cerber | d424f28ef64b3e38d8b5133a47aa6f77394a2a1f8c507346d56886a97f1ac2f0

Analysis

max time kernel
68s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1buttonBETA2-22.exe
Size

13.6MB
MD5

e92e66ade8266a34d040fb51ee5a379d
SHA1

5db9d87344f71afafaef958b206b42751570a210
SHA256

d424f28ef64b3e38d8b5133a47aa6f77394a2a1f8c507346d56886a97f1ac2f0
SHA512

7e8b28ed5a90fa9d27d1481286b6d0b22f6d02a66a27a083a6bc15dec0bf9e63c2d682ffd7286e34294ffc27deb2ede5a9217e2cbc02a125b1bb1fb5fbdd9706
SSDEEP

393216:F5PhlA9gwuDivSwwTmrgBNRY5zD2OgXv60XR0rI9KV3lPLZ:F5PTYgwp7wakBNRY5zU60XaPV3lP1

Score

10^/10

cerber defense_evasion discovery execution ransomware

Malware Config

Signatures

Cerber 12 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2888	taskkill.exe
		1712	taskkill.exe
		1992	taskkill.exe
		2780	taskkill.exe
		1804	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE

Cerber family
cerber

Clears Windows event logs 1 TTPs 31 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
768	wevtutil.exe
2292	wevtutil.exe
2764	wevtutil.exe
2904	wevtutil.exe
2812	wevtutil.exe
2892	wevtutil.exe
872	wevtutil.exe
2348	wevtutil.exe
1568	wevtutil.exe
2088	wevtutil.exe
2616	wevtutil.exe
2160	wevtutil.exe
992	wevtutil.exe
3004	wevtutil.exe
2844	wevtutil.exe
2820	wevtutil.exe
2860	wevtutil.exe
2988	wevtutil.exe
2380	wevtutil.exe
2828	wevtutil.exe
2136	wevtutil.exe
2848	wevtutil.exe
2760	wevtutil.exe
2060	wevtutil.exe
2648	wevtutil.exe
2656	wevtutil.exe
2604	wevtutil.exe
2868	wevtutil.exe
2068	wevtutil.exe
1596	wevtutil.exe
2264	wevtutil.exe

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x0006000000018c26-129.dat	Nirsoft

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 18 IoCs

pid	Process
2116	FIXusrTEMPv6.exe
2436	ddc.exe
1800	cleanerOLD1.exe
2184	Cleaner8.exe
1944	AdvancedEventCleaner.exe
1848	1-RUNFIRST.exe
2148	reset_adapters.exe
2668	AMIDEWINx64.EXE
2272	AMIDEWINx64.EXE
2112	AMIDEWINx64.EXE
2508	AMIDEWINx64.EXE
1928	AMIDEWINx64.EXE
1924	AMIDEWINx64.EXE
1108	AMIDEWINx64.EXE
288	moreCLEANhardware.exe
1964	reset2-Hardware Rescan after Adapter reset.exe
2984	devcon.exe
2380	DevManView.exe

Loads dropped DLL 13 IoCs

pid	Process
1720	cmd.exe
1964	cmd.exe
1720	cmd.exe
956	cmd.exe
1524	cmd.exe
1720	cmd.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
1556	cmd.exe
1396	cmd.exe
1396	cmd.exe
1676	cmd.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ddc.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1776	sc.exe
2372	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reset2-Hardware Rescan after Adapter reset.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanerOLD1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 21 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1900	PING.EXE
772	PING.EXE
1588	PING.EXE
568	PING.EXE
1968	PING.EXE
2232	PING.EXE
2920	PING.EXE
2584	PING.EXE
1060	PING.EXE
1604	PING.EXE
2580	PING.EXE
980	PING.EXE
2424	PING.EXE
1836	PING.EXE
2896	PING.EXE
3016	PING.EXE
1956	PING.EXE
332	PING.EXE
1756	PING.EXE
1260	PING.EXE
1712	PING.EXE

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "58ba283d-8172d228-c"	Cleaner8.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1124	ipconfig.exe
1940	ipconfig.exe
2200	ipconfig.exe

Kills process with taskkill 8 IoCs

defense_evasion

pid	Process
1992	taskkill.exe
2780	taskkill.exe
2964	taskkill.exe
544	taskkill.exe
1148	taskkill.exe
1804	taskkill.exe
2888	taskkill.exe
1712	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = c7b8e9beb65707ae	Cleaner8.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2928	reg.exe
2936	reg.exe

Runs ping.exe 1 TTPs 21 IoCs

Remote System Discovery

T1018

pid	Process
568	PING.EXE
1836	PING.EXE
2584	PING.EXE
332	PING.EXE
1060	PING.EXE
2920	PING.EXE
1900	PING.EXE
980	PING.EXE
2424	PING.EXE
2232	PING.EXE
1712	PING.EXE
2896	PING.EXE
1604	PING.EXE
1756	PING.EXE
772	PING.EXE
1588	PING.EXE
1260	PING.EXE
2580	PING.EXE
3016	PING.EXE
1968	PING.EXE
1956	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
2436	ddc.exe
1800	cleanerOLD1.exe
1964	reset2-Hardware Rescan after Adapter reset.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1848	1-RUNFIRST.exe
1800	cleanerOLD1.exe
1800	cleanerOLD1.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeTakeOwnershipPrivilege	2184	Cleaner8.exe
Token: SeSecurityPrivilege	3028	wevtutil.exe
Token: SeBackupPrivilege	3028	wevtutil.exe
Token: SeSecurityPrivilege	2868	wevtutil.exe
Token: SeBackupPrivilege	2868	wevtutil.exe
Token: SeSecurityPrivilege	2068	wevtutil.exe
Token: SeBackupPrivilege	2068	wevtutil.exe
Token: SeSecurityPrivilege	2380	wevtutil.exe
Token: SeBackupPrivilege	2380	wevtutil.exe
Token: SeSecurityPrivilege	768	wevtutil.exe
Token: SeBackupPrivilege	768	wevtutil.exe
Token: SeSecurityPrivilege	872	wevtutil.exe
Token: SeBackupPrivilege	872	wevtutil.exe
Token: SeSecurityPrivilege	2136	wevtutil.exe
Token: SeBackupPrivilege	2136	wevtutil.exe
Token: SeSecurityPrivilege	2348	wevtutil.exe
Token: SeBackupPrivilege	2348	wevtutil.exe
Token: SeSecurityPrivilege	2292	wevtutil.exe
Token: SeBackupPrivilege	2292	wevtutil.exe
Token: SeSecurityPrivilege	1568	wevtutil.exe
Token: SeBackupPrivilege	1568	wevtutil.exe
Token: SeSecurityPrivilege	2160	wevtutil.exe
Token: SeBackupPrivilege	2160	wevtutil.exe
Token: SeSecurityPrivilege	1596	wevtutil.exe
Token: SeBackupPrivilege	1596	wevtutil.exe
Token: SeSecurityPrivilege	2088	wevtutil.exe
Token: SeBackupPrivilege	2088	wevtutil.exe
Token: SeSecurityPrivilege	992	wevtutil.exe
Token: SeBackupPrivilege	992	wevtutil.exe
Token: SeSecurityPrivilege	2820	wevtutil.exe
Token: SeBackupPrivilege	2820	wevtutil.exe
Token: SeSecurityPrivilege	2812	wevtutil.exe
Token: SeBackupPrivilege	2812	wevtutil.exe
Token: SeSecurityPrivilege	2848	wevtutil.exe
Token: SeBackupPrivilege	2848	wevtutil.exe
Token: SeSecurityPrivilege	3004	wevtutil.exe
Token: SeBackupPrivilege	3004	wevtutil.exe
Token: SeSecurityPrivilege	2760	wevtutil.exe
Token: SeBackupPrivilege	2760	wevtutil.exe
Token: SeSecurityPrivilege	2860	wevtutil.exe
Token: SeBackupPrivilege	2860	wevtutil.exe
Token: SeSecurityPrivilege	2844	wevtutil.exe
Token: SeBackupPrivilege	2844	wevtutil.exe
Token: SeSecurityPrivilege	2264	wevtutil.exe
Token: SeBackupPrivilege	2264	wevtutil.exe
Token: SeSecurityPrivilege	2988	wevtutil.exe
Token: SeBackupPrivilege	2988	wevtutil.exe
Token: SeSecurityPrivilege	2764	wevtutil.exe
Token: SeBackupPrivilege	2764	wevtutil.exe
Token: SeSecurityPrivilege	2904	wevtutil.exe
Token: SeBackupPrivilege	2904	wevtutil.exe
Token: SeSecurityPrivilege	2892	wevtutil.exe
Token: SeBackupPrivilege	2892	wevtutil.exe
Token: SeSecurityPrivilege	2060	wevtutil.exe
Token: SeBackupPrivilege	2060	wevtutil.exe
Token: SeSecurityPrivilege	2828	wevtutil.exe
Token: SeBackupPrivilege	2828	wevtutil.exe
Token: SeSecurityPrivilege	2648	wevtutil.exe
Token: SeBackupPrivilege	2648	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1720	2976	1buttonBETA2-22.exe	32
PID 2976 wrote to memory of 1720	2976	1buttonBETA2-22.exe	32
PID 2976 wrote to memory of 1720	2976	1buttonBETA2-22.exe	32
PID 1720 wrote to memory of 1804	1720	cmd.exe	33
PID 1720 wrote to memory of 1804	1720	cmd.exe	33
PID 1720 wrote to memory of 1804	1720	cmd.exe	33
PID 1720 wrote to memory of 2888	1720	cmd.exe	35
PID 1720 wrote to memory of 2888	1720	cmd.exe	35
PID 1720 wrote to memory of 2888	1720	cmd.exe	35
PID 1720 wrote to memory of 1712	1720	cmd.exe	36
PID 1720 wrote to memory of 1712	1720	cmd.exe	36
PID 1720 wrote to memory of 1712	1720	cmd.exe	36
PID 1720 wrote to memory of 1992	1720	cmd.exe	37
PID 1720 wrote to memory of 1992	1720	cmd.exe	37
PID 1720 wrote to memory of 1992	1720	cmd.exe	37
PID 1720 wrote to memory of 2780	1720	cmd.exe	38
PID 1720 wrote to memory of 2780	1720	cmd.exe	38
PID 1720 wrote to memory of 2780	1720	cmd.exe	38
PID 1720 wrote to memory of 1776	1720	cmd.exe	39
PID 1720 wrote to memory of 1776	1720	cmd.exe	39
PID 1720 wrote to memory of 1776	1720	cmd.exe	39
PID 1720 wrote to memory of 2372	1720	cmd.exe	40
PID 1720 wrote to memory of 2372	1720	cmd.exe	40
PID 1720 wrote to memory of 2372	1720	cmd.exe	40
PID 1720 wrote to memory of 588	1720	cmd.exe	41
PID 1720 wrote to memory of 588	1720	cmd.exe	41
PID 1720 wrote to memory of 588	1720	cmd.exe	41
PID 1720 wrote to memory of 840	1720	cmd.exe	42
PID 1720 wrote to memory of 840	1720	cmd.exe	42
PID 1720 wrote to memory of 840	1720	cmd.exe	42
PID 1720 wrote to memory of 864	1720	cmd.exe	43
PID 1720 wrote to memory of 864	1720	cmd.exe	43
PID 1720 wrote to memory of 864	1720	cmd.exe	43
PID 1720 wrote to memory of 1108	1720	cmd.exe	44
PID 1720 wrote to memory of 1108	1720	cmd.exe	44
PID 1720 wrote to memory of 1108	1720	cmd.exe	44
PID 1720 wrote to memory of 2908	1720	cmd.exe	45
PID 1720 wrote to memory of 2908	1720	cmd.exe	45
PID 1720 wrote to memory of 2908	1720	cmd.exe	45
PID 1720 wrote to memory of 2704	1720	cmd.exe	46
PID 1720 wrote to memory of 2704	1720	cmd.exe	46
PID 1720 wrote to memory of 2704	1720	cmd.exe	46
PID 1720 wrote to memory of 2928	1720	cmd.exe	47
PID 1720 wrote to memory of 2928	1720	cmd.exe	47
PID 1720 wrote to memory of 2928	1720	cmd.exe	47
PID 1720 wrote to memory of 2936	1720	cmd.exe	48
PID 1720 wrote to memory of 2936	1720	cmd.exe	48
PID 1720 wrote to memory of 2936	1720	cmd.exe	48
PID 1720 wrote to memory of 2964	1720	cmd.exe	49
PID 1720 wrote to memory of 2964	1720	cmd.exe	49
PID 1720 wrote to memory of 2964	1720	cmd.exe	49
PID 1720 wrote to memory of 1916	1720	cmd.exe	50
PID 1720 wrote to memory of 1916	1720	cmd.exe	50
PID 1720 wrote to memory of 1916	1720	cmd.exe	50
PID 1720 wrote to memory of 2116	1720	cmd.exe	51
PID 1720 wrote to memory of 2116	1720	cmd.exe	51
PID 1720 wrote to memory of 2116	1720	cmd.exe	51
PID 1720 wrote to memory of 568	1720	cmd.exe	52
PID 1720 wrote to memory of 568	1720	cmd.exe	52
PID 1720 wrote to memory of 568	1720	cmd.exe	52
PID 2116 wrote to memory of 1332	2116	FIXusrTEMPv6.exe	53
PID 2116 wrote to memory of 1332	2116	FIXusrTEMPv6.exe	53
PID 2116 wrote to memory of 1332	2116	FIXusrTEMPv6.exe	53
PID 1332 wrote to memory of 1260	1332	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\1buttonBETA2-22.exe
"C:\Users\Admin\AppData\Local\Temp\1buttonBETA2-22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1545.tmp\1546.tmp\1547.bat C:\Users\Admin\AppData\Local\Temp\1buttonBETA2-22.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService_x64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\system32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:1776
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:2372
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:588
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:840
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
    3⤵
    PID:864
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
    3⤵
    PID:1108
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2908
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
    3⤵
    PID:2704
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 10724 /f
    3⤵
    - Modifies registry key
    PID:2928
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 29454 /f
    3⤵
    - Modifies registry key
    PID:2936
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:2964
- - C:\Windows\system32\ARP.EXE
    arp -d
    3⤵
    PID:1916
- - C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
    "C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\34D6.tmp\34D7.tmp\34D8.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1260
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2580
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:980
    - - C:\Windows\system32\PING.EXE
        
        ping /n 2 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
- - C:\Windows\system32\PING.EXE
    PING localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:568
- - C:\Users\Admin\AppData\Roaming\ddc.exe
    C:\Users\Admin\AppData\Roaming\ddc.exe b /target:c:\DriverBackup4u
    3⤵
    - Executes dropped EXE
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2436
- - C:\Windows\system32\PING.EXE
    PING localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe""
    3⤵
    PID:1308
  - - C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
      "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\Cleaner8.exe""
    3⤵
    - Loads dropped DLL
    PID:1964
  - - C:\Users\Admin\AppData\Roaming\Cleaner8.exe
      "C:\Users\Admin\AppData\Roaming\Cleaner8.exe"
      4⤵
      Executes dropped EXE
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      PID:2184
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2184 -s 228
        5⤵
        Loads dropped DLL
        
        PID:2224
- - C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
    "C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
    3⤵
    - Executes dropped EXE
    PID:1944
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\44FC.tmp\44FD.tmp\44FE.bat C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
      4⤵
      PID:800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit
        5⤵
        
        PID:1784
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit
        6⤵
        
        PID:1840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        5⤵
        
        PID:772
      - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Application"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DebugChannel"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Media Center"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:2656
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        5⤵
        Clears Windows event logs
        
        PID:2604
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        5⤵
        Clears Windows event logs
        
        PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo N "
    3⤵
    PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe""
    3⤵
    - Loads dropped DLL
    PID:956
  - - C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe
      "C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul 2> nul
        5⤵
        
        PID:356
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:1124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /release > nul 2> nul
        5⤵
        
        PID:1500
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:1940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /renew > nul 2> nul
        5⤵
        
        PID:2392
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /renew
        6⤵
        Gathers network information
        
        PID:2200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c .\reset_adapters.exe
        5⤵
        Loads dropped DLL
        
        PID:1524
      - C:\Users\Admin\AppData\Roaming\reset_adapters.exe
        
        .\reset_adapters.exe
        6⤵
        Executes dropped EXE
        
        PID:2148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        5⤵
        
        PID:3056
- - C:\Windows\system32\PING.EXE
    PING localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1968
- - C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
    "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BS 6654u-BS335
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2668
- - C:\Windows\system32\PING.EXE
    PING localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1956
- - C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
    "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SS 291504u-SS15377
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2272
- - C:\Windows\system32\PING.EXE
    PING localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1836
- - C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
    "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SV 92204u-SV2547
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2112
- - C:\Windows\system32\PING.EXE
    PING localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2232
- - C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
    "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SU AUTO
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2508
- - C:\Windows\system32\PING.EXE
    PING localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1712
- - C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
    "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /SK 272634u-SK3772
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1928
- - C:\Windows\system32\PING.EXE
    PING localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2896
- - C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
    "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BM 65494u-BM30415
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1924
- - C:\Windows\system32\PING.EXE
    PING localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1060
- - C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE
    "C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE" /BV 308504u-BV12085
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1108
- - C:\Windows\system32\PING.EXE
    PING localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2920
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cleaner1.exe
    3⤵
    - Kills process with taskkill
    PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cleaner8.exe
    3⤵
    - Kills process with taskkill
    PID:544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im 1-RUNFIRST.exe
    3⤵
    - Kills process with taskkill
    PID:1148
- - C:\Windows\system32\PING.EXE
    PING localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe""
    3⤵
    - Loads dropped DLL
    PID:1556
  - - C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe
      "C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe"
      4⤵
      Executes dropped EXE
      PID:288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Msg * /TIME:10 4u4play.com for update
        5⤵
        
        PID:1100
      - C:\Windows\system32\msg.exe
        
        Msg * /TIME:10 4u4play.com for update
        6⤵
        
        PID:2492
- - C:\Windows\system32\PING.EXE
    PING localhost -n 4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1900
- - C:\Windows\system32\PING.EXE
    PING localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1604
- - C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe
    "C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1964
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\824A.tmp\824B.tmp\824C.bat "C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe""
      4⤵
      Loads dropped DLL
      PID:1396
    - - C:\Users\Admin\AppData\Roaming\devcon.exe
        
        devcon rescan
        5⤵
        Executes dropped EXE
        
        PID:2984
- - C:\Windows\system32\PING.EXE
    PING localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:332
- - C:\Windows\system32\PING.EXE
    PING localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1756
- - C:\Windows\system32\PING.EXE
    PING localhost -n 6
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "PCI\VEN*" /use_wildcard"""
    3⤵
    - Loads dropped DLL
    PID:1676
  - - C:\Users\Admin\AppData\Roaming\DevManView.exe
      ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "PCI\VEN*" /use_wildcard""
      4⤵
      Executes dropped EXE
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard"""
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Roaming\DevManView.exe
      ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "Realtek*" /use_wildcard"""
    3⤵
    PID:2360
  - - C:\Users\Admin\AppData\Roaming\DevManView.exe
      ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "Realtek*" /use_wildcard""
      4⤵
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /min ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "SWD\MS*" /use_wildcard"""
    3⤵
    PID:3056
  - - C:\Users\Admin\AppData\Roaming\DevManView.exe
      ""C:\Users\Admin\AppData\Roaming\DevManView.exe /uninstall "SWD\MS*" /use_wildcard""
      4⤵
      PID:844
- - C:\Windows\system32\PING.EXE
    PING localhost -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1545.tmp\1546.tmp\1547.bat

Filesize
39B

MD5
a9832ef693180ebedb5b6ed08f0b3227

SHA1
b4ebcabbafcb1dcd113cbb7f996c3ea6443ce2b2

SHA256
9f32b3a95a985d2022d6926411a54c8f2518da0d92ac4bb213f723eb7dd09567

SHA512
fb227ed1d0fc39c28981b2c8c3a7f6bdd74e19aabdb4a8209f7e1b5de16bea554a0f6e8580109097a5894b305c2d23fb3d68f65d009c28696fe1d6ee7ae8345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\34D6.tmp\34D7.tmp\34D8.bat

Filesize
845B

MD5
54d18c0e0a34808017e53029d7875c09

SHA1
bca96014c545bd02f964cc3dd368b5c6ce9f2963

SHA256
6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae

SHA512
95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\44FC.tmp\44FD.tmp\44FE.bat

Filesize
679B

MD5
064bb52705e97caeee4dcbb5c72c1413

SHA1
13107d14185397ad662c08dda51a0ebe7583fbe8

SHA256
a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26

SHA512
af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Download Submit
C:\Users\Admin\AppData\Local\Temp\824A.tmp\824B.tmp\824C.bat

Filesize
24B

MD5
adf8254c3e44ca2685b52366457fc6c9

SHA1
eaeef81e015e18c274ae5debfa7c511b6d871442

SHA256
eb955b96ff2dabe61d2eb8272ba5e0a30b09364a6b15832a80da7daacb8b0c4f

SHA512
2eff22c775d6cdb21ed17ece2468e5f98c9d04e323a7f39f85552629fdd2e4addc728b2866324749f1b6a565b7cf90c98b2b403a8a6af11197270d5e1fad94a9

Download Submit
C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe

Filesize
43KB

MD5
6fbe881f1d6480e2e15d3ebe0f493d2d

SHA1
f698079150df242e156223f1b3e46f449bc01415

SHA256
49b84540d5b4b8d2344c25edb042e216592dd1dc78a5c00f2ad9457442c4581c

SHA512
2084a64ab503e214854e02dcb1ed8bff7cab40dad64cb624326d42a087f343a74b7470956c681268725e0ec2f8ab13182c814356d6d6d066a2b0c6da290d16ef

Download Submit
C:\Users\Admin\AppData\Roaming\3combined.bat

Filesize
12KB

MD5
a1140e73ee36be2d1d9b02c074669e99

SHA1
2bb50beaa05353074a65391d1939b6f68fc1d7bd

SHA256
e6c515101c862517a953031cdcecd77bb2164f01bd79616d929e43c320de1345

SHA512
100e3fdaa36adac1f1b1bd2e40780eb79b1fe2937ff5aed0b4b5f423f42268f76f58258f76ff6dae729f2f7333a89343acaf56997e2b52dd09b8f4c8741efa87

Download Submit
C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe

Filesize
219KB

MD5
9353ed7c3ba8e2417ce2664ae7afac16

SHA1
05699a2a2792795db1d8f59273172ad80bdc8b06

SHA256
069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628

SHA512
cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262

Download Submit
C:\Users\Admin\AppData\Roaming\DevManView.cfg

Filesize
1KB

MD5
c397462965258ee0bbe4742f83d7c977

SHA1
7a12c6504184c38b9e8096357f651a04c170b59c

SHA256
59f1e9118a106e15b2c151080e4167c4c1dc5fd33d2443ca160511ac7d9b781e

SHA512
9ccff5046bfc41e50707d36d0a9f0654f6ef86525a26656d6bc9f5759455a2b328525f4b79ed6102d5e3cf3300027264830067c6b22891a92ccfc7fc33bc9ce2

Download Submit
C:\Users\Admin\AppData\Roaming\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe

Filesize
103KB

MD5
59a7ce7a4d30e28e6bc356263693eb98

SHA1
a6ace03c0f719ce2e4f9839d0917778a5e798340

SHA256
baa7fb9cd0b15a926d8a34bc070c6cee839eb6bd2a7d4f133eed6b64a5607d8d

SHA512
8e6dac42e51945fc4bf8ab52a6642a548d7493796eda396ebd6dbe5e986f0ee46ae0e9f9d9fd714b020fda0c24f0265436278be62c1488097a777076a5e1c0c2

Download Submit
C:\Users\Admin\AppData\Roaming\ddc.exe

Filesize
377KB

MD5
97b963fd85ff4cc2a3b0da8164593cfc

SHA1
f29b0ba7cc01182f83845088375c2c18fd49f187

SHA256
af219747072341760396d686f2fe7350ec2dce713f1ec1977c21f8be7b9197d5

SHA512
232bcfb83387ed125f3c3a065031e36e3f7c494118aa2fa33c64fd3d81066531ad9de09c5358f5b0a24024b0a223a2fc4a5646e9b475853904b24729df808fae

Download Submit
C:\Users\Admin\AppData\Roaming\devcon.exe

Filesize
80KB

MD5
d153a0bc6f0476457b56fc38795dea01

SHA1
eb3c25afab996b84c52619c6f676d0663c241e01

SHA256
df048df347a738b6addec6f3fd65c73e371d0e11e2dc02f88f8ef307b964e1b7

SHA512
6322d98b356cfa9a4bc8559959de01cdd4d9c038a9d0d506d2211d9e329c6b938f5bccb5459217a4c471cf200287bdbf7068393ce6f69b37a103e5ae6e758414

Download Submit
C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe

Filesize
88KB

MD5
d144852c9d62d6e8d2e3ed532c853aac

SHA1
ea52d984ff2be5fa377a21b0af425f778e60fa77

SHA256
996d44d2331f60e8c158662200fcd1f5cfc60076503e940ce9db98e0e92adfe6

SHA512
af68d189a4480c5c54e256f6e39ef5fb9e35fa78dee4163d0805a6d406183f50cef725ed7bc677c46f8030523353a16e71aa90a388a1235a2b0dc86352cd9af7

Download Submit
\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
\Users\Admin\AppData\Roaming\Cleaner8.exe

Filesize
156KB

MD5
3546548be0b0940c52ec881d48404818

SHA1
0ded613db5266ffaeac2194bcdd86cec9559ee1c

SHA256
dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a

SHA512
79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838

Download Submit
\Users\Admin\AppData\Roaming\DevManView.exe

Filesize
162KB

MD5
33d7a84f8ef67fd005f37142232ae97e

SHA1
1f560717d8038221c9b161716affb7cd6b14056e

SHA256
a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b

SHA512
c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

Download Submit
\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe

Filesize
219KB

MD5
303dbf6d5ce6b658919091240d5a4a80

SHA1
d45946e1d3c4d973042e0c1bdd88fbc1774f1385

SHA256
70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18

SHA512
666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408

Download Submit
\Users\Admin\AppData\Roaming\moreCLEANhardware.exe

Filesize
197KB

MD5
18d488ec260049b5f3a8861a44fd24e2

SHA1
d1aafbbc0bc7c50a48d669cd8190b73e1376300b

SHA256
18a1133cb2b69c9de39a5b42aefac7048bee9485257c092472be2ec7e2f1df2a

SHA512
d7c4a8e1fb9da1a7e4523a299d57b83b129bb5e930feeb2814001adca17add348d89ea8d0d8b32620d4324457ff093a04321cc1f06d59f415fc9806d30fb4484

Download Submit
\Users\Admin\AppData\Roaming\reset_adapters.exe

Filesize
335KB

MD5
bd624e99155ffa5868f39c73a1513cee

SHA1
0a6c46d21faefaf29c992193e5dac6b4b4a58719

SHA256
4f67490d6a7d952599180f26d167b74c70d4f840d36e73bb8ec7ffb29b6a6df8

SHA512
46471f61f44f97d63993349ed005b26d0a415b4082c1a48321aba18e58d3e10415f24d18ece3016cf65967a29ca85b8d935f70e06fd5ef96cb046d7074d9368c

Download Submit
memory/1800-99-0x0000000000E00000-0x0000000000E20000-memory.dmp

Filesize
128KB

Download
memory/2436-103-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download