hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

12-02-2025 14:40

250212-r2c9pawjcp 10

12-02-2025 14:40

250212-r1yt1awjbl 3

12-02-2025 14:35

250212-rx15yswjfs 8

Analysis

max time kernel
189s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2025 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

8^/10

bootkit defense_evasion discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
76	4940	Process not Found

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3700	netsh.exe
2996	netsh.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Executes dropped EXE 5 IoCs

pid	Process
4916	AV.EXE
1708	AV2.EXE
1980	DB.EXE
4724	EN.EXE
1968	SB.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\q:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
94	raw.githubusercontent.com
95	raw.githubusercontent.com

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
4664	verclsid.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	SB.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\OEAPN.exe	DB.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023e0d-475.dat	upx
behavioral1/memory/1980-492-0x0000000000450000-0x00000000004E3000-memory.dmp	upx
behavioral1/memory/1980-491-0x0000000000450000-0x00000000004E3000-memory.dmp	upx
behavioral1/memory/4724-509-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0007000000023e0e-503.dat	upx
behavioral1/memory/1980-488-0x0000000000450000-0x00000000004E3000-memory.dmp	upx
behavioral1/memory/1980-484-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EN.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4884	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133838445420636357"	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 03000000010000001400000030530a0c86edb1cd5a2a5fe37ef3bf28e69be16d2000000001000000b3020000308202af308202180209009168978ee53f5964300d06092a864886f70d010105050030819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d301e170d3131303931383131313834395a170d3132303931373131313834395a30819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cac8419346518527133fdefd7982ac3919f1d6e2f815ecab0b5d219ccf843885645cfd9c35cae2eff8e7506e690b52c587a59c8d667cb671454030bd370fa334b18afb5ea4f4f819a36685a705a8543f320af913ca680a1d32a402db6d3e42d93228e44ba230fda524d490ddc35b922f23d36d95417136ac50afa567e21359350203010001300d06092a864886f70d0101050500038181003c6a7f43ca2cee1caafee88b04777032a4c9d7794222537e3ebe57953198281bdbe0d3a58f7d3eb358f361848f30ad88a364cd0ae3376e6239dedb01497d52d3dd55e78e49375373419ad7e5e2e036f713bf4d96a552f2aa26b35b66d7a83fb2a9b6e317d162d8342f09ccc71b2a1c7d9474ca7872bfa4acd623d61c4491d740	AV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D	AV.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1980	DB.EXE
1980	DB.EXE
1980	DB.EXE
1980	DB.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3564	1712	chrome.exe	89
PID 1712 wrote to memory of 3564	1712	chrome.exe	89
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 244	1712	chrome.exe	90
PID 1712 wrote to memory of 3480	1712	chrome.exe	91
PID 1712 wrote to memory of 3480	1712	chrome.exe	91
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92
PID 1712 wrote to memory of 1368	1712	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff80e56cc40,0x7ff80e56cc4c,0x7ff80e56cc58
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1508,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=208,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5168,i,7683281284684857757,16080963708515006514,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4052

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkJFQ0IxREEtMUZGNi00MTdELUE5OUMtQkM3MjA2NzJFQjA5fSIgdXNlcmlkPSJ7M0M3NDNFNDgtQUZEQy00MUYyLUFFMjYtRTQ0ODBEMzBCNTZGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Q0FENEU1NzctN0M4Qi00QzM1LTgzMkEtMkU3MEExQkIyQ0M5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTI4NDQyMjk2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Users\Admin\Downloads\Cerber 5\[email protected]
"C:\Users\Admin\Downloads\Cerber 5\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:4708
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:1968

C:\Users\Admin\Downloads\Cerber 5\[email protected]
"C:\Users\Admin\Downloads\Cerber 5\[email protected]"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:3136
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3700
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:2996

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {088E3905-0323-4B02-9826-5D99428E115F} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0ec0f130-7619-4e52-b775-d42a7d1ea0a1.tmp

Filesize
9KB

MD5
ec9824761a8ce7aee40c950aaaf84747

SHA1
8e01c156941191c0f563ab1db199ada25a69554a

SHA256
2549a0d1f730d780a68873c80184256dd37cccf2d7457afedc462543488fd4da

SHA512
fccbacc4ea63b830f4c9ad4e0172a0badaec17ec2f4f58fef7ef4a2561372ddb6bc61088d655122691778bcdd4cd869a57f74f2334b7033954dfc1a1c67c0be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0c3ba9781e4ed5e8a50d5cd3309ae77d

SHA1
34bbd4b563932aee8beca3b1730abfb57d308398

SHA256
89ed2e92ac69aa1af3a87bcbef33f15a91c4090a98ab2d8d0c0f3299712066dc

SHA512
f996b08ae2aaae62f5f40d2fd28778cfca5079bd0cc6f2f92ceab86641730e3e36a7853f6b6def9fefdc551ce616a3736dc1e5c8c9b8e97a8b5b885650ccc0ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3edc2a9924ca9b7fbd9ae2f5c6da68ed

SHA1
e9b1dec4927177bcb7165ab1a57024062dc5a61d

SHA256
fbb27587dc7b1f0404696e023c4bc650a0c24084f5fea94db111a2fec93b8408

SHA512
f31b4d0e478061a400bc0fc947f087643145f2fd5001cc6e4f8b3b94e708b367aa08521ea2486f2cbfc8f55a5ff5bb3f8aa0e8ff2db5ce85ce0901fc8b1a2790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f3156ec3e6731a131f857aab45a52e4c

SHA1
8517fb358fdf6ef0a776c7993697e6a72b6f6b73

SHA256
fdb75bddc9282491074ee51dc9480747707ce5a2f95b09298d7acf583a891d98

SHA512
6384bc7db721edf49c5ca0cf275c2d0a3846e903597a47af8d725d55b578c122dc722f07f710401cd7412c6814f74a259552f47d55a50ba43244d56005bb46f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ec6cb42e3e40fa2bf483d32fd60b345d

SHA1
0000009bfb95fcf9d1e7ea8a0eef4d9c17a5a790

SHA256
a5665e9fb55fd48b0a8d99852c65fd1ccdcfb85ee9d593336b73cb61d9d3d8d2

SHA512
c59e31c846a0fca5ddfc812c8b6b3cbb9e5f84146deb204961c333ebdc1630921c796d941b27e73e0a65c15b52077ddefe8a071ee7db4ecc8df655ba58aba667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6bc1e68edf9a48f95d422bfb6e397162

SHA1
eab4aa665e22eeaf8291067488b5e7bc4cf90ff1

SHA256
da1ea704872a7d0ab83f06fd1354d2f30d117a7676f3fe14697343ffad0a1d8d

SHA512
36ae34ebd486ec2a3449778d9174dca7c907682e3b162cc6a927a86adc9be763664ab23cc9ee9195c29ce05bb581f1a907686030cbb13dfc47929943f55e3c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0c9ee6adb2e35f03b72f5095970ee555

SHA1
bda22e485491fa8edce27078cb1a6d90775a1b15

SHA256
f00d24d9937d56b6bb304e0ffdbe2fe79c9cb22b4a16f48532e4fef88f4ae849

SHA512
311ca69e82d41ecdcbd643fdcfafd1d6c5cfb57a4bdcde330843e48d3795654efda761498b5073aeae2f57499f55d844fc2ecd759c87d7ad906c190b715e37f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b8b8d7aece49345bf913289fb2ff5c09

SHA1
557a8bc47e31b4fdb4ce00a81467aa78eead6bad

SHA256
038581780a624036b45ddec06e8b530c74c3adfdcbeb196dc614e9a246399434

SHA512
78af62087467cfa5179b76b64fcefdb0b771f7b44bb305acf0fe4978de2ee3ea73641b93b02604eab664d250888b4dcc35167508920cdf64cb60ae540ea970fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
665a4a3e6a05b989939d65de99087efc

SHA1
8162bde45ff12f7f82d9b7b5bb6e65ca2b36d732

SHA256
e83b8ac888cc5fa9eb3602ff2078b425a052369e902f5917f5fc7c8e9b093eb0

SHA512
1e2c682bf9200a2ea9b72007f3902ebd961f070c4c2e82763b6f8329d44b453c4d8df78fe07a0f7e1ee74c3cf6c0aa9dc13b720b414fd024207e3e7c0fd56828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4fa276ad13ad09d45d69577e066b48c0

SHA1
66df28246bbad8b136e7510d3ddea20c0d0303dc

SHA256
e02f20a2f29de65f240f32fd3afd076ec07b47d7f1a2055bd3385c75297b3739

SHA512
c8acafa6d8ff962c6e95ca57e2e3b919a1eecc4e0959172748d439b1872d727277ada346b0663788f2c7fa0af975ae8f5458f7272e1c1f9bdb6b7a355b0575cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
89ed93bbc8aa8c332245bbefb5939950

SHA1
c87f855be290f336b29c3e2ab09c53d096b8b91d

SHA256
4f2e27a489a782c855f1322f5c572fd8956b69faee345878be26d32262e23c75

SHA512
cce4c658f36f9021d9e27cf1f46c55a52052f70017bb988afee7147ab2d99385c75471345b9a067b3a14af0f2431f4be912fba013154ce270b1a9f40fef18d57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6c54a4c4366ddca13eed02e32b6d0b41

SHA1
c52750f40ebcc242e60feed67247f535f6e91f5d

SHA256
e3f1a1e2524cbe0c956829d2ac1a108405f97d1083ce979af2e78ff77e6522e9

SHA512
388d9555650dac350c1fad01b0a415c7ec12965cf15d551123bcec31820c365bee4dcb376573b8ce501c18036de5994d4984b100ddf0dabbc49c91e888d8e24a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2c756112372eeaa08dec852382f66dbc

SHA1
f7f712c37e9223792397631aaecf4bb2a5b94b4b

SHA256
bfd23b710ef23591c9271d64049aba1f8274e1df588f6681293e0ed2ba4ec01d

SHA512
3e6b7432ee535cbbb04722c0d110bc84a8a1c62cdaabfc1922e39cb93e7ca886c7ad69d8106ee8b37c7b9e015336759fa74d3a1f07d20ec22571c5eded5c4097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3fd752482f0a6f330456541f175f6850

SHA1
748b79df3122080cf4629a26a56666cc9b246477

SHA256
2c677a3e1130c86f0fa0997fa452fa4a04a39a80a3d585803f226b3c962e2977

SHA512
fe41de8f984fcdfdf446d970dacdab3b4f6660670eab221efc927bfcbc084fd80f8551d12b382c36a3fff93347e4a6ac73ef5b226417cc5b695a11b4e12f0f71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2c6937a016703a900ee9e165c36f4fd2

SHA1
36f1d2b44d53ba907ff299af29073bb54896bbd0

SHA256
0d2019d8dbaa2bfe3a48bcfd99530e3310187844c342192a6de6355b65d7038c

SHA512
34549ec414142636e204eadb5038645ad77f8be3f1f7e5091da140dc205415da4926ce291c3bd1944e93a5f4934ff891e3fd167852da03986ef7bb0a86154e29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b48cd69897c4263676e00dc391bec2fc

SHA1
6875262ab5264fa9e875c481f32436d5e8cc4fd8

SHA256
17f80bf0a67e65b34bbd2d9eff506cc90fbc0f7b1c7d5a365b133973487e2dd7

SHA512
32cd7493a35f3ca43e2a0b0f2823c5ed71038287a6e7ebb874b3cdd550a0768b71b00e7be29eef0388b5bade8278e6ba69c922a182400c1d32891d8e2fece158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f383aebfa4c70960fd5e3daa30adc4b2

SHA1
b3e1abdccf3810d07501e6f632036c4c7a92dc1f

SHA256
6a05910f6c41c6e948a308898bf117308971cfd3044aff37ae418a1922726f6f

SHA512
fab63111c161f595852f038ba200ecd687c1a0f87b001eadf20e112ba2e81a7bc70a94445b6607deb298bcd363a7c9a236b63d1011bcd36f2fc7cf7637fbd04a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f7f5338929450286c613eeb62f24edc

SHA1
b11c1362c1840d1bdd87668cb64b36e8eb356f94

SHA256
a7c47c8b2918e48e30d5e9a85661b2530272376ae33ecddeefc26f2c57119546

SHA512
419afb206bca0e3cf2e0b572c5117c2ea5f5858f9a148246d86da1d31c7eee2928bd74f55910fc0b58cf1c64b07c3e8da404ee1a2f50d80314020a4e8576b8f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f03c1c6564cf45267d86312e52424bf5

SHA1
ee98fb7abc0c4bb19159eec5c1ac3f97677ded42

SHA256
24bff14aff07e77e8da2030f8b0c134a412e5bdbc8a64478da7551e6b1b1aa5d

SHA512
141939ecbcf2e70e24df35dfbd5453ee0b512fd9e847afae8b9d9b09a1a00a08541f9bbc36a5f867845f3dae1eb7244ee8eeef4a850652f194f2cc9ac4758bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e3b0bdc434515d7ccd0ffaddf15b44f2

SHA1
49a6529c0ee6c15b9df4cd1a13c4a65db82eff1b

SHA256
5efdfe2cf0e23a7a37e400fbc0d9e78f714601baada54fe1b1b48d31cac64d7b

SHA512
3d94ebb08c3314747eca44e74abb536c4ccbe39269f1256fe57cb44b3383ab9f7265c47da53765c94945593007d81cf602ec732faf14b28a06dcd5f7479456e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
00b64baebc23f748b9c959a7b2155996

SHA1
d104222407504c56087c6f243a3a03fc3c036ae1

SHA256
8012c4fff89d5734685c5bf96ea10f48b639fe9dafc0564f78417ecb646f3377

SHA512
515bcd7326077464a432dc8297882ea607266a54e55d5bb4cef39b9450d8183620c375178ec294f62b0099da635d2fee0b193bd0dd8e74b4dfa12d12e959ebb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b97934fdf35bafb4aac6eccbb16f214

SHA1
008c4653fd2e0a35273c124fe2488808a2ca4621

SHA256
b92b5ee658ab55543c895bd7ac533fe9da17a4fc2c9b42274cb5d8e57947a2fa

SHA512
571602de234a8b6730975a96c1cc9336bbfc19443743862995bc9f0c8520c596b7590a7e2605f1b4a39b8090feb5504d43738191842466218876665539f25a1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
97d6992587fba7ae2a87538f01bbc16b

SHA1
3aab8100da262dfb34ca003d6a742625c5ec963c

SHA256
316adf262f59a1318a9500ed8d357796b06343a4a0995d2851b4cf1d4f4893d4

SHA512
9d98b6a01989b56e400a9d59f9acf5890ea7e1fdd8731c0b9a8e086ee775364f79dddddc1d3c7993a18517bdb0d3f838286cc47bc42f5adeee8eba5425127ff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe914d9a3a5aa4028db6700df376340b

SHA1
c8e52c452c29b37310a64de958f74e84cde6757a

SHA256
41127390fc4a50fdaa4ae782cce9210df00325e8b078266dd6aa52edc86d9293

SHA512
4bf08a2455bae2c6e22994bffd2431a246a250e2fa16574cecbac5910c3325213d00b463311b3d3ad1c01c7cffad725bef0dfb22cbc77fddfafa75d8442c4a19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
3f94ec77dd19095fd7f08a8d15e27476

SHA1
924a65c9c9b36aa429bf0963c507c627202b3320

SHA256
c6e4c42171a4b0c9d60fd36079a0d9607a4bdfffc6155849196bb44f6234be2b

SHA512
8d3e30d264904b88b180f416d5b270f8d28ec898b67067526d122cf0a2f853797cb7889ad209f1e8c57dabb4b44c864d3de1f4befb7186441e85652aee7d6bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
6f0f9ef90e0b985bd3d324cc15a52d3d

SHA1
8244cab6ddd426d72d4497ae3304e896d9f9fca3

SHA256
1f8b687601774c85ab16df27e62690a7781d9b860143df96bdd4dc3f1020c67d

SHA512
6574083b61f6f867693d69a352e9984448a9398ed334e6234b3c880c5458cb8e9f86a81f2733254f1a01c189460974c9ce869ff8ddf36e66ac3b733724af4ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
050ff01db1bad544aba29caf156f6057

SHA1
704b5601c57f4e88143ad597e3a44734fb5f2391

SHA256
ee5eca952d0474ade7563f5c92f95837ddd1a9944848e183415f65028a6f8836

SHA512
373e6938d807a559ccc4800dbecee6529eebfdd6900dc639b1daec9c51313d01298496ef6bf51c86de471d37c4292221a02edcfa449f6f8c58a26cd2c430da91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
8f6841ae9ecf33be3aad4e01e9c80f17

SHA1
9659734202f969338f3516f72ab43402ce5daccb

SHA256
ebd7c8416530f8b7fd7ad623c7e825a3375b7b52ffd639a99c59adf90ce57aaa

SHA512
7effff98fe3b8b8d82cf31ec1d0f65f02bf06e15919c38bbf29b4c27039856b9e86df744fd96382c6ab7c1daa287e96140301b364a14b3b0f45eac5987adf614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
9d42cf15b3c3a487be7c35b9c31f9b56

SHA1
59260c26e091642bd59ce5f84218669bc99b1b52

SHA256
da4e717ded8d8c640ab51885142eb90431f4a309dd73820b9124dcfae6aa5c93

SHA512
39c1f68dff8d7602d0817c415bf548840453bce2603562c05ae42a3399b96fe49dabea895723d82ee9f702bb3dca95a36e434f07eb18fb72711514acbc9302c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\Downloads\Ana.zip

Filesize
1.8MB

MD5
cb6e4f6660706c29035189f8aacfe3f8

SHA1
7dd1e37a50d4bd7488a3966b8c7c2b99bba2c037

SHA256
3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

SHA512
66c3351ce069a85c9a1b648d64883176983acd34c0d5ca78b5138b7edc2890b34408e8e6fa235258d98c105113d1978a68a15262d6523a82abb004f78b06de38

Download Submit
C:\Users\Admin\Downloads\Cerber 5.zip

Filesize
181KB

MD5
10d74de972a374bb9b35944901556f5f

SHA1
593f11e2aa70a1508d5e58ea65bec0ae04b68d64

SHA256
ab9f6ac4a669e6cbd9cfb7f7a53f8d2393cd9753cc1b1f0953f8655d80a4a1df

SHA512
1755be2bd1e2c9894865492903f9bf03a460fb4c952f84b748268bf050c3ece4185b612c855804c7600549170742359f694750a46e5148e00b5604aca5020218

Download Submit
C:\Users\Admin\Downloads\Cerber 5\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
memory/1980-491-0x0000000000450000-0x00000000004E3000-memory.dmp

Filesize
588KB

Download
memory/1980-492-0x0000000000450000-0x00000000004E3000-memory.dmp

Filesize
588KB

Download
memory/1980-488-0x0000000000450000-0x00000000004E3000-memory.dmp

Filesize
588KB

Download
memory/1980-484-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3136-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-509-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download