cerber | f15a78efd211bae6dd492d449beeb3844bd758a5241cfa48d0fd19dbe766102d

Analysis

max time kernel
430s
max time network
431s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26/01/2025, 00:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Perm.rar
Size

546KB
MD5

af6d56efa38a97c6ae552773d0ebed55
SHA1

4bfd6aa9fd1fcf161763fcfcd78f166462784a90
SHA256

f15a78efd211bae6dd492d449beeb3844bd758a5241cfa48d0fd19dbe766102d
SHA512

ff35805d195db830f4d7840208c081d1876791609350fde7fd36beec2ddddc04f4dc91b9b24b147bf209f8e02563fae464b5bf87e5e1974ed7422e7880e03959
SSDEEP

12288:Ynino1Rp78K3gxYT9GrXz32VJvCjl34NgrHJ3IWY/IjLsw8:27Di8SYhQz3Cfg1Y84

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.EXE

Cerber family
cerber

Executes dropped EXE 64 IoCs

pid	Process
3612	AMIDEWINx64.EXE
4672	AMIDEWINx64.EXE
4708	AMIDEWINx64.EXE
1392	AMIDEWINx64.EXE
744	AMIDEWINx64.EXE
1256	AMIDEWINx64.EXE
1040	AMIDEWINx64.EXE
5832	AMIDEWINx64.EXE
5748	AMIDEWINx64.EXE
4344	AMIDEWINx64.EXE
232	AMIDEWINx64.EXE
4924	AMIDEWINx64.EXE
2432	AMIDEWINx64.EXE
4076	AMIDEWINx64.EXE
4548	AMIDEWINx64.EXE
1244	AMIDEWINx64.EXE
1212	AMIDEWINx64.EXE
4140	AMIDEWINx64.EXE
4260	AMIDEWINx64.EXE
5380	AMIDEWINx64.EXE
3400	AMIDEWINx64.EXE
5436	AMIDEWINx64.EXE
4776	AMIDEWINx64.EXE
3680	AMIDEWINx64.EXE
2940	AMIDEWINx64.EXE
5624	AMIDEWINx64.EXE
5588	AMIDEWINx64.EXE
4568	AMIDEWINx64.EXE
1448	AMIDEWINx64.EXE
3576	AMIDEWINx64.EXE
2472	AMIDEWINx64.EXE
2312	AMIDEWINx64.EXE
5116	AMIDEWINx64.EXE
2384	AMIDEWINx64.EXE
5028	AMIDEWINx64.EXE
5408	AMIDEWINx64.EXE
1152	AMIDEWINx64.EXE
660	AMIDEWINx64.EXE
3524	AMIDEWINx64.EXE
3020	AMIDEWINx64.EXE
6024	AMIDEWINx64.EXE
1976	AMIDEWINx64.EXE
1928	AMIDEWINx64.EXE
3404	AMIDEWINx64.EXE
3228	AMIDEWINx64.EXE
1536	AMIDEWINx64.EXE
2320	AMIDEWINx64.EXE
3464	AMIDEWINx64.EXE
5272	AMIDEWINx64.EXE
4920	AMIDEWINx64.EXE
3080	AMIDEWINx64.EXE
4052	AMIDEWINx64.EXE
3416	AMIDEWINx64.EXE
572	AMIDEWINx64.EXE
4680	AMIDEWINx64.EXE
1444	AMIDEWINx64.EXE
3108	AMIDEWINx64.EXE
3492	AMIDEWINx64.EXE
1180	AMIDEWINx64.EXE
864	AMIDEWINx64.EXE
6136	AMIDEWINx64.EXE
6108	AMIDEWINx64.EXE
6096	AMIDEWINx64.EXE
2892	AMIDEWINx64.EXE

Loads dropped DLL 1 IoCs

pid	Process
4872	RealTek_flash.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
5716	taskkill.exe
6012	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5376	7zFM.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5376	7zFM.exe
Token: 35	5376	7zFM.exe
Token: SeSecurityPrivilege	5376	7zFM.exe
Token: SeIncreaseQuotaPrivilege	5692	WMIC.exe
Token: SeSecurityPrivilege	5692	WMIC.exe
Token: SeTakeOwnershipPrivilege	5692	WMIC.exe
Token: SeLoadDriverPrivilege	5692	WMIC.exe
Token: SeSystemProfilePrivilege	5692	WMIC.exe
Token: SeSystemtimePrivilege	5692	WMIC.exe
Token: SeProfSingleProcessPrivilege	5692	WMIC.exe
Token: SeIncBasePriorityPrivilege	5692	WMIC.exe
Token: SeCreatePagefilePrivilege	5692	WMIC.exe
Token: SeBackupPrivilege	5692	WMIC.exe
Token: SeRestorePrivilege	5692	WMIC.exe
Token: SeShutdownPrivilege	5692	WMIC.exe
Token: SeDebugPrivilege	5692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5692	WMIC.exe
Token: SeRemoteShutdownPrivilege	5692	WMIC.exe
Token: SeUndockPrivilege	5692	WMIC.exe
Token: SeManageVolumePrivilege	5692	WMIC.exe
Token: 33	5692	WMIC.exe
Token: 34	5692	WMIC.exe
Token: 35	5692	WMIC.exe
Token: 36	5692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5692	WMIC.exe
Token: SeSecurityPrivilege	5692	WMIC.exe
Token: SeTakeOwnershipPrivilege	5692	WMIC.exe
Token: SeLoadDriverPrivilege	5692	WMIC.exe
Token: SeSystemProfilePrivilege	5692	WMIC.exe
Token: SeSystemtimePrivilege	5692	WMIC.exe
Token: SeProfSingleProcessPrivilege	5692	WMIC.exe
Token: SeIncBasePriorityPrivilege	5692	WMIC.exe
Token: SeCreatePagefilePrivilege	5692	WMIC.exe
Token: SeBackupPrivilege	5692	WMIC.exe
Token: SeRestorePrivilege	5692	WMIC.exe
Token: SeShutdownPrivilege	5692	WMIC.exe
Token: SeDebugPrivilege	5692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5692	WMIC.exe
Token: SeRemoteShutdownPrivilege	5692	WMIC.exe
Token: SeUndockPrivilege	5692	WMIC.exe
Token: SeManageVolumePrivilege	5692	WMIC.exe
Token: 33	5692	WMIC.exe
Token: 34	5692	WMIC.exe
Token: 35	5692	WMIC.exe
Token: 36	5692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2948	WMIC.exe
Token: SeSecurityPrivilege	2948	WMIC.exe
Token: SeTakeOwnershipPrivilege	2948	WMIC.exe
Token: SeLoadDriverPrivilege	2948	WMIC.exe
Token: SeSystemProfilePrivilege	2948	WMIC.exe
Token: SeSystemtimePrivilege	2948	WMIC.exe
Token: SeProfSingleProcessPrivilege	2948	WMIC.exe
Token: SeIncBasePriorityPrivilege	2948	WMIC.exe
Token: SeCreatePagefilePrivilege	2948	WMIC.exe
Token: SeBackupPrivilege	2948	WMIC.exe
Token: SeRestorePrivilege	2948	WMIC.exe
Token: SeShutdownPrivilege	2948	WMIC.exe
Token: SeDebugPrivilege	2948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2948	WMIC.exe
Token: SeRemoteShutdownPrivilege	2948	WMIC.exe
Token: SeUndockPrivilege	2948	WMIC.exe
Token: SeManageVolumePrivilege	2948	WMIC.exe
Token: 33	2948	WMIC.exe
Token: 34	2948	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5376	7zFM.exe
5376	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5608 wrote to memory of 5692	5608	cmd.exe	81
PID 5608 wrote to memory of 5692	5608	cmd.exe	81
PID 5608 wrote to memory of 2948	5608	cmd.exe	83
PID 5608 wrote to memory of 2948	5608	cmd.exe	83
PID 5608 wrote to memory of 2008	5608	cmd.exe	84
PID 5608 wrote to memory of 2008	5608	cmd.exe	84
PID 5608 wrote to memory of 2356	5608	cmd.exe	85
PID 5608 wrote to memory of 2356	5608	cmd.exe	85
PID 5608 wrote to memory of 1588	5608	cmd.exe	86
PID 5608 wrote to memory of 1588	5608	cmd.exe	86
PID 5608 wrote to memory of 2032	5608	cmd.exe	87
PID 5608 wrote to memory of 2032	5608	cmd.exe	87
PID 5952 wrote to memory of 3612	5952	cmd.exe	90
PID 5952 wrote to memory of 3612	5952	cmd.exe	90
PID 5952 wrote to memory of 4672	5952	cmd.exe	91
PID 5952 wrote to memory of 4672	5952	cmd.exe	91
PID 5952 wrote to memory of 4708	5952	cmd.exe	92
PID 5952 wrote to memory of 4708	5952	cmd.exe	92
PID 5952 wrote to memory of 1392	5952	cmd.exe	93
PID 5952 wrote to memory of 1392	5952	cmd.exe	93
PID 5952 wrote to memory of 744	5952	cmd.exe	94
PID 5952 wrote to memory of 744	5952	cmd.exe	94
PID 5952 wrote to memory of 1256	5952	cmd.exe	95
PID 5952 wrote to memory of 1256	5952	cmd.exe	95
PID 5952 wrote to memory of 1040	5952	cmd.exe	96
PID 5952 wrote to memory of 1040	5952	cmd.exe	96
PID 5952 wrote to memory of 5832	5952	cmd.exe	97
PID 5952 wrote to memory of 5832	5952	cmd.exe	97
PID 5952 wrote to memory of 5748	5952	cmd.exe	98
PID 5952 wrote to memory of 5748	5952	cmd.exe	98
PID 5952 wrote to memory of 4344	5952	cmd.exe	99
PID 5952 wrote to memory of 4344	5952	cmd.exe	99
PID 5952 wrote to memory of 232	5952	cmd.exe	100
PID 5952 wrote to memory of 232	5952	cmd.exe	100
PID 5952 wrote to memory of 4924	5952	cmd.exe	101
PID 5952 wrote to memory of 4924	5952	cmd.exe	101
PID 5952 wrote to memory of 2432	5952	cmd.exe	102
PID 5952 wrote to memory of 2432	5952	cmd.exe	102
PID 5952 wrote to memory of 4076	5952	cmd.exe	103
PID 5952 wrote to memory of 4076	5952	cmd.exe	103
PID 5952 wrote to memory of 4548	5952	cmd.exe	104
PID 5952 wrote to memory of 4548	5952	cmd.exe	104
PID 5952 wrote to memory of 1244	5952	cmd.exe	105
PID 5952 wrote to memory of 1244	5952	cmd.exe	105
PID 5952 wrote to memory of 1212	5952	cmd.exe	106
PID 5952 wrote to memory of 1212	5952	cmd.exe	106
PID 5952 wrote to memory of 4140	5952	cmd.exe	107
PID 5952 wrote to memory of 4140	5952	cmd.exe	107
PID 5952 wrote to memory of 4260	5952	cmd.exe	108
PID 5952 wrote to memory of 4260	5952	cmd.exe	108
PID 5952 wrote to memory of 5380	5952	cmd.exe	109
PID 5952 wrote to memory of 5380	5952	cmd.exe	109
PID 5952 wrote to memory of 3400	5952	cmd.exe	110
PID 5952 wrote to memory of 3400	5952	cmd.exe	110
PID 5952 wrote to memory of 5436	5952	cmd.exe	111
PID 5952 wrote to memory of 5436	5952	cmd.exe	111
PID 5952 wrote to memory of 4776	5952	cmd.exe	112
PID 5952 wrote to memory of 4776	5952	cmd.exe	112
PID 5952 wrote to memory of 3680	5952	cmd.exe	113
PID 5952 wrote to memory of 3680	5952	cmd.exe	113
PID 5952 wrote to memory of 2940	5952	cmd.exe	114
PID 5952 wrote to memory of 2940	5952	cmd.exe	114
PID 5952 wrote to memory of 5624	5952	cmd.exe	115
PID 5952 wrote to memory of 5624	5952	cmd.exe	115

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Perm.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\perm\serials\SerialsChecker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5608
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:2008
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:2356
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get manufacturer
  2⤵
  PID:1588
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\perm\serials\AmiSpoof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5952
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IVN "American Megatrends International, LLC."
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM "ASRock Inc."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4672
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP "ASRock Inc."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4708
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV "10"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1392
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK "SKU"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:744
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /ID "10/02/2023"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1256
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS "To be filled by O.E.M."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1040
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF "To be filled by O.E.M."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5832
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5748
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4344
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BTH 2 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:232
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLCH 2 "Default string"
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2432
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4076
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4548
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK "Default string"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CMH 3 "Default string"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CVH 3 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4140
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSH 3 "Default string"
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CAH 3 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5380
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSKH 3 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3400
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 1 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5436
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 2 "Default string"
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 3 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3680
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 4 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2940
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 5 "Default string"
  2⤵
  - Executes dropped EXE
  PID:5624
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 6 "Default string"
  2⤵
  - Executes dropped EXE
  PID:5588
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 7 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4568
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 8 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1448
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 1 "Default string"
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 2 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2472
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 3 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2312
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 4 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5116
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS "Default string"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT "To be filled by O.E.M."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5028
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN "To be filled by O.E.M."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5408
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN "To be filled by O.E.M."
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU auto
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:660
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BSH 2 M80-313720546
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3524
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS M80-313720546
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3020
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM "ASRock Inc."
  2⤵
  - Executes dropped EXE
  PID:6024
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM "ASRock Inc."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1976
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WmiPrvSE.exe
  2⤵
  - Kills process with taskkill
  PID:5716

C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
"C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE"
1⤵
- Cerber
- Executes dropped EXE
PID:1928

C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
"C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE"
1⤵
- Cerber
- Executes dropped EXE
PID:3404

C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
"C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE"
1⤵
- Cerber
- Executes dropped EXE
PID:3228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\perm\serials\AmiSpoof.bat"
1⤵
PID:4120
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IVN "American Megatrends International, LLC."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1536
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM "ASRock Inc."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2320
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP "ASRock Inc."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3464
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV "10"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5272
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK "SKU"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4920
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /ID "10/02/2023"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3080
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS "To be filled by O.E.M."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4052
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF "To be filled by O.E.M."
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3416
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:572
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC "Default string"
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BTH 2 "Default string"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLCH 2 "Default string"
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM "Default string"
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1180
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:864
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:6136
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CMH 3 "Default string"
  2⤵
  - Executes dropped EXE
  PID:6108
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CVH 3 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:6096
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSH 3 "Default string"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:2892
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CAH 3 "Default string"
  2⤵
  - Cerber
  PID:1136
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSKH 3 "Default string"
  2⤵
  PID:3652
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 1 "Default string"
  2⤵
  - Cerber
  PID:2776
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 2 "Default string"
  2⤵
  PID:2768
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 3 "Default string"
  2⤵
  PID:1604
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 4 "Default string"
  2⤵
  - Cerber
  PID:1424
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 5 "Default string"
  2⤵
  - Cerber
  PID:2560
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 6 "Default string"
  2⤵
  - Cerber
  PID:3924
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 7 "Default string"
  2⤵
  - Cerber
  PID:4996
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 8 "Default string"
  2⤵
  - Cerber
  PID:4056
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 1 "Default string"
  2⤵
  PID:5580
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 2 "Default string"
  2⤵
  - Cerber
  PID:5836
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 3 "Default string"
  2⤵
  - Cerber
  PID:3008
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 4 "Default string"
  2⤵
  - Cerber
  PID:5176
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS "Default string"
  2⤵
  - Cerber
  PID:488
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT "To be filled by O.E.M."
  2⤵
  - Cerber
  PID:3892
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN "To be filled by O.E.M."
  2⤵
  PID:3808
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN "To be filled by O.E.M."
  2⤵
  - Cerber
  PID:4304
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU auto
  2⤵
  - Cerber
  PID:5648
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BSH 2 M80-318029203
  2⤵
  - Cerber
  PID:748
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS M80-318029203
  2⤵
  PID:3912
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM "ASRock Inc."
  2⤵
  - Cerber
  PID:5520
- C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM "ASRock Inc."
  2⤵
  - Cerber
  PID:4252
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WmiPrvSE.exe
  2⤵
  - Kills process with taskkill
  PID:6012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\perm\mac\spoof.bat"
1⤵
PID:4852
- C:\Users\Admin\Desktop\perm\mac\RealTek_flash.exe
  RealTek_flash.exe /# 1 /EFUSE /NODEID "0215230B93DE"
  2⤵
  - Loads dropped DLL
  PID:4872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\perm\serials\SerialsChecker.bat"
1⤵
PID:3448
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  PID:5316
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:4236
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:3836
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:3668
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get manufacturer
  2⤵
  PID:1012
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:688

Network

DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172

No results found

8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

284 B
760 B
4
4

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\perm\serials\AMIDEWINx64.EXE

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
C:\Users\Admin\Desktop\perm\serials\AmiSpoof.bat

Filesize
1KB

MD5
bc8ad04cbe42db4c424cb586c8b012cd

SHA1
60e2c2e59bf363d109edd02d9c2d75eea4176a34

SHA256
6c94f726e939c3c699de60291d6fcb7dcf3b37bc18267db26719d22ed04fedbc

SHA512
ef7a5d971f4147e2b586b2f00bbde3b07f37d54ed168ec649a84b687e07817dd12d1ce62810914f63813c8f51ecd681b35d0e1e8812f024404fa905ab2cac019

Download Submit
C:\Users\Admin\Desktop\perm\serials\SerialsChecker.bat

Filesize
534B

MD5
24e3d5bcc9303227287318776960b7a2

SHA1
5c66afdccf6ac0f84a5ba218d4fbea8d5975b5c7

SHA256
28d007fe953bc08f5e41a5c1a25f9e0436bf3420ef788fcb7e8c9293badb9d42

SHA512
2998f2cd8349b94d538b0a69ebe04fd2288a2c0484e95ba90dcebf422eb012d0899cc0bf54ad9747e9d7d0d2909bb659a5fc6ecc4d602281be5384aaf3327033

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.