Analysis
-
max time kernel
12s -
max time network
6s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
19-12-2024 22:47
General
-
Target
Perm Loader.vmp.exe
-
Size
5.7MB
-
MD5
50c87f75cb5583c0456b582ec37fba1e
-
SHA1
3c8625a583a3e7fd1f668150a5072b477182a4f1
-
SHA256
c83954ab01cc2d5ad6a91325fda5c3758769044143275690685d53b87c7bb588
-
SHA512
28211a4a90a335ca016f2b74e9f18dc4ca49f6c3c205f5ee4d7ef229220f576083284b8cd47888ccd20b24e378ecbdecd7eeffb2e172363e5aa9f6bfd1c99841
-
SSDEEP
98304:NP5gmktJUfGLCwRcIoMPPqpnNUjhfKwXV1b27OMvTUDsiBribTsOyCT+eiFZ:Nxgm4qf18PqpN4Kwq79TUDsii0OpiFZ
Score
10/10
Malware Config
Signatures
-
Cerber 47 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Executes dropped EXE 22 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Drops file in System32 directory 2 IoCs
-
Kills process with taskkill 59 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: LoadsDriver 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Perm Loader.vmp.exe"C:\Users\Admin\AppData\Local\Temp\Perm Loader.vmp.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im KsDumperClient.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im KsDumper.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im ProcessHacker.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im idaq.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im idaq64.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Wireshark.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Fiddler.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FiddlerEverywhere.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos64.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos32.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im de4dot.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im Cheat Engine.exe3⤵
- Cerber
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im MugenJinFuu-i386.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-i386.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTP Debugger Windows Service (32 bit).exe3⤵
- Cerber
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im KsDumper.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im x64dbg.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im x32dbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /SV "System version"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SS MZ40GCAI0R2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /SS MZ40GCAI0R3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /SU AUTO3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BV " "2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /BV " "3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BS PBC8ZFQ7FZ8W9S2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /BS PBC8ZFQ7FZ8W9S3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CS SWCF9IZW372⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /CS SWCF9IZW373⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im KsDumperClient.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im KsDumper.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."2⤵
-
C:\Windows\System32\AMIDEWINx64.EXEC:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im ProcessHacker.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im idaq.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im idaq64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Wireshark.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Fiddler.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FiddlerEverywhere.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Xenos32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im de4dot.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Cheat Engine.exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im MugenJinFuu-i386.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-x86_64.exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cheatengine-i386.exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c shutdown /r /t 02⤵
-
C:\Windows\system32\shutdown.exeshutdown /r /t 03⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTP Debugger Windows Service (32 bit).exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39da055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
455KB
MD59adfcdac59db3286690c7eede8da2528
SHA10b54d251438a634bd13b49a1f20587cf03d4598d
SHA25613037eedd91f9313ec0d807947db65c639642e5ae6497e87d12fa6d19951f78e
SHA512fde1700cdb4212593ec2733944a169c7d02f436ca6831719a33482fbfd0be289697c9aa6ce7ddfb6c245e87952b35416929bbf69753d21a24197ac6c2d1243cc
-
Filesize
29KB
MD5f22740ba54a400fd2be7690bb204aa08
SHA15812387783d61c6ab5702213bb968590a18065e3
SHA25665c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500
-
Filesize
3.4MB
-
Filesize
10.7MB
-
Filesize
8KB
-
Filesize
10.7MB
-
Filesize
3.4MB
-
Filesize
10.7MB