cerber | 2c77fa3f45980eb0a3d97b08e186b9c992c43e25df035afaa3f0cc252a4308a3

Analysis

max time kernel
29s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Frog Spoofer.exe
Size

2.7MB
MD5

e001605fa695282a2d3170d8d9e956c9
SHA1

4544155daae0335ada1d05a509e43b8c0434ffc8
SHA256

003dc05c74dedfb83f73982173d2ed293a84a2af8a7ef8b6e6ff928119859a2e
SHA512

11642791791255eea62db5b5058e651329d9b537cc9ffd734702b5bf5207351ecc3bbdb3499acb3dc43e7937da8efd9e23b1e1ccfaa6a077bd747a40926d40d6
SSDEEP

49152:wy8J1anDS2TFQTnQT2QT9QT1QTXCbAAKrqgvWAtY3o41MBXcOz5dD:CxYw1aCkX23o41MBXc4D

Score

10^/10

cerber defense_evasion execution ransomware

Malware Config

Signatures

Cerber 10 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
		4048	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		ifsutipx.exe
		2948	taskkill.exe

Cerber family
cerber
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Frog Spoofer.exe

Executes dropped EXE 18 IoCs

pid	Process
4860	accessibility.dll
5108	accessibility.dll
3004	accessibility.dll
2132	accessibility.dll
3376	accessibility.dll
3088	accessibility.dll
2572	accessibility.dll
3932	accessibility.dll
3304	accessibility.dll
4948	ifsutipx.exe
972	ifsutipx.exe
4868	ifsutipx.exe
1652	ifsutipx.exe
2344	ifsutipx.exe
4908	ifsutipx.exe
524	ifsutipx.exe
2192	ifsutipx.exe
3780	ifsutipx.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\ifsutipx.exe	Frog Spoofer.exe
File created	C:\Windows\System32\accessibility.dll	Frog Spoofer.exe
File created	C:\Windows\System32\amifldrv64.sys	Frog Spoofer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppVLicense.dll	Frog Spoofer.exe
File created	C:\Windows\ntelidcx.dll	Frog Spoofer.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1812	sc.exe
4556	sc.exe
2476	sc.exe
4752	sc.exe
4564	sc.exe
1108	sc.exe
1508	sc.exe
4660	sc.exe
2248	sc.exe
3276	sc.exe
1224	sc.exe
1828	sc.exe
1636	sc.exe
2840	sc.exe
4412	sc.exe
2508	sc.exe
2768	sc.exe
4768	sc.exe
3988	sc.exe
3328	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 34 IoCs

defense_evasion

pid	Process
3724	taskkill.exe
4048	taskkill.exe
3400	taskkill.exe
4188	taskkill.exe
2264	taskkill.exe
3812	taskkill.exe
208	taskkill.exe
2948	taskkill.exe
2468	taskkill.exe
4976	taskkill.exe
2932	taskkill.exe
1804	taskkill.exe
244	taskkill.exe
1884	taskkill.exe
3624	taskkill.exe
3204	taskkill.exe
4104	taskkill.exe
2960	taskkill.exe
1952	taskkill.exe
3276	taskkill.exe
4296	taskkill.exe
1480	taskkill.exe
4760	taskkill.exe
3272	taskkill.exe
4700	taskkill.exe
4320	taskkill.exe
1508	taskkill.exe
116	taskkill.exe
3420	taskkill.exe
3932	taskkill.exe
2424	taskkill.exe
4912	taskkill.exe
1892	taskkill.exe
1108	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3536	Frog Spoofer.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe
3536	Frog Spoofer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 3768	3536	Frog Spoofer.exe	87
PID 3536 wrote to memory of 3768	3536	Frog Spoofer.exe	87
PID 3768 wrote to memory of 2948	3768	cmd.exe	88
PID 3768 wrote to memory of 2948	3768	cmd.exe	88
PID 3536 wrote to memory of 3160	3536	Frog Spoofer.exe	90
PID 3536 wrote to memory of 3160	3536	Frog Spoofer.exe	90
PID 3160 wrote to memory of 4048	3160	cmd.exe	91
PID 3160 wrote to memory of 4048	3160	cmd.exe	91
PID 3536 wrote to memory of 4332	3536	Frog Spoofer.exe	92
PID 3536 wrote to memory of 4332	3536	Frog Spoofer.exe	92
PID 4332 wrote to memory of 4556	4332	cmd.exe	93
PID 4332 wrote to memory of 4556	4332	cmd.exe	93
PID 3536 wrote to memory of 2688	3536	Frog Spoofer.exe	94
PID 3536 wrote to memory of 2688	3536	Frog Spoofer.exe	94
PID 2688 wrote to memory of 1480	2688	cmd.exe	95
PID 2688 wrote to memory of 1480	2688	cmd.exe	95
PID 3536 wrote to memory of 3412	3536	Frog Spoofer.exe	96
PID 3536 wrote to memory of 3412	3536	Frog Spoofer.exe	96
PID 3412 wrote to memory of 2468	3412	cmd.exe	97
PID 3412 wrote to memory of 2468	3412	cmd.exe	97
PID 3536 wrote to memory of 3924	3536	Frog Spoofer.exe	98
PID 3536 wrote to memory of 3924	3536	Frog Spoofer.exe	98
PID 3924 wrote to memory of 1804	3924	cmd.exe	99
PID 3924 wrote to memory of 1804	3924	cmd.exe	99
PID 3536 wrote to memory of 3652	3536	Frog Spoofer.exe	107
PID 3536 wrote to memory of 3652	3536	Frog Spoofer.exe	107
PID 3652 wrote to memory of 2248	3652	cmd.exe	108
PID 3652 wrote to memory of 2248	3652	cmd.exe	108
PID 3536 wrote to memory of 3444	3536	Frog Spoofer.exe	109
PID 3536 wrote to memory of 3444	3536	Frog Spoofer.exe	109
PID 3444 wrote to memory of 1636	3444	cmd.exe	110
PID 3444 wrote to memory of 1636	3444	cmd.exe	110
PID 3536 wrote to memory of 3188	3536	Frog Spoofer.exe	111
PID 3536 wrote to memory of 3188	3536	Frog Spoofer.exe	111
PID 3188 wrote to memory of 3276	3188	cmd.exe	112
PID 3188 wrote to memory of 3276	3188	cmd.exe	112
PID 3536 wrote to memory of 4500	3536	Frog Spoofer.exe	113
PID 3536 wrote to memory of 4500	3536	Frog Spoofer.exe	113
PID 4500 wrote to memory of 4768	4500	cmd.exe	114
PID 4500 wrote to memory of 4768	4500	cmd.exe	114
PID 3536 wrote to memory of 3116	3536	Frog Spoofer.exe	115
PID 3536 wrote to memory of 3116	3536	Frog Spoofer.exe	115
PID 3116 wrote to memory of 2476	3116	cmd.exe	116
PID 3116 wrote to memory of 2476	3116	cmd.exe	116
PID 3536 wrote to memory of 4688	3536	Frog Spoofer.exe	117
PID 3536 wrote to memory of 4688	3536	Frog Spoofer.exe	117
PID 4688 wrote to memory of 1224	4688	cmd.exe	118
PID 4688 wrote to memory of 1224	4688	cmd.exe	118
PID 3536 wrote to memory of 3204	3536	Frog Spoofer.exe	119
PID 3536 wrote to memory of 3204	3536	Frog Spoofer.exe	119
PID 3204 wrote to memory of 2840	3204	cmd.exe	120
PID 3204 wrote to memory of 2840	3204	cmd.exe	120
PID 3536 wrote to memory of 4488	3536	Frog Spoofer.exe	121
PID 3536 wrote to memory of 4488	3536	Frog Spoofer.exe	121
PID 4488 wrote to memory of 3988	4488	cmd.exe	122
PID 4488 wrote to memory of 3988	4488	cmd.exe	122
PID 3536 wrote to memory of 1028	3536	Frog Spoofer.exe	123
PID 3536 wrote to memory of 1028	3536	Frog Spoofer.exe	123
PID 1028 wrote to memory of 1828	1028	cmd.exe	124
PID 1028 wrote to memory of 1828	1028	cmd.exe	124
PID 3536 wrote to memory of 3692	3536	Frog Spoofer.exe	125
PID 3536 wrote to memory of 3692	3536	Frog Spoofer.exe	125
PID 3692 wrote to memory of 4752	3692	cmd.exe	126
PID 3692 wrote to memory of 4752	3692	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\Frog Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Frog Spoofer.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop cpuz150 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\system32\sc.exe
    sc stop cpuz150
    3⤵
    - Launches sc.exe
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgt >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\system32\sc.exe
    sc stop vgt
    3⤵
    - Launches sc.exe
    PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgrl >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\system32\sc.exe
    sc stop vgrl
    3⤵
    - Launches sc.exe
    PID:3988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgk >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\system32\sc.exe
    sc stop vgk
    3⤵
    - Launches sc.exe
    PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgc >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\system32\sc.exe
    sc stop vgc
    3⤵
    - Launches sc.exe
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgrl >nul 2>&1
  2⤵
  PID:4996
- - C:\Windows\system32\sc.exe
    sc delete vgrl
    3⤵
    - Launches sc.exe
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgk >nul 2>&1
  2⤵
  PID:4872
- - C:\Windows\system32\sc.exe
    sc delete vgk
    3⤵
    - Launches sc.exe
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vgc >nul 2>&1
  2⤵
  PID:3788
- - C:\Windows\system32\sc.exe
    sc delete vgc
    3⤵
    - Launches sc.exe
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete vg >nul 2>&1
  2⤵
  PID:1188
- - C:\Windows\system32\sc.exe
    sc delete vg
    3⤵
    - Launches sc.exe
    PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im vgtray.exe >nul 2>&1
  2⤵
  PID:3528
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im vgtray.exe
    3⤵
    - Kills process with taskkill
    PID:244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete cpuz150 >nul 2>&1
  2⤵
  PID:4572
- - C:\Windows\system32\sc.exe
    sc delete cpuz150
    3⤵
    - Launches sc.exe
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config wuauserv start = disabled >nul 2>&1
  2⤵
  PID:1908
- - C:\Windows\system32\sc.exe
    sc config wuauserv start = disabled
    3⤵
    - Launches sc.exe
    PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop wuauserv >nul 2>&1
  2⤵
  PID:4372
- - C:\Windows\system32\net.exe
    net stop wuauserv
    3⤵
    PID:524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config bits start = disabled >nul 2>&1
  2⤵
  PID:1716
- - C:\Windows\system32\sc.exe
    sc config bits start = disabled
    3⤵
    - Launches sc.exe
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop bits >nul 2>&1
  2⤵
  PID:3168
- - C:\Windows\system32\net.exe
    net stop bits
    3⤵
    PID:4480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop bits
      4⤵
      PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config dosvc start = disabled >nul 2>&1
  2⤵
  PID:1692
- - C:\Windows\system32\sc.exe
    sc config dosvc start = disabled
    3⤵
    - Launches sc.exe
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop dosvc >nul 2>&1
  2⤵
  PID:3192
- - C:\Windows\system32\net.exe
    net stop dosvc
    3⤵
    PID:5116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop dosvc
      4⤵
      PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config UsoSvc start = disabled >nul 2>&1
  2⤵
  PID:3216
- - C:\Windows\system32\sc.exe
    sc config UsoSvc start = disabled
    3⤵
    - Launches sc.exe
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop UsoSvc >nul 2>&1
  2⤵
  PID:404
- - C:\Windows\system32\net.exe
    net stop UsoSvc
    3⤵
    PID:3680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop UsoSvc
      4⤵
      PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im smartscreen.exe
  2⤵
  PID:4576
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im smartscreen.exe
    3⤵
    - Kills process with taskkill
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im EasyAntiCheat.exe
  2⤵
  PID:2104
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe
  2⤵
  PID:5048
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnf.exe
    3⤵
    - Kills process with taskkill
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im DNF.exe
  2⤵
  PID:760
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im DNF.exe
    3⤵
    - Kills process with taskkill
    PID:3624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im CrossProxy.exe
  2⤵
  PID:4824
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im CrossProxy.exe
    3⤵
    - Kills process with taskkill
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_1.exe
  2⤵
  PID:4968
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tensafe_1.exe
    3⤵
    - Kills process with taskkill
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TenSafe_1.exe
  2⤵
  PID:1256
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TenSafe_1.exe
    3⤵
    - Kills process with taskkill
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_2.exe
  2⤵
  PID:4092
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tensafe_2.exe
    3⤵
    - Kills process with taskkill
    PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im tencentdl.exe
  2⤵
  PID:3572
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im tencentdl.exe
    3⤵
    - Kills process with taskkill
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TenioDL.exe
  2⤵
  PID:3648
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TenioDL.exe
    3⤵
    - Kills process with taskkill
    PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im uishell.exe
  2⤵
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im uishell.exe
    3⤵
    - Kills process with taskkill
    PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im BackgroundDownloader.exe
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im BackgroundDownloader.exe
    3⤵
    - Kills process with taskkill
    PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im conime.exe
  2⤵
  PID:3444
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im conime.exe
    3⤵
    - Kills process with taskkill
    PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im QQDL.EXE
  2⤵
  PID:3188
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im QQDL.EXE
    3⤵
    - Kills process with taskkill
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im qqlogin.exe
  2⤵
  PID:1840
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im qqlogin.exe
    3⤵
    - Kills process with taskkill
    PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnfchina.exe >nul 2>&1
  2⤵
  PID:4672
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnfchina.exe
    3⤵
    - Kills process with taskkill
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnfchinatest.exe
  2⤵
  PID:2840
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnfchinatest.exe
    3⤵
    - Kills process with taskkill
    PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe
  2⤵
  PID:2188
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im dnf.exe
    3⤵
    - Kills process with taskkill
    PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im txplatform.exe
  2⤵
  PID:912
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im txplatform.exe
    3⤵
    - Kills process with taskkill
    PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im TXPlatform.exe
  2⤵
  PID:2752
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im TXPlatform.exe
    3⤵
    - Kills process with taskkill
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginWebHelperService.exe
  2⤵
  PID:2592
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginWebHelperService.exe
    3⤵
    - Kills process with taskkill
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Origin.exe
  2⤵
  PID:4872
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Origin.exe
    3⤵
    - Kills process with taskkill
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginClientService.exe
  2⤵
  PID:3788
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginClientService.exe
    3⤵
    - Kills process with taskkill
    PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginER.exe
  2⤵
  PID:2896
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginER.exe
    3⤵
    - Kills process with taskkill
    PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginThinSetupInternal.exe
  2⤵
  PID:5064
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginThinSetupInternal.exe
    3⤵
    - Kills process with taskkill
    PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im OriginLegacyCLI.exe
  2⤵
  PID:4376
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im OriginLegacyCLI.exe
    3⤵
    - Kills process with taskkill
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Agent.exe
  2⤵
  PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Agent.exe
    3⤵
    - Kills process with taskkill
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill / f / im Client.exe
  2⤵
  PID:3860
- - C:\Windows\system32\taskkill.exe
    taskkill / f / im Client.exe
    3⤵
    - Kills process with taskkill
    PID:116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula
  2⤵
  PID:4988
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll /accepteula
    3⤵
    - Executes dropped EXE
    PID:4860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll
  2⤵
  PID:1812
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll
    3⤵
    - Executes dropped EXE
    PID:5108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula
  2⤵
  PID:1592
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll /accepteula
    3⤵
    - Executes dropped EXE
    PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll C: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:2128
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll C: 9652-8085
    3⤵
    - Executes dropped EXE
    PID:2132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll D: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:3064
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll D: 3425-3708
    3⤵
    - Executes dropped EXE
    PID:3376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll E: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:4700
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll E: 6561-7430
    3⤵
    - Executes dropped EXE
    PID:3088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll F: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:1392
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll F: 9326-4053
    3⤵
    - Executes dropped EXE
    PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll G: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%
  2⤵
  PID:4444
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll G: 2181-9776
    3⤵
    - Executes dropped EXE
    PID:3932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll
  2⤵
  PID:5072
- - C:\Windows\System32\accessibility.dll
    C:\Windows\System32\accessibility.dll
    3⤵
    - Executes dropped EXE
    PID:3304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SS %random%%random%%random%
  2⤵
  PID:3300
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SS 22929103704528
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BS %random%%random%%random%
  2⤵
  PID:4180
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /BS 229322111922393
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SU auto
  2⤵
  PID:3812
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SU auto
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /IV %random:~-1%.%random:~-1%.%random:~-1%
  2⤵
  PID:2504
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /IV 9.7.3
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /ID 0%random:~-1%/0%random:~-1%/2021
  2⤵
  PID:4912
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /ID 02/06/2021
    3⤵
    - Executes dropped EXE
    PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SP MS-%random:~-1%C%random:~-1%%random:~-1%F
  2⤵
  PID:5064
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SP MS-5C43F
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SK A%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%O%random:~-1%
  2⤵
  PID:1200
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SK A950S093O9
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SF B%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%Z%random:~-1%
  2⤵
  PID:2292
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /SF B234S362Z1
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BT X%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%X%random:~-1%
  2⤵
  PID:2032
- - C:\Windows\System32\ifsutipx.exe
    C:\Windows\System32\ifsutipx.exe /BT X520S809X4
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\accessibility.dll

Filesize
165KB

MD5
42b7d0cdd6a7ce9791b11d69315523dc

SHA1
8de659e46ea55b5ab3eb32b8216f74fe53f7d0a2

SHA256
5b85d64218283c933ca9afd194d5b8f451a519dcec58369434009d0dbd04e9e1

SHA512
f5141adbf226f15128e553088b2625f2cb38a1fbf3cff98dda205e1686ce186537abf5daa7c7148f887ab3bafcf03a9fa487844cad95e77ae38eae5d00af41cf

Download Submit
C:\Windows\System32\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Windows\System32\ifsutipx.exe

Filesize
459KB

MD5
92a410010d0fb650385e88c1474ac29d

SHA1
7ab69e5c7442a94fb5fa25705ca4eb2028a0c32c

SHA256
47d8117f0f7ecdc6843fe7f33cfa8a4a12bcf657fe648bde19050a12950e9555

SHA512
ff698acfef1270daebf5c4788e414ced15fd724c61e45a9cfa5f9220aa70866e43d0cb3348f06cd2741a13c2e5e42ae49eaf266263ab2777378244d4d7d1131e

Download Submit