Analysis
-
max time kernel
107s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
24-06-2024 16:16
General
-
Target
UnBan Guide/step 6/1. Spoofer (RUN ME).bat
-
Size
3KB
-
MD5
f0b3b45759aca115f31f2aa16a942b6d
-
SHA1
5b0dbbfee935549167f2c89bdf8877ec61fb403d
-
SHA256
48ecb46f509169a6ab5a4c967fa8d9955b026478f3ab124c494b4eca1f79078b
-
SHA512
4f2a480c531385da8bf761ebc6c82b82ba9e293e770558c353b931009ba9bf57af184bb5b8de3df23fb1e707c06d431e0ada447c92b04214f5d6c92b3173089d
Score
10/10
Malware Config
Signatures
-
Cerber 32 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Stops running service(s) 4 TTPs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in Windows directory 26 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 19 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\1. Spoofer (RUN ME).bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping www.google.com -n 12⤵
- Runs ping.exe
-
-
C:\Windows\system32\find.exefind "="2⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat_Setup.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicWebHelper.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService_x64.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exesc stop BEService2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop EasyAntiCheat2⤵
- Launches sc.exe
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SWD\MS*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DeviceCleanupCmd.exeDeviceCleanupCmd.exe * -s2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DriveCleanup.exeDriveCleanup.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "F:\"2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk drive*" /use_wildcard2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk"2⤵
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "disk"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk&*" /use_wildcard2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard2⤵
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "USBSTOR*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SCSI\Disk*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "STORAGE*" /use_wildcard2⤵
- Maps connected drives based on registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Motherboard*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Volume*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Microsoft*" /use_wildcard2⤵
- Maps connected drives based on registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "System*" /use_wildcard2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "ACPI\*" /use_wildcard2⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Remote*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Standard*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SU AUTO2⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /BS 281562560031232140252⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /CS 39083066019743129062⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SS 237142895722004280442⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /PSN 3486339929019214802⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IVN 6167326291866268602⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IV 327272101430471212722⤵
- Cerber
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Cerber
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Cerber
- Kills process with taskkill
-
-
C:\Windows\system32\PING.EXEPING localhost -n 152⤵
- Runs ping.exe
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "F:\"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk drive*" /use_wildcard2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "disk"2⤵
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk&*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "USBSTOR*" /use_wildcard2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SCSI\Disk*" /use_wildcard2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "STORAGE*" /use_wildcard2⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Motherboard*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Volume*" /use_wildcard2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Microsoft*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "System*" /use_wildcard2⤵
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "ACPI\*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Remote*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Standard*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SU AUTO2⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /BS 17514279915016139922⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /CS 24879263451753290752⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SS 503932516783266752⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /PSN 23598283322420277182⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IVN 277762744317575318922⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IV 310067672497684982⤵
- Cerber
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\PING.EXEPING localhost -n 152⤵
- Runs ping.exe
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "F:\"2⤵
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk drive*" /use_wildcard2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk"2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "disk"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk&*" /use_wildcard2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "USBSTOR*" /use_wildcard2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SCSI\Disk*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "STORAGE*" /use_wildcard2⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Motherboard*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Volume*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Microsoft*" /use_wildcard2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "System*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "ACPI\*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Remote*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Standard*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SU AUTO2⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /BS 8313142211351118152⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /CS 23694309021747273092⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SS 129872590515774301702⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /PSN 5585297865158241912⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IVN 118822795313044292652⤵
- Cerber
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IV 32125201342248221182⤵
- Cerber
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\PING.EXEPING localhost -n 152⤵
- Runs ping.exe
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "F:\"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk drive*" /use_wildcard2⤵
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "disk"2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk&*" /use_wildcard2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "USBSTOR*" /use_wildcard2⤵
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SCSI\Disk*" /use_wildcard2⤵
- Enumerates connected drives
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "STORAGE*" /use_wildcard2⤵
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Motherboard*" /use_wildcard2⤵
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Volume*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Microsoft*" /use_wildcard2⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "System*" /use_wildcard2⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "ACPI\*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Remote*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Standard*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SU AUTO2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /BS 3375334811577190102⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /CS 91961869913833168832⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SS 11703254268572115132⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /PSN 2041446527005236272⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IVN 23090235152776589182⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IV 315767553258359912⤵
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\PING.EXEPING localhost -n 152⤵
- Runs ping.exe
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "F:\"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk drive*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "disk"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk&*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "USBSTOR*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SCSI\Disk*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "STORAGE*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Motherboard*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Volume*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Microsoft*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "System*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "ACPI\*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Remote*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Standard*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SU AUTO2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /BS 24277277927421117222⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /CS 185201439430369274442⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /SS 12376864820112148142⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /PSN 107374112206081792⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IVN 8824314375074239802⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXEAMIDEWINx64.EXE /IV 4239640125868140092⤵
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\PING.EXEPING localhost -n 152⤵
- Runs ping.exe
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "F:\"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "C:\"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk drive*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "disk"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "Disk&*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "USBSTOR*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "SCSI\Disk*" /use_wildcard2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exeDevManView.exe /uninstall "STORAGE*" /use_wildcard2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "ACPI\PNP0C01\2&daba3ff&2" "" "" "639932b5f" "0000000000000000" "00000000000005D0" "00000000000005A0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "ACPI\PNP0103\0" "" "" "6b512ed67" "0000000000000000" "00000000000005F8" "0000000000000618"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
178B
MD55f82c72d983c993bd0ac37b3006630ec
SHA14db01ae25c030c4216d3516b49f3dcbc6f0549d4
SHA256ff935ba3397204c5f09138636337a2a0f1d4132b966c7d0243a67a3f86bbf1af
SHA51275486a33739d91cc058d9fd52d61c12789c041230c21e6ee2412773b1b4f155dbc9fbd1e177ccb783aedf84002e4aafc1e742861a5832fa6fa4cc1d5bdcb13d8