Analysis
max time kernel: 60s
max time network: 76s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2025, 16:28
Static task: static1
Behavioral task behavioral1: sample frog/D3DX9_43.dll, resource win7-20240903-en
Behavioral task behavioral2: sample frog/D3DX9_43.dll, resource win10v2004-20250217-en
Behavioral task behavioral3: sample frog/Frog Spoofer (1).exe, resource win7-20240903-en
Behavioral task behavioral4: sample frog/Frog Spoofer (1).exe, resource win10v2004-20250217-en
General
Target: frog/Frog Spoofer (1).exe
Size: 2.7MB
MD5: e001605fa695282a2d3170d8d9e956c9
SHA1: 4544155daae0335ada1d05a509e43b8c0434ffc8
SHA256: 003dc05c74dedfb83f73982173d2ed293a84a2af8a7ef8b6e6ff928119859a2e
SHA512: 11642791791255eea62db5b5058e651329d9b537cc9ffd734702b5bf5207351ecc3bbdb3499acb3dc43e7937da8efd9e23b1e1ccfaa6a077bd747a40926d40d6
SSDEEP: 49152:wy8J1anDS2TFQTnQT2QT9QT1QTXCbAAKrqgvWAtY3o41MBXcOz5dD:CxYw1aCkX23o41MBXc4D
Malware Config
Signatures

Cerber 12 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
description / ioc / pid / Process:
Mutant created: AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}, Process ifsutipx.exe (10 identical entries)
pid 4204, Process taskkill.exe
pid 3800, Process taskkill.exe

Cerber family
Stops running service(s) 4 TTPs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
Key value queried: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation, Process Frog Spoofer (1).exe
Key value queried: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation, Process ntelidcx.dll
Executes dropped EXE 42 IoCs
pid / Process (the 21-entry list below is reported twice, giving 42 IoCs):
accessibility.dll: pids 2732, 3504, 2720, 1792, 628, 3540, 4388, 1596, 3364
ifsutipx.exe: pids 1960, 3420, 4972, 4244, 3396, 1916, 1680, 964, 4504, 4520
ntelidcx.dll: pid 1556
AppVLicense.dll: pid 4644
Drops file in System32 directory 3 IoCs
description / ioc / Process:
File created: C:\Windows\System32\accessibility.dll, Process Frog Spoofer (1).exe
File created: C:\Windows\System32\amifldrv64.sys, Process Frog Spoofer (1).exe
File created: C:\Windows\System32\ifsutipx.exe, Process Frog Spoofer (1).exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid / Process: 2576 cmd.exe

Drops file in Windows directory 2 IoCs
description / ioc / Process:
File created: C:\Windows\AppVLicense.dll, Process Frog Spoofer (1).exe
File created: C:\Windows\ntelidcx.dll, Process Frog Spoofer (1).exe
Launches sc.exe 20 IoCs
Sc.exe is a Windows utility to control services on the system.
pid / Process: sc.exe with pids 4312, 1896, 540, 4920, 2900, 4888, 2700, 3888, 3548, 4080, 3800, 3364, 1972, 4268, 2884, 3660, 1296, 944, 3228, 4892
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process (all 64 entries open the same key):
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by Process reg.exe (42 entries), cmd.exe (11), net1.exe (2), WMIC.exe (2), findstr.exe (2), net.exe (2), attrib.exe (2), ntelidcx.dll (1)
Kills process with taskkill 34 IoCs
pid / Process: taskkill.exe with pids 212, 3800, 2176, 3296, 1200, 860, 632, 2136, 964, 1596, 2660, 4344, 2028, 4004, 224, 3548, 116, 716, 5076, 1800, 4204, 3416, 1372, 4520, 4184, 1280, 3416, 4324, 4316, 444, 3672, 536, 4264, 1796

description / ioc / Process:
Set value (data): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 1505478562, Process reg.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration, Process reg.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration\ProductId = "00331-10000-00001-AF990", Process reg.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBNumber = "KB3170547", Process reg.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration, Process reg.exe
Modifies registry class 16 IoCs
description / ioc / Process (all entries by reg.exe):
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft
Key created: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage
Set value (str): \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{27720B92-5ED7-5C28-5ED7-92B51D7DDE15}"
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process: 1964 Frog Spoofer (1).exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid / Process: 1964 Frog Spoofer (1).exe (2 identical entries)
Suspicious behavior: LoadsDriver 20 IoCs
pid / Process: 660 Process not Found (20 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process:
Token: SeDebugPrivilege, pid 4204 taskkill.exe
Token: SeDebugPrivilege, pid 3800 taskkill.exe
Token: SeDebugPrivilege, pid 2176 taskkill.exe
Token: SeDebugPrivilege, pid 3416 taskkill.exe
Token: SeDebugPrivilege, pid 2028 taskkill.exe
pid 3940 WMIC.exe, the following token list reported twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 4088 shutdown.exe (2 entries): SeShutdownPrivilege, SeRemoteShutdownPrivilege
pid 4172 WMIC.exe (15 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx 16 IoCs
pid / Process: 1964 Frog Spoofer (1).exe (16 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (each of the 32 writes below is reported twice):
PID 1964 Frog Spoofer (1).exe wrote to memory of 4080 (procid_target 85)
PID 4080 cmd.exe wrote to memory of 4204 (procid_target 86)
PID 1964 Frog Spoofer (1).exe wrote to memory of 2912 (procid_target 88)
PID 2912 cmd.exe wrote to memory of 3800 (procid_target 89)
PID 1964 Frog Spoofer (1).exe wrote to memory of 4824 (procid_target 90)
PID 4824 cmd.exe wrote to memory of 944 (procid_target 91)
PID 1964 Frog Spoofer (1).exe wrote to memory of 2736 (procid_target 92)
PID 2736 cmd.exe wrote to memory of 2176 (procid_target 93)
PID 1964 Frog Spoofer (1).exe wrote to memory of 4408 (procid_target 94)
PID 4408 cmd.exe wrote to memory of 3416 (procid_target 95)
PID 1964 Frog Spoofer (1).exe wrote to memory of 4432 (procid_target 96)
PID 4432 cmd.exe wrote to memory of 2028 (procid_target 97)
PID 1964 Frog Spoofer (1).exe wrote to memory of 2268 (procid_target 109)
PID 2268 cmd.exe wrote to memory of 3228 (procid_target 110)
PID 1964 Frog Spoofer (1).exe wrote to memory of 3648 (procid_target 111)
PID 3648 cmd.exe wrote to memory of 4892 (procid_target 112)
PID 1964 Frog Spoofer (1).exe wrote to memory of 2792 (procid_target 113)
PID 2792 cmd.exe wrote to memory of 4312 (procid_target 114)
PID 1964 Frog Spoofer (1).exe wrote to memory of 4468 (procid_target 115)
PID 4468 cmd.exe wrote to memory of 1896 (procid_target 116)
PID 1964 Frog Spoofer (1).exe wrote to memory of 856 (procid_target 117)
PID 856 cmd.exe wrote to memory of 540 (procid_target 118)
PID 1964 Frog Spoofer (1).exe wrote to memory of 992 (procid_target 119)
PID 992 cmd.exe wrote to memory of 4888 (procid_target 120)
PID 1964 Frog Spoofer (1).exe wrote to memory of 3700 (procid_target 121)
PID 3700 cmd.exe wrote to memory of 3660 (procid_target 122)
PID 1964 Frog Spoofer (1).exe wrote to memory of 4876 (procid_target 123)
PID 4876 cmd.exe wrote to memory of 4080 (procid_target 124)
PID 1964 Frog Spoofer (1).exe wrote to memory of 4900 (procid_target 125)
PID 4900 cmd.exe wrote to memory of 3800 (procid_target 126)
PID 1964 Frog Spoofer (1).exe wrote to memory of 4184 (procid_target 127)
PID 4184 cmd.exe wrote to memory of 2700 (procid_target 128)
Views/modifies file attributes 1 TTPs 2 IoCs
pid / Process: 876 attrib.exe; 4972 attrib.exe
Processes
(one line per process: [tree depth] image path (PID): command line [matched signatures])

[1] C:\Users\Admin\AppData\Local\Temp\frog\Frog Spoofer (1).exe (PID 1964): "C:\Users\Admin\AppData\Local\Temp\frog\Frog Spoofer (1).exe" [Checks computer location settings; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
  [2] C:\Windows\system32\cmd.exe (PID 4080): C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\taskkill.exe (PID 4204): taskkill /f /im HTTPDebuggerUI.exe [Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  [2] C:\Windows\system32\cmd.exe (PID 2912): C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\taskkill.exe (PID 3800): taskkill /f /im HTTPDebuggerSvc.exe [Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  [2] C:\Windows\system32\cmd.exe (PID 4824): C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 944): sc stop HTTPDebuggerPro [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 2736): C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\taskkill.exe (PID 2176): taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  [2] C:\Windows\system32\cmd.exe (PID 4408): C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\taskkill.exe (PID 3416): taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  [2] C:\Windows\system32\cmd.exe (PID 4432): C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\taskkill.exe (PID 2028): taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
  [2] C:\Windows\system32\cmd.exe (PID 2268): C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 3228): sc stop HTTPDebuggerPro [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 3648): C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 4892): sc stop KProcessHacker3 [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 2792): C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 4312): sc stop KProcessHacker2 [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 4468): C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 1896): sc stop KProcessHacker1 [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 856): C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 540): sc stop wireshark [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 992): C:\Windows\system32\cmd.exe /c sc stop cpuz150 >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 4888): sc stop cpuz150 [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 3700): C:\Windows\system32\cmd.exe /c sc stop vgt >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 3660): sc stop vgt [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 4876): C:\Windows\system32\cmd.exe /c sc stop vgrl >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 4080): sc stop vgrl [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 4900): C:\Windows\system32\cmd.exe /c sc stop vgk >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 3800): sc stop vgk [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 4184): C:\Windows\system32\cmd.exe /c sc stop vgc >nul 2>&1 [Suspicious use of WriteProcessMemory]
    [3] C:\Windows\system32\sc.exe (PID 2700): sc stop vgc [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 2120): C:\Windows\system32\cmd.exe /c sc delete vgrl >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 3888): sc delete vgrl [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 4504): C:\Windows\system32\cmd.exe /c sc delete vgk >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 1296): sc delete vgk [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 4028): C:\Windows\system32\cmd.exe /c sc delete vgc >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 3364): sc delete vgc [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 3928): C:\Windows\system32\cmd.exe /c sc delete vg >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 1972): sc delete vg [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 2064): C:\Windows\system32\cmd.exe /c taskkill / f / im vgtray.exe >nul 2>&1
    [3] C:\Windows\system32\taskkill.exe (PID 3416): taskkill / f / im vgtray.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 4408): C:\Windows\system32\cmd.exe /c sc delete cpuz150 >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 3548): sc delete cpuz150 [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 1944): C:\Windows\system32\cmd.exe /c sc config wuauserv start = disabled >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 4268): sc config wuauserv start = disabled [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 4880): C:\Windows\system32\cmd.exe /c net stop wuauserv >nul 2>&1
    [3] C:\Windows\system32\net.exe (PID 4328): net stop wuauserv
      [4] C:\Windows\system32\net1.exe (PID 4368): C:\Windows\system32\net1 stop wuauserv
  [2] C:\Windows\system32\cmd.exe (PID 3692): C:\Windows\system32\cmd.exe /c sc config bits start = disabled >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 4920): sc config bits start = disabled [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 2388): C:\Windows\system32\cmd.exe /c net stop bits >nul 2>&1
    [3] C:\Windows\system32\net.exe (PID 4652): net stop bits
      [4] C:\Windows\system32\net1.exe (PID 3752): C:\Windows\system32\net1 stop bits
  [2] C:\Windows\system32\cmd.exe (PID 2948): C:\Windows\system32\cmd.exe /c sc config dosvc start = disabled >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 2884): sc config dosvc start = disabled [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 4000): C:\Windows\system32\cmd.exe /c net stop dosvc >nul 2>&1
    [3] C:\Windows\system32\net.exe (PID 4428): net stop dosvc
      [4] C:\Windows\system32\net1.exe (PID 2652): C:\Windows\system32\net1 stop dosvc
  [2] C:\Windows\system32\cmd.exe (PID 2720): C:\Windows\system32\cmd.exe /c sc config UsoSvc start = disabled >nul 2>&1
    [3] C:\Windows\system32\sc.exe (PID 2900): sc config UsoSvc start = disabled [Launches sc.exe]
  [2] C:\Windows\system32\cmd.exe (PID 2412): C:\Windows\system32\cmd.exe /c net stop UsoSvc >nul 2>&1
    [3] C:\Windows\system32\net.exe (PID 1672): net stop UsoSvc
      [4] C:\Windows\system32\net1.exe (PID 436): C:\Windows\system32\net1 stop UsoSvc
  [2] C:\Windows\system32\cmd.exe (PID 2420): C:\Windows\system32\cmd.exe /c taskkill / f / im smartscreen.exe
    [3] C:\Windows\system32\taskkill.exe (PID 1372): taskkill / f / im smartscreen.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 3008): C:\Windows\system32\cmd.exe /c taskkill / f / im EasyAntiCheat.exe
    [3] C:\Windows\system32\taskkill.exe (PID 4520): taskkill / f / im EasyAntiCheat.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 812): C:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe
    [3] C:\Windows\system32\taskkill.exe (PID 716): taskkill / f / im dnf.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 4848): C:\Windows\system32\cmd.exe /c taskkill / f / im DNF.exe
    [3] C:\Windows\system32\taskkill.exe (PID 3296): taskkill / f / im DNF.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 2740): C:\Windows\system32\cmd.exe /c taskkill / f / im CrossProxy.exe
    [3] C:\Windows\system32\taskkill.exe (PID 116): taskkill / f / im CrossProxy.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 3584): C:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_1.exe
    [3] C:\Windows\system32\taskkill.exe (PID 1200): taskkill / f / im tensafe_1.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 4388): C:\Windows\system32\cmd.exe /c taskkill / f / im TenSafe_1.exe
    [3] C:\Windows\system32\taskkill.exe (PID 1796): taskkill / f / im TenSafe_1.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 624): C:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_2.exe
    [3] C:\Windows\system32\taskkill.exe (PID 2136): taskkill / f / im tensafe_2.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 3748): C:\Windows\system32\cmd.exe /c taskkill / f / im tencentdl.exe
    [3] C:\Windows\system32\taskkill.exe (PID 964): taskkill / f / im tencentdl.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 808): C:\Windows\system32\cmd.exe /c taskkill / f / im TenioDL.exe
    [3] C:\Windows\system32\taskkill.exe (PID 1596): taskkill / f / im TenioDL.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 4280): C:\Windows\system32\cmd.exe /c taskkill / f / im uishell.exe
    [3] C:\Windows\system32\taskkill.exe (PID 5076): taskkill / f / im uishell.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 2372): C:\Windows\system32\cmd.exe /c taskkill / f / im BackgroundDownloader.exe
    [3] C:\Windows\system32\taskkill.exe (PID 860): taskkill / f / im BackgroundDownloader.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 3648): C:\Windows\system32\cmd.exe /c taskkill / f / im conime.exe
    [3] C:\Windows\system32\taskkill.exe (PID 4324): taskkill / f / im conime.exe [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 2792): C:\Windows\system32\cmd.exe /c taskkill / f / im QQDL.EXE
    [3] C:\Windows\system32\taskkill.exe (PID 4316): taskkill / f / im QQDL.EXE [Kills process with taskkill]
  [2] C:\Windows\system32\cmd.exe (PID 4924): C:\Windows\system32\cmd.exe /c taskkill / f / im qqlogin.exe
-
C:\Windows\system32\taskkill.exetaskkill / f / im qqlogin.exe3⤵
- Kills process with taskkill
PID:4004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im dnfchina.exe >nul 2>&12⤵PID:1936
-
C:\Windows\system32\taskkill.exetaskkill / f / im dnfchina.exe3⤵
- Kills process with taskkill
PID:444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im dnfchinatest.exe2⤵PID:5036
-
C:\Windows\system32\taskkill.exetaskkill / f / im dnfchinatest.exe3⤵
- Kills process with taskkill
PID:632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe2⤵PID:4632
-
C:\Windows\system32\taskkill.exetaskkill / f / im dnf.exe3⤵
- Kills process with taskkill
PID:2660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im txplatform.exe2⤵PID:2880
-
C:\Windows\system32\taskkill.exetaskkill / f / im txplatform.exe3⤵
- Kills process with taskkill
PID:3672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im TXPlatform.exe2⤵PID:2700
-
C:\Windows\system32\taskkill.exetaskkill / f / im TXPlatform.exe3⤵
- Kills process with taskkill
PID:4184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginWebHelperService.exe2⤵PID:4556
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginWebHelperService.exe3⤵
- Kills process with taskkill
PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im Origin.exe2⤵PID:1544
-
C:\Windows\system32\taskkill.exetaskkill / f / im Origin.exe3⤵
- Kills process with taskkill
PID:212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginClientService.exe2⤵PID:1292
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginClientService.exe3⤵
- Kills process with taskkill
PID:1800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginER.exe2⤵PID:4596
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginER.exe3⤵
- Kills process with taskkill
PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginThinSetupInternal.exe2⤵PID:2168
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginThinSetupInternal.exe3⤵
- Kills process with taskkill
PID:3548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginLegacyCLI.exe2⤵PID:4408
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginLegacyCLI.exe3⤵
- Kills process with taskkill
PID:1280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im Agent.exe2⤵PID:2096
-
C:\Windows\system32\taskkill.exetaskkill / f / im Agent.exe3⤵
- Kills process with taskkill
PID:536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im Client.exe2⤵PID:2008
-
C:\Windows\system32\taskkill.exetaskkill / f / im Client.exe3⤵
- Kills process with taskkill
PID:4264
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula2⤵PID:1240
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll /accepteula3⤵
- Executes dropped EXE
PID:2732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll2⤵PID:4652
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll3⤵
- Executes dropped EXE
PID:3504
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula2⤵PID:3420
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll /accepteula3⤵
- Executes dropped EXE
PID:2720
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll C: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%2⤵PID:3916
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll C: 4416-78693⤵
- Executes dropped EXE
PID:1792
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll D: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%2⤵PID:3376
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll D: 7472-25123⤵
- Executes dropped EXE
PID:628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll E: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%2⤵PID:812
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll E: 1327-62353⤵
- Executes dropped EXE
PID:3540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll F: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%2⤵PID:3352
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll F: 4182-31683⤵
- Executes dropped EXE
PID:4388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll G: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%2⤵PID:4024
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll G: 7245-77803⤵
- Executes dropped EXE
PID:1596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll2⤵PID:2984
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll3⤵
- Executes dropped EXE
PID:3364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SS %random%%random%%random%2⤵PID:3684
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SS 9642535847043⤵
- Cerber
- Executes dropped EXE
PID:1960
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BS %random%%random%%random%2⤵PID:1516
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /BS 9673339225683⤵
- Cerber
- Executes dropped EXE
PID:3420
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SU auto2⤵PID:2720
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SU auto3⤵
- Cerber
- Executes dropped EXE
PID:4972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /IV %random:~-1%.%random:~-1%.%random:~-1%2⤵PID:4548
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /IV 3.6.93⤵
- Cerber
- Executes dropped EXE
PID:4244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /ID 0%random:~-1%/0%random:~-1%/20212⤵PID:628
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /ID 07/06/20213⤵
- Cerber
- Executes dropped EXE
PID:3396
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SP MS-%random:~-1%C%random:~-1%%random:~-1%F2⤵PID:3296
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SP MS-0C49F3⤵
- Cerber
- Executes dropped EXE
PID:1916
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SK A%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%O%random:~-1%2⤵PID:3736
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SK A335S403O03⤵
- Cerber
- Executes dropped EXE
PID:1680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SF B%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%Z%random:~-1%2⤵PID:1200
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SF B639S950Z23⤵
- Cerber
- Executes dropped EXE
PID:964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BT X%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%X%random:~-1%2⤵PID:1952
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /BT X026S597X53⤵
- Cerber
- Executes dropped EXE
PID:4504
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /PSN %random%%random%%random%2⤵PID:4824
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /PSN 9932379016423⤵
- Cerber
- Executes dropped EXE
PID:4520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\ntelidcx.dll2⤵PID:1524
-
C:\Windows\ntelidcx.dllC:\Windows\ntelidcx.dll3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t6223.bat" "C:\Windows\ntelidcx.dll" "4⤵
- System Location Discovery: System Language Discovery
PID:4320 -
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\ytmp5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:876
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where caption='Admin' rename5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d 1740-F990 /f5⤵
- System Location Discovery: System Language Discovery
PID:2932
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v Hostname /t REG_SZ /d 1740-F990 /f5⤵
- System Location Discovery: System Language Discovery
PID:2900
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d 1740-F990 /f5⤵
- System Location Discovery: System Language Discovery
PID:4428
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t REG_SZ /d 1740-F990 /f5⤵PID:1516
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d 1740-F990 /f5⤵
- System Location Discovery: System Language Discovery
PID:1788
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 00331--00001-AF990 /f5⤵
- System Location Discovery: System Language Discovery
PID:2760
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId /t REG_BINARY /d A4000000000003030312D3836382D303030303030372D383535353700AA0000005831352D3333000000000000000C3AABF5C28BA18B8878E89D5C28000000000000396CC459BD03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005ED76736 /f5⤵PID:2772
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId4 /t REG_BINARY /d 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 /f5⤵
- System Location Discovery: System Language Discovery
PID:4828
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" /v ProductId /t REG_SZ /d 00331-10000-00001-AF990 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:4628
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v svcKBNumber /t REG_SZ /d KB3170547 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2716
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_DWORD /d 1505478562 /f5⤵
- System Location Discovery: System Language Discovery
PID:1688
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration" /v "IE Installed Date" /t REG_BINARY /d 1505478562 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:4244
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-80B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:3252
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-6aB51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:3916
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-6aB51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:1552
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\BootCKCLSettings" /v GUID /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-3eB51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:2468
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\SecondaryLogonCKCLSettings" /v GUID /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-3eB51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:5080
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\ShutdownCKCLSettings" /v GUID /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-3eB51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:2420
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-80B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:720
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 69261DC2-5ED7-5C28-5ED7-e7B51D7DDE15 /f5⤵
- System Location Discovery: System Language Discovery
PID:3424
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild /t REG_SZ /d 14424 /f5⤵
- System Location Discovery: System Language Discovery
PID:3348
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber /t REG_SZ /d 14424 /f5⤵
- System Location Discovery: System Language Discovery
PID:4220
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLab /t REG_SZ /d 14424.rs1_release.171248-2100 /f5⤵
- System Location Discovery: System Language Discovery
PID:3540
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx /t REG_SZ /d 14424.1944.amd64fre.rs1_release.171248-2100 /f5⤵
- System Location Discovery: System Language Discovery
PID:2676
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 69261DC2-5ED7-5C28-5ED7-B51D7DDE15 /f5⤵
- System Location Discovery: System Language Discovery
PID:3976
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Connected" /v GUID /t REG_SZ /d {A28BBADE-5ED7-5C28-5ED7-00B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:4480
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Disconnected" /v GUID /t REG_SZ /d {143E4E83-5ED7-5C28-5ED7-00B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:2068
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\EmailImage" /v GUID /t REG_SZ /d {C66DCEE1-5ED7-5C28-5ED7-2FB51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:1680
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\FaxImage" /v GUID /t REG_SZ /d {C00EB793-5ED7-5C28-5ED7-00B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:4796
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\PrintImage" /v GUID /t REG_SZ /d {B441F425-5ED7-5C28-5ED7-00B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:1192
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\ScanButton" /v GUID /t REG_SZ /d {A6C5A715-5ED7-5C28-5ED7-00B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:2424
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\STIproxyEvent" /v GUID /t REG_SZ /d {d711f81f-5ED7-5C28-5ED7-92B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
PID:3400
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE" /v value /t REG_SZ /d {27720B92-5ED7-5C28-5ED7-92B51D7DDE15} /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5040
-
-
C:\Windows\SysWOW64\net.exenet stop wuauserv5⤵
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv6⤵
- System Location Discovery: System Language Discovery
PID:1228
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 69261DC2-5ED7-5C28-5ED7-c9B51D7DDE15 /f5⤵
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /t REG_BINARY /d A4000000000003030312D3836382D30303B51D7DDE15D383535353700AA0000005831352D3333000000000000000C3AABF5C28BA18B8878E89D5C28000000000000396CC459BD03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005ED76736 /f5⤵
- System Location Discovery: System Language Discovery
PID:1968
-
-
C:\Windows\SysWOW64\net.exenet start wuauserv5⤵
- System Location Discovery: System Language Discovery
PID:4004 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start wuauserv6⤵
- System Location Discovery: System Language Discovery
PID:4556
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId5⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\reg.exereg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId6⤵
- System Location Discovery: System Language Discovery
PID:3552
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c shutdown /r /t 252⤵PID:2736
-
C:\Windows\system32\shutdown.exeshutdown /r /t 253⤵
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\AppVLicense.dll2⤵PID:3936
-
C:\Windows\AppVLicense.dllC:\Windows\AppVLicense.dll3⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"4⤵
- System Location Discovery: System Language Discovery
PID:2932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"4⤵
- System Location Discovery: System Language Discovery
PID:520
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp4⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\ytmp5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4972
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6490.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6490.bat"4⤵
- System Location Discovery: System Language Discovery
PID:2640
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6509.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6509.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4828
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6490.bat "C:\Windows\AppVLicense.dll"4⤵
- System Location Discovery: System Language Discovery
PID:4628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]5⤵
- System Location Discovery: System Language Discovery
PID:4072 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172
-
-
C:\Windows\SysWOW64\findstr.exefindstr [0-9]6⤵
- System Location Discovery: System Language Discovery
PID:4396
-
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\015⤵
- System Location Discovery: System Language Discovery
PID:3264
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0015⤵
- System Location Discovery: System Language Discovery
PID:3396
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00015⤵
- System Location Discovery: System Language Discovery
PID:3456
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 926EAC96D101 /f5⤵
- System Location Discovery: System Language Discovery
PID:2072
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]5⤵
- System Location Discovery: System Language Discovery
PID:400 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid6⤵
- System Location Discovery: System Language Discovery
PID:5060
-
-
C:\Windows\SysWOW64\findstr.exefindstr [0-9]6⤵
- System Location Discovery: System Language Discovery
PID:3424
-
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\015⤵
- System Location Discovery: System Language Discovery
PID:4420
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0015⤵
- System Location Discovery: System Language Discovery
PID:4660
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00015⤵
- System Location Discovery: System Language Discovery
PID:4536
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f5⤵
- System Location Discovery: System Language Discovery
PID:3564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"5⤵
- System Location Discovery: System Language Discovery
PID:3352 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv6⤵PID:2104
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh interface set interface name="Ethernet" disable5⤵PID:2868
-
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵PID:2708
Network
MITRE ATT&CK Enterprise v15
Downloads