cerber | cbe89146c2b5c01173a1faa442841ffd1d8209b2774975b8835dea678f1af84b

Resubmissions

10/03/2025, 16:32

250310-t1813s1xcy 8

10/03/2025, 16:28

250310-tyrzsa1ly8 10

Analysis

max time kernel
60s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

frog/Frog Spoofer (1).exe
Size

2.7MB
MD5

e001605fa695282a2d3170d8d9e956c9
SHA1

4544155daae0335ada1d05a509e43b8c0434ffc8
SHA256

003dc05c74dedfb83f73982173d2ed293a84a2af8a7ef8b6e6ff928119859a2e
SHA512

11642791791255eea62db5b5058e651329d9b537cc9ffd734702b5bf5207351ecc3bbdb3499acb3dc43e7937da8efd9e23b1e1ccfaa6a077bd747a40926d40d6
SSDEEP

49152:wy8J1anDS2TFQTnQT2QT9QT1QTXCbAAKrqgvWAtY3o41MBXcOz5dD:CxYw1aCkX23o41MBXc4D

Score

10^/10

cerber defense_evasion discovery execution ransomware

Malware Config

Signatures

Cerber 12 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
		4204	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
		3800	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe

Cerber family
cerber
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Frog Spoofer (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	ntelidcx.dll

Executes dropped EXE 42 IoCs

pid	Process
2732	accessibility.dll
3504	accessibility.dll
2720	accessibility.dll
1792	accessibility.dll
628	accessibility.dll
3540	accessibility.dll
4388	accessibility.dll
1596	accessibility.dll
3364	accessibility.dll
1960	ifsutipx.exe
3420	ifsutipx.exe
4972	ifsutipx.exe
4244	ifsutipx.exe
3396	ifsutipx.exe
1916	ifsutipx.exe
1680	ifsutipx.exe
964	ifsutipx.exe
4504	ifsutipx.exe
4520	ifsutipx.exe
1556	ntelidcx.dll
4644	AppVLicense.dll
2732	accessibility.dll
3504	accessibility.dll
2720	accessibility.dll
1792	accessibility.dll
628	accessibility.dll
3540	accessibility.dll
4388	accessibility.dll
1596	accessibility.dll
3364	accessibility.dll
1960	ifsutipx.exe
3420	ifsutipx.exe
4972	ifsutipx.exe
4244	ifsutipx.exe
3396	ifsutipx.exe
1916	ifsutipx.exe
1680	ifsutipx.exe
964	ifsutipx.exe
4504	ifsutipx.exe
4520	ifsutipx.exe
1556	ntelidcx.dll
4644	AppVLicense.dll

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\accessibility.dll	Frog Spoofer (1).exe
File created	C:\Windows\System32\amifldrv64.sys	Frog Spoofer (1).exe
File created	C:\Windows\System32\ifsutipx.exe	Frog Spoofer (1).exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2576	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppVLicense.dll	Frog Spoofer (1).exe
File created	C:\Windows\ntelidcx.dll	Frog Spoofer (1).exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4312	sc.exe
1896	sc.exe
540	sc.exe
4920	sc.exe
2900	sc.exe
4888	sc.exe
2700	sc.exe
3888	sc.exe
3548	sc.exe
4080	sc.exe
3800	sc.exe
3364	sc.exe
1972	sc.exe
4268	sc.exe
2884	sc.exe
3660	sc.exe
1296	sc.exe
944	sc.exe
3228	sc.exe
4892	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntelidcx.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Kills process with taskkill 34 IoCs

defense_evasion

pid	Process
212	taskkill.exe
3800	taskkill.exe
2176	taskkill.exe
3296	taskkill.exe
1200	taskkill.exe
860	taskkill.exe
632	taskkill.exe
2136	taskkill.exe
964	taskkill.exe
1596	taskkill.exe
2660	taskkill.exe
4344	taskkill.exe
2028	taskkill.exe
4004	taskkill.exe
224	taskkill.exe
3548	taskkill.exe
116	taskkill.exe
716	taskkill.exe
5076	taskkill.exe
1800	taskkill.exe
4204	taskkill.exe
3416	taskkill.exe
1372	taskkill.exe
4520	taskkill.exe
4184	taskkill.exe
1280	taskkill.exe
3416	taskkill.exe
4324	taskkill.exe
4316	taskkill.exe
444	taskkill.exe
3672	taskkill.exe
536	taskkill.exe
4264	taskkill.exe
1796	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 1505478562	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration\ProductId = "00331-10000-00001-AF990"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBNumber = "KB3170547"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration	reg.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{27720B92-5ED7-5C28-5ED7-92B51D7DDE15}"	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3940	WMIC.exe
Token: SeSecurityPrivilege	3940	WMIC.exe
Token: SeTakeOwnershipPrivilege	3940	WMIC.exe
Token: SeLoadDriverPrivilege	3940	WMIC.exe
Token: SeSystemProfilePrivilege	3940	WMIC.exe
Token: SeSystemtimePrivilege	3940	WMIC.exe
Token: SeProfSingleProcessPrivilege	3940	WMIC.exe
Token: SeIncBasePriorityPrivilege	3940	WMIC.exe
Token: SeCreatePagefilePrivilege	3940	WMIC.exe
Token: SeBackupPrivilege	3940	WMIC.exe
Token: SeRestorePrivilege	3940	WMIC.exe
Token: SeShutdownPrivilege	3940	WMIC.exe
Token: SeDebugPrivilege	3940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3940	WMIC.exe
Token: SeRemoteShutdownPrivilege	3940	WMIC.exe
Token: SeUndockPrivilege	3940	WMIC.exe
Token: SeManageVolumePrivilege	3940	WMIC.exe
Token: 33	3940	WMIC.exe
Token: 34	3940	WMIC.exe
Token: 35	3940	WMIC.exe
Token: 36	3940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3940	WMIC.exe
Token: SeSecurityPrivilege	3940	WMIC.exe
Token: SeTakeOwnershipPrivilege	3940	WMIC.exe
Token: SeLoadDriverPrivilege	3940	WMIC.exe
Token: SeSystemProfilePrivilege	3940	WMIC.exe
Token: SeSystemtimePrivilege	3940	WMIC.exe
Token: SeProfSingleProcessPrivilege	3940	WMIC.exe
Token: SeIncBasePriorityPrivilege	3940	WMIC.exe
Token: SeCreatePagefilePrivilege	3940	WMIC.exe
Token: SeBackupPrivilege	3940	WMIC.exe
Token: SeRestorePrivilege	3940	WMIC.exe
Token: SeShutdownPrivilege	3940	WMIC.exe
Token: SeDebugPrivilege	3940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3940	WMIC.exe
Token: SeRemoteShutdownPrivilege	3940	WMIC.exe
Token: SeUndockPrivilege	3940	WMIC.exe
Token: SeManageVolumePrivilege	3940	WMIC.exe
Token: 33	3940	WMIC.exe
Token: 34	3940	WMIC.exe
Token: 35	3940	WMIC.exe
Token: 36	3940	WMIC.exe
Token: SeShutdownPrivilege	4088	shutdown.exe
Token: SeRemoteShutdownPrivilege	4088	shutdown.exe
Token: SeIncreaseQuotaPrivilege	4172	WMIC.exe
Token: SeSecurityPrivilege	4172	WMIC.exe
Token: SeTakeOwnershipPrivilege	4172	WMIC.exe
Token: SeLoadDriverPrivilege	4172	WMIC.exe
Token: SeSystemProfilePrivilege	4172	WMIC.exe
Token: SeSystemtimePrivilege	4172	WMIC.exe
Token: SeProfSingleProcessPrivilege	4172	WMIC.exe
Token: SeIncBasePriorityPrivilege	4172	WMIC.exe
Token: SeCreatePagefilePrivilege	4172	WMIC.exe
Token: SeBackupPrivilege	4172	WMIC.exe
Token: SeRestorePrivilege	4172	WMIC.exe
Token: SeShutdownPrivilege	4172	WMIC.exe
Token: SeDebugPrivilege	4172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4172	WMIC.exe
Token: SeRemoteShutdownPrivilege	4172	WMIC.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe
1964	Frog Spoofer (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4080	1964	Frog Spoofer (1).exe	85
PID 1964 wrote to memory of 4080	1964	Frog Spoofer (1).exe	85
PID 4080 wrote to memory of 4204	4080	cmd.exe	86
PID 4080 wrote to memory of 4204	4080	cmd.exe	86
PID 1964 wrote to memory of 2912	1964	Frog Spoofer (1).exe	88
PID 1964 wrote to memory of 2912	1964	Frog Spoofer (1).exe	88
PID 2912 wrote to memory of 3800	2912	cmd.exe	89
PID 2912 wrote to memory of 3800	2912	cmd.exe	89
PID 1964 wrote to memory of 4824	1964	Frog Spoofer (1).exe	90
PID 1964 wrote to memory of 4824	1964	Frog Spoofer (1).exe	90
PID 4824 wrote to memory of 944	4824	cmd.exe	91
PID 4824 wrote to memory of 944	4824	cmd.exe	91
PID 1964 wrote to memory of 2736	1964	Frog Spoofer (1).exe	92
PID 1964 wrote to memory of 2736	1964	Frog Spoofer (1).exe	92
PID 2736 wrote to memory of 2176	2736	cmd.exe	93
PID 2736 wrote to memory of 2176	2736	cmd.exe	93
PID 1964 wrote to memory of 4408	1964	Frog Spoofer (1).exe	94
PID 1964 wrote to memory of 4408	1964	Frog Spoofer (1).exe	94
PID 4408 wrote to memory of 3416	4408	cmd.exe	95
PID 4408 wrote to memory of 3416	4408	cmd.exe	95
PID 1964 wrote to memory of 4432	1964	Frog Spoofer (1).exe	96
PID 1964 wrote to memory of 4432	1964	Frog Spoofer (1).exe	96
PID 4432 wrote to memory of 2028	4432	cmd.exe	97
PID 4432 wrote to memory of 2028	4432	cmd.exe	97
PID 1964 wrote to memory of 2268	1964	Frog Spoofer (1).exe	109
PID 1964 wrote to memory of 2268	1964	Frog Spoofer (1).exe	109
PID 2268 wrote to memory of 3228	2268	cmd.exe	110
PID 2268 wrote to memory of 3228	2268	cmd.exe	110
PID 1964 wrote to memory of 3648	1964	Frog Spoofer (1).exe	111
PID 1964 wrote to memory of 3648	1964	Frog Spoofer (1).exe	111
PID 3648 wrote to memory of 4892	3648	cmd.exe	112
PID 3648 wrote to memory of 4892	3648	cmd.exe	112
PID 1964 wrote to memory of 2792	1964	Frog Spoofer (1).exe	113
PID 1964 wrote to memory of 2792	1964	Frog Spoofer (1).exe	113
PID 2792 wrote to memory of 4312	2792	cmd.exe	114
PID 2792 wrote to memory of 4312	2792	cmd.exe	114
PID 1964 wrote to memory of 4468	1964	Frog Spoofer (1).exe	115
PID 1964 wrote to memory of 4468	1964	Frog Spoofer (1).exe	115
PID 4468 wrote to memory of 1896	4468	cmd.exe	116
PID 4468 wrote to memory of 1896	4468	cmd.exe	116
PID 1964 wrote to memory of 856	1964	Frog Spoofer (1).exe	117
PID 1964 wrote to memory of 856	1964	Frog Spoofer (1).exe	117
PID 856 wrote to memory of 540	856	cmd.exe	118
PID 856 wrote to memory of 540	856	cmd.exe	118
PID 1964 wrote to memory of 992	1964	Frog Spoofer (1).exe	119
PID 1964 wrote to memory of 992	1964	Frog Spoofer (1).exe	119
PID 992 wrote to memory of 4888	992	cmd.exe	120
PID 992 wrote to memory of 4888	992	cmd.exe	120
PID 1964 wrote to memory of 3700	1964	Frog Spoofer (1).exe	121
PID 1964 wrote to memory of 3700	1964	Frog Spoofer (1).exe	121
PID 3700 wrote to memory of 3660	3700	cmd.exe	122
PID 3700 wrote to memory of 3660	3700	cmd.exe	122
PID 1964 wrote to memory of 4876	1964	Frog Spoofer (1).exe	123
PID 1964 wrote to memory of 4876	1964	Frog Spoofer (1).exe	123
PID 4876 wrote to memory of 4080	4876	cmd.exe	124
PID 4876 wrote to memory of 4080	4876	cmd.exe	124
PID 1964 wrote to memory of 4900	1964	Frog Spoofer (1).exe	125
PID 1964 wrote to memory of 4900	1964	Frog Spoofer (1).exe	125
PID 4900 wrote to memory of 3800	4900	cmd.exe	126
PID 4900 wrote to memory of 3800	4900	cmd.exe	126
PID 1964 wrote to memory of 4184	1964	Frog Spoofer (1).exe	127
PID 1964 wrote to memory of 4184	1964	Frog Spoofer (1).exe	127
PID 4184 wrote to memory of 2700	4184	cmd.exe	128
PID 4184 wrote to memory of 2700	4184	cmd.exe	128

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
876	attrib.exe
4972	attrib.exe

C:\Users\Admin\AppData\Local\Temp\frog\Frog Spoofer (1).exe
"C:\Users\Admin\AppData\Local\Temp\frog\Frog Spoofer (1).exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop cpuz150 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\system32\sc.exe
    sc stop cpuz150
    3⤵
    - Launches sc.exe
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgt >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\sc.exe
    sc stop vgt
    3⤵
    - Launches sc.exe
    PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgrl >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\sc.exe
    sc stop vgrl
    3⤵
    - Launches sc.exe
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgk >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\sc.exe
    sc stop vgk
    3⤵
    - Launches sc.exe
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgc >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\sc.exe
    sc stop vgc
    3⤵
    - Launches sc.exe
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgrl >nul 2>&1
  2⤵
  PID:2120
- - C:\Windows\system32\sc.exe
    sc delete vgrl
    3⤵
    - Launches sc.exe
    PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgk >nul 2>&1
  2⤵
  PID:4504
- - C:\Windows\system32\sc.exe
    sc delete vgk
    3⤵
    - Launches sc.exe
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgc >nul 2>&1
  2⤵
  PID:4028
- - C:\Windows\system32\sc.exe
    sc delete vgc
    3⤵
    - Launches sc.exe
    PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vg >nul 2>&1
  2⤵
  PID:3928
- - C:\Windows\system32\sc.exe
    sc delete vg
    3⤵
    - Launches sc.exe
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im vgtray.exe >nul 2>&1
  2⤵
  PID:2064
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im vgtray.exe
    3⤵
    - Kills process with taskkill
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete cpuz150 >nul 2>&1
  2⤵
  PID:4408
- - C:\Windows\system32\sc.exe
    sc delete cpuz150
    3⤵
    - Launches sc.exe
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config wuauserv start = disabled >nul 2>&1
  2⤵
  PID:1944
- - C:\Windows\system32\sc.exe
    sc config wuauserv start = disabled
    3⤵
    - Launches sc.exe
    PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop wuauserv >nul 2>&1
  2⤵
  PID:4880
- - C:\Windows\system32\net.exe
    net stop wuauserv
    3⤵
    PID:4328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config bits start = disabled >nul 2>&1
  2⤵
  PID:3692
- - C:\Windows\system32\sc.exe
    sc config bits start = disabled
    3⤵
    - Launches sc.exe
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop bits >nul 2>&1
  2⤵
  PID:2388
- - C:\Windows\system32\net.exe
    net stop bits
    3⤵
    PID:4652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bits
      4⤵
      PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config dosvc start = disabled >nul 2>&1
  2⤵
  PID:2948
- - C:\Windows\system32\sc.exe
    sc config dosvc start = disabled
    3⤵
    - Launches sc.exe
    PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop dosvc >nul 2>&1
  2⤵
  PID:4000
- - C:\Windows\system32\net.exe
    net stop dosvc
    3⤵
    PID:4428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop dosvc
      4⤵
      PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config UsoSvc start = disabled >nul 2>&1
  2⤵
  PID:2720
- - C:\Windows\system32\sc.exe
    sc config UsoSvc start = disabled
    3⤵
    - Launches sc.exe
    PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop UsoSvc >nul 2>&1
  2⤵
  PID:2412
- - C:\Windows\system32\net.exe
    net stop UsoSvc
    3⤵
    PID:1672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UsoSvc
      4⤵
      PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im smartscreen.exe
  2⤵
  PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im smartscreen.exe
    3⤵
    - Kills process with taskkill
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im EasyAntiCheat.exe
  2⤵
  PID:3008
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe
  2⤵
  PID:812
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnf.exe
    3⤵
    - Kills process with taskkill
    PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im DNF.exe
  2⤵
  PID:4848
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im DNF.exe
    3⤵
    - Kills process with taskkill
    PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im CrossProxy.exe
  2⤵
  PID:2740
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im CrossProxy.exe
    3⤵
    - Kills process with taskkill
    PID:116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_1.exe
  2⤵
  PID:3584
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tensafe_1.exe
    3⤵
    - Kills process with taskkill
    PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TenSafe_1.exe
  2⤵
  PID:4388
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TenSafe_1.exe
    3⤵
    - Kills process with taskkill
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_2.exe
  2⤵
  PID:624
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tensafe_2.exe
    3⤵
    - Kills process with taskkill
    PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tencentdl.exe
  2⤵
  PID:3748
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tencentdl.exe
    3⤵
    - Kills process with taskkill
    PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TenioDL.exe
  2⤵
  PID:808
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TenioDL.exe
    3⤵
    - Kills process with taskkill
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im uishell.exe
  2⤵
  PID:4280
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im uishell.exe
    3⤵
    - Kills process with taskkill
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im BackgroundDownloader.exe
  2⤵
  PID:2372
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im BackgroundDownloader.exe
    3⤵
    - Kills process with taskkill
    PID:860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im conime.exe
  2⤵
  PID:3648
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im conime.exe
    3⤵
    - Kills process with taskkill
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im QQDL.EXE
  2⤵
  PID:2792
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im QQDL.EXE
    3⤵
    - Kills process with taskkill
    PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im qqlogin.exe
  2⤵
  PID:4924
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im qqlogin.exe
    3⤵
    - Kills process with taskkill
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnfchina.exe >nul 2>&1
  2⤵
  PID:1936
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnfchina.exe
    3⤵
    - Kills process with taskkill
    PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnfchinatest.exe
  2⤵
  PID:5036
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnfchinatest.exe
    3⤵
    - Kills process with taskkill
    PID:632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe
  2⤵
  PID:4632
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnf.exe
    3⤵
    - Kills process with taskkill
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im txplatform.exe
  2⤵
  PID:2880
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im txplatform.exe
    3⤵
    - Kills process with taskkill
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TXPlatform.exe
  2⤵
  PID:2700
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TXPlatform.exe
    3⤵
    - Kills process with taskkill
    PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginWebHelperService.exe
  2⤵
  PID:4556
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginWebHelperService.exe
    3⤵
    - Kills process with taskkill
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Origin.exe
  2⤵
  PID:1544
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Origin.exe
    3⤵
    - Kills process with taskkill
    PID:212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginClientService.exe
  2⤵
  PID:1292
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginClientService.exe
    3⤵
    - Kills process with taskkill
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginER.exe
  2⤵
  PID:4596
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginER.exe
    3⤵
    - Kills process with taskkill
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginThinSetupInternal.exe
  2⤵
  PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginThinSetupInternal.exe
    3⤵
    - Kills process with taskkill
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginLegacyCLI.exe
  2⤵
  PID:4408
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginLegacyCLI.exe
    3⤵
    - Kills process with taskkill
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Agent.exe
  2⤵
  PID:2096
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Agent.exe
    3⤵
    - Kills process with taskkill
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Client.exe
  2⤵
  PID:2008
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Client.exe
    3⤵
    - Kills process with taskkill
    PID:4264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula
  2⤵
  PID:1240
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll /accepteula
    3⤵
    - Executes dropped EXE
    PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll
  2⤵
  PID:4652
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll
    3⤵
    - Executes dropped EXE
    PID:3504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula
  2⤵
  PID:3420
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll /accepteula
    3⤵
    - Executes dropped EXE
    PID:2720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll C: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:3916
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll C: 4416-7869
    3⤵
    - Executes dropped EXE
    PID:1792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll D: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:3376
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll D: 7472-2512
    3⤵
    - Executes dropped EXE
    PID:628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll E: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:812
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll E: 1327-6235
    3⤵
    - Executes dropped EXE
    PID:3540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll F: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:3352
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll F: 4182-3168
    3⤵
    - Executes dropped EXE
    PID:4388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll G: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:4024
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll G: 7245-7780
    3⤵
    - Executes dropped EXE
    PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll
  2⤵
  PID:2984
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll
    3⤵
    - Executes dropped EXE
    PID:3364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SS %random%%random%%random%
  2⤵
  PID:3684
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SS 964253584704
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BS %random%%random%%random%
  2⤵
  PID:1516
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /BS 967333922568
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SU auto
  2⤵
  PID:2720
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SU auto
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /IV %random:~-1%.%random:~-1%.%random:~-1%
  2⤵
  PID:4548
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /IV 3.6.9
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /ID 0%random:~-1%/0%random:~-1%/2021
  2⤵
  PID:628
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /ID 07/06/2021
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SP MS-%random:~-1%C%random:~-1%%random:~-1%F
  2⤵
  PID:3296
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SP MS-0C49F
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SK A%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%O%random:~-1%
  2⤵
  PID:3736
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SK A335S403O0
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SF B%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%Z%random:~-1%
  2⤵
  PID:1200
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SF B639S950Z2
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BT X%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%X%random:~-1%
  2⤵
  PID:1952
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /BT X026S597X5
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /PSN %random%%random%%random%
  2⤵
  PID:4824
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /PSN 993237901642
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\ntelidcx.dll
  2⤵
  PID:1524
- - C:\Windows\ntelidcx.dll
    C:\Windows\ntelidcx.dll
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t6223.bat" "C:\Windows\ntelidcx.dll" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4320
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:876
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where caption='Admin' rename
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d 1740-F990 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v Hostname /t REG_SZ /d 1740-F990 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d 1740-F990 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t REG_SZ /d 1740-F990 /f
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d 1740-F990 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 00331--00001-AF990 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId /t REG_BINARY /d A4000000000003030312D3836382D303030303030372D383535353700AA0000005831352D3333000000000000000C3AABF5C28BA18B8878E89D5C28000000000000396CC459BD03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005ED76736 /f
        5⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId4 /t REG_BINARY /d 69261DC204000000300030003300375ED7002D00300030003100370030002D003800360038002D003000300030003000300030002D00300033002D0031003000330033002D0037003600300031002E0030003000300030002D00320036003500320030003100370000000000000000000000000000000000000000000000000000000000000000006200390032006500369261DC280030002D0062003900035002D0034003800320031002D0039006300390034002D0031003400300066003600330032006600360033003100320000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050006F00660065007300730065ED7F006E0061006C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C3AABFA65BBA18B889D24ED80000C6169261DC2D0BEDFD25E5ED745B89FFF45564B84E87CB968EC7F4D18F6E5066261A0B704B9D2739558B7E97DF882AB087AB0D8A314BA9BB1E06029EA28D5800310035002D0033003900310037003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C0075006D006A00470056004C004B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C007D0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" /v ProductId /t REG_SZ /d 00331-10000-00001-AF990 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v svcKBNumber /t REG_SZ /d KB3170547 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2716
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_DWORD /d 1505478562 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration" /v "IE Installed Date" /t REG_BINARY /d 1505478562 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4244
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-80B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-6aB51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-6aB51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\BootCKCLSettings" /v GUID /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-3eB51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\SecondaryLogonCKCLSettings" /v GUID /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-3eB51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\ShutdownCKCLSettings" /v GUID /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-3eB51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {69261DC2-5ED7-5C28-5ED7-80B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:720
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 69261DC2-5ED7-5C28-5ED7-e7B51D7DDE15 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild /t REG_SZ /d 14424 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber /t REG_SZ /d 14424 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLab /t REG_SZ /d 14424.rs1_release.171248-2100 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx /t REG_SZ /d 14424.1944.amd64fre.rs1_release.171248-2100 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 69261DC2-5ED7-5C28-5ED7-B51D7DDE15 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Connected" /v GUID /t REG_SZ /d {A28BBADE-5ED7-5C28-5ED7-00B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Disconnected" /v GUID /t REG_SZ /d {143E4E83-5ED7-5C28-5ED7-00B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\EmailImage" /v GUID /t REG_SZ /d {C66DCEE1-5ED7-5C28-5ED7-2FB51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\FaxImage" /v GUID /t REG_SZ /d {C00EB793-5ED7-5C28-5ED7-00B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\PrintImage" /v GUID /t REG_SZ /d {B441F425-5ED7-5C28-5ED7-00B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\ScanButton" /v GUID /t REG_SZ /d {A6C5A715-5ED7-5C28-5ED7-00B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\STIproxyEvent" /v GUID /t REG_SZ /d {d711f81f-5ED7-5C28-5ED7-92B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE" /v value /t REG_SZ /d {27720B92-5ED7-5C28-5ED7-92B51D7DDE15} /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
    - - C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 69261DC2-5ED7-5C28-5ED7-c9B51D7DDE15 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /t REG_BINARY /d A4000000000003030312D3836382D30303B51D7DDE15D383535353700AA0000005831352D3333000000000000000C3AABF5C28BA18B8878E89D5C28000000000000396CC459BD03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005ED76736 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
    - - C:\Windows\SysWOW64\net.exe
        
        net start wuauserv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start wuauserv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
      - C:\Windows\SysWOW64\reg.exe
        
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /r /t 25
  2⤵
  PID:2736
- - C:\Windows\system32\shutdown.exe
    shutdown /r /t 25
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\AppVLicense.dll
  2⤵
  PID:3936
- - C:\Windows\AppVLicense.dll
    C:\Windows\AppVLicense.dll
    3⤵
    - Executes dropped EXE
    PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
      4⤵
      Hide Artifacts: Hidden Files and Directories
      System Location Discovery: System Language Discovery
      PID:2576
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6490.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6490.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6509.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6509.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6490.bat "C:\Windows\AppVLicense.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr [0-9]
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 926EAC96D101 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:400
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr [0-9]
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
        6⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface set interface name="Ethernet" disable
        5⤵
        
        PID:2868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ytmp\t6223.bat

Filesize
12KB

MD5
c33f29b25a24a03b0609f2e43e595d5b

SHA1
0bda21ecad2e90ae2db7eff4fb77c924b8e3e155

SHA256
54ec6eaf981ca2969b106aa3967fe6515e29842032790541e50f6904f76e5b4d

SHA512
3d78ff48e654f077b0fdea697bf365a1c5f37c110c8ae6f46be8185192f853c2ad334b7710ea5e0abc97a4c5c474b0ef6042a818e8c6c6f316ca467969b7cafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6490.bat

Filesize
2KB

MD5
8ff30c1d69e174bbfd7a5b637c09aa41

SHA1
97d19698e5cb23205ec67e20f7e3c6506ec4e1e6

SHA256
50846d4a0adff5fc3b176150c895af2025594d379867549d3f6facf2bbe6935f

SHA512
0beebd5ad3aa415691bb40cf325da741d77060466761805bc235e20a6036221caf82fdcd238ac02263cd70ab97687d95cfd60535fd45d9665f3a1998126d1f7b

Download Submit
C:\Windows\AppVLicense.dll

Filesize
78KB

MD5
d74f8515a65300b04ca04d622023f41f

SHA1
50689adb85e0e18625f1200c4a2d4b49c7270a9d

SHA256
a8b7df4fa86ec5cddd13fd650a553fac8611b8904f35529d8dfa2492f48f76b2

SHA512
9f95ee019da5734e14801f3fc1257d50fd078cd818288f681bdd6399244450cef901151b003e079d455c50247fc75fabd6e2237d47dd9bfcf8ac1e4287ffd672

Download Submit
C:\Windows\System32\accessibility.dll

Filesize
165KB

MD5
42b7d0cdd6a7ce9791b11d69315523dc

SHA1
8de659e46ea55b5ab3eb32b8216f74fe53f7d0a2

SHA256
5b85d64218283c933ca9afd194d5b8f451a519dcec58369434009d0dbd04e9e1

SHA512
f5141adbf226f15128e553088b2625f2cb38a1fbf3cff98dda205e1686ce186537abf5daa7c7148f887ab3bafcf03a9fa487844cad95e77ae38eae5d00af41cf

Download Submit
C:\Windows\System32\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Windows\System32\ifsutipx.exe

Filesize
459KB

MD5
92a410010d0fb650385e88c1474ac29d

SHA1
7ab69e5c7442a94fb5fa25705ca4eb2028a0c32c

SHA256
47d8117f0f7ecdc6843fe7f33cfa8a4a12bcf657fe648bde19050a12950e9555

SHA512
ff698acfef1270daebf5c4788e414ced15fd724c61e45a9cfa5f9220aa70866e43d0cb3348f06cd2741a13c2e5e42ae49eaf266263ab2777378244d4d7d1131e

Download Submit
C:\Windows\ntelidcx.dll

Filesize
72KB

MD5
6811536b3f22331c79f54b4b9dc4fa7b

SHA1
430c3222443590554a9ff932882c666ec91a2944

SHA256
2690ca7e6d7f8c28b43616e0a31ac8a8535a44506e145885e06072b51aeec787

SHA512
23765a39cbeb75010be44e218ad0626ba05f3615c202b74f561a579ed3cbd31da74d2639d9a7c7af6e0bf6fb25ec26d6895d2f020d167cffa0754f8a9041849e

Download Submit