cerber | 4ac03a28ad39f04b02cabc654b1946b431ada3c5198a13e07515933f82c80be3

Analysis

max time kernel
10s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bios.exe
Size

11KB
MD5

4947bbea7829d84e405306175cb159fa
SHA1

b3b8f5b43e41ecbba35f04c16b964578b5c1c083
SHA256

4ac03a28ad39f04b02cabc654b1946b431ada3c5198a13e07515933f82c80be3
SHA512

265ff6398d64015da2da70f512c5f1386a98245ce4d6ac09a623aa805fadcb602453fa05c3a260cbc9eea18f13f443d0c2769851858392e38b92ae2c29d591f8
SSDEEP

192:QFrTzy8k0JMmx8O3napbCCePC1Eq8stYcFwVc03KY:uzrMmapbCCeUEqptYcFwVc03K

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber 16 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		3968	taskkill.exe
		2664	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe
		2164	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe
		4264	taskkill.exe
		2132	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe
		1960	taskkill.exe
		2660	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		KernelMapper.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	bios.exe

Executes dropped EXE 10 IoCs

pid	Process
1512	biosshit.exe
648	KernelMapper.exe
3056	KernelMapper.exe
2844	KernelMapper.exe
1312	KernelMapper.exe
4788	KernelMapper.exe
1620	KernelMapper.exe
4768	KernelMapper.exe
3408	KernelMapper.exe
4436	KernelMapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\IME\biosshit.exe	bios.exe
File created	C:\Windows\KernelMapper.exe	biosshit.exe
File created	C:\Windows\AMIFLDRV64.SYS	biosshit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 7 IoCs

evasion

pid	Process
2660	taskkill.exe
3968	taskkill.exe
2164	taskkill.exe
2664	taskkill.exe
4264	taskkill.exe
1960	taskkill.exe
2132	taskkill.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	bios.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1512	228	bios.exe	81
PID 228 wrote to memory of 1512	228	bios.exe	81
PID 1512 wrote to memory of 800	1512	biosshit.exe	83
PID 1512 wrote to memory of 800	1512	biosshit.exe	83
PID 800 wrote to memory of 4264	800	cmd.exe	84
PID 800 wrote to memory of 4264	800	cmd.exe	84
PID 1512 wrote to memory of 2980	1512	biosshit.exe	86
PID 1512 wrote to memory of 2980	1512	biosshit.exe	86
PID 2980 wrote to memory of 1960	2980	cmd.exe	87
PID 2980 wrote to memory of 1960	2980	cmd.exe	87
PID 1512 wrote to memory of 4460	1512	biosshit.exe	88
PID 1512 wrote to memory of 4460	1512	biosshit.exe	88
PID 4460 wrote to memory of 2132	4460	cmd.exe	89
PID 4460 wrote to memory of 2132	4460	cmd.exe	89
PID 1512 wrote to memory of 4472	1512	biosshit.exe	90
PID 1512 wrote to memory of 4472	1512	biosshit.exe	90
PID 4472 wrote to memory of 2660	4472	cmd.exe	91
PID 4472 wrote to memory of 2660	4472	cmd.exe	91
PID 1512 wrote to memory of 2280	1512	biosshit.exe	92
PID 1512 wrote to memory of 2280	1512	biosshit.exe	92
PID 2280 wrote to memory of 3968	2280	cmd.exe	93
PID 2280 wrote to memory of 3968	2280	cmd.exe	93
PID 1512 wrote to memory of 3340	1512	biosshit.exe	94
PID 1512 wrote to memory of 3340	1512	biosshit.exe	94
PID 3340 wrote to memory of 2164	3340	cmd.exe	95
PID 3340 wrote to memory of 2164	3340	cmd.exe	95
PID 1512 wrote to memory of 2596	1512	biosshit.exe	96
PID 1512 wrote to memory of 2596	1512	biosshit.exe	96
PID 2596 wrote to memory of 2664	2596	cmd.exe	97
PID 2596 wrote to memory of 2664	2596	cmd.exe	97
PID 1512 wrote to memory of 1140	1512	biosshit.exe	99
PID 1512 wrote to memory of 1140	1512	biosshit.exe	99
PID 1140 wrote to memory of 648	1140	cmd.exe	100
PID 1140 wrote to memory of 648	1140	cmd.exe	100
PID 1512 wrote to memory of 4228	1512	biosshit.exe	101
PID 1512 wrote to memory of 4228	1512	biosshit.exe	101
PID 4228 wrote to memory of 3056	4228	cmd.exe	102
PID 4228 wrote to memory of 3056	4228	cmd.exe	102
PID 1512 wrote to memory of 2504	1512	biosshit.exe	103
PID 1512 wrote to memory of 2504	1512	biosshit.exe	103
PID 2504 wrote to memory of 2844	2504	cmd.exe	104
PID 2504 wrote to memory of 2844	2504	cmd.exe	104
PID 1512 wrote to memory of 856	1512	biosshit.exe	105
PID 1512 wrote to memory of 856	1512	biosshit.exe	105
PID 856 wrote to memory of 1312	856	cmd.exe	106
PID 856 wrote to memory of 1312	856	cmd.exe	106
PID 1512 wrote to memory of 3944	1512	biosshit.exe	107
PID 1512 wrote to memory of 3944	1512	biosshit.exe	107
PID 3944 wrote to memory of 4788	3944	cmd.exe	108
PID 3944 wrote to memory of 4788	3944	cmd.exe	108
PID 1512 wrote to memory of 2224	1512	biosshit.exe	109
PID 1512 wrote to memory of 2224	1512	biosshit.exe	109
PID 2224 wrote to memory of 1620	2224	cmd.exe	110
PID 2224 wrote to memory of 1620	2224	cmd.exe	110
PID 1512 wrote to memory of 3872	1512	biosshit.exe	111
PID 1512 wrote to memory of 3872	1512	biosshit.exe	111
PID 3872 wrote to memory of 4768	3872	cmd.exe	112
PID 3872 wrote to memory of 4768	3872	cmd.exe	112
PID 1512 wrote to memory of 4300	1512	biosshit.exe	113
PID 1512 wrote to memory of 4300	1512	biosshit.exe	113
PID 4300 wrote to memory of 3408	4300	cmd.exe	114
PID 4300 wrote to memory of 3408	4300	cmd.exe	114
PID 1512 wrote to memory of 4856	1512	biosshit.exe	115
PID 1512 wrote to memory of 4856	1512	biosshit.exe	115

C:\Users\Admin\AppData\Local\Temp\bios.exe
"C:\Users\Admin\AppData\Local\Temp\bios.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\IME\biosshit.exe
  "C:\Windows\IME\biosshit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im BEservice.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEservice.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /IV %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /IV 275082863202117290931119057126473115820261
      4⤵
      Cerber
      Executes dropped EXE
      PID:648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /ID %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /ID 2751213612530731353196262298415759282314005
      4⤵
      Cerber
      Executes dropped EXE
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SP %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /SP 2751213612530731353196262298415759282314005
      4⤵
      Cerber
      Executes dropped EXE
      PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SV %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /SV 2751213612530731353196262298415759282314005
      4⤵
      Cerber
      Executes dropped EXE
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SS %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /SS 2751213612530731353196262298415759282314005
      4⤵
      Cerber
      Executes dropped EXE
      PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SU %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /SU 2751213612530731353196262298415759282314005
      4⤵
      Cerber
      Executes dropped EXE
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SK %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /SK 2751213612530731353196262298415759282314005
      4⤵
      Cerber
      Executes dropped EXE
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /BM %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /BM 275152436023171226492994126910188722530420517
      4⤵
      Cerber
      Executes dropped EXE
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /BP %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    PID:4856
  - - C:\Windows\KernelMapper.exe
      C:\Windows\KernelMapper.exe /BP 275152436023171226492994126910188722530420517
      4⤵
      Cerber
      Executes dropped EXE
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /BV %random%%random%%random%%random%%random%%random%%random%%random%%random%
    3⤵
    PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IME\biosshit.exe

Filesize
27KB

MD5
61c8d9663c6a4e039841a457ecba3880

SHA1
c9e5ca30c1c52cba7db337e9d57c03ca56a3436a

SHA256
9f7e4c4687941125afd36792fe884d78a0fb96db304445e4bc9a404b2529a8ce

SHA512
0b27a8e05e34002619540c5679df0ff7ed4422e7f9bbcef9128ab840f77c73fc983ffcd898181e3cae70944c542be55b69ba296f99704072d27b538307db3b03

Download Submit
C:\Windows\IME\biosshit.exe

Filesize
27KB

MD5
61c8d9663c6a4e039841a457ecba3880

SHA1
c9e5ca30c1c52cba7db337e9d57c03ca56a3436a

SHA256
9f7e4c4687941125afd36792fe884d78a0fb96db304445e4bc9a404b2529a8ce

SHA512
0b27a8e05e34002619540c5679df0ff7ed4422e7f9bbcef9128ab840f77c73fc983ffcd898181e3cae70944c542be55b69ba296f99704072d27b538307db3b03

Download Submit
C:\Windows\IME\biosshit.exe

Filesize
27KB

MD5
61c8d9663c6a4e039841a457ecba3880

SHA1
c9e5ca30c1c52cba7db337e9d57c03ca56a3436a

SHA256
9f7e4c4687941125afd36792fe884d78a0fb96db304445e4bc9a404b2529a8ce

SHA512
0b27a8e05e34002619540c5679df0ff7ed4422e7f9bbcef9128ab840f77c73fc983ffcd898181e3cae70944c542be55b69ba296f99704072d27b538307db3b03

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\KernelMapper.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
memory/228-134-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/228-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download