cerber | 38e602bbf54ad86da02ff83c6324574bb330912252aab0b6291661eec3d8a3de

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MesquitaSp00ferV7.exe
Size

3.4MB
MD5

cbcc049160c46b78bf10465a16d9e784
SHA1

1e2139e3995d9c1e47c032f3e260a172bdef1602
SHA256

38e602bbf54ad86da02ff83c6324574bb330912252aab0b6291661eec3d8a3de
SHA512

07bbc9fe94acd66c0b91cabeff6805cfe6898ee580f9e053013f40911768d2da0f2bc1338b3132ad97b5593a022b5dcd7d121661c5a614b506564cb5fbc4ca71
SSDEEP

49152:j6zx+pSFtoalhcGRVtfyz8PgqSLumRdJ46issnR5MtAxToDF0BtWk5Q:kiW7pLtg8PUKmq9LAWoB0B

Score

10^/10

cerber discovery evasion execution persistence pyinstaller ransomware themida trojan upx

Malware Config

Signatures

Cerber 2 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	DMIEDIT.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EadMSVVzPNYuasnmU\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\EadMSVVzPNYuasnmU"	nprojecto.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	MesquitaSp00ferV7.exe

Executes dropped EXE 27 IoCs

pid	Process
2968	AMIDEWIN.exe
1956	AMIDEWINx64.exe
5040	Activation.exe
4712	Anti_Debug.exe
3244	DMIEDIT.exe
1560	EQU8_Blocker.exe
3504	GPU-UUID-Changer.exe
548	GPU.exe
2524	Scripthook_bypass.exe
772	Volume.exe
2784	applecleaner.exe
4244	destra.exe
4404	extd.exe
4352	identity_data.exe
1632	identity_data.exe
3556	log_helper.exe
2832	map.exe
4740	log_helper.exe
4896	map_1.exe
2420	map_2.exe
3060	mapper.exe
2300	nprojecto.exe
1632	oi.exe
4556	system_utils.exe
4592	system_utils.exe
1568	system_fingerprint.exe
2812	system_fingerprint.exe

Loads dropped DLL 25 IoCs

pid	Process
1632	identity_data.exe
1632	identity_data.exe
1632	identity_data.exe
1632	identity_data.exe
1632	identity_data.exe
1632	identity_data.exe
4740	log_helper.exe
4740	log_helper.exe
4740	log_helper.exe
4740	log_helper.exe
4740	log_helper.exe
4740	log_helper.exe
4592	system_utils.exe
4592	system_utils.exe
4592	system_utils.exe
4592	system_utils.exe
4592	system_utils.exe
4592	system_utils.exe
2812	system_fingerprint.exe
2812	system_fingerprint.exe
2812	system_fingerprint.exe
2812	system_fingerprint.exe
2812	system_fingerprint.exe
2812	system_fingerprint.exe
2812	system_fingerprint.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x00070000000234b7-181.dat	themida
behavioral2/memory/2784-191-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp	themida
behavioral2/memory/2784-206-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp	themida
behavioral2/memory/2784-208-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp	themida
behavioral2/memory/2784-207-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp	themida
behavioral2/memory/2784-210-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp	themida
behavioral2/memory/2784-362-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234b9-197.dat	upx
behavioral2/memory/4404-200-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/4404-205-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4428	powershell.exe
4356	powershell.exe
4796	powershell.exe
1732	powershell.exe
1668	powershell.exe
3368	powershell.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2784	applecleaner.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\IME\AMIDEWIN.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\DMIEDIT.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\log_helper.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\mapper.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\Activation.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\destra.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\map_2.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\AMIDEWINx64.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\DMI16.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\extd.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\oi.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\Anti_Debug.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\lgsvcl.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\map_1.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\GPU.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\Volume.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\applecleaner.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\GPU-UUID-Changer.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\nprojecto.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\FiveM_Cleanerino1.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\Scripthook_bypass.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\map.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\system_utils.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\EQU8_Blocker.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\identity_data.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\registry_helper.exe	MesquitaSp00ferV7.exe
File created	C:\Windows\IME\system_fingerprint.exe	MesquitaSp00ferV7.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00070000000234ba-215.dat	pyinstaller
behavioral2/files/0x00080000000234bf-270.dat	pyinstaller
behavioral2/files/0x000a0000000234be-377.dat	pyinstaller
behavioral2/files/0x000c0000000234c0-418.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MesquitaSp00ferV7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMIDEWIN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Volume.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	destra.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4552	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID = "SdSI\\0cRomMs1t____Virtu7l_5Vf-ROM_d.2_"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs = "S5SI\\aaRom"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs = "SaSI\\bbRom"	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID = "S9SI\\5dRomMs8t____Virtu7l_4Vb-ROM_7.9_"	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID = "SSSI\\TiskWzC__________WgSSaQTPObft.@+"	GPU.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName = "@nbrom.inC,%ISO_GBnfri#_vri0nClyN0mo%;MiBrosobt Virtuzl uVq-ROM"	GPU.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs = "SbSI\\38Rom"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs = "S9SI\\ddRom"	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID = "S8SI\\b2RomMsft____Virtucl_eV5-ROM_e.7_"	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID = "S3SI\\09RomMs7t____Virtu5l_aV9-ROM_1.a_"	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs = "SfSI\\iisk"	GPU.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU-UUID-Changer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName = "QOMU Q6MU zVm-ROM"	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs = "S2SI\\1LRom"	GPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID = "S9SI\\1dRomQ0MU____QfMU_dV1-ROM____2.1+"	GPU-UUID-Changer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs = "SISI\\q&Rom"	GPU.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs = "ScSI\\9isk"	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID = "SKSI\\agRomMsVt____Virtuxl_tVE-ROM_6.N_"	GPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName = "WgC WbS2C&Tx0Ej"	GPU.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs = "S1SI\\9cRom"	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	GPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GPU.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs = "SbSI\\disk"	GPU-UUID-Changer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	GPU.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID = "S7SI\\aiskW29__________WaSed4T15d54.1+"	GPU-UUID-Changer.exe

Checks processor information in registry 2 TTPs 50 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = bb11adae248879fe52db2543e53cf445	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = d3d828ce0bf5c560593d97278a59762dd0c2c9cd68d4496a792508614014b13b6aa51128c18cd6a90b87978c2ff1151d9a95c19be1c07ee9a89aa786c2b554bf9ae7d923d155	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\9	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = 3fb01184597e95706ef83c789ecccfd1	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\11	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\8	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\14	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = 903828d1d96ca1665e4ee1309cfed971	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\16	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = b7b6d16b4e4088848749942c6c41f4749cded6e44c11b8118c38cd71cb95a26f9eff01bbbdd716e44e3ed02867858a8bcee5eb2603710ac28048d6a53f0fb6ac7d9f6c9abefa	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\16	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\11	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = 9df3325e1186ea243bd4dcfedab157914c115583f7d5fee8e7e46efdb87eb819b7cd2be044bdd4ba7b0e438413a89285852ea4a371d5abd63e77edde02e3c731a178f23838f2	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\13	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\14	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = 05babc833b99de2677bc3230854c9127	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GPU.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = cfd3902d48d38f75e6d91d2ae5c0f72b788187440e5f5000d4618dbe7b0515073b33821f187092da6454ceb1853e6915f8466a0496730ed9162f6768d4f74a4ad0576876fa16	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\8	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\13	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\9	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GPU-UUID-Changer.exe

Enumerates system info in registry 2 TTPs 25 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\1\DiskPeripheral	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\3\DiskPeripheral	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "UNKNOWN_KLYbOpRV"	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Serialnumber	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\SerialNumber	GPU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "c54b5ed9-28a1e43b-3"	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\2\DiskPeripheral	GPU-UUID-Changer.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "777afbda-7f003b3d-4"	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "UNKNOWN_K3Y4OeR2"	GPU-UUID-Changer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	GPU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\SerialNumber	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "9a38fc85-a1a1ad04-8"	GPU-UUID-Changer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	GPU.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "aOkvlx9n-ta43yc3K-S"	GPU.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4460	taskkill.exe
4756	taskkill.exe
4988	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\SubSysId = 290d4814	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DeviceId = ad999c71	GPU-UUID-Changer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "v0n3orI1=\"dx42a8\",78vi71Ie=\"bx7a\",su3SysIf=\"ax1\",rcvision=\"ex3\",v3rsion=\"59.0.f0914.20c\"hyp3rvisor=\"No Hypervisor (No SLfT)\""	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = c6f11b06bc276c7c	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DeviceId = df0b72ab	GPU-UUID-Changer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Revision = 26f2c3e6	GPU-UUID-Changer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe
3192	MesquitaSp00ferV7.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
2300	nprojecto.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	MesquitaSp00ferV7.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeTakeOwnershipPrivilege	548	GPU.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeBackupPrivilege	4428	powershell.exe
Token: SeBackupPrivilege	4428	powershell.exe
Token: SeRestorePrivilege	4428	powershell.exe
Token: SeSecurityPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeAssignPrimaryTokenPrivilege	3704	svchost.exe
Token: SeIncreaseQuotaPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeTakeOwnershipPrivilege	3704	svchost.exe
Token: SeLoadDriverPrivilege	3704	svchost.exe
Token: SeSystemtimePrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeRestorePrivilege	3704	svchost.exe
Token: SeShutdownPrivilege	3704	svchost.exe
Token: SeSystemEnvironmentPrivilege	3704	svchost.exe
Token: SeUndockPrivilege	3704	svchost.exe
Token: SeManageVolumePrivilege	3704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3704	svchost.exe
Token: SeIncreaseQuotaPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeTakeOwnershipPrivilege	3704	svchost.exe
Token: SeLoadDriverPrivilege	3704	svchost.exe
Token: SeSystemtimePrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeRestorePrivilege	3704	svchost.exe
Token: SeShutdownPrivilege	3704	svchost.exe
Token: SeSystemEnvironmentPrivilege	3704	svchost.exe
Token: SeUndockPrivilege	3704	svchost.exe
Token: SeManageVolumePrivilege	3704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3704	svchost.exe
Token: SeIncreaseQuotaPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeTakeOwnershipPrivilege	3704	svchost.exe
Token: SeLoadDriverPrivilege	3704	svchost.exe
Token: SeSystemtimePrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeRestorePrivilege	3704	svchost.exe
Token: SeShutdownPrivilege	3704	svchost.exe
Token: SeSystemEnvironmentPrivilege	3704	svchost.exe
Token: SeUndockPrivilege	3704	svchost.exe
Token: SeManageVolumePrivilege	3704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3704	svchost.exe
Token: SeIncreaseQuotaPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeTakeOwnershipPrivilege	3704	svchost.exe
Token: SeLoadDriverPrivilege	3704	svchost.exe
Token: SeSystemtimePrivilege	3704	svchost.exe
Token: SeBackupPrivilege	3704	svchost.exe
Token: SeRestorePrivilege	3704	svchost.exe
Token: SeShutdownPrivilege	3704	svchost.exe
Token: SeSystemEnvironmentPrivilege	3704	svchost.exe
Token: SeUndockPrivilege	3704	svchost.exe
Token: SeManageVolumePrivilege	3704	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3704	svchost.exe
Token: SeIncreaseQuotaPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	3704	svchost.exe
Token: SeTakeOwnershipPrivilege	3704	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2968	3192	MesquitaSp00ferV7.exe	95
PID 3192 wrote to memory of 2968	3192	MesquitaSp00ferV7.exe	95
PID 3192 wrote to memory of 2968	3192	MesquitaSp00ferV7.exe	95
PID 3192 wrote to memory of 1956	3192	MesquitaSp00ferV7.exe	97
PID 3192 wrote to memory of 1956	3192	MesquitaSp00ferV7.exe	97
PID 3192 wrote to memory of 5040	3192	MesquitaSp00ferV7.exe	99
PID 3192 wrote to memory of 5040	3192	MesquitaSp00ferV7.exe	99
PID 3192 wrote to memory of 4712	3192	MesquitaSp00ferV7.exe	101
PID 3192 wrote to memory of 4712	3192	MesquitaSp00ferV7.exe	101
PID 5040 wrote to memory of 4552	5040	Activation.exe	103
PID 5040 wrote to memory of 4552	5040	Activation.exe	103
PID 5040 wrote to memory of 3176	5040	Activation.exe	104
PID 5040 wrote to memory of 3176	5040	Activation.exe	104
PID 5040 wrote to memory of 1080	5040	Activation.exe	105
PID 5040 wrote to memory of 1080	5040	Activation.exe	105
PID 1080 wrote to memory of 4796	1080	cmd.exe	106
PID 1080 wrote to memory of 4796	1080	cmd.exe	106
PID 5040 wrote to memory of 4392	5040	Activation.exe	107
PID 5040 wrote to memory of 4392	5040	Activation.exe	107
PID 4392 wrote to memory of 1732	4392	cmd.exe	108
PID 4392 wrote to memory of 1732	4392	cmd.exe	108
PID 5040 wrote to memory of 1632	5040	Activation.exe	109
PID 5040 wrote to memory of 1632	5040	Activation.exe	109
PID 1632 wrote to memory of 1668	1632	cmd.exe	110
PID 1632 wrote to memory of 1668	1632	cmd.exe	110
PID 3192 wrote to memory of 3244	3192	MesquitaSp00ferV7.exe	111
PID 3192 wrote to memory of 3244	3192	MesquitaSp00ferV7.exe	111
PID 3192 wrote to memory of 1560	3192	MesquitaSp00ferV7.exe	112
PID 3192 wrote to memory of 1560	3192	MesquitaSp00ferV7.exe	112
PID 5040 wrote to memory of 2448	5040	Activation.exe	114
PID 5040 wrote to memory of 2448	5040	Activation.exe	114
PID 3192 wrote to memory of 3504	3192	MesquitaSp00ferV7.exe	115
PID 3192 wrote to memory of 3504	3192	MesquitaSp00ferV7.exe	115
PID 2448 wrote to memory of 3368	2448	cmd.exe	116
PID 2448 wrote to memory of 3368	2448	cmd.exe	116
PID 3192 wrote to memory of 548	3192	MesquitaSp00ferV7.exe	118
PID 3192 wrote to memory of 548	3192	MesquitaSp00ferV7.exe	118
PID 3504 wrote to memory of 1604	3504	GPU-UUID-Changer.exe	120
PID 3504 wrote to memory of 1604	3504	GPU-UUID-Changer.exe	120
PID 3192 wrote to memory of 2524	3192	MesquitaSp00ferV7.exe	121
PID 3192 wrote to memory of 2524	3192	MesquitaSp00ferV7.exe	121
PID 3192 wrote to memory of 772	3192	MesquitaSp00ferV7.exe	123
PID 3192 wrote to memory of 772	3192	MesquitaSp00ferV7.exe	123
PID 3192 wrote to memory of 772	3192	MesquitaSp00ferV7.exe	123
PID 548 wrote to memory of 4980	548	GPU.exe	124
PID 548 wrote to memory of 4980	548	GPU.exe	124
PID 4980 wrote to memory of 4092	4980	cmd.exe	126
PID 4980 wrote to memory of 4092	4980	cmd.exe	126
PID 4092 wrote to memory of 4888	4092	net.exe	127
PID 4092 wrote to memory of 4888	4092	net.exe	127
PID 5040 wrote to memory of 4884	5040	Activation.exe	128
PID 5040 wrote to memory of 4884	5040	Activation.exe	128
PID 4884 wrote to memory of 4428	4884	cmd.exe	129
PID 4884 wrote to memory of 4428	4884	cmd.exe	129
PID 3192 wrote to memory of 2784	3192	MesquitaSp00ferV7.exe	130
PID 3192 wrote to memory of 2784	3192	MesquitaSp00ferV7.exe	130
PID 3192 wrote to memory of 4244	3192	MesquitaSp00ferV7.exe	132
PID 3192 wrote to memory of 4244	3192	MesquitaSp00ferV7.exe	132
PID 3192 wrote to memory of 4244	3192	MesquitaSp00ferV7.exe	132
PID 3192 wrote to memory of 4404	3192	MesquitaSp00ferV7.exe	134
PID 3192 wrote to memory of 4404	3192	MesquitaSp00ferV7.exe	134
PID 4244 wrote to memory of 4868	4244	destra.exe	136
PID 4244 wrote to memory of 4868	4244	destra.exe	136
PID 548 wrote to memory of 2136	548	GPU.exe	137

C:\Users\Admin\AppData\Local\Temp\MesquitaSp00ferV7.exe
"C:\Users\Admin\AppData\Local\Temp\MesquitaSp00ferV7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\IME\AMIDEWIN.exe
  "C:\Windows\IME\AMIDEWIN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\IME\AMIDEWINx64.exe
  "C:\Windows\IME\AMIDEWINx64.exe"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:1956
- C:\Windows\IME\Activation.exe
  "C:\Windows\IME\Activation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
    3⤵
    PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
    3⤵
    PID:1564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
    3⤵
    PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat
    3⤵
    PID:5028
- C:\Windows\IME\Anti_Debug.exe
  "C:\Windows\IME\Anti_Debug.exe"
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\IME\DMIEDIT.exe
  "C:\Windows\IME\DMIEDIT.exe"
  2⤵
  - Cerber
  - Executes dropped EXE
  PID:3244
- C:\Windows\IME\EQU8_Blocker.exe
  "C:\Windows\IME\EQU8_Blocker.exe"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\IME\GPU-UUID-Changer.exe
  "C:\Windows\IME\GPU-UUID-Changer.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c exit
    3⤵
    PID:1604
- C:\Windows\IME\GPU.exe
  "C:\Windows\IME\GPU.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\system32\net.exe
      net stop winmgmt /Y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop winmgmt /Y
        5⤵
        
        PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c exit
    3⤵
    PID:2136
- C:\Windows\IME\Scripthook_bypass.exe
  "C:\Windows\IME\Scripthook_bypass.exe"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\IME\Volume.exe
  "C:\Windows\IME\Volume.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:772
- C:\Windows\IME\applecleaner.exe
  "C:\Windows\IME\applecleaner.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    PID:4100
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4552
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
    3⤵
    PID:2376
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Battle.net.exe
      4⤵
      Kills process with taskkill
      PID:4460
- C:\Windows\IME\destra.exe
  "C:\Windows\IME\destra.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\553F.tmp\5540.tmp\5541.bat C:\Windows\IME\destra.exe"
    3⤵
    PID:4868
- C:\Windows\IME\extd.exe
  "C:\Windows\IME\extd.exe"
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\IME\identity_data.exe
  "C:\Windows\IME\identity_data.exe"
  2⤵
  - Executes dropped EXE
  PID:4352
- - C:\Windows\IME\identity_data.exe
    "C:\Windows\IME\identity_data.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1632
- C:\Windows\IME\log_helper.exe
  "C:\Windows\IME\log_helper.exe"
  2⤵
  - Executes dropped EXE
  PID:3556
- - C:\Windows\IME\log_helper.exe
    "C:\Windows\IME\log_helper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4740
- C:\Windows\IME\map.exe
  "C:\Windows\IME\map.exe"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\IME\map_1.exe
  "C:\Windows\IME\map_1.exe"
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\IME\map_2.exe
  "C:\Windows\IME\map_2.exe"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\IME\mapper.exe
  "C:\Windows\IME\mapper.exe"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\IME\nprojecto.exe
  "C:\Windows\IME\nprojecto.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  PID:2300
- C:\Windows\IME\oi.exe
  "C:\Windows\IME\oi.exe"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\IME\system_utils.exe
  "C:\Windows\IME\system_utils.exe"
  2⤵
  - Executes dropped EXE
  PID:4556
- - C:\Windows\IME\system_utils.exe
    "C:\Windows\IME\system_utils.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4592
- C:\Windows\IME\system_fingerprint.exe
  "C:\Windows\IME\system_fingerprint.exe"
  2⤵
  - Executes dropped EXE
  PID:1568
- - C:\Windows\IME\system_fingerprint.exe
    "C:\Windows\IME\system_fingerprint.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
8fe7bd6cd1d64bcdabbf2e2ae72c5a28

SHA1
5e1080c3b8cc4c5bffc73ffe6d45fa073335d0de

SHA256
5054cd4d79ca09e90169cdaee05c1e3dfc5d6fa1ad1275e11fd094521fed3fb8

SHA512
658004888ba70fa4a8c4b573d439496532c08b81afdc0b2419187c2ec9f3e42408d9a7c2bd2c73efd06fd5ada7ea57e1bb5d188e57ead32a7c0c900a82099f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f7d94af2c2f68920a170affcbe6af11

SHA1
62b7136c5ae1ad9462720b6a91daa8c858bd3581

SHA256
fcdbad1cf5d9efbff49aac250969ed3cf650d8a2c817f13bd1ca9d3c3056430c

SHA512
5c677bb5c175738db91743723388f22862696261ee13435effaad589f56b6e3947bf6dfee9e59d904b73cc35ce82425b8d632b0059ebfc9e48388d72a77b73d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cc8c3035a2b42afd2aceeec6bea3702

SHA1
1ac282d4e083ac7e63096e83d8ed7f76e0684c3b

SHA256
6660978018bd3d41e589fcb06682e3084526612724536ffd5d4a3e85921a2f2d

SHA512
d6a133c28ba99978422875062940139469accc6e1173d6232e10beb6ca81e7ebe2ee901846c4139253dc0b49d86365479d215f1c409642764b11dd74a5a64291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
386c44d4c41d27709445d4f198838023

SHA1
0aa143134cb817134df0f1d3228273a95d809cba

SHA256
4eced13fe8ec1d8bd12e62f76c4d40bcb46d36df35d30726e76af5b7f4637187

SHA512
6e74bb1b0ec5e66b0a84e6c51f37746b012a2a48cbbb616545a95bd5c63708aa63e3ab85c48c32ac888aed35f1e826cab67e26ea0879c37a5a4e75441a9627e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1f3142bdc9af94499fabd551ac59017d

SHA1
9f2f66fb1887e839bd7f9fefe33575d46a2bee20

SHA256
4ff8488ec3e79c6788d1435223f679502623fa99f7a73f42fa37a05cc777ebaf

SHA512
02394393174643c4ebc653b3c0661f23a905905cb6a2b50bc3504bb056c0baca163d8f2be0169761cba20a88b8dbd85c4fe09278b183af483d4f4370f1fc971d

Download Submit
C:\Users\Admin\AppData\Local\Temp\553F.tmp\5540.tmp\5541.bat

Filesize
228B

MD5
41f4f3570c9a7eb2d5146ad51ed2b8c6

SHA1
01e21461208a6af14c9219b258d313878d202ee1

SHA256
c492710f0badce9c62d2568e7a5d85d55e2112a716da32e6ce151417ba407c8e

SHA512
b33e5d71df455c2dfc1c6e41e259176bf12dbcd057dd7095adac77ba6c0d9e956af9a7346f0919e1145898757259f2e18cc620beec340e5cf204f2d9df71ea3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35562\base_library.zip

Filesize
812KB

MD5
a928becdfac91f1d4407812a6057e55d

SHA1
c0fe8327b62290dae4d26e7c9a68c92790337616

SHA256
8d62379941335d3b87f9eb3d8d9a83e7e84630c305dee477aed9b3a78ca444e9

SHA512
600210e0bd4162e2122bc2499d803d7972582504578ea6d7b9abfbd8d8b377563f3f7b3b73701acf6e411cc4d838726a0c4805415d192b7eff6365d39a468d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_ctypes.pyd

Filesize
116KB

MD5
92276f41ff9c856f4dbfa6508614e96c

SHA1
5bc8c3555e3407a3c78385ff2657de3dec55988e

SHA256
9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850

SHA512
9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_socket.pyd

Filesize
73KB

MD5
c5378bac8c03d7ef46305ee8394560f5

SHA1
2aa7bc90c0ec4d21113b8aa6709569d59fadd329

SHA256
130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9

SHA512
1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\base_library.zip

Filesize
812KB

MD5
5b2b482b287015240f296c370e6f9e11

SHA1
f824af57523ac8eae77316cc650f2646d03ee955

SHA256
06f91f55b0891c1f5c0bf18e553d73a37fb9b402e74dea30996137361a9a143e

SHA512
233330f66f8e7ce538438679e5f3c5361ebc427f2dc8dfbac52a1cfb7e1eb11f8a80a2b8f8082b9e3705d4465fcf96b4e6597c12553ca00abb1246de7419c229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\select.pyd

Filesize
25KB

MD5
63ede3c60ee921074647ec0278e6aa45

SHA1
a02c42d3849ad8c03ce60f2fd1797b1901441f26

SHA256
cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5

SHA512
d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_czorwika.5ug.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\IME\AMIDEWIN.exe

Filesize
148KB

MD5
182ec3a59bd847fb1bc3e12a41d48fa6

SHA1
2f548bceb819d3843827c1e218af6708db447d4b

SHA256
948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa

SHA512
91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

Download Submit
C:\Windows\IME\AMIDEWINx64.exe

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\Windows\IME\Activation.exe

Filesize
31KB

MD5
ef51cf406fe437cca81d6db6408bec7e

SHA1
899ccfa895acc0f770307e767a1cd1c5ef342310

SHA256
59b02dc911e5aa219bfb4684aa227f7cad207e5d2daab4cdf6df276882f8a12e

SHA512
1afb254e5f507040e72306200bb35bf0fd633310ef0ac5d9e46ed016d7acf097fdbe0b7b9554e1d9d2152f4794803307005d0f692404b0e55f6d73abcce268a7

Download Submit
C:\Windows\IME\Anti_Debug.exe

Filesize
18KB

MD5
fff2deb4eb8fa1becdeeb8a2a19a9ca4

SHA1
1d91c5c5de2e74609786ff750ba25f0863e54c94

SHA256
f42dde7132cb296715629512d205c5c81e374664f6a18da77dbfa161894fab63

SHA512
5856c46aca0ab668ce15d50e12371f3597cb891409ee3479611762fc1bed0dac49df2319d6fd179067b97d3680b34e5dcb941a33f00e2ee8d0b9f55779eb396f

Download Submit
C:\Windows\IME\DMI16.exe

Filesize
30KB

MD5
2a89d4e479351022ab8bd604030a76f3

SHA1
ad1d39fd38fafaae4d77eed5f1c67f665686736d

SHA256
28e6e1908f2996af9b7a9930f13d4c770d6963425df0869ce4bcdb1442a4a917

SHA512
0fb48aaeeedb5a96246ffd80c167f501ff2f5a08cf8d2dbf63373666c6f3394244395e05e49b68fedf02c2a3df75ad6ba4223f0066c350993233cf218da83e43

Download Submit
C:\Windows\IME\DMIEDIT.exe

Filesize
3.2MB

MD5
fbaf6262fd84f9966338518d4de46fdd

SHA1
291d481e3b42029e157e7c60febc8fe67cd50cf1

SHA256
5d37e5e7ce01549965bf2166adcba33d1e2c4bd2c90711032f3987b58452ce49

SHA512
5d8cc6e1ab85fae8d9a5ffa83cecc2608b1fbbb28b9e80afe2dc6f7d46b657d489e03f75e42fc147d49313b3a41ad768fd0f320a905cbc41d767c0fc3c3d9d7e

Download Submit
C:\Windows\IME\EQU8_Blocker.exe

Filesize
17KB

MD5
c657c027cd0283ea61545065ad42bf09

SHA1
f99af7cf296b2fd2da339b7c64a9441dd21335bb

SHA256
849eff74cd7b9c0928e9f1696257b66509fad8077d408b8c83aeb243599ec0c7

SHA512
983e26103af269697db752f45b589cd1519c7596e4d991aa7d23c6d9f2f7631588147bcd94d2f0138faee93a7e6692f78f866372008303e04263b1ca6441b089

Download Submit
C:\Windows\IME\FiveM_Cleanerino1.exe

Filesize
106KB

MD5
1e71acd7df04fb6ce6e34e90b5bf32b1

SHA1
80fa2ec3c72a1c1c6439c9171f35fb35c3bd2519

SHA256
24bc98f9a5c6f024ec76d9c6cd6fea09ece564c63cc88b31fd0040f9f8a79080

SHA512
968b8ca75dc8f3ebb2d32637652e1a9558f26b02ddda7a01439723823b4e9c2192aafe57be102a85c34be2b516bc26f3046ff65a915b4d249beea0d60adb3a25

Download Submit
C:\Windows\IME\GPU-UUID-Changer.exe

Filesize
174KB

MD5
f2ca790528e739c7657a9ac1ccc6c98c

SHA1
83b9157784ffdeb80f4d58b6203c1f5cbc0b1558

SHA256
299bf060362f1afe65c27cf7751d9cfb8cf9b49842179cb473b774cd45b91e02

SHA512
b56e7bafcfc334baad9d0cc1c41b74a800a0cf2de47bda3a60a9eb3e64cf4086d7c6911c7c6b1d1bf8cac81fb0a98e162d8cedbffab8303e4c218d9567286a70

Download Submit
C:\Windows\IME\GPU.exe

Filesize
172KB

MD5
0804fc6cd6f229bf70189709ab457681

SHA1
a40d620571c1468b7b5b78831a07cbb9c3416473

SHA256
67303b02b3e1b3f5a5a37713c58cdd0385b09bd2f822e6f0ac71127134f80afb

SHA512
3283188fabf8d53005d733e3ff461da9ce15495870d4456bc453e4311b37d5e263da7bc416128a220b489407669e1d39dd8c234acbe985c6467a9d1873f9349d

Download Submit
C:\Windows\IME\Scripthook_bypass.exe

Filesize
18KB

MD5
9e6b2acbdaa7c89f30e2db243f88f114

SHA1
13bc14b043288cb0313cded5a209ff1eea2f28a3

SHA256
64b6fa6c6d2cd4056c960707bc6f2d98d5ce2bcb95faeada62f4bb3326d52c5f

SHA512
2bd350f03cb4da46e4b8473906e0df2e60c91f5858160f5462dde2dd9b14e680df083dcd920251f0c2b44224657ea93a3d37b2b6f536ac3779c209fafdcb6573

Download Submit
C:\Windows\IME\Volume.exe

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
C:\Windows\IME\applecleaner.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Windows\IME\destra.exe

Filesize
89KB

MD5
af5d32242f7f166560403bf25b81d9ff

SHA1
3c0c158faf00b973c5e70e257b99cc1d2709e881

SHA256
2106abc313ee98ee288d6e67ffab444c723f704e09d441dc49411544899b59c2

SHA512
33dcac1e6311bcefe387891b02073fc9da97309aade3d1381639c4e604cb16efc9a24fc8defa146462afd59b461921d192accbd516d622c1ec31ffe1c01badd9

Download Submit
C:\Windows\IME\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Windows\IME\identity_data.exe

Filesize
6.8MB

MD5
092606046d03650e00361db36f3204d4

SHA1
e1a914431fdc8ecafaa4ebc332bb9ab366f7851d

SHA256
640f31861079f27a010158ecda0fb74a81be9801a8de311bb23e94ffc82e3562

SHA512
dacc42705f2d8cf2316b653cc47ceada7018900bb5e415f83fc83d21867e4923e6829f19fd77356f3c5dc3033113d19161b752f2692148c6ead7e7005bdcefec

Download Submit
C:\Windows\IME\log_helper.exe

Filesize
6.6MB

MD5
888ca44b82899b0d51bc51494dffefd0

SHA1
a1c292570abca1bee3d66c3e6b4f34d67cc57416

SHA256
5c9abf1192e0a0260f3b14c8bb15e39291d91a87dc2e3f2bac69bf8b17e14917

SHA512
735345683ab63c302fa23805cecc221b9e3966629aa187822fd1ba7745a7813c66f1de17039b16226e5f499c0ec5026f9231e52cb281904090d4f06066fe6e04

Download Submit
C:\Windows\IME\map.exe

Filesize
151KB

MD5
e78ceacaa734a3ddfe71fc237bfbd293

SHA1
dfb775c1d371778141caa6631f93c785f329d5c9

SHA256
6de739479ad5c9d61fe6198d4579e3120f47d8a12abe759d02a02a829cb8f821

SHA512
b133023fe345485cd94ac165f883e41710aed4ba389ab60990c1976440a5db1a32eb1148e1a242c4dfe40e930fe07189bf786f9f230eab7dc649c578e54fb7ca

Download Submit
C:\Windows\IME\mapper.exe

Filesize
120KB

MD5
d541398a31a6139b3f808f91523b6544

SHA1
a36d6104d718cc4e0958c83a6c68cee201e771be

SHA256
b5bc20e8c75b57c4fd5c6c1454d045d100c1122410ac6ffa049e48a5ded1641e

SHA512
d34288db7e90353bdac72193c0b3ee8fe2ec6c4ecef5e7667ccd8a219d1441f484717f835fa22d7b8afc03147af27b5f3b698218caef4d82d1d50d4a01102cc6

Download Submit
C:\Windows\IME\nprojecto.exe

Filesize
385KB

MD5
f3d376470f405c6c59a3c22fb04297a2

SHA1
5486ac65958518fcabe26db7c2de76db2d4252a8

SHA256
66572f91a658ebc6b3c87144f633278123cab7d4a69bffa14f1b49d527cb4ac1

SHA512
8a5096dc761a80dba9a03aed8098107cad8a7004cebfe2f6721ea5346de2841605b0ebf975a7a63e014ab69e61fc4bb40cb259f871689803b0c873eda46409c3

Download Submit
C:\Windows\IME\oi.exe

Filesize
106KB

MD5
6653ada4e227a621637803a853a3cc9a

SHA1
bf72deef66857a6f165b3a168eb2d12549c49be3

SHA256
75b833939231b9f6c4b72bc5cff1aedd38a32941076104fe0d2f52bf124fbc8f

SHA512
96393e6a434d411f17e44a6ce65f73187c279d76d61f15a68bfe4b7559a8066b9907b15f7772c0bcd295834ec2fe3123efbeb2050899f02042457a1102c24190

Download Submit
C:\Windows\IME\system_fingerprint.exe

Filesize
6.8MB

MD5
ecb2e9a3d7d3b2f3894f6b9e4d2a299f

SHA1
668ace2a5c59265c5fb95a0c9816f03d21e9f2b8

SHA256
868e174f3b00ec9077a4dc834e04a11046a12e1058e6be2050d5bab40695fca9

SHA512
246df0da02cb329aedb60f03d0a33d70cb840881dded5538b4c56033c074ef1f0e4a95fdf093a2e7bbab548e4a4878dfa33f753188f34be1c064bd5b6170a027

Download Submit
C:\Windows\IME\system_utils.exe

Filesize
6.6MB

MD5
610f9af74729b3da350e199bc4a65381

SHA1
60d0d15b570c7531579b26feee72d579aa09dfa8

SHA256
bdb08f5ae158806fc7c276392c889fcc44b11ab9cd9c29550ff8e7b4f331c560

SHA512
f32361e12f2e3c1bed6b2ea56b1989f02a11f26cf1d8424bb2c2791dc66fd843ba98434802440baf849d855ee3fa15ce5a833979d402f5a54054adaadb1bf963

Download Submit
memory/2784-206-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp

Filesize
9.6MB

Download
memory/2784-191-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp

Filesize
9.6MB

Download
memory/2784-362-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp

Filesize
9.6MB

Download
memory/2784-208-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp

Filesize
9.6MB

Download
memory/2784-207-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp

Filesize
9.6MB

Download
memory/2784-210-0x00007FF62F820000-0x00007FF6301C2000-memory.dmp

Filesize
9.6MB

Download
memory/3192-1-0x00000000008A0000-0x0000000000C12000-memory.dmp

Filesize
3.4MB

Download
memory/3192-10-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-7-0x0000000006BE0000-0x0000000006C1C000-memory.dmp

Filesize
240KB

Download
memory/3192-6-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/3192-5-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-4-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/3192-3-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/3192-2-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/3192-455-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-8-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-0-0x000000007453E000-0x000000007453F000-memory.dmp

Filesize
4KB

Download
memory/3192-11-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-12-0x0000000009660000-0x00000000097AE000-memory.dmp

Filesize
1.3MB

Download
memory/3192-13-0x00000000087A0000-0x00000000087B4000-memory.dmp

Filesize
80KB

Download
memory/3192-9-0x000000007453E000-0x000000007453F000-memory.dmp

Filesize
4KB

Download
memory/4404-205-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4404-200-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4796-67-0x000001E39A5C0000-0x000001E39A5E2000-memory.dmp

Filesize
136KB

Download