cerber | 3d99b167af0de94e2d01b587daf40a5a9bfe7ec5668b06bae5788f7bbce995ed

Analysis

max time kernel
49s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d.exe
Size

2.7MB
MD5

e001605fa695282a2d3170d8d9e956c9
SHA1

4544155daae0335ada1d05a509e43b8c0434ffc8
SHA256

003dc05c74dedfb83f73982173d2ed293a84a2af8a7ef8b6e6ff928119859a2e
SHA512

11642791791255eea62db5b5058e651329d9b537cc9ffd734702b5bf5207351ecc3bbdb3499acb3dc43e7937da8efd9e23b1e1ccfaa6a077bd747a40926d40d6
SSDEEP

49152:wy8J1anDS2TFQTnQT2QT9QT1QTXCbAAKrqgvWAtY3o41MBXcOz5dD:CxYw1aCkX23o41MBXc4D

Score

10^/10

cerber defense_evasion discovery evasion execution ransomware

Malware Config

Signatures

Cerber 12 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		4300	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
		3260	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	d3d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	ntelidcx.dll

Executes dropped EXE 42 IoCs

pid	Process
1140	accessibility.dll
1628	accessibility.dll
2156	accessibility.dll
3552	accessibility.dll
5040	accessibility.dll
4196	accessibility.dll
4888	accessibility.dll
3408	accessibility.dll
376	accessibility.dll
4336	ifsutipx.exe
1604	ifsutipx.exe
808	ifsutipx.exe
2460	ifsutipx.exe
1828	ifsutipx.exe
4540	ifsutipx.exe
812	ifsutipx.exe
1368	ifsutipx.exe
3684	ifsutipx.exe
5104	ifsutipx.exe
1340	ntelidcx.dll
2492	AppVLicense.dll
1140	accessibility.dll
1628	accessibility.dll
2156	accessibility.dll
3552	accessibility.dll
5040	accessibility.dll
4196	accessibility.dll
4888	accessibility.dll
3408	accessibility.dll
376	accessibility.dll
4336	ifsutipx.exe
1604	ifsutipx.exe
808	ifsutipx.exe
2460	ifsutipx.exe
1828	ifsutipx.exe
4540	ifsutipx.exe
812	ifsutipx.exe
1368	ifsutipx.exe
3684	ifsutipx.exe
5104	ifsutipx.exe
1340	ntelidcx.dll
2492	AppVLicense.dll

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\accessibility.dll	d3d.exe
File created	C:\Windows\System32\amifldrv64.sys	d3d.exe
File created	C:\Windows\System32\ifsutipx.exe	d3d.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
228	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ntelidcx.dll	d3d.exe
File created	C:\Windows\AppVLicense.dll	d3d.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4548	sc.exe
4440	sc.exe
1620	sc.exe
3412	sc.exe
2628	sc.exe
3224	sc.exe
4472	sc.exe
1276	sc.exe
2184	sc.exe
3924	sc.exe
5088	sc.exe
5040	sc.exe
2976	sc.exe
3948	sc.exe
1788	sc.exe
4016	sc.exe
1168	sc.exe
1036	sc.exe
4752	sc.exe
5112	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntelidcx.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppVLicense.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Kills process with taskkill 34 IoCs

evasion

pid	Process
3860	taskkill.exe
4008	taskkill.exe
1620	taskkill.exe
868	taskkill.exe
1108	taskkill.exe
1972	taskkill.exe
4300	taskkill.exe
3760	taskkill.exe
4376	taskkill.exe
1364	taskkill.exe
5008	taskkill.exe
468	taskkill.exe
4312	taskkill.exe
4268	taskkill.exe
764	taskkill.exe
228	taskkill.exe
1728	taskkill.exe
2428	taskkill.exe
2492	taskkill.exe
532	taskkill.exe
3168	taskkill.exe
3084	taskkill.exe
3260	taskkill.exe
4024	taskkill.exe
1004	taskkill.exe
876	taskkill.exe
2476	taskkill.exe
4752	taskkill.exe
2488	taskkill.exe
1380	taskkill.exe
2604	taskkill.exe
3008	taskkill.exe
3628	taskkill.exe
5056	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBNumber = "KB3170605"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 1506051441	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration\ProductId = "00331-10000-00001-A4171"	reg.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "{27720B92-5FCF-726F-5FCF-920500268B89}"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3292	d3d.exe
3292	d3d.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	3260	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3504	WMIC.exe
Token: SeSecurityPrivilege	3504	WMIC.exe
Token: SeTakeOwnershipPrivilege	3504	WMIC.exe
Token: SeLoadDriverPrivilege	3504	WMIC.exe
Token: SeSystemProfilePrivilege	3504	WMIC.exe
Token: SeSystemtimePrivilege	3504	WMIC.exe
Token: SeProfSingleProcessPrivilege	3504	WMIC.exe
Token: SeIncBasePriorityPrivilege	3504	WMIC.exe
Token: SeCreatePagefilePrivilege	3504	WMIC.exe
Token: SeBackupPrivilege	3504	WMIC.exe
Token: SeRestorePrivilege	3504	WMIC.exe
Token: SeShutdownPrivilege	3504	WMIC.exe
Token: SeDebugPrivilege	3504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3504	WMIC.exe
Token: SeRemoteShutdownPrivilege	3504	WMIC.exe
Token: SeUndockPrivilege	3504	WMIC.exe
Token: SeManageVolumePrivilege	3504	WMIC.exe
Token: 33	3504	WMIC.exe
Token: 34	3504	WMIC.exe
Token: 35	3504	WMIC.exe
Token: 36	3504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3504	WMIC.exe
Token: SeSecurityPrivilege	3504	WMIC.exe
Token: SeTakeOwnershipPrivilege	3504	WMIC.exe
Token: SeLoadDriverPrivilege	3504	WMIC.exe
Token: SeSystemProfilePrivilege	3504	WMIC.exe
Token: SeSystemtimePrivilege	3504	WMIC.exe
Token: SeProfSingleProcessPrivilege	3504	WMIC.exe
Token: SeIncBasePriorityPrivilege	3504	WMIC.exe
Token: SeCreatePagefilePrivilege	3504	WMIC.exe
Token: SeBackupPrivilege	3504	WMIC.exe
Token: SeRestorePrivilege	3504	WMIC.exe
Token: SeShutdownPrivilege	3504	WMIC.exe
Token: SeDebugPrivilege	3504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3504	WMIC.exe
Token: SeRemoteShutdownPrivilege	3504	WMIC.exe
Token: SeUndockPrivilege	3504	WMIC.exe
Token: SeManageVolumePrivilege	3504	WMIC.exe
Token: 33	3504	WMIC.exe
Token: 34	3504	WMIC.exe
Token: 35	3504	WMIC.exe
Token: 36	3504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3996	WMIC.exe
Token: SeSecurityPrivilege	3996	WMIC.exe
Token: SeTakeOwnershipPrivilege	3996	WMIC.exe
Token: SeLoadDriverPrivilege	3996	WMIC.exe
Token: SeSystemProfilePrivilege	3996	WMIC.exe
Token: SeSystemtimePrivilege	3996	WMIC.exe
Token: SeProfSingleProcessPrivilege	3996	WMIC.exe
Token: SeIncBasePriorityPrivilege	3996	WMIC.exe
Token: SeCreatePagefilePrivilege	3996	WMIC.exe
Token: SeBackupPrivilege	3996	WMIC.exe
Token: SeRestorePrivilege	3996	WMIC.exe
Token: SeShutdownPrivilege	3996	WMIC.exe
Token: SeDebugPrivilege	3996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3996	WMIC.exe
Token: SeRemoteShutdownPrivilege	3996	WMIC.exe
Token: SeUndockPrivilege	3996	WMIC.exe
Token: SeManageVolumePrivilege	3996	WMIC.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe
3292	d3d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 4664	3292	d3d.exe	83
PID 3292 wrote to memory of 4664	3292	d3d.exe	83
PID 4664 wrote to memory of 4300	4664	cmd.exe	84
PID 4664 wrote to memory of 4300	4664	cmd.exe	84
PID 3292 wrote to memory of 3316	3292	d3d.exe	86
PID 3292 wrote to memory of 3316	3292	d3d.exe	86
PID 3316 wrote to memory of 3260	3316	cmd.exe	87
PID 3316 wrote to memory of 3260	3316	cmd.exe	87
PID 3292 wrote to memory of 3068	3292	d3d.exe	88
PID 3292 wrote to memory of 3068	3292	d3d.exe	88
PID 3068 wrote to memory of 1620	3068	cmd.exe	89
PID 3068 wrote to memory of 1620	3068	cmd.exe	89
PID 3292 wrote to memory of 4816	3292	d3d.exe	90
PID 3292 wrote to memory of 4816	3292	d3d.exe	90
PID 4816 wrote to memory of 1004	4816	cmd.exe	91
PID 4816 wrote to memory of 1004	4816	cmd.exe	91
PID 3292 wrote to memory of 1100	3292	d3d.exe	92
PID 3292 wrote to memory of 1100	3292	d3d.exe	92
PID 1100 wrote to memory of 1728	1100	cmd.exe	93
PID 1100 wrote to memory of 1728	1100	cmd.exe	93
PID 3292 wrote to memory of 972	3292	d3d.exe	94
PID 3292 wrote to memory of 972	3292	d3d.exe	94
PID 972 wrote to memory of 3628	972	cmd.exe	95
PID 972 wrote to memory of 3628	972	cmd.exe	95
PID 3292 wrote to memory of 1364	3292	d3d.exe	96
PID 3292 wrote to memory of 1364	3292	d3d.exe	96
PID 1364 wrote to memory of 3504	1364	cmd.exe	97
PID 1364 wrote to memory of 3504	1364	cmd.exe	97
PID 3292 wrote to memory of 1792	3292	d3d.exe	98
PID 3292 wrote to memory of 1792	3292	d3d.exe	98
PID 1792 wrote to memory of 3996	1792	cmd.exe	99
PID 1792 wrote to memory of 3996	1792	cmd.exe	99
PID 3292 wrote to memory of 1612	3292	d3d.exe	100
PID 3292 wrote to memory of 1612	3292	d3d.exe	100
PID 1612 wrote to memory of 1824	1612	cmd.exe	101
PID 1612 wrote to memory of 1824	1612	cmd.exe	101
PID 3292 wrote to memory of 3212	3292	d3d.exe	102
PID 3292 wrote to memory of 3212	3292	d3d.exe	102
PID 3212 wrote to memory of 2028	3212	cmd.exe	103
PID 3212 wrote to memory of 2028	3212	cmd.exe	103
PID 3292 wrote to memory of 4036	3292	d3d.exe	104
PID 3292 wrote to memory of 4036	3292	d3d.exe	104
PID 4036 wrote to memory of 1368	4036	cmd.exe	105
PID 4036 wrote to memory of 1368	4036	cmd.exe	105
PID 3292 wrote to memory of 860	3292	d3d.exe	106
PID 3292 wrote to memory of 860	3292	d3d.exe	106
PID 860 wrote to memory of 4264	860	cmd.exe	107
PID 860 wrote to memory of 4264	860	cmd.exe	107
PID 3292 wrote to memory of 4348	3292	d3d.exe	108
PID 3292 wrote to memory of 4348	3292	d3d.exe	108
PID 3292 wrote to memory of 5060	3292	d3d.exe	109
PID 3292 wrote to memory of 5060	3292	d3d.exe	109
PID 5060 wrote to memory of 2260	5060	cmd.exe	110
PID 5060 wrote to memory of 2260	5060	cmd.exe	110
PID 3292 wrote to memory of 5104	3292	d3d.exe	111
PID 3292 wrote to memory of 5104	3292	d3d.exe	111
PID 5104 wrote to memory of 4728	5104	cmd.exe	112
PID 5104 wrote to memory of 4728	5104	cmd.exe	112
PID 3292 wrote to memory of 1340	3292	d3d.exe	113
PID 3292 wrote to memory of 1340	3292	d3d.exe	113
PID 1340 wrote to memory of 4524	1340	cmd.exe	114
PID 1340 wrote to memory of 4524	1340	cmd.exe	114
PID 3292 wrote to memory of 2680	3292	d3d.exe	118
PID 3292 wrote to memory of 2680	3292	d3d.exe	118

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
436	attrib.exe
3380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d3d.exe
"C:\Users\Admin\AppData\Local\Temp\d3d.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic systemenclosure get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic systemenclosure get serialnumber
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vol
  2⤵
  PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get serialnumber
    3⤵
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
    3⤵
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2680
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:4720
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:456
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:3464
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop cpuz150 >nul 2>&1
  2⤵
  PID:748
- - C:\Windows\system32\sc.exe
    sc stop cpuz150
    3⤵
    - Launches sc.exe
    PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgt >nul 2>&1
  2⤵
  PID:2668
- - C:\Windows\system32\sc.exe
    sc stop vgt
    3⤵
    - Launches sc.exe
    PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgrl >nul 2>&1
  2⤵
  PID:2116
- - C:\Windows\system32\sc.exe
    sc stop vgrl
    3⤵
    - Launches sc.exe
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgk >nul 2>&1
  2⤵
  PID:1692
- - C:\Windows\system32\sc.exe
    sc stop vgk
    3⤵
    - Launches sc.exe
    PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgc >nul 2>&1
  2⤵
  PID:4528
- - C:\Windows\system32\sc.exe
    sc stop vgc
    3⤵
    - Launches sc.exe
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgrl >nul 2>&1
  2⤵
  PID:2156
- - C:\Windows\system32\sc.exe
    sc delete vgrl
    3⤵
    - Launches sc.exe
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgk >nul 2>&1
  2⤵
  PID:1588
- - C:\Windows\system32\sc.exe
    sc delete vgk
    3⤵
    - Launches sc.exe
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgc >nul 2>&1
  2⤵
  PID:3384
- - C:\Windows\system32\sc.exe
    sc delete vgc
    3⤵
    - Launches sc.exe
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vg >nul 2>&1
  2⤵
  PID:4520
- - C:\Windows\system32\sc.exe
    sc delete vg
    3⤵
    - Launches sc.exe
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im vgtray.exe >nul 2>&1
  2⤵
  PID:4428
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im vgtray.exe
    3⤵
    - Kills process with taskkill
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete cpuz150 >nul 2>&1
  2⤵
  PID:1496
- - C:\Windows\system32\sc.exe
    sc delete cpuz150
    3⤵
    - Launches sc.exe
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config wuauserv start = disabled >nul 2>&1
  2⤵
  PID:3668
- - C:\Windows\system32\sc.exe
    sc config wuauserv start = disabled
    3⤵
    - Launches sc.exe
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop wuauserv >nul 2>&1
  2⤵
  PID:4644
- - C:\Windows\system32\net.exe
    net stop wuauserv
    3⤵
    PID:3624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config bits start = disabled >nul 2>&1
  2⤵
  PID:4780
- - C:\Windows\system32\sc.exe
    sc config bits start = disabled
    3⤵
    - Launches sc.exe
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop bits >nul 2>&1
  2⤵
  PID:3408
- - C:\Windows\system32\net.exe
    net stop bits
    3⤵
    PID:2784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bits
      4⤵
      PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config dosvc start = disabled >nul 2>&1
  2⤵
  PID:2560
- - C:\Windows\system32\sc.exe
    sc config dosvc start = disabled
    3⤵
    - Launches sc.exe
    PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop dosvc >nul 2>&1
  2⤵
  PID:2764
- - C:\Windows\system32\net.exe
    net stop dosvc
    3⤵
    PID:1928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop dosvc
      4⤵
      PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config UsoSvc start = disabled >nul 2>&1
  2⤵
  PID:1976
- - C:\Windows\system32\sc.exe
    sc config UsoSvc start = disabled
    3⤵
    - Launches sc.exe
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop UsoSvc >nul 2>&1
  2⤵
  PID:4408
- - C:\Windows\system32\net.exe
    net stop UsoSvc
    3⤵
    PID:4336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UsoSvc
      4⤵
      PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im smartscreen.exe
  2⤵
  PID:3880
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im smartscreen.exe
    3⤵
    - Kills process with taskkill
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im EasyAntiCheat.exe
  2⤵
  PID:1604
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe
  2⤵
  PID:3840
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnf.exe
    3⤵
    - Kills process with taskkill
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im DNF.exe
  2⤵
  PID:4300
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im DNF.exe
    3⤵
    - Kills process with taskkill
    PID:3860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im CrossProxy.exe
  2⤵
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im CrossProxy.exe
    3⤵
    - Kills process with taskkill
    PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_1.exe
  2⤵
  PID:3596
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tensafe_1.exe
    3⤵
    - Kills process with taskkill
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TenSafe_1.exe
  2⤵
  PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TenSafe_1.exe
    3⤵
    - Kills process with taskkill
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_2.exe
  2⤵
  PID:752
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tensafe_2.exe
    3⤵
    - Kills process with taskkill
    PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tencentdl.exe
  2⤵
  PID:4064
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tencentdl.exe
    3⤵
    - Kills process with taskkill
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TenioDL.exe
  2⤵
  PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TenioDL.exe
    3⤵
    - Kills process with taskkill
    PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im uishell.exe
  2⤵
  PID:32
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im uishell.exe
    3⤵
    - Kills process with taskkill
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im BackgroundDownloader.exe
  2⤵
  PID:4852
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im BackgroundDownloader.exe
    3⤵
    - Kills process with taskkill
    PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im conime.exe
  2⤵
  PID:4836
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im conime.exe
    3⤵
    - Kills process with taskkill
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im QQDL.EXE
  2⤵
  PID:2280
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im QQDL.EXE
    3⤵
    - Kills process with taskkill
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im qqlogin.exe
  2⤵
  PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im qqlogin.exe
    3⤵
    - Kills process with taskkill
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnfchina.exe >nul 2>&1
  2⤵
  PID:3040
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnfchina.exe
    3⤵
    - Kills process with taskkill
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnfchinatest.exe
  2⤵
  PID:864
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnfchinatest.exe
    3⤵
    - Kills process with taskkill
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe
  2⤵
  PID:3636
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnf.exe
    3⤵
    - Kills process with taskkill
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im txplatform.exe
  2⤵
  PID:1436
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im txplatform.exe
    3⤵
    - Kills process with taskkill
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TXPlatform.exe
  2⤵
  PID:3328
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TXPlatform.exe
    3⤵
    - Kills process with taskkill
    PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginWebHelperService.exe
  2⤵
  PID:3684
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginWebHelperService.exe
    3⤵
    - Kills process with taskkill
    PID:3084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Origin.exe
  2⤵
  PID:4884
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Origin.exe
    3⤵
    - Kills process with taskkill
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginClientService.exe
  2⤵
  PID:2732
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginClientService.exe
    3⤵
    - Kills process with taskkill
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginER.exe
  2⤵
  PID:3280
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginER.exe
    3⤵
    - Kills process with taskkill
    PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginThinSetupInternal.exe
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginThinSetupInternal.exe
    3⤵
    - Kills process with taskkill
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginLegacyCLI.exe
  2⤵
  PID:4028
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginLegacyCLI.exe
    3⤵
    - Kills process with taskkill
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Agent.exe
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Agent.exe
    3⤵
    - Kills process with taskkill
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Client.exe
  2⤵
  PID:2768
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Client.exe
    3⤵
    - Kills process with taskkill
    PID:4752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula
  2⤵
  PID:3600
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll /accepteula
    3⤵
    - Executes dropped EXE
    PID:1140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll
  2⤵
  PID:2628
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll
    3⤵
    - Executes dropped EXE
    PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula
  2⤵
  PID:4012
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll /accepteula
    3⤵
    - Executes dropped EXE
    PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll C: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:1588
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll C: 9569-3781
    3⤵
    - Executes dropped EXE
    PID:3552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll D: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:592
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll D: 6268-3137
    3⤵
    - Executes dropped EXE
    PID:5040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll E: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:4920
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll E: 9303-9780
    3⤵
    - Executes dropped EXE
    PID:4196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll F: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:2128
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll F: 2178-4402
    3⤵
    - Executes dropped EXE
    PID:4888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll G: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:4780
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll G: 5914-8135
    3⤵
    - Executes dropped EXE
    PID:3408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll
  2⤵
  PID:2864
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll
    3⤵
    - Executes dropped EXE
    PID:376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SS %random%%random%%random%
  2⤵
  PID:312
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SS 157921322830351
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BS %random%%random%%random%
  2⤵
  PID:4916
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /BS 157952397715447
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SU auto
  2⤵
  PID:3836
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SU auto
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /IV %random:~-1%.%random:~-1%.%random:~-1%
  2⤵
  PID:636
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /IV 2.5.8
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /ID 0%random:~-1%/0%random:~-1%/2021
  2⤵
  PID:1664
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /ID 05/04/2021
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SP MS-%random:~-1%C%random:~-1%%random:~-1%F
  2⤵
  PID:3364
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SP MS-8C48F
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SK A%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%O%random:~-1%
  2⤵
  PID:4984
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SK A134S017O4
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SF B%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%Z%random:~-1%
  2⤵
  PID:864
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SF B518S563Z7
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BT X%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%X%random:~-1%
  2⤵
  PID:1500
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /BT X815S100X9
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /PSN %random%%random%%random%
  2⤵
  PID:536
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /PSN 158211166027289
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:5104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\ntelidcx.dll
  2⤵
  PID:1076
- - C:\Windows\ntelidcx.dll
    C:\Windows\ntelidcx.dll
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t20461.bat" "C:\Windows\ntelidcx.dll" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4760
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:436
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where caption='Admin' rename
        5⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d 0F70-4171 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v Hostname /t REG_SZ /d 0F70-4171 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d 0F70-4171 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t REG_SZ /d 0F70-4171 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d 0F70-4171 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 00331--00001-A4171 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId /t REG_BINARY /d A4000000000003030312D3836382D303030303030372D383535353700AA0000005831352D3333000000000000000C3AABF726FBA18B8878E89D726F000000000000396CC459BD03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005FCF6736 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId4 /t REG_BINARY /d 437F653904000000300030003300375FCF002D00300030003100370030002D003800360038002D003000300030003000300030002D00300033002D0031003000330033002D0037003600300031002E0030003000300030002D003200360035003200300031003700000000000000000000000000000000000000000000000000000000000000000062003900320065003437F653980030002D0062003900035002D0034003800320031002D0039006300390034002D0031003400300066003600330032006600360033003100320000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050006F00660065007300730065FCFF006E0061006C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C3AABFA65BBA18B889D24ED80000C61437F6539D0BEDFD25E5FCF45B89FFF45564B84E87CB968EC7F4D18F6E5066261A0B704B9D2739558B7E97DF882AB087AB0D8A314BA9BB1E06029EA28D5800310035002D0033003900310037003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C0075006D006A00470056004C004B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C007D0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" /v ProductId /t REG_SZ /d 00331-10000-00001-A4171 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3348
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v svcKBNumber /t REG_SZ /d KB3170605 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:5040
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_DWORD /d 1506051441 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration" /v "IE Installed Date" /t REG_BINARY /d 1506051441 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {437F6539-5FCF-726F-5FCF-800500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {437F6539-5FCF-726F-5FCF-6a0500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {437F6539-5FCF-726F-5FCF-6a0500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\BootCKCLSettings" /v GUID /t REG_SZ /d {437F6539-5FCF-726F-5FCF-3e0500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\SecondaryLogonCKCLSettings" /v GUID /t REG_SZ /d {437F6539-5FCF-726F-5FCF-3e0500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\ShutdownCKCLSettings" /v GUID /t REG_SZ /d {437F6539-5FCF-726F-5FCF-3e0500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {437F6539-5FCF-726F-5FCF-800500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 437F6539-5FCF-726F-5FCF-e70500268B89 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild /t REG_SZ /d 14246 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber /t REG_SZ /d 14246 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLab /t REG_SZ /d 14246.rs1_release.171254-2100 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx /t REG_SZ /d 14246.1944.amd64fre.rs1_release.171254-2100 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 437F6539-5FCF-726F-5FCF-0500268B89 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Connected" /v GUID /t REG_SZ /d {A28BBADE-5FCF-726F-5FCF-000500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Disconnected" /v GUID /t REG_SZ /d {143E4E83-5FCF-726F-5FCF-000500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\EmailImage" /v GUID /t REG_SZ /d {C66DCEE1-5FCF-726F-5FCF-2F0500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\FaxImage" /v GUID /t REG_SZ /d {C00EB793-5FCF-726F-5FCF-000500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\PrintImage" /v GUID /t REG_SZ /d {B441F425-5FCF-726F-5FCF-000500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\ScanButton" /v GUID /t REG_SZ /d {A6C5A715-5FCF-726F-5FCF-000500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\STIproxyEvent" /v GUID /t REG_SZ /d {d711f81f-5FCF-726F-5FCF-920500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE" /v value /t REG_SZ /d {27720B92-5FCF-726F-5FCF-920500268B89} /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
    - - C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:312
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 437F6539-5FCF-726F-5FCF-c90500268B89 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /t REG_BINARY /d A4000000000003030312D3836382D303030500268B89D383535353700AA0000005831352D3333000000000000000C3AABF726FBA18B8878E89D726F000000000000396CC459BD03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005FCF6736 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
    - - C:\Windows\SysWOW64\net.exe
        
        net start wuauserv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start wuauserv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
      - C:\Windows\SysWOW64\reg.exe
        
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId
        6⤵
        
        PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /r /t 25
  2⤵
  PID:4260
- - C:\Windows\system32\shutdown.exe
    shutdown /r /t 25
    3⤵
    PID:1328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\AppVLicense.dll
  2⤵
  PID:1388
- - C:\Windows\AppVLicense.dll
    C:\Windows\AppVLicense.dll
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
      4⤵
      Hide Artifacts: Hidden Files and Directories
      System Location Discovery: System Language Discovery
      PID:228
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp645.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp645.bat"
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp2608.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp2608.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp645.bat "C:\Windows\AppVLicense.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:860
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr [0-9]
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 26D9CCFADCC3 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr [0-9]
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
        5⤵
        
        PID:2628
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface set interface name="Ethernet" disable
        5⤵
        
        PID:4012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ytmp\t20461.bat

Filesize
12KB

MD5
a1bf7fb8d8f6332c097ccdac8940b652

SHA1
faff60a2042cffe23613a5225dc1280d14f9c74d

SHA256
067fa831a43143846d24e00c4417ac6d8631a2ce8c5c2919886ddb6e4e8cb820

SHA512
1be8a1aa3b9241a630f314a7297a6782bc8d7fb77ff98e6c9f6b246e1d0c879f03097b2735de102a1fd4286d20fc36b46360b42d17b4246ea39e9aed52ade072

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\tmp645.bat

Filesize
2KB

MD5
2812a7b165fe385c1a6f6596a410f743

SHA1
4b0bc277ba23a046b27e05598234f4694c4f5148

SHA256
88b9b173ccc979af95537d6acd37ef6a27e8771582687a0dda1aa6eb70db8aa0

SHA512
d598fac3527e4641b613d6860b6e77ce7d1fd98c7f51c6a13399af835f9e5c8d4c79c877e7bcd041592b7b17815bd7666eda76256ecded18a450b80046420e51

Download Submit
C:\Windows\AppVLicense.dll

Filesize
78KB

MD5
d74f8515a65300b04ca04d622023f41f

SHA1
50689adb85e0e18625f1200c4a2d4b49c7270a9d

SHA256
a8b7df4fa86ec5cddd13fd650a553fac8611b8904f35529d8dfa2492f48f76b2

SHA512
9f95ee019da5734e14801f3fc1257d50fd078cd818288f681bdd6399244450cef901151b003e079d455c50247fc75fabd6e2237d47dd9bfcf8ac1e4287ffd672

Download Submit
C:\Windows\System32\accessibility.dll

Filesize
165KB

MD5
42b7d0cdd6a7ce9791b11d69315523dc

SHA1
8de659e46ea55b5ab3eb32b8216f74fe53f7d0a2

SHA256
5b85d64218283c933ca9afd194d5b8f451a519dcec58369434009d0dbd04e9e1

SHA512
f5141adbf226f15128e553088b2625f2cb38a1fbf3cff98dda205e1686ce186537abf5daa7c7148f887ab3bafcf03a9fa487844cad95e77ae38eae5d00af41cf

Download Submit
C:\Windows\System32\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Windows\System32\ifsutipx.exe

Filesize
459KB

MD5
92a410010d0fb650385e88c1474ac29d

SHA1
7ab69e5c7442a94fb5fa25705ca4eb2028a0c32c

SHA256
47d8117f0f7ecdc6843fe7f33cfa8a4a12bcf657fe648bde19050a12950e9555

SHA512
ff698acfef1270daebf5c4788e414ced15fd724c61e45a9cfa5f9220aa70866e43d0cb3348f06cd2741a13c2e5e42ae49eaf266263ab2777378244d4d7d1131e

Download Submit
C:\Windows\ntelidcx.dll

Filesize
72KB

MD5
6811536b3f22331c79f54b4b9dc4fa7b

SHA1
430c3222443590554a9ff932882c666ec91a2944

SHA256
2690ca7e6d7f8c28b43616e0a31ac8a8535a44506e145885e06072b51aeec787

SHA512
23765a39cbeb75010be44e218ad0626ba05f3615c202b74f561a579ed3cbd31da74d2639d9a7c7af6e0bf6fb25ec26d6895d2f020d167cffa0754f8a9041849e

Download Submit