cerber | 38e602bbf54ad86da02ff83c6324574bb330912252aab0b6291661eec3d8a3de

Analysis

max time kernel
44s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MesquitaSp00ferV7.exe
Size

3.4MB
MD5

cbcc049160c46b78bf10465a16d9e784
SHA1

1e2139e3995d9c1e47c032f3e260a172bdef1602
SHA256

38e602bbf54ad86da02ff83c6324574bb330912252aab0b6291661eec3d8a3de
SHA512

07bbc9fe94acd66c0b91cabeff6805cfe6898ee580f9e053013f40911768d2da0f2bc1338b3132ad97b5593a022b5dcd7d121661c5a614b506564cb5fbc4ca71
SSDEEP

49152:j6zx+pSFtoalhcGRVtfyz8PgqSLumRdJ46issnR5MtAxToDF0BtWk5Q:kiW7pLtg8PUKmq9LAWoB0B

Score

10^/10

cerber discovery evasion execution persistence privilege_escalation pyinstaller ransomware themida trojan upx

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5992	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LmHKCRcINrWqzvzHOwIPOTTHxPXES\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\LmHKCRcINrWqzvzHOwIPOTTHxPXES"	nprojecto.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 62004f00320048005300200020002d002000650000000000	applecleaner.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MesquitaSp00ferV7.exe

Executes dropped EXE 27 IoCs

pid	Process
3520	AMIDEWIN.exe
684	AMIDEWINx64.exe
3944	Activation.exe
872	Anti_Debug.exe
2448	DMIEDIT.exe
1472	EQU8_Blocker.exe
3632	GPU-UUID-Changer.exe
3960	GPU.exe
4296	Scripthook_bypass.exe
3648	Volume.exe
3324	applecleaner.exe
1584	destra.exe
1372	extd.exe
4000	identity_data.exe
3960	identity_data.exe
3616	log_helper.exe
768	log_helper.exe
4200	map.exe
1868	map_1.exe
3612	map_2.exe
4456	mapper.exe
1660	nprojecto.exe
3936	oi.exe
1088	system_utils.exe
2028	system_utils.exe
5744	system_fingerprint.exe
5884	system_fingerprint.exe

Loads dropped DLL 25 IoCs

pid	Process
3960	identity_data.exe
3960	identity_data.exe
3960	identity_data.exe
3960	identity_data.exe
3960	identity_data.exe
3960	identity_data.exe
768	log_helper.exe
768	log_helper.exe
768	log_helper.exe
768	log_helper.exe
768	log_helper.exe
768	log_helper.exe
2028	system_utils.exe
2028	system_utils.exe
2028	system_utils.exe
2028	system_utils.exe
2028	system_utils.exe
2028	system_utils.exe
5884	system_fingerprint.exe
5884	system_fingerprint.exe
5884	system_fingerprint.exe
5884	system_fingerprint.exe
5884	system_fingerprint.exe
5884	system_fingerprint.exe
5884	system_fingerprint.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000700000002343d-181.dat	themida
behavioral1/memory/3324-191-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp	themida
behavioral1/memory/3324-206-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp	themida
behavioral1/memory/3324-205-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp	themida
behavioral1/memory/3324-204-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp	themida
behavioral1/memory/3324-209-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp	themida
behavioral1/memory/3324-373-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp	themida
behavioral1/memory/3324-532-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002343f-197.dat	upx
behavioral1/memory/1372-200-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/1372-208-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
404	powershell.exe
4364	powershell.exe
4140	powershell.exe
560	powershell.exe
1096	powershell.exe
3612	powershell.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5336	cmd.exe
5356	ARP.EXE

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	applecleaner.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3324	applecleaner.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\IME\EQU8_Blocker.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\log_helper.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\AMIDEWIN.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\DMIEDIT.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\nprojecto.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\system_fingerprint.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\AMIDEWINx64.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\GPU-UUID-Changer.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\destra.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\extd.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\mapper.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\system_utils.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\Activation.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\map_2.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\registry_helper.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\lgsvcl.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\DMI16.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\map.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\map_1.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\oi.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\FiveM_Cleanerino1.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\Volume.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\applecleaner.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\identity_data.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\Anti_Debug.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\GPU.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\Scripthook_bypass.exe	MesquitaSp00ferV7.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023440-215.dat	pyinstaller
behavioral1/files/0x0009000000023445-282.dat	pyinstaller
behavioral1/files/0x000a000000023444-399.dat	pyinstaller
behavioral1/files/0x0003000000000735-537.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Volume.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	destra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MesquitaSp00ferV7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMIDEWIN.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3268	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs = "ScSI\\e3Rom"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs = "S5SI\\3isk"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs = "SbSI\\bisk"	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID = "S0SI\\0eRomQcMU____Q2MU_9V8-ROM____4.5+"	GPU-UUID-Changer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName = "QOMU Q6MU zVm-ROM"	GPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	GPU.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID = "S4SI\\e8RomMs1t____Virtu3l_2Vc-ROM_3.1_"	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID = "SdSI\\b9RomMsft____Virtubl_5V9-ROM_5.7_"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs = "S9SI\\eaRom"	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	GPU-UUID-Changer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	GPU-UUID-Changer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs = "SfSI\\iisk"	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs = "S2SI\\55Rom"	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	GPU.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	GPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID = "SMSI\\X&RomQCMU____QyMU_gVX-ROM____u.Y+"	GPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID = "S2SI\\3iskW05__________W9S7e9T989db.e+"	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs = "S0SI\\b5Rom"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID = "S2SI\\57RomMs2t____Virtufl_4V4-ROM_7.8_"	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	GPU.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName = "WgC WbS2C&Tx0Ej"	GPU.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID = "ScSI\\ciskWd0__________WbS443Tb43ff.1+"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID = "SKSI\\agRomMsVt____Virtuxl_tVE-ROM_6.N_"	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName = "@nbrom.inC,%ISO_GBnfri#_vri0nClyN0mo%;MiBrosobt Virtuzl uVq-ROM"	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs = "S2SI\\1LRom"	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs = "SISI\\q&Rom"	GPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	GPU-UUID-Changer.exe

Checks processor information in registry 2 TTPs 50 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = 43336b16cf697a1c67dcad1dd77b4b16	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\8	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\13	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\14	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\8	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\9	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = bb11adae248879fe52db2543e53cf445	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = 903828d1d96ca1665e4ee1309cfed971	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\11	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = 5b13ad882e0bbdbab757626ef5cbb4aa	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = cfd3902d48d38f75e6d91d2ae5c0f72b788187440e5f5000d4618dbe7b0515073b33821f187092da6454ceb1853e6915f8466a0496730ed9162f6768d4f74a4ad0576876fa16	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\14	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\13	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = b3d4b6b0907c41c473b1431e8a3e6a811a9f51ecb966541cbddda352f4ed9556963e3fbc77a0466681aaf14a62a08275829ac75038e3ec233da093d761b226007cdd6c1ba829	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\11	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\16	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = d3d828ce0bf5c560593d97278a59762dd0c2c9cd68d4496a792508614014b13b6aa51128c18cd6a90b87978c2ff1151d9a95c19be1c07ee9a89aa786c2b554bf9ae7d923d155	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\16	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = 00c3058f35e4a4ebb2f41ad25e139a001184e96feeb05a7af36efc42ce811251f262c37deb41130fee461225b51c53558ab0a093a136ec55aa6e89f5a7259c56fbfecdcac472	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\9	GPU.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3356	timeout.exe

Enumerates system info in registry 2 TTPs 46 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\1\DiskPeripheral	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\2\DiskPeripheral	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	GPU.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "UNKNOWN_K4Y4O0R2"	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	GPU.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "9ac8eead-befee85f-1"	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\SerialNumber	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	GPU.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "e889f440-4bc1f44e-3"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "b05ced0b-b154b491-2"	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\3\DiskPeripheral	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	GPU.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "aOkvlx9n-ta43yc3K-S"	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Serialnumber	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "UNKNOWN_KLYbOpRV"	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\SerialNumber	GPU.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "080c9aaa-47b23acd-b"	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	applecleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "54fff2e8-9c59c3df-d"	GPU-UUID-Changer.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1776	ipconfig.exe
5236	ipconfig.exe
5284	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4880	taskkill.exe
1676	taskkill.exe
3556	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 57a980c31290ca2d	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DeviceId = 42256bba	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Revision = 981216a3	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\SubSysId = 5e77fee5	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DeviceId = e72f21da	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "v1n2orI7=\"dx51dd\",a3viddI4=\"7x01\",sufSysI4=\"2x3\",r5vision=\"4x7\",v8rsion=\"db.3.f435e.9b2\"hypbrvisor=\"No Hypcrvisor (No SL7T)\""	GPU-UUID-Changer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe
656	MesquitaSp00ferV7.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
672	Process not Found
672	Process not Found
1660	nprojecto.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	MesquitaSp00ferV7.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeBackupPrivilege	3612	powershell.exe
Token: SeBackupPrivilege	3612	powershell.exe
Token: SeRestorePrivilege	3612	powershell.exe
Token: SeSecurityPrivilege	3612	powershell.exe
Token: SeTakeOwnershipPrivilege	3960	GPU.exe
Token: SeDebugPrivilege	4880	taskkill.exe
Token: SeAssignPrimaryTokenPrivilege	600	svchost.exe
Token: SeIncreaseQuotaPrivilege	600	svchost.exe
Token: SeSecurityPrivilege	600	svchost.exe
Token: SeTakeOwnershipPrivilege	600	svchost.exe
Token: SeLoadDriverPrivilege	600	svchost.exe
Token: SeSystemtimePrivilege	600	svchost.exe
Token: SeBackupPrivilege	600	svchost.exe
Token: SeRestorePrivilege	600	svchost.exe
Token: SeShutdownPrivilege	600	svchost.exe
Token: SeSystemEnvironmentPrivilege	600	svchost.exe
Token: SeUndockPrivilege	600	svchost.exe
Token: SeManageVolumePrivilege	600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	600	svchost.exe
Token: SeIncreaseQuotaPrivilege	600	svchost.exe
Token: SeSecurityPrivilege	600	svchost.exe
Token: SeTakeOwnershipPrivilege	600	svchost.exe
Token: SeLoadDriverPrivilege	600	svchost.exe
Token: SeSystemtimePrivilege	600	svchost.exe
Token: SeBackupPrivilege	600	svchost.exe
Token: SeRestorePrivilege	600	svchost.exe
Token: SeShutdownPrivilege	600	svchost.exe
Token: SeSystemEnvironmentPrivilege	600	svchost.exe
Token: SeUndockPrivilege	600	svchost.exe
Token: SeManageVolumePrivilege	600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	600	svchost.exe
Token: SeIncreaseQuotaPrivilege	600	svchost.exe
Token: SeSecurityPrivilege	600	svchost.exe
Token: SeTakeOwnershipPrivilege	600	svchost.exe
Token: SeLoadDriverPrivilege	600	svchost.exe
Token: SeSystemtimePrivilege	600	svchost.exe
Token: SeBackupPrivilege	600	svchost.exe
Token: SeRestorePrivilege	600	svchost.exe
Token: SeShutdownPrivilege	600	svchost.exe
Token: SeSystemEnvironmentPrivilege	600	svchost.exe
Token: SeUndockPrivilege	600	svchost.exe
Token: SeManageVolumePrivilege	600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	600	svchost.exe
Token: SeIncreaseQuotaPrivilege	600	svchost.exe
Token: SeSecurityPrivilege	600	svchost.exe
Token: SeTakeOwnershipPrivilege	600	svchost.exe
Token: SeLoadDriverPrivilege	600	svchost.exe
Token: SeSystemtimePrivilege	600	svchost.exe
Token: SeBackupPrivilege	600	svchost.exe
Token: SeRestorePrivilege	600	svchost.exe
Token: SeShutdownPrivilege	600	svchost.exe
Token: SeSystemEnvironmentPrivilege	600	svchost.exe
Token: SeUndockPrivilege	600	svchost.exe
Token: SeManageVolumePrivilege	600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	600	svchost.exe
Token: SeIncreaseQuotaPrivilege	600	svchost.exe
Token: SeSecurityPrivilege	600	svchost.exe
Token: SeTakeOwnershipPrivilege	600	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 3520	656	MesquitaSp00ferV7.exe	96
PID 656 wrote to memory of 3520	656	MesquitaSp00ferV7.exe	96
PID 656 wrote to memory of 3520	656	MesquitaSp00ferV7.exe	96
PID 656 wrote to memory of 684	656	MesquitaSp00ferV7.exe	98
PID 656 wrote to memory of 684	656	MesquitaSp00ferV7.exe	98
PID 656 wrote to memory of 3944	656	MesquitaSp00ferV7.exe	100
PID 656 wrote to memory of 3944	656	MesquitaSp00ferV7.exe	100
PID 656 wrote to memory of 872	656	MesquitaSp00ferV7.exe	102
PID 656 wrote to memory of 872	656	MesquitaSp00ferV7.exe	102
PID 3944 wrote to memory of 4320	3944	Activation.exe	104
PID 3944 wrote to memory of 4320	3944	Activation.exe	104
PID 3944 wrote to memory of 2636	3944	Activation.exe	105
PID 3944 wrote to memory of 2636	3944	Activation.exe	105
PID 3944 wrote to memory of 1084	3944	Activation.exe	106
PID 3944 wrote to memory of 1084	3944	Activation.exe	106
PID 1084 wrote to memory of 4364	1084	cmd.exe	107
PID 1084 wrote to memory of 4364	1084	cmd.exe	107
PID 3944 wrote to memory of 4828	3944	Activation.exe	108
PID 3944 wrote to memory of 4828	3944	Activation.exe	108
PID 4828 wrote to memory of 4140	4828	cmd.exe	109
PID 4828 wrote to memory of 4140	4828	cmd.exe	109
PID 3944 wrote to memory of 4940	3944	Activation.exe	110
PID 3944 wrote to memory of 4940	3944	Activation.exe	110
PID 4940 wrote to memory of 560	4940	cmd.exe	111
PID 4940 wrote to memory of 560	4940	cmd.exe	111
PID 3944 wrote to memory of 2464	3944	Activation.exe	112
PID 3944 wrote to memory of 2464	3944	Activation.exe	112
PID 2464 wrote to memory of 1096	2464	cmd.exe	113
PID 2464 wrote to memory of 1096	2464	cmd.exe	113
PID 656 wrote to memory of 2448	656	MesquitaSp00ferV7.exe	114
PID 656 wrote to memory of 2448	656	MesquitaSp00ferV7.exe	114
PID 656 wrote to memory of 1472	656	MesquitaSp00ferV7.exe	115
PID 656 wrote to memory of 1472	656	MesquitaSp00ferV7.exe	115
PID 3944 wrote to memory of 740	3944	Activation.exe	117
PID 3944 wrote to memory of 740	3944	Activation.exe	117
PID 740 wrote to memory of 3612	740	cmd.exe	118
PID 740 wrote to memory of 3612	740	cmd.exe	118
PID 656 wrote to memory of 3632	656	MesquitaSp00ferV7.exe	119
PID 656 wrote to memory of 3632	656	MesquitaSp00ferV7.exe	119
PID 656 wrote to memory of 3960	656	MesquitaSp00ferV7.exe	121
PID 656 wrote to memory of 3960	656	MesquitaSp00ferV7.exe	121
PID 3632 wrote to memory of 4024	3632	GPU-UUID-Changer.exe	122
PID 3632 wrote to memory of 4024	3632	GPU-UUID-Changer.exe	122
PID 656 wrote to memory of 4296	656	MesquitaSp00ferV7.exe	124
PID 656 wrote to memory of 4296	656	MesquitaSp00ferV7.exe	124
PID 3960 wrote to memory of 2872	3960	GPU.exe	126
PID 3960 wrote to memory of 2872	3960	GPU.exe	126
PID 656 wrote to memory of 3648	656	MesquitaSp00ferV7.exe	127
PID 656 wrote to memory of 3648	656	MesquitaSp00ferV7.exe	127
PID 656 wrote to memory of 3648	656	MesquitaSp00ferV7.exe	127
PID 2872 wrote to memory of 1552	2872	cmd.exe	129
PID 2872 wrote to memory of 1552	2872	cmd.exe	129
PID 1552 wrote to memory of 4140	1552	net.exe	130
PID 1552 wrote to memory of 4140	1552	net.exe	130
PID 3960 wrote to memory of 560	3960	GPU.exe	131
PID 3960 wrote to memory of 560	3960	GPU.exe	131
PID 656 wrote to memory of 3324	656	MesquitaSp00ferV7.exe	132
PID 656 wrote to memory of 3324	656	MesquitaSp00ferV7.exe	132
PID 656 wrote to memory of 1584	656	MesquitaSp00ferV7.exe	134
PID 656 wrote to memory of 1584	656	MesquitaSp00ferV7.exe	134
PID 656 wrote to memory of 1584	656	MesquitaSp00ferV7.exe	134
PID 656 wrote to memory of 1372	656	MesquitaSp00ferV7.exe	136
PID 656 wrote to memory of 1372	656	MesquitaSp00ferV7.exe	136
PID 1584 wrote to memory of 3112	1584	destra.exe	138

C:\Users\Admin\AppData\Local\Temp\MesquitaSp00ferV7.exe
"C:\Users\Admin\AppData\Local\Temp\MesquitaSp00ferV7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\IME\AMIDEWIN.exe
  "C:\Windows\IME\AMIDEWIN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3520
- C:\Windows\IME\AMIDEWINx64.exe
  "C:\Windows\IME\AMIDEWINx64.exe"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\IME\Activation.exe
  "C:\Windows\IME\Activation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
    3⤵
    PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
    3⤵
    PID:544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
    3⤵
    PID:444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat
    3⤵
    PID:3268
- C:\Windows\IME\Anti_Debug.exe
  "C:\Windows\IME\Anti_Debug.exe"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\IME\DMIEDIT.exe
  "C:\Windows\IME\DMIEDIT.exe"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\IME\EQU8_Blocker.exe
  "C:\Windows\IME\EQU8_Blocker.exe"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\IME\GPU-UUID-Changer.exe
  "C:\Windows\IME\GPU-UUID-Changer.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c exit
    3⤵
    PID:4024
- C:\Windows\IME\GPU.exe
  "C:\Windows\IME\GPU.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\net.exe
      net stop winmgmt /Y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop winmgmt /Y
        5⤵
        
        PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c exit
    3⤵
    PID:560
- C:\Windows\IME\Scripthook_bypass.exe
  "C:\Windows\IME\Scripthook_bypass.exe"
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\IME\Volume.exe
  "C:\Windows\IME\Volume.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3648
- C:\Windows\IME\applecleaner.exe
  "C:\Windows\IME\applecleaner.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Checks system information in the registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    PID:4976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3268
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
    3⤵
    PID:3744
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Battle.net.exe
      4⤵
      Kills process with taskkill
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://applecheats.cc
    3⤵
    PID:1236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa0f6246f8,0x7ffa0f624708,0x7ffa0f624718
        5⤵
        
        PID:684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,13909189816821858882,762107140651266743,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        5⤵
        
        PID:3352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,13909189816821858882,762107140651266743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        5⤵
        
        PID:3780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,13909189816821858882,762107140651266743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
        5⤵
        
        PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13909189816821858882,762107140651266743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        5⤵
        
        PID:2888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13909189816821858882,762107140651266743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        5⤵
        
        PID:2964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13909189816821858882,762107140651266743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13909189816821858882,762107140651266743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
        5⤵
        
        PID:3880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13909189816821858882,762107140651266743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
        5⤵
        
        PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1
    3⤵
    PID:5644
  - - C:\Windows\system32\netsh.exe
      NETSH WINSOCK RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1
    3⤵
    PID:5800
  - - C:\Windows\system32\netsh.exe
      NETSH INT IP RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1
    3⤵
    PID:5976
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1
    3⤵
    PID:6028
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE IPV4 RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1
    3⤵
    PID:6072
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE IPV6 RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1
    3⤵
    PID:6120
  - - C:\Windows\system32\netsh.exe
      NETSH INTERFACE TCP RESET
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1
    3⤵
    PID:4304
  - - C:\Windows\system32\netsh.exe
      NETSH INT RESET ALL
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
    3⤵
    PID:1868
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /RELEASE
      4⤵
      Gathers network information
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
    3⤵
    PID:3484
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /RELEASE
      4⤵
      Gathers network information
      PID:5236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1
    3⤵
    PID:5248
  - - C:\Windows\system32\ipconfig.exe
      IPCONFIG /FLUSHDNS
      4⤵
      Gathers network information
      PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1
    3⤵
    PID:5260
  - - C:\Windows\system32\nbtstat.exe
      NBTSTAT -R
      4⤵
      PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1
    3⤵
    PID:5304
  - - C:\Windows\system32\nbtstat.exe
      NBTSTAT -RR
      4⤵
      PID:5428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
    3⤵
    - Network Service Discovery
    PID:5336
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
    3⤵
    PID:5368
  - - C:\Windows\system32\ARP.EXE
      arp -d
      4⤵
      PID:5384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
    3⤵
    PID:5400
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
      4⤵
      PID:5408
- C:\Windows\IME\destra.exe
  "C:\Windows\IME\destra.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EF03.tmp\EF04.tmp\EF05.bat C:\Windows\IME\destra.exe"
    3⤵
    PID:3112
  - - C:\Windows\system32\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:3356
- C:\Windows\IME\extd.exe
  "C:\Windows\IME\extd.exe"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\IME\identity_data.exe
  "C:\Windows\IME\identity_data.exe"
  2⤵
  - Executes dropped EXE
  PID:4000
- - C:\Windows\IME\identity_data.exe
    "C:\Windows\IME\identity_data.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3960
- C:\Windows\IME\log_helper.exe
  "C:\Windows\IME\log_helper.exe"
  2⤵
  - Executes dropped EXE
  PID:3616
- - C:\Windows\IME\log_helper.exe
    "C:\Windows\IME\log_helper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:768
- C:\Windows\IME\map.exe
  "C:\Windows\IME\map.exe"
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\IME\map_1.exe
  "C:\Windows\IME\map_1.exe"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\IME\map_2.exe
  "C:\Windows\IME\map_2.exe"
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\IME\mapper.exe
  "C:\Windows\IME\mapper.exe"
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\IME\nprojecto.exe
  "C:\Windows\IME\nprojecto.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  PID:1660
- C:\Windows\IME\oi.exe
  "C:\Windows\IME\oi.exe"
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\IME\system_utils.exe
  "C:\Windows\IME\system_utils.exe"
  2⤵
  - Executes dropped EXE
  PID:1088
- - C:\Windows\IME\system_utils.exe
    "C:\Windows\IME\system_utils.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2028
- C:\Windows\IME\system_fingerprint.exe
  "C:\Windows\IME\system_fingerprint.exe"
  2⤵
  - Executes dropped EXE
  PID:5744
- - C:\Windows\IME\system_fingerprint.exe
    "C:\Windows\IME\system_fingerprint.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
8fe7bd6cd1d64bcdabbf2e2ae72c5a28

SHA1
5e1080c3b8cc4c5bffc73ffe6d45fa073335d0de

SHA256
5054cd4d79ca09e90169cdaee05c1e3dfc5d6fa1ad1275e11fd094521fed3fb8

SHA512
658004888ba70fa4a8c4b573d439496532c08b81afdc0b2419187c2ec9f3e42408d9a7c2bd2c73efd06fd5ada7ea57e1bb5d188e57ead32a7c0c900a82099f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
dd3e43fa85b0177154da34f1c60d65dd

SHA1
f644f896b59cd2ef3c08f7dba5a9b4ca89b479c0

SHA256
8e158de2262cdc25fd8e60db63a33193e4806fbceea37d164b2e013394f4e069

SHA512
01cc2f958a1e77ff64b8e5a64361d8cac26d30919a3687a994865059d7995267234af2bdb4739f282559bd7c7967158486aea4889e1037c7a7d5fde86a7c712e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
555B

MD5
e7e4b8b8c00d44c102033aa47cd55a5f

SHA1
513711f4a2809e9bdf9c9e4e6173756ce6828c39

SHA256
b79147ae60e53da40802c6b1e3819ae3d8ed1c4ed7661421a221c3612b59cd13

SHA512
9b1c675eaca4da6b59462b3a3383a61a59ab111b3e46f4567b1043c991e6a68ed508c87403050ed9b89523a1633342aaa1bd4c4f214d6ba06579b1110765c302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
808a0a2ea0c41a9df4aaa40cb63f0d30

SHA1
9756db857e505cefd2861245c2cec37bd010781b

SHA256
aa3233e3ad64ad2a361931466b259656088d70fcf78ac3c447db3665044d8e0a

SHA512
db89f780b6aa80eed3d183d7da7dd8d85c42c22d0cf49e96bd97cd8b97a1ca18ca53eaad2dd5d215e4e6f4f79f8b6222937ab0796828b9069aa281a90e54e25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7e1f779ccf97792c12ea99d391357e4

SHA1
9048cdb84ae46faf2f1ab4f4c515be89251b860c

SHA256
9acd7b6af490274487c859a41dc15acea48caa3a1e7b6ecc07c7f5c55c62d52b

SHA512
4f48251e3d3bbd7beb3e767e4115e074b9a48b530634e27a61b5c4cb0023bed2b2184cccd11c765b3f73579cd17a4bcd9ec4c58cd16f76daa357be25de6a1710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
52aa1a462f3fb1cd1238cf2bf899c7f1

SHA1
8129c16cef6db3d1b4a30c9c376f7b3a9494bca0

SHA256
1eb9bd80908bb0f69a35dd902f9b9ef32933803e2d4ed8b47e54c295f7e38311

SHA512
8cef0cad8e2f6dc9df56a06ed63a2e7ba6ac97ef0efcd23c90f5f16381224ba6aafdcfc3d2e1456cfdf5dc058dc65a0fa461d7e5859b7b56932bee71fb4e2069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eeb7a77d00f2376f1f8e2ffd991e1f02

SHA1
e5adf8d83ac1d14a77d39c45e029e02eb61bf998

SHA256
5384efe3fbae8d7fb9beb97680153faad0cf5c47af5d5d43b253e2d381d9c635

SHA512
7f1872095f1916cace083fd0dfcf65e6e85a831be9af5cecb0c67fb76e1bc231012f1e671f4bcd81d0aaa1941e038ec45b7ba3db6ecd791edea904d824c3444b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc60145f17109e59040759362b19f298

SHA1
2defc98f1598b6e4b585a7d682b9ddc01e21c2fa

SHA256
6ca0e4fd10c92f4cd55d32b0c3aa9cbbc8c9bf659d3eccc2fb07ccd282b9553a

SHA512
0fc7faf670cf3b655dc37a5cbd64ddf124d165973cc4e17a35df0ad3d05fa15011a6135848172be70b07c3f8d7b960df383945c69707786d5cf62c3ec2cf5977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc7186643fbc0e2f483b494a3087209b

SHA1
d2e89d822e81c33f7f2777acb83080fdee80ccc8

SHA256
a366742fffd678f591607f3cf4873f33049f3bcad304bdd5a03d169bac96fe5c

SHA512
98b7623056b9af33d386a6f0a4bd7da7131b40fff2629a83fcb51c8005399b5afc42e9ba4589d4ce902ad8b39261ee1abb089d5d78a33d688d2905e58cc0361e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
172272024885b5b7ec8e5a3584c551b6

SHA1
4aba901844943a56710351ff599f5b1cbd888eea

SHA256
4728cb6af2157e7922c883706f9cb96f6a341f9556cfc932b534ee334788d1b4

SHA512
d2f0c99212f3aa6a4a17332e3d02f4f93cd1bc555cebf3f8784a686fb18f5049658ff24ece09a464dd709f0b7348300be2901cfa9e3d1b659cb2408788dd2f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eaeef76231f02156072374ea60b6c4dd

SHA1
45fa5161c4ecbb2e584f0832fae00cecf5807b69

SHA256
1579d8f2ecdac34e475d4a3aa5d4ea1b536d808c481b9081b80f3824417b692f

SHA512
79bf5967e7337cb29e7e3d903934b2c163a10b73cf8f0cf29ad04ae9cbde5ad29fa0231438051dabc98d23e05d4ade8da266837f87b88b655b6f3357374ae3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF03.tmp\EF04.tmp\EF05.bat

Filesize
228B

MD5
41f4f3570c9a7eb2d5146ad51ed2b8c6

SHA1
01e21461208a6af14c9219b258d313878d202ee1

SHA256
c492710f0badce9c62d2568e7a5d85d55e2112a716da32e6ce151417ba407c8e

SHA512
b33e5d71df455c2dfc1c6e41e259176bf12dbcd057dd7095adac77ba6c0d9e956af9a7346f0919e1145898757259f2e18cc620beec340e5cf204f2d9df71ea3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36162\base_library.zip

Filesize
812KB

MD5
a928becdfac91f1d4407812a6057e55d

SHA1
c0fe8327b62290dae4d26e7c9a68c92790337616

SHA256
8d62379941335d3b87f9eb3d8d9a83e7e84630c305dee477aed9b3a78ca444e9

SHA512
600210e0bd4162e2122bc2499d803d7972582504578ea6d7b9abfbd8d8b377563f3f7b3b73701acf6e411cc4d838726a0c4805415d192b7eff6365d39a468d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40002\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40002\_ctypes.pyd

Filesize
116KB

MD5
92276f41ff9c856f4dbfa6508614e96c

SHA1
5bc8c3555e3407a3c78385ff2657de3dec55988e

SHA256
9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850

SHA512
9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40002\_socket.pyd

Filesize
73KB

MD5
c5378bac8c03d7ef46305ee8394560f5

SHA1
2aa7bc90c0ec4d21113b8aa6709569d59fadd329

SHA256
130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9

SHA512
1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40002\base_library.zip

Filesize
812KB

MD5
5b2b482b287015240f296c370e6f9e11

SHA1
f824af57523ac8eae77316cc650f2646d03ee955

SHA256
06f91f55b0891c1f5c0bf18e553d73a37fb9b402e74dea30996137361a9a143e

SHA512
233330f66f8e7ce538438679e5f3c5361ebc427f2dc8dfbac52a1cfb7e1eb11f8a80a2b8f8082b9e3705d4465fcf96b4e6597c12553ca00abb1246de7419c229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40002\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40002\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40002\select.pyd

Filesize
25KB

MD5
63ede3c60ee921074647ec0278e6aa45

SHA1
a02c42d3849ad8c03ce60f2fd1797b1901441f26

SHA256
cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5

SHA512
d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x30kbwqm.r2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\IME\AMIDEWIN.exe

Filesize
148KB

MD5
182ec3a59bd847fb1bc3e12a41d48fa6

SHA1
2f548bceb819d3843827c1e218af6708db447d4b

SHA256
948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa

SHA512
91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

Download Submit
C:\Windows\IME\AMIDEWINx64.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\IME\Activation.exe

Filesize
31KB

MD5
ef51cf406fe437cca81d6db6408bec7e

SHA1
899ccfa895acc0f770307e767a1cd1c5ef342310

SHA256
59b02dc911e5aa219bfb4684aa227f7cad207e5d2daab4cdf6df276882f8a12e

SHA512
1afb254e5f507040e72306200bb35bf0fd633310ef0ac5d9e46ed016d7acf097fdbe0b7b9554e1d9d2152f4794803307005d0f692404b0e55f6d73abcce268a7

Download Submit
C:\Windows\IME\Anti_Debug.exe

Filesize
18KB

MD5
fff2deb4eb8fa1becdeeb8a2a19a9ca4

SHA1
1d91c5c5de2e74609786ff750ba25f0863e54c94

SHA256
f42dde7132cb296715629512d205c5c81e374664f6a18da77dbfa161894fab63

SHA512
5856c46aca0ab668ce15d50e12371f3597cb891409ee3479611762fc1bed0dac49df2319d6fd179067b97d3680b34e5dcb941a33f00e2ee8d0b9f55779eb396f

Download Submit
C:\Windows\IME\DMI16.exe

Filesize
30KB

MD5
2a89d4e479351022ab8bd604030a76f3

SHA1
ad1d39fd38fafaae4d77eed5f1c67f665686736d

SHA256
28e6e1908f2996af9b7a9930f13d4c770d6963425df0869ce4bcdb1442a4a917

SHA512
0fb48aaeeedb5a96246ffd80c167f501ff2f5a08cf8d2dbf63373666c6f3394244395e05e49b68fedf02c2a3df75ad6ba4223f0066c350993233cf218da83e43

Download Submit
C:\Windows\IME\DMIEDIT.exe

Filesize
3.2MB

MD5
fbaf6262fd84f9966338518d4de46fdd

SHA1
291d481e3b42029e157e7c60febc8fe67cd50cf1

SHA256
5d37e5e7ce01549965bf2166adcba33d1e2c4bd2c90711032f3987b58452ce49

SHA512
5d8cc6e1ab85fae8d9a5ffa83cecc2608b1fbbb28b9e80afe2dc6f7d46b657d489e03f75e42fc147d49313b3a41ad768fd0f320a905cbc41d767c0fc3c3d9d7e

Download Submit
C:\Windows\IME\EQU8_Blocker.exe

Filesize
17KB

MD5
c657c027cd0283ea61545065ad42bf09

SHA1
f99af7cf296b2fd2da339b7c64a9441dd21335bb

SHA256
849eff74cd7b9c0928e9f1696257b66509fad8077d408b8c83aeb243599ec0c7

SHA512
983e26103af269697db752f45b589cd1519c7596e4d991aa7d23c6d9f2f7631588147bcd94d2f0138faee93a7e6692f78f866372008303e04263b1ca6441b089

Download Submit
C:\Windows\IME\FiveM_Cleanerino1.exe

Filesize
106KB

MD5
1e71acd7df04fb6ce6e34e90b5bf32b1

SHA1
80fa2ec3c72a1c1c6439c9171f35fb35c3bd2519

SHA256
24bc98f9a5c6f024ec76d9c6cd6fea09ece564c63cc88b31fd0040f9f8a79080

SHA512
968b8ca75dc8f3ebb2d32637652e1a9558f26b02ddda7a01439723823b4e9c2192aafe57be102a85c34be2b516bc26f3046ff65a915b4d249beea0d60adb3a25

Download Submit
C:\Windows\IME\GPU-UUID-Changer.exe

Filesize
174KB

MD5
f2ca790528e739c7657a9ac1ccc6c98c

SHA1
83b9157784ffdeb80f4d58b6203c1f5cbc0b1558

SHA256
299bf060362f1afe65c27cf7751d9cfb8cf9b49842179cb473b774cd45b91e02

SHA512
b56e7bafcfc334baad9d0cc1c41b74a800a0cf2de47bda3a60a9eb3e64cf4086d7c6911c7c6b1d1bf8cac81fb0a98e162d8cedbffab8303e4c218d9567286a70

Download Submit
C:\Windows\IME\GPU.exe

Filesize
172KB

MD5
0804fc6cd6f229bf70189709ab457681

SHA1
a40d620571c1468b7b5b78831a07cbb9c3416473

SHA256
67303b02b3e1b3f5a5a37713c58cdd0385b09bd2f822e6f0ac71127134f80afb

SHA512
3283188fabf8d53005d733e3ff461da9ce15495870d4456bc453e4311b37d5e263da7bc416128a220b489407669e1d39dd8c234acbe985c6467a9d1873f9349d

Download Submit
C:\Windows\IME\Scripthook_bypass.exe

Filesize
18KB

MD5
9e6b2acbdaa7c89f30e2db243f88f114

SHA1
13bc14b043288cb0313cded5a209ff1eea2f28a3

SHA256
64b6fa6c6d2cd4056c960707bc6f2d98d5ce2bcb95faeada62f4bb3326d52c5f

SHA512
2bd350f03cb4da46e4b8473906e0df2e60c91f5858160f5462dde2dd9b14e680df083dcd920251f0c2b44224657ea93a3d37b2b6f536ac3779c209fafdcb6573

Download Submit
C:\Windows\IME\Volume.exe

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
C:\Windows\IME\applecleaner.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Windows\IME\destra.exe

Filesize
89KB

MD5
af5d32242f7f166560403bf25b81d9ff

SHA1
3c0c158faf00b973c5e70e257b99cc1d2709e881

SHA256
2106abc313ee98ee288d6e67ffab444c723f704e09d441dc49411544899b59c2

SHA512
33dcac1e6311bcefe387891b02073fc9da97309aade3d1381639c4e604cb16efc9a24fc8defa146462afd59b461921d192accbd516d622c1ec31ffe1c01badd9

Download Submit
C:\Windows\IME\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Windows\IME\identity_data.exe

Filesize
6.8MB

MD5
092606046d03650e00361db36f3204d4

SHA1
e1a914431fdc8ecafaa4ebc332bb9ab366f7851d

SHA256
640f31861079f27a010158ecda0fb74a81be9801a8de311bb23e94ffc82e3562

SHA512
dacc42705f2d8cf2316b653cc47ceada7018900bb5e415f83fc83d21867e4923e6829f19fd77356f3c5dc3033113d19161b752f2692148c6ead7e7005bdcefec

Download Submit
C:\Windows\IME\log_helper.exe

Filesize
6.6MB

MD5
888ca44b82899b0d51bc51494dffefd0

SHA1
a1c292570abca1bee3d66c3e6b4f34d67cc57416

SHA256
5c9abf1192e0a0260f3b14c8bb15e39291d91a87dc2e3f2bac69bf8b17e14917

SHA512
735345683ab63c302fa23805cecc221b9e3966629aa187822fd1ba7745a7813c66f1de17039b16226e5f499c0ec5026f9231e52cb281904090d4f06066fe6e04

Download Submit
C:\Windows\IME\map.exe

Filesize
151KB

MD5
e78ceacaa734a3ddfe71fc237bfbd293

SHA1
dfb775c1d371778141caa6631f93c785f329d5c9

SHA256
6de739479ad5c9d61fe6198d4579e3120f47d8a12abe759d02a02a829cb8f821

SHA512
b133023fe345485cd94ac165f883e41710aed4ba389ab60990c1976440a5db1a32eb1148e1a242c4dfe40e930fe07189bf786f9f230eab7dc649c578e54fb7ca

Download Submit
C:\Windows\IME\mapper.exe

Filesize
120KB

MD5
d541398a31a6139b3f808f91523b6544

SHA1
a36d6104d718cc4e0958c83a6c68cee201e771be

SHA256
b5bc20e8c75b57c4fd5c6c1454d045d100c1122410ac6ffa049e48a5ded1641e

SHA512
d34288db7e90353bdac72193c0b3ee8fe2ec6c4ecef5e7667ccd8a219d1441f484717f835fa22d7b8afc03147af27b5f3b698218caef4d82d1d50d4a01102cc6

Download Submit
C:\Windows\IME\nprojecto.exe

Filesize
385KB

MD5
f3d376470f405c6c59a3c22fb04297a2

SHA1
5486ac65958518fcabe26db7c2de76db2d4252a8

SHA256
66572f91a658ebc6b3c87144f633278123cab7d4a69bffa14f1b49d527cb4ac1

SHA512
8a5096dc761a80dba9a03aed8098107cad8a7004cebfe2f6721ea5346de2841605b0ebf975a7a63e014ab69e61fc4bb40cb259f871689803b0c873eda46409c3

Download Submit
C:\Windows\IME\oi.exe

Filesize
106KB

MD5
6653ada4e227a621637803a853a3cc9a

SHA1
bf72deef66857a6f165b3a168eb2d12549c49be3

SHA256
75b833939231b9f6c4b72bc5cff1aedd38a32941076104fe0d2f52bf124fbc8f

SHA512
96393e6a434d411f17e44a6ce65f73187c279d76d61f15a68bfe4b7559a8066b9907b15f7772c0bcd295834ec2fe3123efbeb2050899f02042457a1102c24190

Download Submit
C:\Windows\IME\system_fingerprint.exe

Filesize
6.8MB

MD5
ecb2e9a3d7d3b2f3894f6b9e4d2a299f

SHA1
668ace2a5c59265c5fb95a0c9816f03d21e9f2b8

SHA256
868e174f3b00ec9077a4dc834e04a11046a12e1058e6be2050d5bab40695fca9

SHA512
246df0da02cb329aedb60f03d0a33d70cb840881dded5538b4c56033c074ef1f0e4a95fdf093a2e7bbab548e4a4878dfa33f753188f34be1c064bd5b6170a027

Download Submit
C:\Windows\IME\system_utils.exe

Filesize
6.6MB

MD5
610f9af74729b3da350e199bc4a65381

SHA1
60d0d15b570c7531579b26feee72d579aa09dfa8

SHA256
bdb08f5ae158806fc7c276392c889fcc44b11ab9cd9c29550ff8e7b4f331c560

SHA512
f32361e12f2e3c1bed6b2ea56b1989f02a11f26cf1d8424bb2c2791dc66fd843ba98434802440baf849d855ee3fa15ce5a833979d402f5a54054adaadb1bf963

Download Submit
memory/656-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp

Filesize
4KB

Download
memory/656-5-0x0000000005890000-0x000000000589A000-memory.dmp

Filesize
40KB

Download
memory/656-13-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/656-12-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/656-11-0x0000000006C70000-0x0000000006C84000-memory.dmp

Filesize
80KB

Download
memory/656-10-0x00000000097B0000-0x00000000098FE000-memory.dmp

Filesize
1.3MB

Download
memory/656-9-0x0000000074E0E000-0x0000000074E0F000-memory.dmp

Filesize
4KB

Download
memory/656-1-0x0000000000B20000-0x0000000000E92000-memory.dmp

Filesize
3.4MB

Download
memory/656-2-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/656-8-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/656-3-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/656-4-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/656-6-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/656-7-0x0000000006A70000-0x0000000006AAC000-memory.dmp

Filesize
240KB

Download
memory/1372-200-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1372-208-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3324-373-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp

Filesize
9.6MB

Download
memory/3324-206-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp

Filesize
9.6MB

Download
memory/3324-205-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp

Filesize
9.6MB

Download
memory/3324-204-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp

Filesize
9.6MB

Download
memory/3324-209-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp

Filesize
9.6MB

Download
memory/3324-532-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp

Filesize
9.6MB

Download
memory/3324-191-0x00007FF7699C0000-0x00007FF76A362000-memory.dmp

Filesize
9.6MB

Download
memory/4364-67-0x000002BA790F0000-0x000002BA79112000-memory.dmp

Filesize
136KB

Download