cerber | hxxps://gofile[.]io/d/O8lsRx

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/O8lsRx

Score

10^/10

cerber discovery evasion ransomware themida trojan

Malware Config

Signatures

Cerber 2 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AFUWINx64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AFUWINx64.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4.exe

Executes dropped EXE 6 IoCs

pid	Process
4608	AFUWINx64.exe
5716	AFUWINx64.exe
5932	4.exe
4608	AFUWINx64.exe
5716	AFUWINx64.exe
5932	4.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/5932-244-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-247-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-248-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-246-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-249-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-251-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-244-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-247-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-248-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-246-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-249-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida
behavioral1/memory/5932-251-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5932	4.exe
5932	4.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4120	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1348	taskkill.exe
1956	taskkill.exe
3476	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4676	msedge.exe
4676	msedge.exe
4928	msedge.exe
4928	msedge.exe
3164	identity_helper.exe
3164	identity_helper.exe
5224	msedge.exe
5224	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
4676	msedge.exe
4676	msedge.exe
4928	msedge.exe
4928	msedge.exe
3164	identity_helper.exe
3164	identity_helper.exe
5224	msedge.exe
5224	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5688	7zG.exe
Token: 35	5688	7zG.exe
Token: SeSecurityPrivilege	5688	7zG.exe
Token: SeSecurityPrivilege	5688	7zG.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: 36	2492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: 36	2492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3956	WMIC.exe
Token: SeSecurityPrivilege	3956	WMIC.exe
Token: SeTakeOwnershipPrivilege	3956	WMIC.exe
Token: SeLoadDriverPrivilege	3956	WMIC.exe
Token: SeSystemProfilePrivilege	3956	WMIC.exe
Token: SeSystemtimePrivilege	3956	WMIC.exe
Token: SeProfSingleProcessPrivilege	3956	WMIC.exe
Token: SeIncBasePriorityPrivilege	3956	WMIC.exe
Token: SeCreatePagefilePrivilege	3956	WMIC.exe
Token: SeBackupPrivilege	3956	WMIC.exe
Token: SeRestorePrivilege	3956	WMIC.exe
Token: SeShutdownPrivilege	3956	WMIC.exe
Token: SeDebugPrivilege	3956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3956	WMIC.exe
Token: SeRemoteShutdownPrivilege	3956	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
5688	7zG.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5932	4.exe
5932	4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4576	4928	msedge.exe	84
PID 4928 wrote to memory of 4576	4928	msedge.exe	84
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 3156	4928	msedge.exe	85
PID 4928 wrote to memory of 4676	4928	msedge.exe	86
PID 4928 wrote to memory of 4676	4928	msedge.exe	86
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87
PID 4928 wrote to memory of 4400	4928	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/O8lsRx
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcde2346f8,0x7ffcde234708,0x7ffcde234718
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,15174676898441509223,12650502291585458115,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5308 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5532

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\" -spe -an -ai#7zMap10623:126:7zEvent30217
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\Unban.bat" "
1⤵
PID:6048
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:5124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:5140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c call randstr.bat 10
  2⤵
  PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c call randstr.bat 14
  2⤵
  PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c call randstr.bat 10
  2⤵
  PID:5644
- C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\AMI\AFUWINx64.exe
  AFUWINx64.exe BIOS.rom /o
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:4608
- C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\AMI\AFUWINx64.exe
  AFUWINx64.exe BIOS.rom /p
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\Unban.bat" "
1⤵
PID:5996
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:6112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\randstr.bat" "
1⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\randstr.bat" "
1⤵
PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\randstr.bat" "
1⤵
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\CLEANERS\1.bat" "
1⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\CLEANERS\2.bat" "
1⤵
PID:5800

C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\CLEANERS\4.exe
"C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\CLEANERS\4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
  2⤵
  PID:6128
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4120
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
  2⤵
  PID:6116
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Battle.net.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\NETWORK\MAC.bat" "
1⤵
PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  PID:3620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:5392
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:2336
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:4516
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 9A9062026BBE /f
  2⤵
  PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  PID:5292
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:4680
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:4468
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:5396
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:1360
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  2⤵
  PID:5368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
  2⤵
  PID:5544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
    3⤵
    PID:6140
- C:\Windows\system32\netsh.exe
  netsh interface set interface name="Ethernet" disable
  2⤵
  PID:3500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
eea271a362facb1860febd97abb7e477

SHA1
d715249f700dffbe42a5ef6f44998f4c4716d747

SHA256
c9c93c9d3e55f927807cf6eee3e1b60e0577d1a7598955d0acccbc023b2e461e

SHA512
d1487cfdacc32667a024b1e2699951fd7c2832823ae3e52227332b94e1cb9a8b72632b2e3f928bca6888dd1d0ba22db03060cfb3eb4b92e6e87731d77d552cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
ddf925b6cfd54dc923c72aaeb4189568

SHA1
d311625a24cead9de23c23769d63f943e7a50eb8

SHA256
768c5d9c914425f827811d20c9ba66e03405d6815ad9d87ac5923ec2d5edd7da

SHA512
34760eef395d68be232fd32d8f1065ea1eb3be2c72b149378d1c941a01048b410df2b80f45e20f20009861808d80152feff579f6115f2694dd505d5b4281c722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
721d4d5d79be9eedd514c32743c1cb4a

SHA1
2fb57e353328f010bab307090f83e71929b04bd4

SHA256
c540dcfdda89f0afaa362840898d4f930c9ec162940c4cfdcfbf83fdf88b16a8

SHA512
0ddd6ac06ed9e2a5d0a580c16984f7d704ab250605c4d46b72d9d340fd83da4a484d74884b38e56b6a26ac4c8e7481024286268aff471f60695149ec25b1819f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ebd6f04a99b41e4ffd4f887a2317f2f

SHA1
0e3b785bb4a681eb5c1a4071b9ab1f0423c510ab

SHA256
3baded56f16d947d663fb5278b2a64572c9cc154d28beed4976e3cbcbae3ce31

SHA512
043fc651e6f3738d76123beb8ea5019e884435a4e91c3d82a0e8ab44815881645e69b7784bb044d1823249cada49dbe2f705ec7aa709d2c36d1e679aca37b36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a451594ecee1dab2bb603cc605c5192

SHA1
c40bfad83cc4e5ecd67a5357a34b10c2a39e1535

SHA256
5fa11aad49d76ae386996bf2f4c3d76ce9436d35035cf93a93c393b5f9813cbc

SHA512
c3000ba405015554997457c2ddb44f2ee0ce144e8e577fca8b81e23d41414e226f77ef6d1136b4c5b8d34cbbe25e2f4b68fae3aab519dbbb072d3bd1b901cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
576342c3057eb9edb169dc58ff8d36c4

SHA1
2286b931566e4b8743bfb67d909d79d850368476

SHA256
4b1ffb6e5f250ce05002a22e51cadd374f628d123b5656c6d5f4da97af8f6869

SHA512
eb8df50e0f8162c65970fe28f322aca1bf6f72628bc1f216c200f64e8ab9cd377424c0b2b5b7d9661e381a7d910d3b580234c6e0f9307c09f1f91084ef69e047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
87f13d3fa748b7e69b0082f1df9b3acc

SHA1
3547a48d499c0c6de065038239cd37d84b3d3df5

SHA256
0425f4c7b7f637256055f6197e958c5fb4afcc938d6fd864f6078698520a7f26

SHA512
0eedf0a2374fc8660304c7ee7698167fd1002c88edaf76e23a7f4a9191a881c1869d0fcb31d078c74fc01dfad9b09e383e0a0de4f4bb2bf11a6dfcd05d31bb56

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 661370.crdownload

Filesize
20.1MB

MD5
4bac221a390f87093b3a4d60aabce6ae

SHA1
7faeed23574a593b26a48e65412a04e6f02ec94b

SHA256
2382fe7dc1830bb5a0baee7e5b4cc0a34a5f0aa4dbc6aed510394a11a1b2368b

SHA512
1fe9267fffcc813a1eaf03b09c4632112eaa6729cea5b388b3ecc2adc1f838e6b9e04c9be44a8b1001286472bd27301ff54bce6cf2090ea3410f74d192c58383

Download Submit
C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\AMI\AFUWINx64.exe

Filesize
1.1MB

MD5
9d0daba81cee203b0d39377baef9f4cb

SHA1
ed37746cbb5ed85c54aa90c3598b7069c194bad9

SHA256
1f12e8352afbb111918f2a3e7cdad8202ea4f55e691f1de55ac0bd58f2f96460

SHA512
cb29f7c6a71efa33652298f35cc878427806e2452a65c70079bf5f9fded7fb90500d9e73c96c85a2fdfa85587b7a7c365c7464e0e7b90832da6bfec3926f51cb

Download Submit
C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\CLEANERS\1.bat

Filesize
1.5MB

MD5
7b641c7dc6d9594726ddfe900313fbcc

SHA1
c66f280e8bc007a6dd88776549e12e215673e4be

SHA256
e106b60099faa77c101cb9cbc1cde7ec5b909ff995b3039ab0c42c0162fe4c6e

SHA512
d094f7c2abc30752d10ffe6386c8bc7a33671552f05b888a72e9c28ae6b1be336c15b6326ac4d30420066f348ff47de7f99d3ac6f6d7babfa665ddb88b8d8df8

Download Submit
C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\CLEANERS\2.bat

Filesize
867KB

MD5
0a324989986ed9b4dbf23026bdf2c8e5

SHA1
b3ceb4e321215785da84f8c83b7792c43f934c04

SHA256
ce2c58f5eecbf209b2d33b4034c55d36c07da82a9094de99f757a0684f6e4efd

SHA512
29830e54265dfcd543f13b3e69354f5048f1055ff56801a494973db6efd383fc02a3aa712bd35c41b929d28eb3c94f2b8282db1657322d28f34f1b597f4057a1

Download Submit
C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\CLEANERS\4.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\NETWORK\MAC.bat

Filesize
1KB

MD5
c59b3336cbfcdadf5caa920eee90b780

SHA1
d0b413147d681fa116d3185224f63977933ffd60

SHA256
c47cf7d4c20c531aae1ba88eb5ac9462820e5e6483a4b574a59d600bbd09c379

SHA512
0cc84604a8a01289e2abf86e2b6afa0cf011f12122a15312ac5dc17ab1f1287f6d954e71bc646a336a7666de594373efd71d1ab2288e98bbc392699e9f03d6cc

Download Submit
C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\Unban.bat

Filesize
4KB

MD5
946e84dff7dd9218760c0b6bea6bce86

SHA1
ea6be2d686070aaf0363051c4dfd42de5233f300

SHA256
5a2b8d06e060f3fae0edda90b8fded1852d4499e8ba55d7bd170e869771c090f

SHA512
81898fa64e9cf7d36c864dabc6c228e5f599b7e877a8cc9e30ac02156e4060524aa467fbc5e86ff9f1e4d324ea7e677786471fd3fb589ae3d75825361b052eaa

Download Submit
C:\Users\Admin\Downloads\kainite+perm+(orig+;+enigma+perm)\kainite perm (orig ; enigma perm)\randstr.bat

Filesize
524B

MD5
3775df8d8cf721476f9275cdf5c1fcc7

SHA1
e83e61c5538f71596e862cabb3b6c9272397a02c

SHA256
3465b936a3351c11fd6e45cc9d1c955d126a0219fdcefa2f863b025e83304c26

SHA512
981d66c7addc2c6765c6036a31ddac1ca0754aadd4b394c111f5fa5d2447b4d7bc5f30d548035c59e49d1537000e0340f06f8d99e35d5731ff1637bd6aa2a84e

Download Submit
memory/5932-246-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-248-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-247-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-249-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-251-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-244-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-244-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-247-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-248-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-246-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-249-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download
memory/5932-251-0x00007FF7B0290000-0x00007FF7B0C32000-memory.dmp

Filesize
9.6MB

Download