memory of 3320	5084	tXauTiJr.exe	180
PID 5084 wrote to memory of 3320	5084	tXauTiJr.exe	180
PID 3320 wrote to memory of 520	3320	cmd.exe	182
PID 3320 wrote to memory of 520	3320	cmd.exe	182
PID 5084 wrote to memory of 5048	5084	tXauTiJr.exe	183
PID 5084 wrote to memory of 5048	5084	tXauTiJr.exe	183
PID 5048 wrote to memory of 5080	5048	cmd.exe	185
PID 5048 wrote to memory of 5080	5048	cmd.exe	185
PID 5084 wrote to memory of 1568	5084	tXauTiJr.exe	187
PID 5084 wrote to memory of 1568	5084	tXauTiJr.exe	187
PID 5084 wrote to memory of 2000	5084	tXauTiJr.exe	189
PID 5084 wrote to memory of 2000	5084	tXauTiJr.exe	189

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mw3reaper.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\mw3reaper.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3020

C:\Users\Admin\Desktop\OHT1k0.exe
"C:\Users\Admin\Desktop\OHT1k0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\Desktop\pGml.exe
  C:\Users\Admin\Desktop\pGml.exe -asec -upd -rmf=433a2f55736572732f41646d696e2f4465736b746f702f4f4854316b302e657865
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1608

C:\Users\Admin\Desktop\tXauTiJr.exe
"C:\Users\Admin\Desktop\tXauTiJr.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM WmiPrvSE.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 4226281742507
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 4226281742507
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
  2⤵
  PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
  2⤵
  PID:5092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
  2⤵
  PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4168

C:\Users\Admin\Desktop\tXauTiJr.exe
"C:\Users\Admin\Desktop\tXauTiJr.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 4589883219350
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 4589883219350
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
  2⤵
  PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
  2⤵
  PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
  2⤵
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1572

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\odt\config.xml"
1⤵
PID:3532

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\odt\config.xml
1⤵
- Opens file in notepad (likely ransom note)
PID:1284

C:\Users\Admin\Desktop\pGml.exe
"C:\Users\Admin\Desktop\pGml.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Users\Admin\Desktop\tXauTiJr.exe
"C:\Users\Admin\Desktop\tXauTiJr.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
  2⤵
  PID:4468
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%
  2⤵
  PID:3244
- - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 53202441123228
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%
  2⤵
  PID:964
- - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 53202441123228
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
  2⤵
  PID:5008
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
  2⤵
  PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
  2⤵
  PID:3388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
  2⤵
  PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4224

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CopyDeny.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:4944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38b2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

Filesize
452KB

MD5
c4d09d3b3516550ad2ded3b09e28c10c

SHA1
7a5e77bb9ba74cf57cb1d119325b0b7f64199824

SHA256
66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3

SHA512
2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

Download Submit
C:\ProgramData\Microsoft\Windows\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
b8f56b1f40fbdb545c1b1c5e9cbbdbd6

SHA1
be458ef0e5e7d7b5619a7d7634e87eadf327c167

SHA256
064c25747532ba4bb13ddb8e34eae138af04347f7da5189d12970b911cb1e3d2

SHA512
357b0fed37bfdc30838b6b421a9b914b8388ef843f6dde19426d101e4eede6043240b466fa81e1677dd8f1fcb2d4eb164d0f55f2194a4ef34b368da227ccec7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
c450916832ea111b13c0a643f1d21d13

SHA1
ce54c4c3b1df32b86eb6d3f822ebbc8a1ffa19cc

SHA256
9778129200850bc73633b2bbdd7bd8d042e16beec4faf140401ba8b16131f394

SHA512
3084313f20350d76fda5f6c014098cb0f1948da8a3171ab18f3e5431d0751deb08b2355247a6f75ee08ac1d28548457445282c0a7ae7e662e416beb5804396ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
9adacf92227a4927432bedb0e76e65c2

SHA1
3af1e6b2457ddc756361d20e0717d14a42b2e8c0

SHA256
740b22f75ffd0953be969e66e7fcc557e0717578453a427681f43fb7e9aaea49

SHA512
3a99bd82a0b2742010d22464fe6ba314250427087771af0a097c2ff402f537ef363d85dd1e6e16c6f04b03a1f326cd96f26839483989f4e553de482e62e7326b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
1KB

MD5
06341a508e6c38f17b6fbbc69ea0c544

SHA1
be07f0b34cea34332e89c3b782b9ef50c5cf1d53

SHA256
1513ea1d5935cf8fbeaee54572da656a70602cc4b376bfe0ce997426b2ae0f89

SHA512
4d355109b661cb562ddd8c35b30d24541fff8b6fda473ba871ac4364ca84ec7715ec0a8e015012937df4073e0191bd432028e9f62273cf9f45b78aad3b0663f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHOHZANM-20240226-1610.log

Filesize
57KB

MD5
6a16e2a6bd8698747848f67d03e9e852

SHA1
1b677667e679c823dc4268aa9a76c1581e8d95e9

SHA256
f8af4b2574c043d8db7143291356fea0a939b1311c74e4ba87dd6801b8c1f55f

SHA512
a314ec33cf31a3ee9c322a26d7f32c965075e5ffb9b5713aea9be62ac1c3c28f4ea2f6c3283412215d624d0749b3e640f6df9e78d471d1edbb9f6e647b6e56e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHOHZANM-20240226-1610a.log

Filesize
181KB

MD5
38de32a9c13f9c27bef1fbb07df8dd9e

SHA1
5e4c0c4c0369e4696732c449c8a1db5e6ef923b2

SHA256
334b0a2a5b5561e52d01472887c299c37a46ad228450e86a8ae0c8cdac922bc1

SHA512
13883a76412382620b8da314fcad2b6337b3131ee984c6268885316e0b111d5b1dafe27e9958178caa366115b77f82a3899ad83f655f523cd2e16fe8adf88111

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
13KB

MD5
df855ce7e88a8afcc01d501c4014128d

SHA1
6939baf5e6df2ed3f8054918d6bbf47500c36ce1

SHA256
19992eb51ea2c9b4f2d69a3f3b66bfb38d8de5a50fa911623dd1206b1092bb5f

SHA512
9ffd284660dfd5efd30a705b828681163861d144eae3548e50ad2e5413f73d9a18fb90559ac897d0f11224c5be09fc3e7844ce29fe77f7d8842d6020ffff5eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240226_160545023.html

Filesize
93KB

MD5
6f33033740479b0c6e87e896b79a1de0

SHA1
8f7e146302ea2d458cd1d83d757f97dd3c8d3110

SHA256
599bedd2361568882293ec390671f8b1b97332ac9083d730bab3390657633bcd

SHA512
10baffbd8b734650caa2c093fa2754aae1e54abf0992139500c60e337ea821fe9b07a2be373ffc013ecc3aa5a69ecd0115cf33d4bba2a24b3fe2817b0949a4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625.log

Filesize
15KB

MD5
d0f54eb1bfca61ba2d2b30cd05673a6f

SHA1
4ff9750999363278a5a44188c124b64d608132f8

SHA256
69a1d47a09bcc81857aaf8a2684ea9fe9612749716471e94a5bf80ef3738784a

SHA512
e6b1795bd5aa0246663becec89eff216c972e6a0138b4c45265ad719122d519423b21442950a93b70479d733ee360d98ebc298bb8b1c32aa748b8d46fd24480e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625_000_dotnet_runtime_6.0.25_win_x64.msi.log

Filesize
551KB

MD5
6f6a8b70df2daf8b4a2a1957cebb0522

SHA1
de0f0a0baf5d8f908d0193cb05c3f2859315118d

SHA256
2935ea1fd4a238fb2d795570d49bb0e1b11b1ab19b60c362f2eea2e690af8a7d

SHA512
3a51b327eea3e73581492339ed88404782121ac269cda7f9fdb19a192fd3d0065334cc88bbff901ec01bd48e32038793ce62959ff56424cf5ba1762da0b0fda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625_001_dotnet_hostfxr_6.0.25_win_x64.msi.log

Filesize
95KB

MD5
2bae6fdd2877d1214b22afc2a3fa5e35

SHA1
bed7ae237b99a235b62a1e2c0adab5eeefaa746c

SHA256
75f3b7785b9e622bf0e78a5f1fe995a0bf72c2d5d104e1857335b00f67ee38cb

SHA512
859f6e1b2695142caeef12f5f7c18a3974d9640253fed8bd7b52cf27a7b192e5e8a0ea0b069086d2756af7999b9b791d7d1c92db69661980939281e943869087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625_002_dotnet_host_6.0.25_win_x64.msi.log

Filesize
105KB

MD5
b08d03a3c2915387f97ae14075b6233a

SHA1
cac6d25e5c8fca69c8d7669af67227ee3805f863

SHA256
ee21a4a8eec4b1380899df28eb60859f452debdce13409b438f687b3955303a9

SHA512
4e54441716af36a28321dd63f4e1fb16cef87d0447e1595b11f6f20105d1e0adaa52061312461b33a7ddbaf52e69fb5f663e926bfc4b49c326ac596fa2a158ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625_003_windowsdesktop_runtime_6.0.25_win_x64.msi.log

Filesize
849KB

MD5
99e1da1908fdb563ab39c0204df0608c

SHA1
7738578f4d9ee01b069dc99f97ff6df36a5ec90b

SHA256
238021e307df9b22311f420c1932736a2476e764f93fb6bf7c8e12f775184491

SHA512
4c99ece00382f809d728fe1d0e43c06b3437fac2fab5f5bff6dede670cf9447f4f773736d7bed6cb4a69e78c8740f61983f717e6674c421ada02fb5cbc0306e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226160708.log

Filesize
15KB

MD5
6525fb96c306c332e5c9d44e8d3c578c

SHA1
fd56e498884c7c16a7da599e73b874f770677387

SHA256
2f7696929a1f5954cfbbfd10b4caba411b1ed6cce9fd2e8a51dbbb85fd00c533

SHA512
a96e435b3e6e484899fa19da6c5e67a08f0567264ecb5f0900ce5f93a6487a9847b42c335702a2c46c5470e75082d32214de652ae3944fb35da4b716d724cf60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226160708_000_dotnet_runtime_8.0.0_win_x64.msi.log

Filesize
469KB

MD5
d479f945ad1d164acd16e15d8908d94c

SHA1
69ece1722b32ef97dd40f2ec408ea9f3312ae95a

SHA256
c6caa826460b9255ed6529796fea6f5ed8d0f3ef4875d64cf779af3ef9a9d7ed

SHA512
4aeb623fdeadd2511746962ffe8d00e3dff7aeed1d36056c04d978c9bdfe9b21858378de9d1fd133611410921037cd833569920211b8b1f870c046b5a16ab522

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226160708_001_dotnet_hostfxr_8.0.0_win_x64.msi.log

Filesize
95KB

MD5
025f6682daf3573c891690352f0a523d

SHA1
9334fdb962a1caff28f8b92031b1684a7e47f6a7

SHA256
841a0c93a34fb1b997de585d2980bd22266d1d8e9ba606d9315d99428c0f24e6

SHA512
36fdc947aa4300541676cba2ec7d42c38d2e2b01398055f9c6db85ca9b78db8ab41796a8bec173eb403c0cc802d4193091c0f77e3e36243cdecd7547804b0771

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226160708_002_dotnet_host_8.0.0_win_x64.msi.log

Filesize
109KB

MD5
4054ca53ccc064aea1bf03718b14be01

SHA1
77c0e5ee489d83865e428a60744476c2fc1b00ec

SHA256
3744ac402e8c01add702f879101a8c6757f9612a09b6fce500d288739d4ba7d9

SHA512
fabaea4bf591edb9412ee3276a420240bce4aa46d57d70719a95c3ff9bd0df15cde6e69d9eaed56c7842cfa4c1559dfb384900e93eb75a9957edc142119360c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226160708_003_windowsdesktop_runtime_8.0.0_win_x64.msi.log

Filesize
847KB

MD5
64554b2c976551e19ea00313199a888a

SHA1
2c434cfad8b4f38fcf0b4e3780acfc6888bb4b42

SHA256
d22bee033d9702d82f1374d5e5320f2d077885649edad1b62cfd1e193bfa6f33

SHA512
f9ab7c3c2e71bf121c43c6afaeeef3f800faaaf65759d083f46f77384bc63cf6c0f080e0affcf8ff8f32a56f4109f4e077c7da0079ce91dc6816a6df127768f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StructuredQuery.log

Filesize
4KB

MD5
05f954f449d320fb50afbf03a8445b69

SHA1
93ffbc54ed9b041aefa80b32a8fafde76ce56512

SHA256
ede7fd7333b3a6467b4e7d01453faf656cb32aac481bcf06e5bdb9e8053d3f1c

SHA512
48085d6da0a907fb9a53d11167d294776e73deeb1b522bf4e859f8aee978ec9b037ac8f7d80e217c00343c86198789bcd8998c3a065c2fe60b52a17a5b06bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-2484.log

Filesize
470B

MD5
a6825c7252e78c4db2108fecd17dc75c

SHA1
a036fb3ec82ea604e9b87b319b4b1b883cedf9da

SHA256
74f478e144a356ca393e41e798a7f1d05072560d86b95d099ea8980b51f2b073

SHA512
5d33c4314317d6a932f97471a39e4e7541412e877c46558159f178c417181bf6516dfffa52aa0cfdfee8483c2746c8c7e54442dfae8a8f236e5ab1464eb1cf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
d0d9f87e424e72a3dd34c35333708ee4

SHA1
9e164478dad84078bca6f7ffe5b4349238b17660

SHA256
43e02f6861d01d2ab6fd5a9a5cebefb48ac2e534a071d36b758607d22c4470f1

SHA512
bf26f35f29cec6f892335c0bebf6865727c804ce6c58403514114434ca37071bbf92c8fddd9a83062046a2940957edb14c7386eefc847c69e26ce353ce967ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
e9cac14c469fa28d1d7335d426283162

SHA1
ae16be05a6be98c9654fd01b471e591f6c4bc030

SHA256
a460c1a6d4fcb81a308990b73df8887e019501a2a34f4549bdbc911ea6c0616b

SHA512
ba5877ee4c2827a31275cc22eebd7cd6bf085c31c829d6d96285de52d2483f64d40797daef71c3c45e85186f116ff5b68c10df8606b6faef9ead9fbdcf95cbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI12AB.txt

Filesize
427KB

MD5
4535ef5999cb6389c8281ab2521d43ed

SHA1
c0404b87521382dec08aa878a83b0021a72653f8

SHA256
57c84cbf23938f510ec234ff3cfb724459aa0eb95dbb86820048c5760e410288

SHA512
d01447c585b818ba15a3215db374825b6e25f20ec09caaa3e0f55954dea8b93391bbeda6b588e8ad064f5c2bb144a4a2c9ff4b7e8a5e99bb369d2830e72d0395

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI12CF.txt

Filesize
416KB

MD5
48d548dc7b2fb537178ef69d2fbad987

SHA1
5e9fdc225dff9a2b4f0132d27aa45408c6b7b1db

SHA256
6fe0c9f02539240b215b2afc94613accedf32e531d896b6fa6179bf4c5f6ca29

SHA512
37c1ce717348919cfd8bafaa0714b790587e8ae9bfe09b13d348a840a84d4b68c1aedf2988243ce48e2f3e3d17fcc2601131ce836463a150a2f439738b82a273

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI12AB.txt

Filesize
11KB

MD5
0b46662bc6fc4ba3f81f5161fe26cff5

SHA1
9d3b5b27dba2783db787594826bae1527b3953f9

SHA256
8509b559ff81edcdd7cd249e6ea15c0c94b6f27c333c54ea041ca7579fa1c5ac

SHA512
2416f1d2b62fa020e6d6e84dad288ba61cfdd8b858d76b6d4ed3978da428bccbcba1ef14cf7956bf99be15171665b93623593c566e8f9006dd4a09b710e6c8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI12CF.txt

Filesize
11KB

MD5
3407fc3198d6041b52fe04c75472a6e1

SHA1
d4e5ced551b401f409878e816334e9df0aeea30c

SHA256
1db4d460e5e5215ac70c3275693297dc3f0bdb0361444ec1a727cd3bab7b24a2

SHA512
7eeb5b73e5ba56faa1cc0c2fff6c6a0129bae49ab5f69a0aac88ff0d98013821f7ff1624a6ca175ca18cf28a7f1271c58296caa3b760b9e0ec47d604f2c5ff4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
153KB

MD5
621b739fd58d24876b895f17e9e9f3f4

SHA1
eb80edd1b89c95df33b1eef20530e15f03cb835a

SHA256
fb354420ebeeb45ed4307cdace7167b78dc9176629d2358322bfbe97c5a2fff7

SHA512
6cee6da130b20b47467c986ce3eda891f4334a72ad80436c5a1c4871d5d7ece19c01db0bec3199b2512d36281b2f26dc9ee47d5b61b134f56c4d2f5f55c1d2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
6KB

MD5
bc2d9f5548e12fdc56d6379a6207d647

SHA1
f43e79203e715a703a159278e618497bd7dbe505

SHA256
70d9ff746bb99290dc663780d8e1c34337f001b5a61eeff6e541bac19572bc4e

SHA512
807dc321089bf94797d25f29fec116fcac3b690285025a7af2bf254eaefc66983e91c75017ec7a6fdb56591768644c2f917421532364a9344a4b621794ae8413

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.9NCBCSZSJRSB_0__.Public.InstallAgent.dat

Filesize
67KB

MD5
ddd05b9ec98ca7c9f09678b29701a344

SHA1
b3141a806babf1ba3dd499f093bd6ae1981e3d68

SHA256
5ad2bc43373729f2be68d56a99312356bfb602e5db63d1c93d959c1aff84be2a

SHA512
3d832bfac95c2adfcea771149f03852bb8608bd10cafb7e8cf439e6f99804fe27b0598af0cc365d28207fe2e78568de33479a78fc7ac6121612e4c045df7354b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct7CC1.tmp

Filesize
2.4MB

MD5
2c5c928b2dee6a83c8e0b2e0112b5b9e

SHA1
bbcc898180c01432dc656c70ed87a71d5ead93cf

SHA256
f0c0edcbdf08ff3b65dad0316300ff316a6fe0888754e207be66d1170e3a40a2

SHA512
0eebd9163604ff5db3b648babe64ee4799245ea5effa4c1742bd7c0c5e7b4dc514a20362a755e6524e675a61a0813055ee55bf48df5146f273c4fc07d0d43b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctE743.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
697B

MD5
eed865bd7e4f34afabb50833c71e779c

SHA1
53159c76eabcca54b0b1d167730695dd973ad5a9

SHA256
996fdc33c0b3e41727907106ed6e779e9ca334f01f91d1ac661b57e7d5e03a0b

SHA512
781c8be7c50d168fc0a5cb915db8b264b25d045389128fa91dd24630e58dbc17fbe2d2a8e40f03e94092d8ea55b66aafddebd373ca4440bb5e2bcb4426f1eb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuD3BB.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Users\Admin\AppData\Local\pGml\cache\_qt_QGfxShaderBuilder_6.6.0\3745ede8b65f991bbb62ab1b7d252cf5895d42d0.qsb

Filesize
2KB

MD5
8f5aee93d91f3829a2f03d4966b052a4

SHA1
7e4f0e555e1a9a2a7aae778ccc8d39c2d94d96f1

SHA256
c96f8077f8c1647a2a3f5e987a8855dd0b8396c24430252fadd18408363d68ef

SHA512
1c9e827329f31378438b7774df093e671a3a085bfecc7587ec67ae51c7f043e0a8fcc8e496fe1b4675838ed2a41fdc3566adcbac5da133e548993da78ca1c4cc

Download Submit
C:\Users\Admin\AppData\Local\pGml\cache\_qt_QGfxShaderBuilder_6.6.0\bf24da5741ff0e08dc29e3ad448c19c1d9801ddb.qsb

Filesize
1KB

MD5
3b0fbcde6bd115d20b36b15a70dcf9fe

SHA1
a6d8fbf4904a372c669b43d11dc064002322c506

SHA256
63a9046eaa38a45e51b7ca5d9f831b4775c282a332eb54dbf3aaf3da88545caa

SHA512
41faff9359426b543884695012e919299c588de6cc0da649d78a73ca9f0ed1d4ef5096a6ab52fa15a393e23d3ab768085b8ad2a103a6ceee8b60de1f92e94e89

Download Submit
C:\Users\Admin\AppData\Local\pGml\cache\_qt_QGfxShaderBuilder_6.6.0\cb92c8294d94013808927b04d24c5ec816ceb106.qsb

Filesize
2KB

MD5
9d366af4bad4db837fb95bc9f63be9d7

SHA1
e893abd610f2cc47312dccaaee1c17aeffb898bf

SHA256
a2d21088cdbad6369c45ee19839972264598cc5120eb7c748a945a7b4cf73c4a

SHA512
42d42c55256913183fba64270d9d5ab892717d4269354eabfafbba444c51c21e27802aeae621d545320c53ae9471b1fb080f626942fdaebf8597de04a0e6149b

Download Submit
C:\Users\Admin\AppData\Local\pGml\cache\_qt_QGfxShaderBuilder_6.6.0\e8734fa707fb536d16ccc2a649e0ec2e26880490.qsb

Filesize
2KB

MD5
dfaa414fe332e3a792a33278aa56af64

SHA1
cfb93f3b3e0447fd25103453d343d27d86f7b933

SHA256
c9d2e019e039a4550dbea88263542d5163627ae60503ec293dc6c57fa15c1f9b

SHA512
47d6a02c16fce5fbf20b595623fd9b598bb528e3483e6fa0e94ef3eac6b97b2fd573724df2764cbcedf123d8fdf90a59ad374000d4bea3331f7a67f3c5bf44e4

Download Submit
C:\Users\Admin\Desktop\OHT1k0.exe

Filesize
12.9MB

MD5
209000b8071a178a1421366714a0f907

SHA1
95fa6042b6b42c411af821be54421455d709279c

SHA256
442fc05aef57c5fdfd89db77b609d3726d1d528cfd064d2706a6d4b4b4ee1473

SHA512
db018131dec1e9798ff5bd69c88bf8bb729462a7afc90328955ee38c7c4e9bd3429d001712789a7f73ecd443259b2559ced29ecca1976c2521deb603f1c5eb3e

Download Submit
C:\Users\Admin\Desktop\OHT1k0.exe

Filesize
12.8MB

MD5
ed89328e5974c6f355c272be70f9c3c8

SHA1
9b85850285b9d80ababcd029d0c92b94cc96196e

SHA256
20dcca38b86b472b9f2345a985694a0daf697db9b031f91afc794bd642524ead

SHA512
47da7ae2f7e838c8ad1a13f1812aeac0a1ce831555a94b438b3d01f1f0ded93955b70031d2da18e5b1824b20a0badf1618d489e90ec0a6225174d43f1c46a244

Download Submit
C:\Users\Admin\Desktop\pGml.exe

Filesize
6.5MB

MD5
3b3a8a771cbe8a6a142a928342deb903

SHA1
d2a623aaead2af7513911705ac60657ce1c813f1

SHA256
28ee29f2d8be7463951058a841e0278de3ef5d8f0c7477cc27dcaa853c9f0c74

SHA512
4279f9d62e508e0d1cab1b390e08051169b022b48f5623ff34b601cf83b7c8241ff40861ee4a53121d4351b1e80734bfbfbad6c4f889ccbf2c92a7bd94c5d81d

Download Submit
C:\Users\Admin\Desktop\pGml.exe

Filesize
6.8MB

MD5
5e547f357f9642cefcb874b93434eb90

SHA1
e0e43f7d88f3a69e0f3301832294943d2ebf7a9f

SHA256
7bacf91ce75d23c2dc6268cba52f32e89f402e67ec27fe23aad955df5f3b58dd

SHA512
4d23ab28c61c578176a418e0ea8880a6663c3b0ab5bb6aa72e1de09e723bb85ab739403a08d2664d4555f212fa86d4950e70d2d25017c851769db2bb6bf3cf21

Download Submit
C:\Users\Admin\Desktop\tXauTiJr.exe

Filesize
521KB

MD5
464c348f1bdf66a75c6b0d51256e916c

SHA1
fa7f683e451ab0a0c6c18a4dde7b9bbdde72ff27

SHA256
a58b1f94ba24a2d7f06c2b7a9840243c4e1b75b1b580cf1ce4c5d9af69cedc85

SHA512
cb07284fd3d33eef29f761fd0d044a9143b9e934eff49a625290c4da23580c1b0bb1f4cd9d5e574c698fbf791d13aa476be2a550baebb4f925ef019015710233

Download Submit
memory/3532-904-0x00007FFEC4610000-0x00007FFEC4620000-memory.dmp

Filesize
64KB

Download
memory/3532-903-0x00007FFF02230000-0x00007FFF024F9000-memory.dmp

Filesize
2.8MB

Download
memory/3532-905-0x00007FFF04590000-0x00007FFF04785000-memory.dmp

Filesize
2.0MB

Download
memory/3532-902-0x00007FFF04590000-0x00007FFF04785000-memory.dmp

Filesize
2.0MB

Download
memory/3888-59-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3888-63-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3888-20-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-19-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-17-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-22-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-23-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-25-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-28-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-29-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-30-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-31-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-32-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-34-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-35-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-37-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-39-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-40-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-42-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-44-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-49-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-68-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3888-69-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3888-64-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-67-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3888-65-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3888-66-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3888-21-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-60-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3888-61-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3888-50-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-55-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3888-58-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3888-56-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3888-57-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3888-51-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-52-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-53-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-45-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-47-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-48-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-46-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-43-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-41-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-38-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3888-33-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-26-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-27-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-24-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-18-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-16-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3888-14-0x0000000003630000-0x0000000003832000-memory.dmp

Filesize
2.0MB

Download
memory/3888-12-0x00000000031E0000-0x0000000003622000-memory.dmp

Filesize
4.3MB

Download
memory/3888-7-0x0000000140000000-0x0000000143726000-memory.dmp

Filesize
55.1MB

Download
memory/3888-6-0x00007FFF04790000-0x00007FFF04792000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads