cerber | eb04c7fde0ba573eae3e9307a3c91613e2eb4c41e97e0ad7a3979d2ac0e1dff1

Analysis

max time kernel
9s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 18:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

LARKSHARP SPOOFER.exe
Size

10.0MB
MD5

1e61aac32833d7e38884ae4df8e9748e
SHA1

b2f17de7878360c69f6c103cfb0d2f77c530cd39
SHA256

eb04c7fde0ba573eae3e9307a3c91613e2eb4c41e97e0ad7a3979d2ac0e1dff1
SHA512

947758430b35760ac87cacf9ba42c04b13628b67c9ce1bd866cb362021537f10f99869c73c62cbf7cf177fa2da285ebce11e23688e79eda22b157fa47ef9bd01
SSDEEP

196608:v6Dg6CsXDjDVdJolpPgToa10/inHu7eu0jr5MJLheXAxFg6XVnZ+YtlBGFOnJBDP:SE6CED/J83a10anHKeT/5QKAHBlZ7l4C

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber 41 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3136	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE

Executes dropped EXE 64 IoCs

pid	Process
3756	randomizer.exe
3380	randomizer.exe
848	AMIDEWINx64.EXE
5084	AMIDEWINx64.EXE
4644	AMIDEWINx64.EXE
1452	AMIDEWINx64.EXE
3968	AMIDEWINx64.EXE
1972	AMIDEWINx64.EXE
3932	AMIDEWINx64.EXE
4340	AMIDEWINx64.EXE
5000	AMIDEWINx64.EXE
4220	AMIDEWINx64.EXE
1216	AMIDEWINx64.EXE
1616	AMIDEWINx64.EXE
4264	AMIDEWINx64.EXE
4504	AMIDEWINx64.EXE
1184	AMIDEWINx64.EXE
1876	AMIDEWINx64.EXE
4616	AMIDEWINx64.EXE
1164	AMIDEWINx64.EXE
1528	AMIDEWINx64.EXE
1348	AMIDEWINx64.EXE
4932	AMIDEWINx64.EXE
2896	AMIDEWINx64.EXE
1596	AMIDEWINx64.EXE
2124	AMIDEWINx64.EXE
432	AMIDEWINx64.EXE
4568	AMIDEWINx64.EXE
2316	AMIDEWINx64.EXE
4860	AMIDEWINx64.EXE
532	AMIDEWINx64.EXE
1656	AMIDEWINx64.EXE
1332	AMIDEWINx64.EXE
3844	AMIDEWINx64.EXE
3140	AMIDEWINx64.EXE
1308	AMIDEWINx64.EXE
4472	AMIDEWINx64.EXE
4008	AMIDEWINx64.EXE
3720	AMIDEWINx64.EXE
1840	AMIDEWINx64.EXE
2100	AMIDEWINx64.EXE
1540	AMIDEWINx64.EXE
4140	AMIDEWINx64.EXE
1016	mac.exe
3756	randomizer.exe
3380	randomizer.exe
848	AMIDEWINx64.EXE
5084	AMIDEWINx64.EXE
4644	AMIDEWINx64.EXE
1452	AMIDEWINx64.EXE
3968	AMIDEWINx64.EXE
1972	AMIDEWINx64.EXE
3932	AMIDEWINx64.EXE
4340	AMIDEWINx64.EXE
5000	AMIDEWINx64.EXE
4220	AMIDEWINx64.EXE
1216	AMIDEWINx64.EXE
1616	AMIDEWINx64.EXE
4264	AMIDEWINx64.EXE
4504	AMIDEWINx64.EXE
1184	AMIDEWINx64.EXE
1876	AMIDEWINx64.EXE
4616	AMIDEWINx64.EXE
1164	AMIDEWINx64.EXE

Loads dropped DLL 24 IoCs

pid	Process
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
3380	randomizer.exe
3380	randomizer.exe
1016	mac.exe
1016	mac.exe
1016	mac.exe
1016	mac.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
620	LARKSHARP SPOOFER.exe
3380	randomizer.exe
3380	randomizer.exe
1016	mac.exe
1016	mac.exe
1016	mac.exe
1016	mac.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3136	taskkill.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeSecurityPrivilege	2632	WMIC.exe
Token: SeTakeOwnershipPrivilege	2632	WMIC.exe
Token: SeLoadDriverPrivilege	2632	WMIC.exe
Token: SeSystemProfilePrivilege	2632	WMIC.exe
Token: SeSystemtimePrivilege	2632	WMIC.exe
Token: SeProfSingleProcessPrivilege	2632	WMIC.exe
Token: SeIncBasePriorityPrivilege	2632	WMIC.exe
Token: SeCreatePagefilePrivilege	2632	WMIC.exe
Token: SeBackupPrivilege	2632	WMIC.exe
Token: SeRestorePrivilege	2632	WMIC.exe
Token: SeShutdownPrivilege	2632	WMIC.exe
Token: SeDebugPrivilege	2632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2632	WMIC.exe
Token: SeRemoteShutdownPrivilege	2632	WMIC.exe
Token: SeUndockPrivilege	2632	WMIC.exe
Token: SeManageVolumePrivilege	2632	WMIC.exe
Token: 33	2632	WMIC.exe
Token: 34	2632	WMIC.exe
Token: 35	2632	WMIC.exe
Token: 36	2632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeSecurityPrivilege	2632	WMIC.exe
Token: SeTakeOwnershipPrivilege	2632	WMIC.exe
Token: SeLoadDriverPrivilege	2632	WMIC.exe
Token: SeSystemProfilePrivilege	2632	WMIC.exe
Token: SeSystemtimePrivilege	2632	WMIC.exe
Token: SeProfSingleProcessPrivilege	2632	WMIC.exe
Token: SeIncBasePriorityPrivilege	2632	WMIC.exe
Token: SeCreatePagefilePrivilege	2632	WMIC.exe
Token: SeBackupPrivilege	2632	WMIC.exe
Token: SeRestorePrivilege	2632	WMIC.exe
Token: SeShutdownPrivilege	2632	WMIC.exe
Token: SeDebugPrivilege	2632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2632	WMIC.exe
Token: SeRemoteShutdownPrivilege	2632	WMIC.exe
Token: SeUndockPrivilege	2632	WMIC.exe
Token: SeManageVolumePrivilege	2632	WMIC.exe
Token: 33	2632	WMIC.exe
Token: 34	2632	WMIC.exe
Token: 35	2632	WMIC.exe
Token: 36	2632	WMIC.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeSecurityPrivilege	2632	WMIC.exe
Token: SeTakeOwnershipPrivilege	2632	WMIC.exe
Token: SeLoadDriverPrivilege	2632	WMIC.exe
Token: SeSystemProfilePrivilege	2632	WMIC.exe
Token: SeSystemtimePrivilege	2632	WMIC.exe
Token: SeProfSingleProcessPrivilege	2632	WMIC.exe
Token: SeIncBasePriorityPrivilege	2632	WMIC.exe
Token: SeCreatePagefilePrivilege	2632	WMIC.exe
Token: SeBackupPrivilege	2632	WMIC.exe
Token: SeRestorePrivilege	2632	WMIC.exe
Token: SeShutdownPrivilege	2632	WMIC.exe
Token: SeDebugPrivilege	2632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2632	WMIC.exe
Token: SeRemoteShutdownPrivilege	2632	WMIC.exe
Token: SeUndockPrivilege	2632	WMIC.exe
Token: SeManageVolumePrivilege	2632	WMIC.exe
Token: 33	2632	WMIC.exe
Token: 34	2632	WMIC.exe
Token: 35	2632	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 620	5060	LARKSHARP SPOOFER.exe	85
PID 5060 wrote to memory of 620	5060	LARKSHARP SPOOFER.exe	85
PID 620 wrote to memory of 3324	620	LARKSHARP SPOOFER.exe	87
PID 620 wrote to memory of 3324	620	LARKSHARP SPOOFER.exe	87
PID 3324 wrote to memory of 1360	3324	cmd.exe	88
PID 3324 wrote to memory of 1360	3324	cmd.exe	88
PID 620 wrote to memory of 3136	620	LARKSHARP SPOOFER.exe	92
PID 620 wrote to memory of 3136	620	LARKSHARP SPOOFER.exe	92
PID 620 wrote to memory of 3756	620	LARKSHARP SPOOFER.exe	96
PID 620 wrote to memory of 3756	620	LARKSHARP SPOOFER.exe	96
PID 3756 wrote to memory of 3380	3756	randomizer.exe	98
PID 3756 wrote to memory of 3380	3756	randomizer.exe	98
PID 620 wrote to memory of 3496	620	LARKSHARP SPOOFER.exe	99
PID 620 wrote to memory of 3496	620	LARKSHARP SPOOFER.exe	99
PID 3496 wrote to memory of 4244	3496	cmd.exe	101
PID 3496 wrote to memory of 4244	3496	cmd.exe	101
PID 4244 wrote to memory of 848	4244	cmd.exe	102
PID 4244 wrote to memory of 848	4244	cmd.exe	102
PID 4244 wrote to memory of 5084	4244	cmd.exe	103
PID 4244 wrote to memory of 5084	4244	cmd.exe	103
PID 4244 wrote to memory of 4644	4244	cmd.exe	104
PID 4244 wrote to memory of 4644	4244	cmd.exe	104
PID 4244 wrote to memory of 1452	4244	cmd.exe	105
PID 4244 wrote to memory of 1452	4244	cmd.exe	105
PID 4244 wrote to memory of 3968	4244	cmd.exe	106
PID 4244 wrote to memory of 3968	4244	cmd.exe	106
PID 4244 wrote to memory of 1972	4244	cmd.exe	107
PID 4244 wrote to memory of 1972	4244	cmd.exe	107
PID 4244 wrote to memory of 3932	4244	cmd.exe	108
PID 4244 wrote to memory of 3932	4244	cmd.exe	108
PID 4244 wrote to memory of 4340	4244	cmd.exe	109
PID 4244 wrote to memory of 4340	4244	cmd.exe	109
PID 4244 wrote to memory of 5000	4244	cmd.exe	110
PID 4244 wrote to memory of 5000	4244	cmd.exe	110
PID 4244 wrote to memory of 4220	4244	cmd.exe	111
PID 4244 wrote to memory of 4220	4244	cmd.exe	111
PID 4244 wrote to memory of 1216	4244	cmd.exe	112
PID 4244 wrote to memory of 1216	4244	cmd.exe	112
PID 4244 wrote to memory of 1616	4244	cmd.exe	113
PID 4244 wrote to memory of 1616	4244	cmd.exe	113
PID 4244 wrote to memory of 4264	4244	cmd.exe	114
PID 4244 wrote to memory of 4264	4244	cmd.exe	114
PID 4244 wrote to memory of 4504	4244	cmd.exe	115
PID 4244 wrote to memory of 4504	4244	cmd.exe	115
PID 4244 wrote to memory of 1184	4244	cmd.exe	116
PID 4244 wrote to memory of 1184	4244	cmd.exe	116
PID 4244 wrote to memory of 1876	4244	cmd.exe	117
PID 4244 wrote to memory of 1876	4244	cmd.exe	117
PID 4244 wrote to memory of 4616	4244	cmd.exe	118
PID 4244 wrote to memory of 4616	4244	cmd.exe	118
PID 4244 wrote to memory of 1164	4244	cmd.exe	119
PID 4244 wrote to memory of 1164	4244	cmd.exe	119
PID 4244 wrote to memory of 1528	4244	cmd.exe	120
PID 4244 wrote to memory of 1528	4244	cmd.exe	120
PID 4244 wrote to memory of 1348	4244	cmd.exe	121
PID 4244 wrote to memory of 1348	4244	cmd.exe	121
PID 4244 wrote to memory of 4932	4244	cmd.exe	122
PID 4244 wrote to memory of 4932	4244	cmd.exe	122
PID 4244 wrote to memory of 2896	4244	cmd.exe	123
PID 4244 wrote to memory of 2896	4244	cmd.exe	123
PID 4244 wrote to memory of 1596	4244	cmd.exe	124
PID 4244 wrote to memory of 1596	4244	cmd.exe	124
PID 4244 wrote to memory of 2124	4244	cmd.exe	125
PID 4244 wrote to memory of 2124	4244	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\LARKSHARP SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\LARKSHARP SPOOFER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\LARKSHARP SPOOFER.exe
  "C:\Users\Admin\AppData\Local\Temp\LARKSHARP SPOOFER.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con: cols=110 lines=30
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\system32\mode.com
      mode con: cols=110 lines=30
      4⤵
      PID:1360
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\randomizer.exe
    C:\Users\Admin\AppData\Roaming\tmpues1aqz1\randomizer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\randomizer.exe
      C:\Users\Admin\AppData\Roaming\tmpues1aqz1\randomizer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c "C:\Users\Admin\AppData\Roaming\tmpues1aqz1\spoof.bat >nul 2>&1""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c "C:\Users\Admin\AppData\Roaming\tmpues1aqz1\spoof.bat >nul 2>&1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /ID 04/05/2015
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:848
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SV vx6pGxAvFRd8Fvf
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:5084
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SS zk2nW1Q3sLWm9XD
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4644
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SF M0ZHWg4mtckVe37
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1452
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SU AUTO
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3968
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SK YUGzn3AL1XATi3h
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1972
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SF sEvKL7k4xCTH8Ti
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3932
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BV a57NaiJ4J86Gnix
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4340
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BS 8LQqwcF43Y9PRYs
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:5000
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BT 4BOfVepe8MBaPZb
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4220
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BLC jKhANdRGqWou38I
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1216
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CV BJ2mNolTJYvsCh2
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1616
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CS PEytpRO3EilkG1Y
        5⤵
        Executes dropped EXE
        
        PID:4264
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CM Yk5lG46AcymHlWt
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4504
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CA GJccZOcffU4BQ9f
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1184
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CSK z6SbvX0x50yz83C
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1876
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /PSN eu0XAapUIA2HXRU
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4616
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /PAT EuobixCXqlPviEs
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1164
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /PPN fZCeQjrMBoN77pJ
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1528
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BSH 3 BKJdb7zwmlgTkzz
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1348
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BMH 3 fyBLf0gGebsDObm
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4932
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BPH 3 bBgz1vCoJTSwSfd
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2896
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BVH 3 5q4Iic73wppxywR
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1596
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CSH 4 6e3hPvmbIPDSUaD
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2124
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CMH 4 uFCUmVmIzKOMX7w
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:432
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CVH 4 j02H5XbcQ3H3mUp
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4568
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CAH 4 VForlWQdOmI3t4q
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2316
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CSKH 4 Vrua52dxoitzwqw
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4860
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BTH 3 cEmGDpRtrBZl2gR
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:532
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BLCH 3 qgCpBtmvGEKa8Bq
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1656
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /IVN DzztL8NcSbdVPaH
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1332
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /IV 2.3.6
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3844
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SM B0oO4Vo7dP1jXcK
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3140
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SP DCD0ULXB8xzpdym
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1308
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BM fvLioBiXywsnLi8
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4472
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BP e5ZAVy3TyB1yPvd
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4008
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SCO 1 McxyfAVCBRCLXNi
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3720
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /OS 1 rHchpDyfQBQATo5
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1840
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /OS 3 hjv6FkrMWR30EIK
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2100
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /OS 4 h508twJBCeq8OAi
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1540
    - - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /OS 5 ZWmb4KbskC8qMZT
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4140
- - C:\Users\Admin\AppData\Roaming\tmpues1aqz1\mac.exe
    C:\Users\Admin\AppData\Roaming\tmpues1aqz1\mac.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
      4⤵
      PID:4068
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI37562\base_library.zip

Filesize
824KB

MD5
09f7062e078379845347034c2a63943e

SHA1
9683dd8ef7d72101674850f3db0e05c14039d5fd

SHA256
7c1c73de4909d11efb20028f4745a9c8494fb4ee8dcf2f049907115def3d2629

SHA512
a169825e9b0bb995a115134cf1f7b76a96b651acd472dc4ce8473900d8852fc93b9f87a26d2c64f7bb3dd76d5feb01eeb4af4945e0c0b95d5c9c97938fa85b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\AMIDEWINx64.EXE

Filesize
379KB

MD5
6bfe0519e242720f965bb1680356728c

SHA1
f6a5392214ade1750af15fdcaa6f05bf8ee06f9e

SHA256
a922b1906f9b04b582e8ace9a17e6b6d405df15f4ab30bdc55f2fc5df7a5c9c3

SHA512
cf47a256fd970d1de50645c23fc68a18cec6873475e06d567d7ef065ea913d8ac98cc5e811113ff5c161786544898d03d375f683b1e31551e9dd41ac036433af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\MSVCP140.dll

Filesize
561KB

MD5
72f3d84384e888bf0d38852eb863026b

SHA1
8e6a0257591eb913ae7d0e975c56306b3f680b3f

SHA256
a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde

SHA512
6d53634bc51bd383358e0d55988d70aee6ed3897bc6ae5e0d2413bed27ecff4c8092020682cd089859023b02d9a1858ac42e64d59c38ba90fbaf89b656c539a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\VCRUNTIME140_1.dll

Filesize
35KB

MD5
9cff894542dc399e0a46dee017331edf

SHA1
d1e889d22a5311bd518517537ca98b3520fc99ff

SHA256
b1d3b6b3cdeb5b7b8187767cd86100b76233e7bbb9acf56c64f8288f34b269ca

SHA512
ca254231f12bdfc300712a37d31777ff9d3aa990ccc129129fa724b034f3b59c88ed5006a5f057348fa09a7de4a0c2e0fb479ce06556e2059f919ddd037f239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\_bz2.pyd

Filesize
85KB

MD5
a49c5f406456b79254eb65d015b81088

SHA1
cfc2a2a89c63df52947af3610e4d9b8999399c91

SHA256
ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced

SHA512
bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\_ctypes.pyd

Filesize
124KB

MD5
291a0a9b63bae00a4222a6df71a22023

SHA1
7a6a2aad634ec30e8edb2d2d8d0895c708d84551

SHA256
820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324

SHA512
d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\_hashlib.pyd

Filesize
46KB

MD5
5e5af52f42eaf007e3ac73fd2211f048

SHA1
1a981e66ab5b03f4a74a6bac6227cd45df78010b

SHA256
a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b

SHA512
bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\_lzma.pyd

Filesize
159KB

MD5
cf9fd17b1706f3044a8f74f6d398d5f1

SHA1
c5cd0debbde042445b9722a676ff36a0ac3959ad

SHA256
9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4

SHA512
5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\_socket.pyd

Filesize
78KB

MD5
4827652de133c83fa1cae839b361856c

SHA1
182f9a04bdc42766cfd5fb352f2cb22e5c26665e

SHA256
87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba

SHA512
8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\amigendrv64.sys

Filesize
36KB

MD5
9accebd928a8926fecf317f53cd1c44e

SHA1
d7d71135cc3cf7320f8e63cefb6298dd44e5b1d4

SHA256
811e5d65df60dfb8c6e1713da708be16d9a13ef8dfcd1022d8d1dda52ed057b2

SHA512
2563402cc8e1402d9ac3a76a72b7dab0baa4ecd03629cc350e7199c7e1e1da4000e665bd02ac3a75fd9883fa678b924c8b73d88d8c50bf9d2ae59254a057911e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\base_library.zip

Filesize
824KB

MD5
35cd9399c279aab402d2285429b666ac

SHA1
9882206919c386d399cb0af53f4f89cf3ab9ed68

SHA256
ff2a2d425b9e5ea63934f72adad3a53e9e61174a235af0f61a83816d3c5cabc6

SHA512
1652a829c6f45f2cf53d42e9ff4ad8f5e007856fd784e854a9f02d3367e509f734fa2bd1d1d387f074d51dfde132511b338c4ba9ecf3a742acd908891a4e944d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\mac.EXE

Filesize
33KB

MD5
aed42ff110a595753bb2f83171727285

SHA1
492ab23acf2cf384183f0a4c0716c0871b597bf5

SHA256
a124932386dbcc5e6b5901f2460f68e7cfb1dff1406cd899620e8880461c60fb

SHA512
6ba035f8d3c719adcd99f28f8b6e8e10fab15ea11f7e6753a3c1119221bffb070ccbf9ed68e1053fc55a9cd68d17ec240fb83a35fb2dd0029f256a6626eb3d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\microsoft.vbs

Filesize
1KB

MD5
af1905dc8bd39d2d407f12fb08272beb

SHA1
3f512317103d610146318aa6dd629f534647fa1e

SHA256
bb113a896a43cb1b03a8b57a85e8d46faf39fe4ae4af97581b264415ef32bd3b

SHA512
9b1f9262410ea87726587d8531f8fbe0562b54e56d66b66ac7d52bdd37c6562fcbbb11e71a4c778605beedbe89d7196f15341687964b497b7efd513c7895652e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\python38.dll

Filesize
4.0MB

MD5
26ba25d468a778d37f1a24f4514d9814

SHA1
b64fe169690557656ede3ae50d3c5a197fea6013

SHA256
2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128

SHA512
80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\randomizer.EXE

Filesize
4.8MB

MD5
6e4421d0c8e459b2b378ea968510182e

SHA1
8bb44092d97898424c2afb30e5db11a2cbb70acd

SHA256
63534bf58d0657aee6def9711bd75310fc58724bda6200f34a11df0de9f49f96

SHA512
8f4ae909f1992e10cb88dda6b023a15b3e23543f6345853588a678b7354890d4979c1f4ddc69c1ae66ac486bab284d1fbbe369b19b8097c61bc38fcd24a08dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\reg.vbs

Filesize
5KB

MD5
3e3b30da6cc5283f8716e0fe2eabee5e

SHA1
8d70d981bb7a68f08920913b12eac31372470ba5

SHA256
6c9dd5bb8c4c7b8e55c538d0d77937e6a1edb0d7ceed1b3340ba6f053a729f82

SHA512
49423575a64a34ac0d106b0d406e64da287bd651a771b637eee49442ed7c88265b2555bbbbeecadacad57bfcf565ab2b98a3dfa78a67269b4aa10034ee7f4c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\select.pyd

Filesize
27KB

MD5
e21cff76db11c1066fd96af86332b640

SHA1
e78ef7075c479b1d218132d89bf4bec13d54c06a

SHA256
fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28

SHA512
e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\spoof.bat

Filesize
1KB

MD5
596866dc4485091a5f124f2809e9be67

SHA1
fe238fbd9dd8247b092712ab320ba304515a67de

SHA256
ab3993b6d78b0dfad3a288d7edb6d04f7580aac6702af3bd6bd2cf9f4f91d8aa

SHA512
12f4e5e89b8531e290b0f240906a861305ba10ade8aa0dfb358c4115924774f8518ba342d5ebc4a8fdbd9fed0f5bb37f6949f59950b22c9453fc35e96fcb1e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\unicodedata.pyd

Filesize
1.0MB

MD5
601aee84e12b87ca66826dfc7ca57231

SHA1
3a7812433ca7d443d4494446a9ced24b6774ceca

SHA256
d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762

SHA512
7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\volumeid.EXE

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\volumeid64.EXE

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\Users\Admin\AppData\Roaming\tmpues1aqz1\spoof.bat

Filesize
1KB

MD5
0e636205a98ee94c9d3c860a4826be2d

SHA1
c9f0eef38617b0ec921d3ab55a3bb77caf16e93b

SHA256
37003da767d282f409948d497b413aa613ea95b70bb15dafbae541f65200c50a

SHA512
5b6993adcffe377f48177ede9aa40e2518f56b1901018542b35e050e710bc14421f7428e5eba2b634a3b50bd4d68283713a0013b8fc9a3b3e2ed98883b45e115

Download Submit