cerber | hxxps://gofile[.]io/d/vcPPIw

Analysis

max time kernel
97s
max time network
107s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-10-2024 15:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/vcPPIw

Score

10^/10

cerber discovery ransomware

Malware Config

Signatures

Cerber 41 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2288	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE

Executes dropped EXE 64 IoCs

pid	Process
4248	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
2800	randomizer.exe
5052	randomizer.exe
1308	AMIDEWINx64.EXE
4388	AMIDEWINx64.EXE
4768	AMIDEWINx64.EXE
820	AMIDEWINx64.EXE
3676	AMIDEWINx64.EXE
1952	AMIDEWINx64.EXE
1152	AMIDEWINx64.EXE
860	AMIDEWINx64.EXE
3832	AMIDEWINx64.EXE
200	AMIDEWINx64.EXE
1832	AMIDEWINx64.EXE
4904	AMIDEWINx64.EXE
1364	AMIDEWINx64.EXE
3916	AMIDEWINx64.EXE
2916	AMIDEWINx64.EXE
5072	AMIDEWINx64.EXE
3764	AMIDEWINx64.EXE
4720	AMIDEWINx64.EXE
2504	AMIDEWINx64.EXE
4108	AMIDEWINx64.EXE
2580	AMIDEWINx64.EXE
4556	AMIDEWINx64.EXE
500	AMIDEWINx64.EXE
3228	AMIDEWINx64.EXE
3100	AMIDEWINx64.EXE
3524	AMIDEWINx64.EXE
1156	AMIDEWINx64.EXE
2824	AMIDEWINx64.EXE
4984	AMIDEWINx64.EXE
2244	AMIDEWINx64.EXE
804	AMIDEWINx64.EXE
2160	AMIDEWINx64.EXE
1104	AMIDEWINx64.EXE
2432	AMIDEWINx64.EXE
2848	AMIDEWINx64.EXE
4332	AMIDEWINx64.EXE
4680	AMIDEWINx64.EXE
3316	AMIDEWINx64.EXE
764	AMIDEWINx64.EXE
4744	AMIDEWINx64.EXE
1712	AMIDEWINx64.EXE
4800	mac.exe
4248	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
2800	randomizer.exe
5052	randomizer.exe
1308	AMIDEWINx64.EXE
4388	AMIDEWINx64.EXE
4768	AMIDEWINx64.EXE
820	AMIDEWINx64.EXE
3676	AMIDEWINx64.EXE
1952	AMIDEWINx64.EXE
1152	AMIDEWINx64.EXE
860	AMIDEWINx64.EXE
3832	AMIDEWINx64.EXE
200	AMIDEWINx64.EXE
1832	AMIDEWINx64.EXE
4904	AMIDEWINx64.EXE
1364	AMIDEWINx64.EXE
3916	AMIDEWINx64.EXE

Loads dropped DLL 22 IoCs

pid	Process
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
5052	randomizer.exe
5052	randomizer.exe
4800	mac.exe
4800	mac.exe
4800	mac.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
1056	LARKSHARP SPOOFER.exe
5052	randomizer.exe
5052	randomizer.exe
4800	mac.exe
4800	mac.exe
4800	mac.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
860	7zG.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2288	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133733934244634731"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
860	7zG.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4952	5068	chrome.exe	74
PID 5068 wrote to memory of 4952	5068	chrome.exe	74
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 1772	5068	chrome.exe	76
PID 5068 wrote to memory of 4972	5068	chrome.exe	77
PID 5068 wrote to memory of 4972	5068	chrome.exe	77
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78
PID 5068 wrote to memory of 2316	5068	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/vcPPIw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff9dbf9758,0x7fff9dbf9768,0x7fff9dbf9778
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:2
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4796 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:1
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:8
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4924 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1748 --field-trial-handle=1772,i,954060254708085605,6638837519431620756,131072 /prefetch:8
  2⤵
  PID:1508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4148

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LARKSHARP SPOOFER\" -spe -an -ai#7zMap2134:96:7zEvent720
1⤵
- Network Service Discovery
- Suspicious use of FindShellTrayWindow
PID:860

C:\Users\Admin\Desktop\LARKSHARP SPOOFER.exe
"C:\Users\Admin\Desktop\LARKSHARP SPOOFER.exe"
1⤵
- Executes dropped EXE
PID:4248
- C:\Users\Admin\Desktop\LARKSHARP SPOOFER.exe
  "C:\Users\Admin\Desktop\LARKSHARP SPOOFER.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con: cols=110 lines=30
    3⤵
    PID:4204
  - - C:\Windows\system32\mode.com
      mode con: cols=110 lines=30
      4⤵
      PID:4704
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:2288
- - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\randomizer.exe
    C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\randomizer.exe
    3⤵
    - Executes dropped EXE
    PID:2800
  - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\randomizer.exe
      C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\randomizer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c "C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\spoof.bat >nul 2>&1""
    3⤵
    PID:1560
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c "C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\spoof.bat >nul 2>&1"
      4⤵
      PID:2996
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /ID 02/19/2020
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1308
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SV stdOZSvbQrXZgyk
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4388
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SS RDqDlJtnTtoTm9g
        5⤵
        Executes dropped EXE
        
        PID:4768
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SF bqMKeQx9HDey0m1
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:820
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SU AUTO
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3676
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SK YFKhju5ibVjYCUY
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1952
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SF yhtObXB1I3YshtS
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1152
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BV cCjntLbrKtedfOE
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:860
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BS HxDVUBKatpq2FJh
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3832
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BT hvwOb6Z1HzXfaQh
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:200
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BLC LQLKESYDotRNG3z
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1832
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CV MtO012TuUfforIf
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4904
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CS QBw61tK8g4A6smL
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1364
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CM PSKfQs0Mo2q9g6M
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3916
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CA XHGSif4SP0e7bra
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2916
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CSK 7yG3XPkGCdnilhY
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:5072
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /PSN qTGQ1AvqI6VjOo0
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3764
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /PAT T79C287dL1VKNbo
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4720
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /PPN 9s9dpODwqADCoOT
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2504
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BSH 3 QrWO0YGPNkyAC9x
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4108
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BMH 3 67j0WkFuYqiaPhb
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2580
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BPH 3 ZTk1ILwvH6D4MCG
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4556
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BVH 3 FzXbod6aIzJJJJe
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:500
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CSH 4 MTNoQ9FMISlFtsX
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3228
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CMH 4 AZ0H20RbEzsakkn
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3100
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CVH 4 qNea8Au9LjUwbQp
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3524
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CAH 4 EitMr4RO2nLTDpC
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1156
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /CSKH 4 TFOMeQkSg7RqX6f
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2824
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BTH 3 DnFtgBT8GPltTMv
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4984
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BLCH 3 kI2zBQlcsL3ZnEF
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2244
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /IVN Tddu8nhnYhkdsk8
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:804
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /IV 2.1.3
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2160
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SM N3ibfa0C53JGkuB
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1104
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SP 2e5EYr2rYMC89qd
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2432
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BM yHQceoAjGeZf0qI
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:2848
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /BP urngLROL1RXubSX
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4332
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /SCO 1 nN7yOxDZqWpSokQ
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4680
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /OS 1 KUn2xCsN2ZESXum
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:3316
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /OS 3 CbLSCpSkwGr3IGM
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:764
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /OS 4 eD5I1jlah6Nr4Lv
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:4744
    - - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\AMIDEWINx64.EXE
        
        AMIDEWINx64.EXE /OS 5 pzg3uTUQAVxK7CB
        5⤵
        Cerber
        Executes dropped EXE
        
        PID:1712
- - C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\mac.exe
    C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\mac.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
      4⤵
      PID:640
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
        5⤵
        
        PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
9269c7a45650cf6018148943c7022277

SHA1
b8a175d1c4619f4ccdca7564281178d7c01600bb

SHA256
f612656d25907f574d983a35bb30f4d677fe7b22fdbbcc3cf63e5dcbd3fae467

SHA512
4548d08c3dad294f33c968289a2e1ac62173e9802e851ae5559b645dba140c095623c51b106d5392c937286e4c977c82fca63b02f44ffc6169a2bc7799b94173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7c2609aab0a77242ce07f18581724217

SHA1
7f63fed0b41e5e2dd82eec6b6d87a2b3318d0539

SHA256
a7d872505ba3c979f6a810af572983edeaf00f9385e381bab5d083a520112033

SHA512
41159840014aaa955ce7e15df095ff5461841ad0b034a06f6651bcccc5d01a21ded773101f0409b3ed21a6a6a1458f6bc771fce8b45c52ba5b627cdf194c3030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
1220e5399815c478d079743845e99c62

SHA1
7a2999c46873817f51526618947741a9d35874c8

SHA256
d9efde22fd792682a419af3682bbcb35d7ddf51c4bf4339b1112387a78b7052a

SHA512
721fee5cb6ee0f983f9f8fb95dc29fc0f6cd6cc8124363d7ca4b0fe455e677117c36801c2a53415a89974b528f04f66034b46d5f4eef230b77016d42b0708dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7bd1601b58f32d4e699b6f16932033c5

SHA1
5faf3d56356dfeb1a12f16da2dea883639b8d432

SHA256
a92b3c1b3bf8c31e217dd8ced30f42213b9a887da5ad68e77183d2048f69f1ff

SHA512
8e414484e6e969fa686e141b233acce39a9c633f1b5523b1e031972ef401d9b619fc81e13adb922df05dcc5994640bd664c3832891c17281f1dddd1c75b3d107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4ffe5300629b337be9de336a717fe6d6

SHA1
d0a263926b521a91c02e02af1037a7c544e9323b

SHA256
ad7aed185bfcf8c7ba4a023783c85900d0fb94f7199eb1b456e89c5a8ff107df

SHA512
a5f5ef6677eb98b9f2ea5d0098e8effacb8a4fc9ed705a5079b6df81405502f036ce729be3a1c3dc604149c87a84ce93847fc4d5d1e74dece951e8008e510957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3fca93a53f37752a33d883f83f868c63

SHA1
4b86ae6638fcc1c00bd6dbe67ec32d0f2420b84a

SHA256
a780d4a798b469733747cf52c8e1e16818f9fbfee233a8091b83dfd60f0d2068

SHA512
f67ea3c3dcd3da63cc5e134b478097bef28e6f81da4d62bd87a80876c2c38c996e28d8eb23f9997cbf26c9a12348bc3272363c142901adf30918b3ca11324239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
0ed0bd2a23fd90d53dbb78172d8b22cb

SHA1
1573a4ff7fe9d7c15d3f209c5ed11d682b0f1235

SHA256
68ac08b07b849030960b50a4681832a8951d93192a96f70ac2834dcde7728df0

SHA512
4d3c8d82d4e2093b10b95d525dc8af82818a43b375e7dca0069b878fd5e3d59e14bbd71b60deac4f6f4c777b001656513eeaf1a01ff90974ed4bbc99948dd16c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
15f78c0453d46d1a51cf18491adaa868

SHA1
b6164415645cb070f89ec760be331cf21867d85f

SHA256
0e1cb15a419ffab49ecbc728b88badfca99ed364e02ae11abfd4e4a1af9743a7

SHA512
4f7b7d2b7b2b26fc8983090f138cb91f934971813fd6e53f10463512ee4d3fc562eeb5d24c573f70f865820a75498d469c9cd86661ba76a84aeb3fb03194e471

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
e906628217c832f3740bb00d8ae394ef

SHA1
ae78d0957bc39fd39fa7941393682d4c88df664c

SHA256
8407689d518008b5f17a2e7fc0992b144d94141a392395b74c9e4bc5b215b837

SHA512
7070e6bc5a6cc3f82bb95fd34858e338e5cd5d35077426185f5eaaf56cf2bb72a20a8cb73977a19c06ae0879c608f028c897109d46e205a74a08b1bf55019bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e61a.TMP

Filesize
98KB

MD5
6e68200c593ce8cf26e5e1280e60742b

SHA1
ac0452757343f7e12e794af992f1cdfebff60436

SHA256
d1536603ee63d124000d63bb59082213d58c2a11ceb9914a2280577a2a7e1ae1

SHA512
94d5c4af25044c87fe8386dac6bb167966ab59ef631e09d8e4f6a1a3ecaaa7f98926077ee59f4ce300f9d53c18394772b383ba54571248854834e632504ee02d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
836dc6463f5c9a2674322aef77881b4b

SHA1
2124edc01ee86ceb67a3b7dbd7cdaadb7fd06e9a

SHA256
61c20928d326f0c407cb32b590212851711042dfc84385dbf2a92d9189a1c073

SHA512
930be4a02f263bd3d74e06d27f083c3d884a8c64606a90cbe2077a71c56db8298eebc9887f4c7cfe5bb4d4fe98339f5e0dc183e6999f24ee7c4c401fcb46abdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28002\base_library.zip

Filesize
824KB

MD5
09f7062e078379845347034c2a63943e

SHA1
9683dd8ef7d72101674850f3db0e05c14039d5fd

SHA256
7c1c73de4909d11efb20028f4745a9c8494fb4ee8dcf2f049907115def3d2629

SHA512
a169825e9b0bb995a115134cf1f7b76a96b651acd472dc4ce8473900d8852fc93b9f87a26d2c64f7bb3dd76d5feb01eeb4af4945e0c0b95d5c9c97938fa85b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\AMIDEWINx64.EXE

Filesize
379KB

MD5
6bfe0519e242720f965bb1680356728c

SHA1
f6a5392214ade1750af15fdcaa6f05bf8ee06f9e

SHA256
a922b1906f9b04b582e8ace9a17e6b6d405df15f4ab30bdc55f2fc5df7a5c9c3

SHA512
cf47a256fd970d1de50645c23fc68a18cec6873475e06d567d7ef065ea913d8ac98cc5e811113ff5c161786544898d03d375f683b1e31551e9dd41ac036433af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\MSVCP140.dll

Filesize
561KB

MD5
72f3d84384e888bf0d38852eb863026b

SHA1
8e6a0257591eb913ae7d0e975c56306b3f680b3f

SHA256
a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde

SHA512
6d53634bc51bd383358e0d55988d70aee6ed3897bc6ae5e0d2413bed27ecff4c8092020682cd089859023b02d9a1858ac42e64d59c38ba90fbaf89b656c539a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\VCRUNTIME140_1.dll

Filesize
35KB

MD5
9cff894542dc399e0a46dee017331edf

SHA1
d1e889d22a5311bd518517537ca98b3520fc99ff

SHA256
b1d3b6b3cdeb5b7b8187767cd86100b76233e7bbb9acf56c64f8288f34b269ca

SHA512
ca254231f12bdfc300712a37d31777ff9d3aa990ccc129129fa724b034f3b59c88ed5006a5f057348fa09a7de4a0c2e0fb479ce06556e2059f919ddd037f239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\_bz2.pyd

Filesize
85KB

MD5
a49c5f406456b79254eb65d015b81088

SHA1
cfc2a2a89c63df52947af3610e4d9b8999399c91

SHA256
ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced

SHA512
bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\_ctypes.pyd

Filesize
124KB

MD5
291a0a9b63bae00a4222a6df71a22023

SHA1
7a6a2aad634ec30e8edb2d2d8d0895c708d84551

SHA256
820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324

SHA512
d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\_hashlib.pyd

Filesize
46KB

MD5
5e5af52f42eaf007e3ac73fd2211f048

SHA1
1a981e66ab5b03f4a74a6bac6227cd45df78010b

SHA256
a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b

SHA512
bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\_lzma.pyd

Filesize
159KB

MD5
cf9fd17b1706f3044a8f74f6d398d5f1

SHA1
c5cd0debbde042445b9722a676ff36a0ac3959ad

SHA256
9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4

SHA512
5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\_socket.pyd

Filesize
78KB

MD5
4827652de133c83fa1cae839b361856c

SHA1
182f9a04bdc42766cfd5fb352f2cb22e5c26665e

SHA256
87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba

SHA512
8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\amigendrv64.sys

Filesize
36KB

MD5
9accebd928a8926fecf317f53cd1c44e

SHA1
d7d71135cc3cf7320f8e63cefb6298dd44e5b1d4

SHA256
811e5d65df60dfb8c6e1713da708be16d9a13ef8dfcd1022d8d1dda52ed057b2

SHA512
2563402cc8e1402d9ac3a76a72b7dab0baa4ecd03629cc350e7199c7e1e1da4000e665bd02ac3a75fd9883fa678b924c8b73d88d8c50bf9d2ae59254a057911e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\base_library.zip

Filesize
824KB

MD5
35cd9399c279aab402d2285429b666ac

SHA1
9882206919c386d399cb0af53f4f89cf3ab9ed68

SHA256
ff2a2d425b9e5ea63934f72adad3a53e9e61174a235af0f61a83816d3c5cabc6

SHA512
1652a829c6f45f2cf53d42e9ff4ad8f5e007856fd784e854a9f02d3367e509f734fa2bd1d1d387f074d51dfde132511b338c4ba9ecf3a742acd908891a4e944d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\mac.EXE

Filesize
33KB

MD5
aed42ff110a595753bb2f83171727285

SHA1
492ab23acf2cf384183f0a4c0716c0871b597bf5

SHA256
a124932386dbcc5e6b5901f2460f68e7cfb1dff1406cd899620e8880461c60fb

SHA512
6ba035f8d3c719adcd99f28f8b6e8e10fab15ea11f7e6753a3c1119221bffb070ccbf9ed68e1053fc55a9cd68d17ec240fb83a35fb2dd0029f256a6626eb3d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\microsoft.vbs

Filesize
1KB

MD5
af1905dc8bd39d2d407f12fb08272beb

SHA1
3f512317103d610146318aa6dd629f534647fa1e

SHA256
bb113a896a43cb1b03a8b57a85e8d46faf39fe4ae4af97581b264415ef32bd3b

SHA512
9b1f9262410ea87726587d8531f8fbe0562b54e56d66b66ac7d52bdd37c6562fcbbb11e71a4c778605beedbe89d7196f15341687964b497b7efd513c7895652e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\python38.dll

Filesize
4.0MB

MD5
26ba25d468a778d37f1a24f4514d9814

SHA1
b64fe169690557656ede3ae50d3c5a197fea6013

SHA256
2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128

SHA512
80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\randomizer.EXE

Filesize
4.8MB

MD5
6e4421d0c8e459b2b378ea968510182e

SHA1
8bb44092d97898424c2afb30e5db11a2cbb70acd

SHA256
63534bf58d0657aee6def9711bd75310fc58724bda6200f34a11df0de9f49f96

SHA512
8f4ae909f1992e10cb88dda6b023a15b3e23543f6345853588a678b7354890d4979c1f4ddc69c1ae66ac486bab284d1fbbe369b19b8097c61bc38fcd24a08dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\reg.vbs

Filesize
5KB

MD5
3e3b30da6cc5283f8716e0fe2eabee5e

SHA1
8d70d981bb7a68f08920913b12eac31372470ba5

SHA256
6c9dd5bb8c4c7b8e55c538d0d77937e6a1edb0d7ceed1b3340ba6f053a729f82

SHA512
49423575a64a34ac0d106b0d406e64da287bd651a771b637eee49442ed7c88265b2555bbbbeecadacad57bfcf565ab2b98a3dfa78a67269b4aa10034ee7f4c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\select.pyd

Filesize
27KB

MD5
e21cff76db11c1066fd96af86332b640

SHA1
e78ef7075c479b1d218132d89bf4bec13d54c06a

SHA256
fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28

SHA512
e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\spoof.bat

Filesize
1KB

MD5
596866dc4485091a5f124f2809e9be67

SHA1
fe238fbd9dd8247b092712ab320ba304515a67de

SHA256
ab3993b6d78b0dfad3a288d7edb6d04f7580aac6702af3bd6bd2cf9f4f91d8aa

SHA512
12f4e5e89b8531e290b0f240906a861305ba10ade8aa0dfb358c4115924774f8518ba342d5ebc4a8fdbd9fed0f5bb37f6949f59950b22c9453fc35e96fcb1e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\unicodedata.pyd

Filesize
1.0MB

MD5
601aee84e12b87ca66826dfc7ca57231

SHA1
3a7812433ca7d443d4494446a9ced24b6774ceca

SHA256
d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762

SHA512
7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\volumeid.EXE

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\volumeid64.EXE

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\Users\Admin\AppData\Roaming\tmpdk3ufbv5\spoof.bat

Filesize
1KB

MD5
f56874c133cd3c4293876d731dae3626

SHA1
4d34b627e6b9bc8f0e3199b8f91c93299784fb05

SHA256
e81f38622392f8e4bc312f49847ec02ea36bfb88df23668789d2a9dd0fcec501

SHA512
ea6717ceb4b852b9fdc2d3d0070f40f0d310dadc8bee862b8f94d2db1c4cea084f3d04000f60da95426c9efebdc2dafdc532aee27256dab6b52345e50dc08fef

Download Submit
C:\Users\Admin\Desktop\LARKSHARP SPOOFER.exe

Filesize
10.0MB

MD5
1e61aac32833d7e38884ae4df8e9748e

SHA1
b2f17de7878360c69f6c103cfb0d2f77c530cd39

SHA256
eb04c7fde0ba573eae3e9307a3c91613e2eb4c41e97e0ad7a3979d2ac0e1dff1

SHA512
947758430b35760ac87cacf9ba42c04b13628b67c9ce1bd866cb362021537f10f99869c73c62cbf7cf177fa2da285ebce11e23688e79eda22b157fa47ef9bd01

Download Submit
C:\Users\Admin\Desktop\LARKSHARP SPOOFER.exe - Shortcut.lnk

Filesize
865B

MD5
49e0e679c8ca20869814fd87e391421d

SHA1
11ea4515f65f8de4ede3148a6cb25e5b2c328de1

SHA256
0e865a6e63b3badef72cf037f893675285177f60c3fe995cc2017c1462a66c6a

SHA512
938902431f07d7ca68669fde247a53a8582b0e9a1ab2eae1ca0484b549443a81c7c83710c66e6446b61076810aef8ef78dff7b0e5ad3b36c47863c57fa8350ad

Download Submit
C:\Users\Admin\Downloads\LARKSHARP SPOOFER.zip.crdownload

Filesize
9.9MB

MD5
5e5a8a54fc1283a440ce9d35df48551d

SHA1
2ebce3a9c9f3a514f7f35e180400e7ab4dc12edc

SHA256
47f42570c1328798a903a976412a5d004fa38ca514f7262cd2fd3f80f55d02da

SHA512
1eef951d36a3a124bb2e207aa2a78966c4e84a8a07633d32c4fbd62427a651043c60fcab6016663a106db63afa7146426d1f7d778489b2201d77e56fe5036828

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI42482\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit