cerber | hxxps://gofile[.]io/d/mYbxF8

Analysis

max time kernel
130s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/mYbxF8

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware themida trojan

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6068	netsh.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 32004f00620048005300200020002d002000620000000000	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Kopx_Perm.exe

Executes dropped EXE 18 IoCs

pid	Process
2872	Kopx_Perm.exe
876	AMIDEWINx64.exe
5016	AMIDEWINx64.exe
888	AMIDEWINx64.exe
1896	AMIDEWINx64.exe
4832	AMIDEWINx64.exe
2432	AMIDEWINx64.exe
1160	AMIDEWINx64.exe
3744	AMIDEWINx64.exe
392	AMIDEWINx64.exe
4496	AMIDEWINx64.exe
4772	AMIDEWINx64.exe
2256	AMIDEWINx64.exe
4664	AMIDEWINx64.exe
2552	AMIDEWINx64.exe
2676	AMIDEWINx64.exe
3036	AMIDEWINx64.exe
3924	applecleaner.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000400000000070b-196.dat	themida
behavioral1/memory/3924-199-0x00007FF611580000-0x00007FF611F22000-memory.dmp	themida
behavioral1/memory/3924-203-0x00007FF611580000-0x00007FF611F22000-memory.dmp	themida
behavioral1/memory/3924-202-0x00007FF611580000-0x00007FF611F22000-memory.dmp	themida
behavioral1/memory/3924-201-0x00007FF611580000-0x00007FF611F22000-memory.dmp	themida
behavioral1/memory/3924-213-0x00007FF611580000-0x00007FF611F22000-memory.dmp	themida
behavioral1/memory/3924-350-0x00007FF611580000-0x00007FF611F22000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
76	raw.githubusercontent.com
77	raw.githubusercontent.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5624	cmd.exe
5648	ARP.EXE

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	applecleaner.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3924	applecleaner.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\AMIDEWINx64.EXE	Kopx_Perm.exe
File created	C:\Windows\Fonts\amigendrv64.sys	Kopx_Perm.exe
File created	C:\Windows\Fonts\amifldrv64.sys	Kopx_Perm.exe
File created	C:\Windows\IME\applecleaner.exe	Kopx_Perm.exe
File created	C:\Windows\INF\display.PNF	chrome.exe
File created	C:\Windows\Kopx\checker.bat	Kopx_Perm.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
60	cmd.exe

Enumerates system info in registry 2 TTPs 27 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1f4eae45-c95e4a40-8"	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Kopx_Perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Kopx_Perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	applecleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "a8c59d7a-89e23e12-1"	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Kopx_Perm.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	applecleaner.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5564	ipconfig.exe
5584	ipconfig.exe
5672	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3204	taskkill.exe
3244	taskkill.exe
4060	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133760223916068338"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3232	chrome.exe
3232	chrome.exe
1056	chrome.exe
1056	chrome.exe
3924	applecleaner.exe
3924	applecleaner.exe
4000	msedge.exe
4000	msedge.exe
2524	msedge.exe
2524	msedge.exe
1056	chrome.exe
1056	chrome.exe

Suspicious behavior: LoadsDriver 16 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeRestorePrivilege	396	7zG.exe
Token: 35	396	7zG.exe
Token: SeSecurityPrivilege	396	7zG.exe
Token: SeSecurityPrivilege	396	7zG.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe
Token: SeShutdownPrivilege	3232	chrome.exe
Token: SeCreatePagefilePrivilege	3232	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
396	7zG.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
3232	chrome.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2872	Kopx_Perm.exe
876	AMIDEWINx64.exe
5016	AMIDEWINx64.exe
888	AMIDEWINx64.exe
1896	AMIDEWINx64.exe
4832	AMIDEWINx64.exe
2432	AMIDEWINx64.exe
1160	AMIDEWINx64.exe
3744	AMIDEWINx64.exe
392	AMIDEWINx64.exe
4496	AMIDEWINx64.exe
4772	AMIDEWINx64.exe
2256	AMIDEWINx64.exe
4664	AMIDEWINx64.exe
2552	AMIDEWINx64.exe
2676	AMIDEWINx64.exe
3036	AMIDEWINx64.exe
3924	applecleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 2964	3232	chrome.exe	85
PID 3232 wrote to memory of 2964	3232	chrome.exe	85
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 4440	3232	chrome.exe	86
PID 3232 wrote to memory of 3500	3232	chrome.exe	87
PID 3232 wrote to memory of 3500	3232	chrome.exe	87
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88
PID 3232 wrote to memory of 3260	3232	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/mYbxF8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffec001cc40,0x7ffec001cc4c,0x7ffec001cc58
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3308,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4044,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4948,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5176,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=964,i,8135447421825822747,6679206505298705937,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1044 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1476

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KOPX Perm crack by croissant\" -spe -an -ai#7zMap4204:118:7zEvent24188
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:396

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\KOPX Perm crack by croissant\Keys.txt
1⤵
PID:524

C:\Users\Admin\Downloads\KOPX Perm crack by croissant\Kopx_Perm.exe
"C:\Users\Admin\Downloads\KOPX Perm crack by croissant\Kopx_Perm.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2872
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /SU AUTO
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:876
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /BS JTOBECOO74JCJU0H
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5016
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /CS JTOBECOO74JCJU0H
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /SS JTOBECOO74JCJU0H
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1896
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /SM "System manufacturer"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4832
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /SP "System Product Name"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2432
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /SV "System Version"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1160
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /SK "SKU"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3744
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /BT "Default string"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:392
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /BLC "Default string"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4496
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /CM "Default string"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4772
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /CV "Default string"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2256
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /CA "Default string"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4664
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /CSK "Default string"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2552
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /SF "To be filled by O.E.M."
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Windows\Fonts\AMIDEWINx64.exe
  "AMIDEWINx64.exe" /PSN JTOBECOO74JCJU0H
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Windows\IME\applecleaner.exe
  "C:\Windows\IME\applecleaner.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Checks system information in the registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    PID:4364
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:60
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
    3⤵
    PID:5112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Battle.net.exe
      4⤵
      Kills process with taskkill
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://applecheats.cc
    3⤵
    PID:4132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ffeaddc46f8,0x7ffeaddc4708,0x7ffeaddc4718
        5⤵
        
        PID:2456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,13825746710012336447,11238819606112065061,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,13825746710012336447,11238819606112065061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,13825746710012336447,11238819606112065061,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
        5⤵
        
        PID:2676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13825746710012336447,11238819606112065061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        5⤵
        
        PID:4092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13825746710012336447,11238819606112065061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        5⤵
        
        PID:60
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13825746710012336447,11238819606112065061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
        5⤵
        
        PID:1916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13825746710012336447,11238819606112065061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
        5⤵
        
        PID:5184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13825746710012336447,11238819606112065061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
        5⤵
        
        PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1
    3⤵
    PID:5924
  - - C:\Windows\system32\netsh.exe
      NETSH WINSOCK RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1
    3⤵
    PID:6004
  - - C:\Windows\system32\netsh.exe
      NETSH INT IP RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1
    3⤵
    PID:6052
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1
    3⤵
    PID:6104
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE IPV4 RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:6120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1
    3⤵
    PID:5140
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE IPV6 RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1
    3⤵
    PID:3888
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE TCP RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1
    3⤵
    PID:5420
  - - C:\Windows\system32\netsh.exe
      NETSH INT RESET ALL
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
    3⤵
    PID:5508
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /RELEASE
      4⤵
      Gathers network information
      PID:5564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
    3⤵
    PID:5592
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /RELEASE
      4⤵
      Gathers network information
      PID:5584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1
    3⤵
    PID:5660
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /FLUSHDNS
      4⤵
      Gathers network information
      PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1
    3⤵
    PID:5688
  - - C:\Windows\system32\nbtstat.exe
      NBTSTAT -R
      4⤵
      PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1
    3⤵
    PID:5536
  - - C:\Windows\system32\nbtstat.exe
      NBTSTAT -RR
      4⤵
      PID:5452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
    3⤵
    - Network Service Discovery
    PID:5624
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
    3⤵
    PID:5484
  - - C:\Windows\system32\ARP.EXE
      arp -d
      4⤵
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
    3⤵
    PID:5588
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
      4⤵
      PID:5636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3a5377994a56a6cad48df069e637c9b0

SHA1
9f9c9ae597470bd28c2e0ce4aa07fa6a705de319

SHA256
ebfe7a772cc1bc60f77c65f5300a469aa188658c22055f3c4f57fa62a9d2f21b

SHA512
51a3e0e7301bb1e8375bee64ffee3db64486c3dad4744c4465d020ba378e6024ec36c518a30cb5fa3b8dba679aa00427547e0220c1507c78520f2d5437ba2f59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
a579116ce6be5a7e202d5dea4dc62cb3

SHA1
545bf033715e4cfa82481d158b55d656e6e137ab

SHA256
29bdb28293ae3bb7df66a4b637a9f2ddbd8b2a4dcbdbc9d1d774919ad696ee07

SHA512
9ccdf52ff1c05409b908108a1db451efb7480fa4a5807480f92071cdf5f5aba7e82b93aa0cafc0084ffab99dbee822a73d8224a1aea26cd4febeb3b05ea2e600

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
17ef75b5af78a05a33cc2655c8278d83

SHA1
b409c948b95544b2e0f9f8cb2dd65300e65e434e

SHA256
4d02f99e787138c610a002bb387f22e4dd0a0ebe2815350ac71bd86c2ab32467

SHA512
d3c7b7ca043195c4a7fef5e2d02eeb7c476fc1b5dbd6a4b13bc8a22c08a521355848b586790c061aafbab4abcc94003dc9f702e4669f6cf3425f5775755734d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
856B

MD5
e99e641dfc17308d2eb6f49d9f5d3a6c

SHA1
15eedd7615a6bd071ae93e36b62aedccf640e7a8

SHA256
5a05b5ab5bcc0453f623d4bda2df3116d96568e72673e8133bde4d784135589d

SHA512
2dbe47a55b589addccd409d3cf8258964046a9c4ae497850a3f1c518c1034c96c9148aa1cd2e1e80303640aabcbee52c44c8d94e446647b26804cfb9abd3a101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9180a7bdb33e140508f74e00f2321185

SHA1
c8079b0ef322a5c3adc42ce67aca07e3d9d73e4c

SHA256
a3084b88e413e66eeaf085722f6845e5f678398cfb5e6cce175a8b6011758274

SHA512
85ffb5171c124ccc85574ab16de06217e2e31c1dadf780446b608bb24c400642c8fb35d1453d22077baed1ae97a02fe8bc8f4ae25792ffc0c14e60718614f718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e65d08ccb3c67882ee2e9beb02aaf028

SHA1
7abbf3795a8fa11848bc947d6932cf7dd636b380

SHA256
4d446f1fabb1d8b1e4825d66016679d86ef1e9b3b1e7ce3e36b72040312b9797

SHA512
96ebbf5a443b54acc3596c8d72a4673101e44a712b06f9247529ede68467796c738a6d18bfbea5989cb735a563a6591771a3e4e369a257c2a0b3633d98f352fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
03cc4a83dac7d4bc91a72d677845da06

SHA1
fcfb51557fff62584d82a3cbab11038802850a9c

SHA256
85e5d5eeb1d332d30e60b79362852ab5676e66295fbbd1f4f7608da6adffaf6c

SHA512
f8284aeba3701ca8c1e6e97634b99fe123090c23cdc9c8b40fc578215e63126f8c8971f8e85fb96f461ed7a39224616b93410012ff7abb6a57a463ff87c82775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8aaf506444b2db1caa7303f6abbbb73e

SHA1
d01c308f576b8fef41a86fb48eae1fd142ab1bbe

SHA256
6a1904dd58e31d4598882fdc6f07e700189f8d6b4b5bfc377cec86b1bc7ecaf2

SHA512
768d99667926e8ad82999cd83413bbba3110db3eaadd9d0d0b8c7cba4f5d76bacb5732a255a682980d9518522256b5f83d376b4ee650caa90d129b70298c949a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6ede7a7a9d346e80ba9411382a6b42cf

SHA1
e171582d8bffaaf834c59d00a1d891a123f0628a

SHA256
38f6eb1ceab989149f10f8fade8960ef81ff949dc0204704c667cd2001b7c629

SHA512
708611ea67081df2cf5eb2f514de80e4666755ff231b0b9b89d50537e0cc7bfb50913456bc69b4e4e9f059bf8ef9a252436287f30b4c9d5a9a0fc18eaef9888f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
252481192e0e89b5ce8aa6adbc6ec73a

SHA1
01c06846764bf6ef1438fb17dbe298aa1c5bedab

SHA256
d0515d8663b73fc3bc4cf431fd18b77fdb872732a7ddea5827515d01e484d7e9

SHA512
e01ccf373b487413f33ae1ad0ae85becf80ba6b88913d97912bff5a9490f2856dca111b8052067fedc5ec1993816676601edcb5c6dab2845c400a07f6fd6edfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
36591b321d671d3b97bb70be91b770be

SHA1
d1d565046246bb40d9ae448a2e63b2bf92b5cff8

SHA256
040bfd2d58549ff20160b989bbee5ab0ddab571e79dee6ed3e85ab88c32e7840

SHA512
f6396a5b6379ae3201a183270f49e6f258087f88a4b4f7ac98040f6d1a664de05a96e49d669683fbb67cbb9ecf1e6f516f23213c291ed97c5fa0641b8465c46b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d53db987aac52770ceeddf80a3e478eb

SHA1
7403517141074c366c5aa88c6500fc93b28d9043

SHA256
7fc526c5f6913eb4d8c82984591892145cc8acd71e695d6754534cc59c30a4d8

SHA512
1a01ffe83481ca6efb393e18529e3764f70171a0f9f0a49aa32a572c193607c4d0bd5bc9e060b2aa50785a38fa3aa21c97101b44bb88796946e5d166eff6a680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
7f971f2cbaaabb3d817850b6875f76c1

SHA1
b2585a1061a61717f508b66bb42d3d019050c6f5

SHA256
c0e431e2304758ec6d8750510b653b98e1d4f2b01362e43808ee7e0e2cdb76fd

SHA512
cece2508df57d60d5fe6d336888f069593762e06ee1bedf39a2e809108889094d99160360ce66cbef51c079c185ada4a5e5c9d5ad028b09d9853a944b39aa82c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
67417e5bebfbffdf09eacf212ca8c64a

SHA1
345f43d3ee59baa54968c741b5b51583504d4188

SHA256
9f60cd96f19834db30f78046223afb3c430c598f410c9f80139f541ebe89401a

SHA512
1682211b4c13d1149caf26c70224ad46fda660a2f0ff7a197a427cb4948819af352e595b519a1a12543acf4cb44fac6a97fbfa934a920d87e16841b80f206226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
06c4506d926bce66b28d0eccd0203bb6

SHA1
4cc4701f7b678330cc594c4eeca25edd69f1ef24

SHA256
f8b336c6d59b21f2b928d3403536333831aa8bd1aeb9f933e9f947557b1efe70

SHA512
ec3365395867782236a839ef0e2a21fdb6024f6a3c9113160c1519b85e4cbbf13ddf53546bb5a2e52a009b24e235d048ce01d026112f8a5ac899ad3b800ba806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
495B

MD5
22096ab8358e0db37539e6a5d41324e7

SHA1
e07c70ee5c9901cb5f82b82775b3265392cbfdb2

SHA256
970da7529401a8d6754278f51a11f71ff7e17052f80665582cd21e174597db2e

SHA512
c3e26a5d3016d38c9cf4156ccd64d2098489e4532416cd90d663a715a6f4a486c6df3bc1adfdab92feccc82fc7a1018f003f298234a18d67a6072ca3f014502e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
599abfdbad6ba5894509eb916c0c3e09

SHA1
6543dc4ccc788a2d3dc6d5dae31d09a9f2d7dfcc

SHA256
6c59c24035e18cb4c6f56665801e798ea8333218b14de73a542697283f32e7ad

SHA512
77e97af2b0544f92d9f5fa1e49ec83f2a07aac4319100ee739bb913d42836416a05f62e04755edc5f39453615fc6bc703b804501ba40b6e629333036c86e518d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
223ba1d89b5e0cda34601bdd84cb1952

SHA1
d7dcad99065ff36b8ea022e47a71db2a93d2ae81

SHA256
96d7a1014526c97d3c333c972e5b24bb0deaa1ba3dd60f5a963becade5953974

SHA512
611095e4c3bb23e34fdcaeec955c0b6ea1d090abb2eb7a354a7c769c9b28fbc7aee8279893fbed7e66140701dc752b6ac5bccc3e7d04fd11e95e4de165638693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f2861f99-73a0-4b23-a706-72e1256469ec.tmp

Filesize
10KB

MD5
c1e0f4d505030024d978dd2bae24356f

SHA1
64f3411aceb89f6a019cdf0b5c5ecb68882b2a63

SHA256
67a943df6ef1b23e95f36e6ec8749dd60bc2d6e8903ca9d0ebfd82c63db8d9b7

SHA512
d84e00424d4606c5411f224206614482b17c493c3dad6efcefd54ec80c3ac386b8c81ee3219ac8a03196b07fb33d6f0a6ad95394c5196f8fc8090a0e3dd7ef4b

Download Submit
C:\Users\Admin\Downloads\KOPX Perm crack by croissant.rar.crdownload

Filesize
2.0MB

MD5
8d7d9fa4e08612232ebf0e87f256ab37

SHA1
2d1958a9396518fce8b1718cbd2cdf008e40c475

SHA256
69671b312c7aa241a5b2acfd1e3b6f264d6d8835b30ceb1f9e0ac6e120726c35

SHA512
d5976084c480c80f799756726f7e675efac596133e7c81e5c2e2ec7aeff6f5f1ea6d920c111579fa2fc0edecd84d2f3491927d5a00607be1dc5fb1302095228b

Download Submit
C:\Users\Admin\Downloads\KOPX Perm crack by croissant\Keys.txt

Filesize
499B

MD5
a3c7369b4dcca6f03c05a9b4a7b23557

SHA1
57c3e886a7214e42cb68fa4842647b6bba2ef7e1

SHA256
fddfe3dd2c1dbfc6e37cb8749b910c8c42906475ebabca2b1cc29d91bcd226a3

SHA512
d3f94ed97eca8eaf6709ac76e5f02f6e624d71871b0f35d6883f5ae0e42729d9bf897fa4dce7d60d7c476d08ca88794d341ee47c6f3ed9f2964d76f0cda4913a

Download Submit
C:\Users\Admin\Downloads\KOPX Perm crack by croissant\Kopx_Perm.exe

Filesize
5.5MB

MD5
8c13d2fd7836abcfe22c00ace0061d40

SHA1
3c9640ec84a86cb10e87f2b2d8217f034aab1d5b

SHA256
cd665494b4a760a948b940d3bbae302134c282deee633f04343fe34790406001

SHA512
3c192fe7231e7c0306521c2701a3c9eeac0fd0091f6d59ef0f35a2dca193fcf5ff36008065838b2cabc92757708525a4d500e315a5502cbd8d7a6e5850255285

Download Submit
C:\Windows\Fonts\AMIDEWINx64.EXE

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
C:\Windows\IME\applecleaner.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Windows\INF\display.PNF

Filesize
7KB

MD5
ee9324c580306d44cd07af5784f57f3a

SHA1
87459b660ff1f3e753baf79ef3d802897cd6d2ef

SHA256
d5fb65a1c62fdeac55ee128285ce0f9bb6db53b7bc00d6b4a0ad7b3d20b17f6b

SHA512
d4aed72d7c69a519f8bbdaacaf4c788c69b65a0f40fdab4068d32ffcbdbacd4f5dc89e365cf3a7815b2afc6f6036ba2f2bc2c2d3cea727f4357de98b5b012a67

Download Submit
memory/3924-213-0x00007FF611580000-0x00007FF611F22000-memory.dmp

Filesize
9.6MB

Download
memory/3924-201-0x00007FF611580000-0x00007FF611F22000-memory.dmp

Filesize
9.6MB

Download
memory/3924-202-0x00007FF611580000-0x00007FF611F22000-memory.dmp

Filesize
9.6MB

Download
memory/3924-203-0x00007FF611580000-0x00007FF611F22000-memory.dmp

Filesize
9.6MB

Download
memory/3924-199-0x00007FF611580000-0x00007FF611F22000-memory.dmp

Filesize
9.6MB

Download
memory/3924-350-0x00007FF611580000-0x00007FF611F22000-memory.dmp

Filesize
9.6MB

Download