Analysis
max time kernel: 197s
max time network: 195s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01-10-2024 15:04

Static task: static1
Behavioral task: behavioral1
  Sample: CucumberPerm.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: CucumberPerm.exe
  Resource: win11-20240802-en

General
Target: CucumberPerm.exe
Size: 4.4MB
MD5: fdc104e5c49f8dbecfd3cdae4cd1786b
SHA1: 79e8c33151a53746865e13f4b12c4b6e7899c559
SHA256: ee86642427c5a1b6f949f6e3161da1b8bb05594d4730f815ebc34478a79e76fd
SHA512: b422308220a1adc81a7c0b082f9967e48f200b9de072ca56435d4ebb872709dcab00b1070e7c8cc5d927d24f760cf9eedae801f1a5ea13777d4807b7d2f326e2
SSDEEP: 98304:6hPPkkqr3RwUo8UTEF0pflxoLQVHIk9jh1zlgu/ymvOpUypuJK7Cjgzn:6hPPWBwT8kFl9th1z6uxODpRCEL

Malware Config

Signatures
Cerber 64 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
description | ioc | pid | Process
Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | inertia.exe
(This row is identical for all 64 IoCs listed; two of the entries additionally carry pid 3088 taskkill.exe and pid 4384 taskkill.exe.)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cleaner.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
3908 | netsh.exe
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cleaner.exe
Set value (data) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 32004f00370048005300200020002d002000640000000000 | cleaner.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE 64 IoCs
pid | Process
4756 | Cucumber-Permanently-Spoofer.exe
4516 | Disk1.exe
2204 | Disk2.exe
4780 | inertia.exe
3664 | inertia.exe
4728 | inertia.exe
4200 | inertia.exe
3160 | inertia.exe
224 | inertia.exe
4404 | inertia.exe
2052 | inertia.exe
4724 | inertia.exe
4440 | inertia.exe
2652 | inertia.exe
4824 | inertia.exe
4408 | inertia.exe
2596 | inertia.exe
2144 | inertia.exe
3416 | inertia.exe
1040 | inertia.exe
4940 | inertia.exe
3204 | inertia.exe
2556 | inertia.exe
2476 | inertia.exe
992 | inertia.exe
4880 | inertia.exe
4752 | inertia.exe
4640 | inertia.exe
3484 | inertia.exe
4972 | inertia.exe
1128 | inertia.exe
2716 | inertia.exe
4472 | inertia.exe
1260 | inertia.exe
2440 | inertia.exe
4120 | inertia.exe
4352 | inertia.exe
64 | inertia.exe
3680 | Cucumber-Permanently-Spoofer.exe
4360 | Disk1.exe
3232 | Disk2.exe
68 | inertia.exe
2372 | inertia.exe
3044 | inertia.exe
2508 | inertia.exe
2148 | inertia.exe
5084 | inertia.exe
4080 | inertia.exe
2804 | inertia.exe
652 | inertia.exe
1456 | inertia.exe
1120 | inertia.exe
3596 | inertia.exe
1508 | inertia.exe
3088 | inertia.exe
4496 | inertia.exe
3384 | inertia.exe
5096 | inertia.exe
4748 | inertia.exe
4260 | inertia.exe
5048 | inertia.exe
4356 | inertia.exe
512 | inertia.exe
3780 | inertia.exe
resource | yara_rule
behavioral1/files/0x000700000001ac79-107.dat | themida
behavioral1/memory/3160-108-0x00007FF707CB0000-0x00007FF708652000-memory.dmp | themida
behavioral1/memory/3160-111-0x00007FF707CB0000-0x00007FF708652000-memory.dmp | themida
behavioral1/memory/3160-110-0x00007FF707CB0000-0x00007FF708652000-memory.dmp | themida
behavioral1/memory/3160-109-0x00007FF707CB0000-0x00007FF708652000-memory.dmp | themida
behavioral1/memory/3160-112-0x00007FF707CB0000-0x00007FF708652000-memory.dmp | themida
behavioral1/memory/3160-113-0x00007FF707CB0000-0x00007FF708652000-memory.dmp | themida
behavioral1/memory/3160-355-0x00007FF707CB0000-0x00007FF708652000-memory.dmp | themida

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cleaner.exe

pid | Process
1908 | cmd.exe
5096 | ARP.EXE
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "3c20" | cleaner.exe
Drops file in System32 directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe
File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
3160 | cleaner.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
Launches sc.exe 18 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4612 | sc.exe
5016 | sc.exe
1400 | sc.exe
2936 | sc.exe
2524 | sc.exe
4224 | sc.exe
2580 | sc.exe
3712 | sc.exe
4176 | sc.exe
2764 | sc.exe
3376 | sc.exe
3900 | sc.exe
64 | sc.exe
3000 | sc.exe
2212 | sc.exe
2064 | sc.exe
4596 | sc.exe
1320 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Disk1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Disk1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Disk1.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1492 | cmd.exe
820 | cmd.exe
4808 | cmd.exe
4808 | cmd.exe
Enumerates system info in registry 2 TTPs 27 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "875e7998-3b92b081-b" | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "225032b1-c09280b4-2" | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "JQ8-G.L5.B-K-OQC2BK745-70DF1BF5.OD82.JCK" | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "8F9MA9FF N1 (M4F + 3QAG, O1PF)" | cleaner.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | cleaner.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion | cleaner.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "LPMN" | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion = "CQ-7MB-7.E" | cleaner.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | cleaner.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | cleaner.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | cleaner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | cleaner.exe
Gathers network information 2 TTPs 3 IoCs
Uses a command-line utility to view the network configuration.
pid | Process
4276 | ipconfig.exe
5040 | ipconfig.exe
4732 | ipconfig.exe
Kills process with taskkill 21 IoCs
pid | Process
3088 | taskkill.exe
4496 | taskkill.exe
2476 | taskkill.exe
3252 | taskkill.exe
2816 | taskkill.exe
5092 | taskkill.exe
3280 | taskkill.exe
64 | taskkill.exe
3024 | taskkill.exe
4384 | taskkill.exe
1224 | taskkill.exe
4880 | taskkill.exe
4972 | taskkill.exe
5072 | taskkill.exe
4484 | taskkill.exe
664 | taskkill.exe
2076 | taskkill.exe
5056 | taskkill.exe
4640 | taskkill.exe
2716 | taskkill.exe
3084 | taskkill.exe

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies registry class 64 IoCs
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3160 | cleaner.exe (2 entries; no cleaner.exe appears in the process tree below, where PID 3160 is held by an inertia.exe /SP instance)
-
Suspicious behavior: LoadsDriver 64 IoCs
pid | Process
632 | Process not Found (all 64 entries are this same row: driver loads attributed to PID 632, whose image the sandbox could not resolve)
-
Suspicious behavior: MapViewOfSection 6 IoCs
pid | Process
220 | MicrosoftEdgeCP.exe (6 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4384, 664, 1224, 2076, 3088, 4496, 5056 | taskkill.exe (one entry per taskkill /F instance; taskkill enables SeDebugPrivilege so that /F can open processes it would otherwise be denied access to)
Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 2008 | svchost.exe (the "svchost.exe -k netsvcs -s Winmgmt" host in the process list; the same twelve-privilege cycle is logged four full times and a fifth time cut off after SeShutdownPrivilege by the 64-IoC cap, consistent with the sample stopping and restarting winmgmt repeatedly)
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
3932 | MicrosoftEdge.exe
220 | MicrosoftEdgeCP.exe (2 entries)
4964 | MicrosoftEdgeCP.exe
(all four are Edge processes; none belongs to the sample's process tree)
-
Suspicious use of WriteProcessMemory 64 IoCs
Every child launch in this table is logged as two rows (the table is capped at 64, so the last edge has only one); the rows are collapsed below to one line per writer/target pair. procid_target is the sandbox's own sequential process index, not a PID.
description | pid Process | procid_target | rows
PID 2536 wrote to memory of 4520 | 2536 CucumberPerm.exe | 80 | 2
PID 4520 wrote to memory of 4756 | 4520 cmd.exe | 82 | 2
PID 4756 wrote to memory of 4352 | 4756 Cucumber-Permanently-Spoofer.exe | 84 | 2
PID 4352 wrote to memory of 1228 | 4352 cmd.exe | 85 | 2
PID 4756 wrote to memory of 624 | 4756 Cucumber-Permanently-Spoofer.exe | 86 | 2
PID 4756 wrote to memory of 3380 | 4756 Cucumber-Permanently-Spoofer.exe | 87 | 2
PID 4756 wrote to memory of 4552 | 4756 Cucumber-Permanently-Spoofer.exe | 88 | 2
PID 4552 wrote to memory of 4384 | 4552 cmd.exe | 89 | 2
PID 4756 wrote to memory of 3836 | 4756 Cucumber-Permanently-Spoofer.exe | 91 | 2
PID 3836 wrote to memory of 664 | 3836 cmd.exe | 92 | 2
PID 4756 wrote to memory of 1892 | 4756 Cucumber-Permanently-Spoofer.exe | 93 | 2
PID 1892 wrote to memory of 1224 | 1892 cmd.exe | 94 | 2
PID 4756 wrote to memory of 1508 | 4756 Cucumber-Permanently-Spoofer.exe | 95 | 2
PID 1508 wrote to memory of 2076 | 1508 cmd.exe | 96 | 2
PID 4756 wrote to memory of 5060 | 4756 Cucumber-Permanently-Spoofer.exe | 97 | 2
PID 5060 wrote to memory of 3088 | 5060 cmd.exe | 98 | 2
PID 4756 wrote to memory of 1492 | 4756 Cucumber-Permanently-Spoofer.exe | 99 | 2
PID 1492 wrote to memory of 4496 | 1492 cmd.exe | 100 | 2
PID 4756 wrote to memory of 4392 | 4756 Cucumber-Permanently-Spoofer.exe | 101 | 2
PID 4392 wrote to memory of 4612 | 4392 cmd.exe | 102 | 2
PID 4756 wrote to memory of 4748 | 4756 Cucumber-Permanently-Spoofer.exe | 103 | 2
PID 4748 wrote to memory of 2212 | 4748 cmd.exe | 104 | 2
PID 4756 wrote to memory of 4168 | 4756 Cucumber-Permanently-Spoofer.exe | 105 | 2
PID 4168 wrote to memory of 2580 | 4168 cmd.exe | 106 | 2
PID 4756 wrote to memory of 2940 | 4756 Cucumber-Permanently-Spoofer.exe | 107 | 2
PID 2940 wrote to memory of 2064 | 2940 cmd.exe | 108 | 2
PID 4756 wrote to memory of 2664 | 4756 Cucumber-Permanently-Spoofer.exe | 109 | 2
PID 4756 wrote to memory of 4664 | 4756 Cucumber-Permanently-Spoofer.exe | 110 | 2
PID 4664 wrote to memory of 4516 | 4664 cmd.exe | 111 | 3 (the Disk1.exe launch; the only pair with three rows)
PID 4756 wrote to memory of 628 | 4756 Cucumber-Permanently-Spoofer.exe | 112 | 2
PID 4756 wrote to memory of 2640 | 4756 Cucumber-Permanently-Spoofer.exe | 114 | 2
PID 2640 wrote to memory of 4780 | 2640 cmd.exe | 115 | 1 (table truncated at 64 IoCs)
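The WriteProcessMemory table is the one place in this report that records who started whom, and the AdjustPrivilegeToken table records which taskkill instances enabled SeDebugPrivilege. Joining the two answers the question a responder actually has: do all of those privileged taskkills descend from the sample? The Python below is an added example written for this page, not code from the report or from the sample. It parses rows in the report's own "PID a wrote to memory of b a image n" shape, collapses the doubled rows, walks lineage, and checks the SeDebugPrivilege PIDs against the sample's subtree. The rows are copied from the table above (a subset; constructed input), the SeDebugPrivilege PID set is copied from the AdjustPrivilegeToken table, and the function names are mine.

```python
import re
from collections import OrderedDict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above (a subset;
# every row in that table has the same shape). Constructed input for this example.
WPM_ROWS = """
PID 2536 wrote to memory of 4520 2536 CucumberPerm.exe 80
PID 2536 wrote to memory of 4520 2536 CucumberPerm.exe 80
PID 4520 wrote to memory of 4756 4520 cmd.exe 82
PID 4756 wrote to memory of 4552 4756 Cucumber-Permanently-Spoofer.exe 88
PID 4552 wrote to memory of 4384 4552 cmd.exe 89
PID 4756 wrote to memory of 3836 4756 Cucumber-Permanently-Spoofer.exe 91
PID 3836 wrote to memory of 664 3836 cmd.exe 92
PID 4756 wrote to memory of 1892 4756 Cucumber-Permanently-Spoofer.exe 93
PID 1892 wrote to memory of 1224 1892 cmd.exe 94
PID 4756 wrote to memory of 1508 4756 Cucumber-Permanently-Spoofer.exe 95
PID 1508 wrote to memory of 2076 1508 cmd.exe 96
PID 4756 wrote to memory of 5060 4756 Cucumber-Permanently-Spoofer.exe 97
PID 5060 wrote to memory of 3088 5060 cmd.exe 98
PID 4756 wrote to memory of 1492 4756 Cucumber-Permanently-Spoofer.exe 99
PID 1492 wrote to memory of 4496 1492 cmd.exe 100
PID 4756 wrote to memory of 4664 4756 Cucumber-Permanently-Spoofer.exe 110
PID 4664 wrote to memory of 4516 4664 cmd.exe 111
PID 4664 wrote to memory of 4516 4664 cmd.exe 111
PID 4664 wrote to memory of 4516 4664 cmd.exe 111
"""

# taskkill.exe PIDs that enabled SeDebugPrivilege, copied from the AdjustPrivilegeToken table.
SEDEBUG_TASKKILL = {4384, 664, 1224, 2076, 3088, 4496, 5056}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

def parse_edges(text):
    """Collapse rows into {(writer_pid, target_pid): (writer_image, procid_target, row_count)}.
    In this report a plain child launch is logged as two rows, so any other count stands
    out (three rows for the Disk1.exe launch, one row where the 64-IoC cap cut the table)."""
    edges = OrderedDict()
    for writer, target, writer_again, image, procid in ROW_RE.findall(text):
        if writer != writer_again:        # the row repeats the writer pid; drop garbled rows
            continue
        key = (int(writer), int(target))
        img, pt, n = edges.get(key, (image, int(procid), 0))
        edges[key] = (img, pt, n + 1)
    return edges

def lineage(edges, pid):
    """Follow target -> writer links up to the root; returns PIDs root-first."""
    parent = {t: w for (w, t) in edges}
    chain, seen = [pid], {pid}
    while chain[-1] in parent and parent[chain[-1]] not in seen:   # seen: PID-reuse guard
        chain.append(parent[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]

def descendants(edges, root):
    """Every PID reachable from root through writer -> target links."""
    children = {}
    for (w, t) in edges:
        children.setdefault(w, []).append(t)
    out, todo = set(), [root]
    while todo:
        for c in children.get(todo.pop(), []):
            if c not in out:
                out.add(c)
                todo.append(c)
    return out

def sedebug_under(edges, root, sedebug_pids=SEDEBUG_TASKKILL):
    """Split the SeDebugPrivilege taskkill PIDs into those under root and those not."""
    under = descendants(edges, root)
    inside = sorted(p for p in sedebug_pids if p in under)
    outside = sorted(p for p in sedebug_pids if p not in under)
    return inside, outside
```

Run against the rows above, `sedebug_under(edges, 2536)` places six of the seven SeDebugPrivilege taskkills under the sample and leaves 5056 unaccounted for; that one belongs to the second launch of CucumberPerm.exe (PID 2064) further down the process list, which the capped table never reaches. `lineage(edges, 3088)` gives the chain CucumberPerm.exe (2536) > cmd.exe (4520) > Cucumber-Permanently-Spoofer.exe (4756) > cmd.exe (5060) > taskkill.exe (3088), the same path the indented tree shows but derived from the IoC rows alone.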
Processes
Each entry below is printed by the report as <image path><command line><nesting depth>⤵ followed by PID:<pid>, with any signature tags in between. The single digit glued to the end of the command line is the depth, not part of the argument, so "inertia.exe /IVN 24953-6777-282285⤵" is the argument 24953-6777-28228 run at depth 5. CucumberPerm.exe appears four times at depth 1: PIDs 5064 and 4948 with no children, PID 2536 (batch extracted to %TEMP%\C7EF.tmp) and PID 2064 (batch extracted to %TEMP%\70C1.tmp). Inside the PID 2536 tree the spoofer process 4756 runs the same kill/stop/spoof/winmgmt-restart sequence twice.
-
C:\Users\Admin\AppData\Local\Temp\CucumberPerm.exe"C:\Users\Admin\AppData\Local\Temp\CucumberPerm.exe"1⤵PID:5064
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4824
-
C:\Users\Admin\Desktop\CucumberPerm.exe"C:\Users\Admin\Desktop\CucumberPerm.exe"1⤵PID:4948
-
C:\Users\Admin\Desktop\CucumberPerm.exe"C:\Users\Admin\Desktop\CucumberPerm.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\C7F0.tmp\C7F1.bat C:\Users\Admin\Desktop\CucumberPerm.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\Cucumber-Permanently-Spoofer.exeCucumber-Permanently-Spoofer.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mode con: cols=50 lines=204⤵
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\system32\mode.commode con: cols=50 lines=205⤵PID:1228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c title %computername%4⤵PID:624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵PID:3380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM EpicGamesLauncher.exe >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\system32\taskkill.exetaskkill /F /IM EpicGamesLauncher.exe5⤵
- Cerber (sandbox family heuristic only: nothing in this process tree encrypts files or drops a ransom note; the observed behaviour is anti-cheat tampering and hardware-ID spoofing, not ransomware)
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM EasyAntiCheatLauncher.exe >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\system32\taskkill.exetaskkill /F /IM EasyAntiCheatLauncher.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM BEService.exe >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\system32\taskkill.exetaskkill /F /IM BEService.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM Fortnite.exe >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\system32\taskkill.exetaskkill /F /IM Fortnite.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM BattleEyeLauncher.exe >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\system32\taskkill.exetaskkill /F /IM BattleEyeLauncher.exe5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM FortniteClient-Win64-Shipping.exe >nul 2>&14⤵
- System Network Configuration Discovery: Internet Connection Discovery (sandbox mis-tag: this command line only kills a process; the rule most likely matched the "ping" substring inside "Shipping")
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\system32\taskkill.exetaskkill /F /IM FortniteClient-Win64-Shipping.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\system32\sc.exesc stop BEService5⤵
- Launches sc.exe
PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\system32\sc.exesc stop BEDaisy5⤵
- Launches sc.exe
PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\system32\sc.exesc stop EasyAntiCheat5⤵
- Launches sc.exe
PID:2580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\system32\sc.exesc stop EasyAntiCheatSys5⤵
- Launches sc.exe
PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵PID:2664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Disk1.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\Disk1.exeDisk1.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Disk2.exe4⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\Disk2.exeDisk2.exe5⤵
- Executes dropped EXE
PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Spoof.bat4⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /IVN 24953-6777-282285⤵
- Cerber
- Executes dropped EXE
PID:4780
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /IV 13171-11107-44905⤵
- Executes dropped EXE
PID:3664
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /IV 18405-12879-130065⤵
- Cerber
- Executes dropped EXE
PID:4728
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SM 31118-30276-205345⤵
- Cerber
- Executes dropped EXE
PID:4200
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SP 18771-9103-299035⤵
- Cerber
- Executes dropped EXE
PID:3160
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SV 3878-19465-38635⤵
- Executes dropped EXE
PID:224
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SS 16507-17815-39955⤵
- Executes dropped EXE
PID:4404
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SU AUTO5⤵
- Cerber
- Executes dropped EXE
PID:2052
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SK 30195-17520-103325⤵
- Executes dropped EXE
PID:4724
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SF 21150-17719-325145⤵
- Cerber
- Executes dropped EXE
PID:4440
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BM 11211-10785-101145⤵
- Executes dropped EXE
PID:2652
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BP 29412-29-73015⤵
- Cerber
- Executes dropped EXE
PID:4824
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BV 1155-14488-115445⤵
- Cerber
- Executes dropped EXE
PID:4408
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BS 24207-6588-174505⤵
- Cerber
- Executes dropped EXE
PID:2596
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BT 4331-26299-42305⤵
- Cerber
- Executes dropped EXE
PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BLC 13086-18009-191555⤵
- Executes dropped EXE
PID:3416
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CM 13654-13991-138495⤵
- Cerber
- Executes dropped EXE
PID:1040
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CV 7105-13374-281865⤵
- Executes dropped EXE
PID:4940
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CS 22397-13218-324395⤵
- Executes dropped EXE
PID:3204
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CA 17825-25683-107795⤵
- Cerber
- Executes dropped EXE
PID:2556
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CSK 16029-11572-10335⤵
- Cerber
- Executes dropped EXE
PID:2476
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /PSN 25328-31355-153015⤵
- Cerber
- Executes dropped EXE
PID:992
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /PAT 12820-27346-202335⤵
- Executes dropped EXE
PID:4880
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /PPN 4795-25489-57535⤵
- Cerber
- Executes dropped EXE
PID:4752
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 1 25075-5538-123335⤵
- Cerber
- Executes dropped EXE
PID:4640
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 2 6131-29148-189775⤵
- Executes dropped EXE
PID:3484
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 3 579-32316-101475⤵
- Executes dropped EXE
PID:4972
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 4 29740-4677-212625⤵
- Cerber
- Executes dropped EXE
PID:1128
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 5 3301-17018-126375⤵
- Cerber
- Executes dropped EXE
PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 6 19194-19395-79945⤵
- Cerber
- Executes dropped EXE
PID:4472
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 7 10068-15288-71415⤵
- Executes dropped EXE
PID:1260
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 8 30978-10162-196445⤵
- Cerber
- Executes dropped EXE
PID:2440
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 9 190-6152-87435⤵
- Cerber
- Executes dropped EXE
PID:4120
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 10 5641-15634-213965⤵
- Cerber
- Executes dropped EXE
PID:4352
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 11 29225-8522-81185⤵
- Cerber
- Executes dropped EXE
PID:64
-
-
C:\Windows\system32\net.exenet stop winmgmt /Y5⤵PID:2316
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop winmgmt /Y6⤵PID:3188
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop winmgmt /y4⤵PID:3932
-
C:\Windows\system32\net.exenet stop winmgmt /y5⤵PID:2804
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop winmgmt /y6⤵PID:1800
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net start winmgmt /y4⤵PID:1120
-
C:\Windows\system32\net.exenet start winmgmt /y5⤵PID:4592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start winmgmt /y6⤵PID:1444
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop winmgmt4⤵PID:3436
-
C:\Windows\system32\sc.exesc stop winmgmt5⤵
- Launches sc.exe
PID:3712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc start winmgmt4⤵PID:3384
-
C:\Windows\system32\sc.exesc start winmgmt5⤵
- Launches sc.exe
PID:4596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mode con: cols=50 lines=204⤵PID:4260
-
C:\Windows\system32\mode.commode con: cols=50 lines=205⤵PID:4412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c title %computername%4⤵PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM EpicGamesLauncher.exe >nul 2>&14⤵PID:4920
-
C:\Windows\system32\taskkill.exetaskkill /F /IM EpicGamesLauncher.exe5⤵
- Kills process with taskkill
PID:3084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM EasyAntiCheatLauncher.exe >nul 2>&14⤵PID:3672
-
C:\Windows\system32\taskkill.exetaskkill /F /IM EasyAntiCheatLauncher.exe5⤵
- Kills process with taskkill
PID:3252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM BEService.exe >nul 2>&14⤵PID:3356
-
C:\Windows\system32\taskkill.exetaskkill /F /IM BEService.exe5⤵
- Kills process with taskkill
PID:5072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM Fortnite.exe >nul 2>&14⤵PID:1900
-
C:\Windows\system32\taskkill.exetaskkill /F /IM Fortnite.exe5⤵
- Kills process with taskkill
PID:4484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM BattleEyeLauncher.exe >nul 2>&14⤵PID:4520
-
C:\Windows\system32\taskkill.exetaskkill /F /IM BattleEyeLauncher.exe5⤵
- Kills process with taskkill
PID:2816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM FortniteClient-Win64-Shipping.exe >nul 2>&14⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4808 -
C:\Windows\system32\taskkill.exetaskkill /F /IM FortniteClient-Win64-Shipping.exe5⤵
- Kills process with taskkill
PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&14⤵PID:624
-
C:\Windows\system32\sc.exesc stop BEService5⤵
- Launches sc.exe
PID:64
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&14⤵PID:4384
-
C:\Windows\system32\sc.exesc stop BEDaisy5⤵
- Launches sc.exe
PID:5016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&14⤵PID:2756
-
C:\Windows\system32\sc.exesc stop EasyAntiCheat5⤵
- Launches sc.exe
PID:1400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&14⤵PID:2648
-
C:\Windows\system32\sc.exesc stop EasyAntiCheatSys5⤵
- Launches sc.exe
PID:2936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵PID:3228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Disk1.exe4⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\Disk1.exeDisk1.exe5⤵
- System Location Discovery: System Language Discovery
PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Disk2.exe4⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\Disk2.exeDisk2.exe5⤵PID:2640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Spoof.bat4⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /IVN 6363-6368-56695⤵PID:3836
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /IV 8261-20043-103665⤵
- Cerber
PID:664
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /IV 20677-18493-46355⤵
- Cerber
PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SM 24610-32214-116045⤵
- Cerber
PID:4592
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SP 25914-2518-63475⤵PID:1456
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SV 4222-10975-188795⤵
- Cerber
PID:2224
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SS 3016-28577-297975⤵PID:4528
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SU AUTO5⤵PID:5060
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SK 2719-31250-302715⤵
- Cerber
PID:3436
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SF 16216-5023-37815⤵
- Cerber
PID:4488
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BM 24917-22992-110845⤵PID:4376
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BP 9157-23171-248295⤵PID:4124
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BV 27615-21750-36925⤵PID:4416
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BS 3588-11457-214245⤵PID:4748
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BT 608-17673-95505⤵PID:4744
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /BLC 3693-27961-67975⤵
- Cerber
PID:4356
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CM 11482-197-60185⤵
- Cerber
PID:2332
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CV 17147-15345-162855⤵PID:3740
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CS 1759-8317-48355⤵
- Cerber
PID:3748
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CA 5531-30888-253645⤵
- Cerber
PID:4380
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /CSK 10624-17373-286325⤵
- Cerber
PID:3984
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /PSN 28392-19489-150825⤵PID:2236
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /PAT 23078-31965-25365⤵PID:2192
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /PPN 24552-4209-105985⤵
- Cerber
PID:3116
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 1 22600-12816-139215⤵
- Cerber
PID:1472
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 2 26014-4039-256965⤵
- Cerber
PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 3 15692-32405-97305⤵PID:4712
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 4 16271-3670-120075⤵PID:3664
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 5 18674-24646-81575⤵
- Cerber
PID:1016
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 6 28308-16239-96135⤵
- Cerber
PID:4200
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 7 31252-29963-130425⤵
- Cerber
PID:360
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 8 25476-28397-85845⤵PID:1304
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 9 18079-11859-23655⤵
- Cerber
PID:4764
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 10 15776-8067-208355⤵
- Cerber
PID:4824
-
-
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 11 30491-19995-169225⤵
- Cerber
PID:5076
-
-
C:\Windows\system32\net.exenet stop winmgmt /Y5⤵PID:4204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop winmgmt /Y6⤵PID:4420
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop winmgmt /y4⤵PID:3416
-
C:\Windows\system32\net.exenet stop winmgmt /y5⤵PID:1720
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop winmgmt /y6⤵PID:4948
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net start winmgmt /y4⤵PID:1872
-
C:\Windows\system32\net.exenet start winmgmt /y5⤵PID:1340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start winmgmt /y6⤵PID:4584
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop winmgmt4⤵PID:2912
-
C:\Windows\system32\sc.exesc stop winmgmt5⤵
- Launches sc.exe
PID:2764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc start winmgmt4⤵PID:1684
-
C:\Windows\system32\sc.exesc start winmgmt5⤵
- Launches sc.exe
PID:3000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mode con: cols=50 lines=204⤵PID:4776
-
C:\Windows\system32\mode.commode con: cols=50 lines=205⤵PID:68
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c title %computername%4⤵PID:2696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵PID:2936
-
-
-
-
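The tree above is the whole playbook in one place: a batch extracted to %TEMP%\C7EF.tmp, taskkill /F against the game and anti-cheat processes, sc stop against the BattlEye and EasyAntiCheat services, a run of inertia.exe with one switch per SMBIOS field, and a stop/start of winmgmt so WMI re-reads the rewritten values. The Python below is an added example written for this page, not code from the report or from the sample. It parses entries in the report's own "path + command line + depth⤵ + PID" layout (handling the cases where tags and the PID sit on following lines), rebuilds parent links from the depth column, and emits the findings a detection engineer would alert on. The sample lines are copied from the tree above (constructed input). The mapping of inertia.exe switches to SMBIOS field names is my reading of the switch letters and is an assumption: the report itself names none of those fields. Rule names and function names are mine.

```python
import re

# Entries copied from the process tree above (constructed input). The report prints a
# process as "<image path><command line><depth>⤵PID:<pid>"; when signature tags were
# attached, the tags and the "PID:" line follow on separate lines instead.
SAMPLE_TREE = r'''
C:\Users\Admin\Desktop\CucumberPerm.exe"C:\Users\Admin\Desktop\CucumberPerm.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\C7F0.tmp\C7F1.bat C:\Users\Admin\Desktop\CucumberPerm.exe"2⤵PID:4520
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\Cucumber-Permanently-Spoofer.exeCucumber-Permanently-Spoofer.exe3⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM EasyAntiCheatLauncher.exe >nul 2>&14⤵PID:3836
C:\Windows\system32\taskkill.exetaskkill /F /IM EasyAntiCheatLauncher.exe5⤵PID:664
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&14⤵PID:4748
C:\Windows\system32\sc.exesc stop BEDaisy5⤵PID:2212
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Spoof.bat4⤵PID:2640
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /SU AUTO5⤵PID:2052
C:\Users\Admin\AppData\Local\Temp\C7EF.tmp\inertia.exeinertia.exe /OS 3 579-32316-101475⤵PID:4972
C:\Windows\system32\net.exenet stop winmgmt /Y5⤵PID:2316
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc start winmgmt4⤵PID:3384
C:\Windows\system32\sc.exesc start winmgmt5⤵
- Launches sc.exe
PID:4596
'''

# Depth is a single digit in this report (max 6); that is what lets the digit glued to the
# command line be split off even when the argument itself ends in digits.
ENTRY_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?\.(?:exe|com))(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?')
PID_RE = re.compile(r'^PID:(\d+)')

def parse_tree(text):
    """Parse entries and rebuild parent links from the depth column."""
    procs, stack, pending = [], [], None      # stack[d-1] = latest process seen at depth d
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            depth = int(m['depth'])
            del stack[depth - 1:]
            parent = stack[-1]['pid'] if stack else None
            proc = {'path': m['path'], 'image': m['path'].rsplit('\\', 1)[-1].lower(),
                    'cmd': m['cmd'].strip(), 'depth': depth, 'parent': parent, 'tags': [],
                    'pid': int(m['pid']) if m['pid'] else None}
            stack.append(proc)
            procs.append(proc)
            pending = proc if proc['pid'] is None else None   # PID comes on a later line
        elif pending and line.startswith('- '):
            pending['tags'].append(line[2:])
        elif pending and PID_RE.match(line):
            pending['pid'], pending = int(PID_RE.match(line)[1]), None
    return procs

ANTICHEAT_PROCS = {'easyanticheatlauncher.exe', 'beservice.exe', 'battleyelauncher.exe'}
GAME_PROCS = {'epicgameslauncher.exe', 'fortnite.exe', 'fortniteclient-win64-shipping.exe'}
ANTICHEAT_SVCS = {'beservice', 'bedaisy', 'easyanticheat', 'easyanticheatsys'}

# ASSUMED mapping of inertia.exe switches to the SMBIOS fields they rewrite (my reading of
# the switch letters: S=system, B=baseboard, C=chassis, P=processor, OS=OEM string).
SMBIOS_SWITCHES = {
    '/IVN': 'BIOS vendor', '/IV': 'BIOS version', '/SM': 'System manufacturer',
    '/SP': 'System product', '/SV': 'System version', '/SS': 'System serial',
    '/SU': 'System UUID', '/SK': 'System SKU', '/SF': 'System family',
    '/BM': 'Baseboard manufacturer', '/BP': 'Baseboard product', '/BV': 'Baseboard version',
    '/BS': 'Baseboard serial', '/BT': 'Baseboard asset tag', '/BLC': 'Baseboard location',
    '/CM': 'Chassis manufacturer', '/CV': 'Chassis version', '/CS': 'Chassis serial',
    '/CA': 'Chassis asset tag', '/CSK': 'Chassis SKU', '/PSN': 'Processor serial',
    '/PAT': 'Processor asset tag', '/PPN': 'Processor part number', '/OS': 'OEM string'}

def smbios_fields(cmd):
    """SMBIOS fields named on an inertia.exe command line ("/OS 3 value" is OEM string slot 3)."""
    toks, out = cmd.split(), []
    for i, tok in enumerate(toks):
        name = SMBIOS_SWITCHES.get(tok.upper())
        if name == 'OEM string' and i + 1 < len(toks) and toks[i + 1].isdigit():
            name += ' #' + toks[i + 1]
        if name:
            out.append(name)
    return out

def findings(procs):
    """(pid, rule, detail) triples a detection engineer would alert on."""
    hits = []
    for p in procs:
        low = p['cmd'].lower().split()
        if p['image'] == 'taskkill.exe' and '/im' in low[:-1]:
            target = low[low.index('/im') + 1]
            if target in ANTICHEAT_PROCS:
                hits.append((p['pid'], 'anticheat_process_kill', target))
            elif target in GAME_PROCS:
                hits.append((p['pid'], 'game_process_kill', target))
        elif p['image'] in ('sc.exe', 'net.exe') and len(low) >= 3 and low[1] in ('stop', 'start'):
            if low[2] in ANTICHEAT_SVCS:
                hits.append((p['pid'], 'anticheat_service_' + low[1], low[2]))
            elif low[2] == 'winmgmt':             # WMI bounced so it re-reads the SMBIOS tables
                hits.append((p['pid'], 'wmi_service_' + low[1], low[2]))
        elif '\\appdata\\local\\temp\\' in p['path'].lower():
            fields = smbios_fields(p['cmd']) if p['image'] == 'inertia.exe' else []
            if fields:
                hits.append((p['pid'], 'smbios_rewrite', ', '.join(fields)))
            else:
                hits.append((p['pid'], 'dropped_exe_from_temp', p['image']))
    return hits

def lineage(procs, pid):
    """Root-first PID chain. PIDs are reused across this report, so on the full tree key
    on the sandbox's own process index rather than the PID."""
    by_pid, chain = {p['pid']: p for p in procs}, []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]['parent']
    return chain[::-1]
```

On the sample above `findings` yields seven hits: the dropped Cucumber-Permanently-Spoofer.exe, the EasyAntiCheatLauncher.exe kill, the BEDaisy stop, two SMBIOS rewrites (System UUID and OEM string slot 3), and the winmgmt stop/start pair; `lineage(procs, 664)` traces the taskkill back through cmd.exe and the dropped spoofer to CucumberPerm.exe. The `smbios_rewrite` rule is the one worth keeping even where anti-cheat names change: a user-mode tool rewriting firmware-backed identity fields followed by a winmgmt restart has no benign reason to run on a gaming endpoint.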
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2076
-
[1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt  PID 2008
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\Desktop\CucumberPerm.exe  cmd: "C:\Users\Admin\Desktop\CucumberPerm.exe"  PID 2064
  [2] C:\Windows\system32\cmd.exe  cmd: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\70C1.tmp\70C2.tmp\70C3.bat C:\Users\Admin\Desktop\CucumberPerm.exe"  PID 1356
    [3] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\Cucumber-Permanently-Spoofer.exe  cmd: Cucumber-Permanently-Spoofer.exe  PID 3680
        - Executes dropped EXE
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c mode con: cols=50 lines=20  PID 3664
        [5] C:\Windows\system32\mode.com  cmd: mode con: cols=50 lines=20  PID 700
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c title %computername%  PID 4444
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c cls  PID 4200
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /F /IM EpicGamesLauncher.exe >nul 2>&1  PID 3840
        [5] C:\Windows\system32\taskkill.exe  cmd: taskkill /F /IM EpicGamesLauncher.exe  PID 5056
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /F /IM EasyAntiCheatLauncher.exe >nul 2>&1  PID 928
        [5] C:\Windows\system32\taskkill.exe  cmd: taskkill /F /IM EasyAntiCheatLauncher.exe  PID 2476
            - Kills process with taskkill
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /F /IM BEService.exe >nul 2>&1  PID 2096
        [5] C:\Windows\system32\taskkill.exe  cmd: taskkill /F /IM BEService.exe  PID 4880
            - Kills process with taskkill
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /F /IM Fortnite.exe >nul 2>&1  PID 1328
        [5] C:\Windows\system32\taskkill.exe  cmd: taskkill /F /IM Fortnite.exe  PID 4640
            - Kills process with taskkill
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /F /IM BattleEyeLauncher.exe >nul 2>&1  PID 4760
        [5] C:\Windows\system32\taskkill.exe  cmd: taskkill /F /IM BattleEyeLauncher.exe  PID 4972
            - Kills process with taskkill
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /F /IM FortniteClient-Win64-Shipping.exe >nul 2>&1  PID 820
          - System Network Configuration Discovery: Internet Connection Discovery
        [5] C:\Windows\system32\taskkill.exe  cmd: taskkill /F /IM FortniteClient-Win64-Shipping.exe  PID 2716
            - Kills process with taskkill
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&1  PID 4100
        [5] C:\Windows\system32\sc.exe  cmd: sc stop BEService  PID 2524
            - Launches sc.exe
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&1  PID 4184
        [5] C:\Windows\system32\sc.exe  cmd: sc stop BEDaisy  PID 1320
            - Launches sc.exe
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&1  PID 4120
        [5] C:\Windows\system32\sc.exe  cmd: sc stop EasyAntiCheat  PID 4176
            - Launches sc.exe
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&1  PID 624
        [5] C:\Windows\system32\sc.exe  cmd: sc stop EasyAntiCheatSys  PID 3376
            - Launches sc.exe
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c cls  PID 64
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c Disk1.exe  PID 4832
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\Disk1.exe  cmd: Disk1.exe  PID 4360
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c Disk2.exe  PID 4552
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\Disk2.exe  cmd: Disk2.exe  PID 3232
            - Executes dropped EXE
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c Spoof.bat  PID 2000
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /IVN 7931-9431-18476  PID 68
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /IV 13733-17470-15122  PID 2372
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /IV 14255-960-27200  PID 3044
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /SM 25941-31817-8962  PID 2508
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /SP 8069-32165-14144  PID 2148
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /SV 25004-8988-2402  PID 5084
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /SS 20670-24142-21540  PID 4080
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /SU AUTO  PID 2804
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /SK 31426-887-29916  PID 652
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /SF 14991-9854-19339  PID 1456
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /BM 516-3366-16843  PID 1120
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /BP 15534-28863-22733  PID 3596
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /BV 31884-902-17959  PID 1508
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /BS 11529-3014-5716  PID 3088
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /BT 8072-29119-14420  PID 4496
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /BLC 22743-22201-19007  PID 3384
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /CM 17884-14190-16557  PID 5096
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /CV 10624-17921-32124  PID 4748
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /CS 14917-31661-11226  PID 4260
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /CA 27408-30568-2273  PID 5048
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /CSK 13219-19910-18518  PID 4356
            - Cerber
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /PSN 30000-29363-8424  PID 512
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /PAT 18745-486-9134  PID 3780
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /PPN 30937-12286-29715  PID 4980
            - Cerber
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 1 764-15796-11362  PID 312
            - Cerber
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 2 17479-20346-31024  PID 2216
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 3 3664-31642-17263  PID 2192
            - Cerber
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 4 15303-9834-25071  PID 1504
            - Cerber
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 5 6593-23831-5350  PID 1472
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 6 24954-29545-7048  PID 2940
            - Cerber
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 7 31387-17280-12580  PID 4712
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 8 24367-16475-10846  PID 1052
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 9 5483-9202-26756  PID 1016
            - Cerber
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 10 27853-17062-20205  PID 700
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\inertia.exe  cmd: inertia.exe /OS 11 7890-13924-27037  PID 5068
            - Cerber
        [5] C:\Windows\system32\net.exe  cmd: net stop winmgmt /Y  PID 3160
          [6] C:\Windows\system32\net1.exe  cmd: C:\Windows\system32\net1 stop winmgmt /Y  PID 400
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c net stop winmgmt /y  PID 1080
        [5] C:\Windows\system32\net.exe  cmd: net stop winmgmt /y  PID 4620
          [6] C:\Windows\system32\net1.exe  cmd: C:\Windows\system32\net1 stop winmgmt /y  PID 2860
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c net start winmgmt /y  PID 372
        [5] C:\Windows\system32\net.exe  cmd: net start winmgmt /y  PID 1272
          [6] C:\Windows\system32\net1.exe  cmd: C:\Windows\system32\net1 start winmgmt /y  PID 2800
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c sc stop winmgmt  PID 4276
        [5] C:\Windows\system32\sc.exe  cmd: sc stop winmgmt  PID 4224
            - Launches sc.exe
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c sc start winmgmt  PID 4364
        [5] C:\Windows\system32\sc.exe  cmd: sc start winmgmt  PID 3900
            - Launches sc.exe
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c mode con: cols=50 lines=20  PID 1104
        [5] C:\Windows\system32\mode.com  cmd: mode con: cols=50 lines=20  PID 3232
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c title %computername%  PID 2692
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c cls  PID 2920
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c cls  PID 1188
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c start cleaner.exe  PID 2436
        [5] C:\Users\Admin\AppData\Local\Temp\70C1.tmp\cleaner.exe  cmd: cleaner.exe  PID 3160
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Checks system information in the registry
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1  PID 3100
            [7] C:\Windows\system32\taskkill.exe  cmd: taskkill /f /im EpicGamesLauncher.exe  PID 3280
                - Kills process with taskkill
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1  PID 4808
              - System Network Configuration Discovery: Internet Connection Discovery
            [7] C:\Windows\system32\taskkill.exe  cmd: taskkill /f /im FortniteClient-Win64-Shipping.exe  PID 64
                - Kills process with taskkill
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1  PID 4384
            [7] C:\Windows\system32\taskkill.exe  cmd: taskkill /f /im Battle.net.exe  PID 3024
                - Kills process with taskkill
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c start https://applecheats.cc  PID 3228
              - Checks computer location settings
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c pause  PID 3664
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c cls  PID 2596
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1  PID 3568
            [7] C:\Windows\system32\netsh.exe  cmd: NETSH WINSOCK RESET  PID 3336
                - Event Triggered Execution: Netsh Helper DLL
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1  PID 5028
            [7] C:\Windows\system32\netsh.exe  cmd: NETSH INT IP RESET  PID 3888
                - Event Triggered Execution: Netsh Helper DLL
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1  PID 3000
            [7] C:\Windows\system32\netsh.exe  cmd: netsh advfirewall reset  PID 3908
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1  PID 3100
            [7] C:\Windows\system32\netsh.exe  cmd: NETSH INTERFACE IPV4 RESET  PID 5016
                - Event Triggered Execution: Netsh Helper DLL
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1  PID 4808
            [7] C:\Windows\system32\netsh.exe  cmd: NETSH INTERFACE IPV6 RESET  PID 4072
                - Event Triggered Execution: Netsh Helper DLL
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1  PID 4140
            [7] C:\Windows\system32\netsh.exe  cmd: NETSH INTERFACE TCP RESET  PID 2788
                - Event Triggered Execution: Netsh Helper DLL
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1  PID 2512
            [7] C:\Windows\system32\netsh.exe  cmd: NETSH INT RESET ALL  PID 4788
                - Event Triggered Execution: Netsh Helper DLL
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1  PID 2780
            [7] C:\Windows\system32\ipconfig.exe  cmd: IPCONFIG /RELEASE  PID 4276
                - Gathers network information
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1  PID 192
            [7] C:\Windows\system32\ipconfig.exe  cmd: IPCONFIG /RELEASE  PID 5040
                - Gathers network information
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1  PID 1884
            [7] C:\Windows\system32\ipconfig.exe  cmd: IPCONFIG /FLUSHDNS  PID 4732
                - Gathers network information
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1  PID 4736
            [7] C:\Windows\system32\nbtstat.exe  cmd: NBTSTAT -R  PID 2076
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1  PID 1508
            [7] C:\Windows\system32\nbtstat.exe  cmd: NBTSTAT -RR  PID 3088
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1  PID 1908
              - Network Service Discovery
            [7] C:\Windows\system32\ARP.EXE  cmd: arp -a  PID 5096
                - Network Service Discovery
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1  PID 3384
            [7] C:\Windows\system32\ARP.EXE  cmd: arp -d  PID 756
          [6] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1  PID 1420
            [7] C:\Windows\System32\Wbem\WMIC.exe  cmd: WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE  PID 3188
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c mode con: cols=50 lines=20  PID 2856
        [5] C:\Windows\system32\mode.com  cmd: mode con: cols=50 lines=20  PID 1080
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c title %computername%  PID 4696
      [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c cls  PID 4224

[1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt  PID 3000

[1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt  PID 3568
    - Drops file in System32 directory

[1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt  PID 4604

[1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt  PID 3900
    - Drops file in System32 directory

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca  PID 3932
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\browser_broker.exe  cmd: C:\Windows\system32\browser_broker.exe -Embedding  PID 4168
    - Modifies Internet Explorer settings

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca  PID 220
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca  PID 4964
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca  PID 4480
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (1)
Downloads