6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214

Analysis

max time kernel
152s
max time network
168s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
Size

6.5MB
MD5

8be14523a8862b1caa98e218acc94958
SHA1

c8ef028db2c37b4bbc0b3659aa0708558d5f71f8
SHA256

6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214
SHA512

1f5195fb70d2c3c15b23b1b9d11c3423040dab9cfec27d539fa3f21e33bba9e0e99d4611e3281d3868b0f7099bee0f52c2c1e065ebd109b64753980455651dfa
SSDEEP

196608:be7k1bSAfCaSAd9tKjwEHl4mRSAIwGuJPy+x+ACN3b:b7c3DUEjZlbwj+x+bb

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

PartitionGuru.exe

pid process

1496 PartitionGuru.exe

pid	process
1496	PartitionGuru.exe

Loads dropped DLL 15 IoCs

Processes:

6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exePartitionGuru.exe

pid	process
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

PartitionGuru.exe

description ioc process

File opened for modification \??\PhysicalDrive0 PartitionGuru.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	PartitionGuru.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PartitionGuru.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	PartitionGuru.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	PartitionGuru.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe

pid	process
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PartitionGuru.exe

pid process

1496 PartitionGuru.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

PartitionGuru.exe

pid process

1496 PartitionGuru.exe
1496 PartitionGuru.exe
1496 PartitionGuru.exe

pid	process
1496	PartitionGuru.exe

pid	process
1496	PartitionGuru.exe
1496	PartitionGuru.exe
1496	PartitionGuru.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe

description	pid	process	target process
PID 944 wrote to memory of 1496	944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe	PartitionGuru.exe
PID 944 wrote to memory of 1496	944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe	PartitionGuru.exe
PID 944 wrote to memory of 1496	944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe	PartitionGuru.exe
PID 944 wrote to memory of 1496	944	6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe	PartitionGuru.exe

C:\Users\Admin\AppData\Local\Temp\6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe
"C:\Users\Admin\AppData\Local\Temp\6814d9f8fb80420b7f312cc2c4d6a3905c79ffd71ca47a9563fd44401736a214.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Roaming\PartitionGuru.exe
"C:\Users\Admin\AppData\Roaming\PartitionGuru.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Barray.dll

Filesize
56KB

MD5
6f3d54c5114cbd6cc23e9d8461495b54

SHA1
97a87270fc4d97bcb72731a067801ca5305c91cb

SHA256
0fb5ada4afb2ef532e304c9b2a0afc14ad403151d1e4a5479eecb1f717614a47

SHA512
15dcba7a073b14d2d0d1ffabbc6e29a2735e6b7ef21574fcc764f373ac856893c52cd99db3279f9be0adb76e7a118e4717b5e39511b6cc0638a9375a5db7341d

Download Submit
C:\Users\Admin\AppData\Roaming\Charset.dll

Filesize
47KB

MD5
06fde9dd2729bfa20c9476a0212d6540

SHA1
5bb1cc8085dd0397badb70beaafce1dafc56e666

SHA256
5070d6f52aca18375def5b81db4304d62700b11c7b3fcc0b94d01bf9e58e7218

SHA512
74544e0d159b36fa053d94b6585550244f57d409ccfc7bb18d0fc2fee11916f56b0e99cb90ed32bed2927bbfb66d68593f74f0df1acaacd528f16c58dfbf4db9

Download Submit
C:\Users\Admin\AppData\Roaming\Hdrw.dll

Filesize
1.1MB

MD5
9a3da124ade3cc6708fb75ae53f2cd84

SHA1
3f05906da4604bddff3a8f020bc433422d40905a

SHA256
528e951dbea4b4552266179bac278da58e16c44169b67f85a11b393437cbe8db

SHA512
5d6653eb29b98330ec275c66bc3d7a6fb77e7ec110a4682834290eb6c3f50cf1dccf20b43d57071680a0eebbe17703f1343f889a3f0c667016b7ed8466b12871

Download Submit
C:\Users\Admin\AppData\Roaming\Hdrwnt.dll

Filesize
95KB

MD5
8487d5450a89fccf9b76b339b1043ae8

SHA1
3094187122888b3833de41f6bfd8f386585b1510

SHA256
de7ab8e58c81a1e929ebef9ef39c770bc37fc96ad2643d5370f526ce15d32133

SHA512
c11f74dcb1839df513aff4dfa606773fa8cc1bfd2a67f94fa26408fe245bd258bbc07958df48529d8d7357f35f240389c75a2b9269cee08c5c24291a84e2b11c

Download Submit
C:\Users\Admin\AppData\Roaming\IniCfg.dll

Filesize
78KB

MD5
93cc87a1bec7ca3b522e700df4be460e

SHA1
4338b01bc51be35ea3694f7e2e21880b6eaf67e0

SHA256
270dae4a2fd4b621b6b0323042a52b551855c0687ea1e18ea38908853d7c7ee8

SHA512
dee5dd9b5619c17c30014a688364534068bd7d7a73a5a662b26eb7333273d1b7d5ddc2f75145842c977dd186031d12f0d0a8eacc7361536730961811dc27f86e

Download Submit
C:\Users\Admin\AppData\Roaming\Langeng.dll

Filesize
1.1MB

MD5
308e3cc70aa48292032c1e9821471390

SHA1
0f4951886fc4a0f98e30ec28c3113e2ead483365

SHA256
c991b03b51f94120c05ef84aecf85877d5b9272db22622ab3d1d594ca199389c

SHA512
cf17b082c54bac874ff8c94b2fa01313afa7019fbdb081a94d7924135b8a2c2e1e7c04e4ef0e42ec7e184701ae93334621378c912430606007c67df1a2b0a429

Download Submit
C:\Users\Admin\AppData\Roaming\Options.ini

Filesize
45B

MD5
2b2a479bd5a66bedf9a49b62d08c583d

SHA1
8c87bf272e49545c4e02b90d52caaab92766d83e

SHA256
e42f2858834f930d7d197569e142a4dd87a09181b5cb4c64248a0223ba9249fd

SHA512
8d9adb79c4dd2aaa682543ac61f3bd891813052abe908df079855153b7e9b4e125a6c1f372046befc9a46ea074040a5a314158218a2f7eb59932639b91d638b4

Download Submit
C:\Users\Admin\AppData\Roaming\PartitionGuru.exe

Filesize
2.5MB

MD5
bcfdb074485c4a9c1b8497b26d9a5290

SHA1
32fcc50531705f8e2e7c6777e14d281f73e206d7

SHA256
84d4bd419398fc2acf66ee03f33e011966cbf6cbc5ec7eaa255775bcd2eb780e

SHA512
3b29c8f823d76e0d813085e7d6f2ce20f4bd1210700fb07dba66c8c04d3527cb52d4da2c9045c7e27e0d1c2d02d8e8b8a0ef35c150795512168ec33f5428ab87

Download Submit
C:\Users\Admin\AppData\Roaming\PartitionGuru.exe

Filesize
2.5MB

MD5
bcfdb074485c4a9c1b8497b26d9a5290

SHA1
32fcc50531705f8e2e7c6777e14d281f73e206d7

SHA256
84d4bd419398fc2acf66ee03f33e011966cbf6cbc5ec7eaa255775bcd2eb780e

SHA512
3b29c8f823d76e0d813085e7d6f2ce20f4bd1210700fb07dba66c8c04d3527cb52d4da2c9045c7e27e0d1c2d02d8e8b8a0ef35c150795512168ec33f5428ab87

Download Submit
C:\Users\Admin\AppData\Roaming\Update.dll

Filesize
114KB

MD5
a35c319007ad64846833ef247adfc092

SHA1
79f6a8a83723d5322f429e67567c0879c876bd0d

SHA256
c176ee50da97cb97f8d408187b87d44975e8ec7867690fecb3705a8e3b781929

SHA512
8f85a3f73b35ae638463faefdaabebff1a2edce2860e18d4219d714b8cf1d89b67bdb5550725be8d642b01bd84bfd935884bed128b0d91b74ee836218284b36c

Download Submit
C:\Users\Admin\AppData\Roaming\hdrwImg.dll

Filesize
58KB

MD5
277f98dad063bfe5a665b293add2c15c

SHA1
59fe4f4833e692def6f758f83d3c320956478756

SHA256
c496bb85a598bc45992512080a996358d5d803bc5417279911a61a08be208221

SHA512
38a7356ff1e94a320394e5531b3e089b084929df2d7802c1ec42929767bdcc539caa65bebf4430c0e47c996a5872cc64fc745ff2b3f8f4b8dc7c3d14b28dc89a

Download Submit
C:\Users\Admin\AppData\Roaming\hdrwVdi.dll

Filesize
64KB

MD5
e61c979b98efa82634019adae187923a

SHA1
172de50555ebe1faa47490b0ed3084981f55325e

SHA256
b7d6518142f2008c6230bd25f1d1173da9aeeea58d8ac9e1ec4e35ede1389c17

SHA512
8b66c4864f048ed41a4159f2752e05666d1000c0652a72380c49b55151caceac18a50f1fae7f264229d327e11b037ba2feb01e067f2d495113957ecfbfccf58b

Download Submit
C:\Users\Admin\AppData\Roaming\hdrwVhd.dll

Filesize
75KB

MD5
cf707c20ce3617e57d86bc6948a06ed6

SHA1
17a58ec29e13cdf75ec2871019f55252a0a1a945

SHA256
86891d35a4a5c0fde0fa36aed64941e396aff9b77ff86247cf6337891c0acf61

SHA512
d1cdb89cc8a0b6c8c332ab0a43a54b73730fc7936ed8a0d4d23243eeab7da8fe2c4eebaa8b8ad0c84c08384c774f4f4fc5090b4ebdb7e9f846ffb93b28540116

Download Submit
C:\Users\Admin\AppData\Roaming\hdrwvm.dll

Filesize
98KB

MD5
3165a6004a217d8462c2e6dffc6b2d27

SHA1
38ae74838f5148b2b669d76b96c206c76e35e197

SHA256
ec1721d032d4d610d812c7d80624b6858ddf610caf4668b830bfd8a5f11d9b54

SHA512
c9986510715590fb8977c322ef1b7be3e6b6706b48dffebb96544eb644fcb61bddb0cea1dac57a8f70dd56e2a609ff03463d676d4a595911f23655aecd51a49e

Download Submit
\Users\Admin\AppData\Roaming\Barray.dll

Filesize
56KB

MD5
6f3d54c5114cbd6cc23e9d8461495b54

SHA1
97a87270fc4d97bcb72731a067801ca5305c91cb

SHA256
0fb5ada4afb2ef532e304c9b2a0afc14ad403151d1e4a5479eecb1f717614a47

SHA512
15dcba7a073b14d2d0d1ffabbc6e29a2735e6b7ef21574fcc764f373ac856893c52cd99db3279f9be0adb76e7a118e4717b5e39511b6cc0638a9375a5db7341d

Download Submit
\Users\Admin\AppData\Roaming\Charset.dll

Filesize
47KB

MD5
06fde9dd2729bfa20c9476a0212d6540

SHA1
5bb1cc8085dd0397badb70beaafce1dafc56e666

SHA256
5070d6f52aca18375def5b81db4304d62700b11c7b3fcc0b94d01bf9e58e7218

SHA512
74544e0d159b36fa053d94b6585550244f57d409ccfc7bb18d0fc2fee11916f56b0e99cb90ed32bed2927bbfb66d68593f74f0df1acaacd528f16c58dfbf4db9

Download Submit
\Users\Admin\AppData\Roaming\Hdrw.dll

Filesize
1.1MB

MD5
9a3da124ade3cc6708fb75ae53f2cd84

SHA1
3f05906da4604bddff3a8f020bc433422d40905a

SHA256
528e951dbea4b4552266179bac278da58e16c44169b67f85a11b393437cbe8db

SHA512
5d6653eb29b98330ec275c66bc3d7a6fb77e7ec110a4682834290eb6c3f50cf1dccf20b43d57071680a0eebbe17703f1343f889a3f0c667016b7ed8466b12871

Download Submit
\Users\Admin\AppData\Roaming\HdrwImg.dll

Filesize
58KB

MD5
277f98dad063bfe5a665b293add2c15c

SHA1
59fe4f4833e692def6f758f83d3c320956478756

SHA256
c496bb85a598bc45992512080a996358d5d803bc5417279911a61a08be208221

SHA512
38a7356ff1e94a320394e5531b3e089b084929df2d7802c1ec42929767bdcc539caa65bebf4430c0e47c996a5872cc64fc745ff2b3f8f4b8dc7c3d14b28dc89a

Download Submit
\Users\Admin\AppData\Roaming\Hdrwnt.dll

Filesize
95KB

MD5
8487d5450a89fccf9b76b339b1043ae8

SHA1
3094187122888b3833de41f6bfd8f386585b1510

SHA256
de7ab8e58c81a1e929ebef9ef39c770bc37fc96ad2643d5370f526ce15d32133

SHA512
c11f74dcb1839df513aff4dfa606773fa8cc1bfd2a67f94fa26408fe245bd258bbc07958df48529d8d7357f35f240389c75a2b9269cee08c5c24291a84e2b11c

Download Submit
\Users\Admin\AppData\Roaming\Hdrwvdi.dll

Filesize
64KB

MD5
e61c979b98efa82634019adae187923a

SHA1
172de50555ebe1faa47490b0ed3084981f55325e

SHA256
b7d6518142f2008c6230bd25f1d1173da9aeeea58d8ac9e1ec4e35ede1389c17

SHA512
8b66c4864f048ed41a4159f2752e05666d1000c0652a72380c49b55151caceac18a50f1fae7f264229d327e11b037ba2feb01e067f2d495113957ecfbfccf58b

Download Submit
\Users\Admin\AppData\Roaming\Hdrwvhd.dll

Filesize
75KB

MD5
cf707c20ce3617e57d86bc6948a06ed6

SHA1
17a58ec29e13cdf75ec2871019f55252a0a1a945

SHA256
86891d35a4a5c0fde0fa36aed64941e396aff9b77ff86247cf6337891c0acf61

SHA512
d1cdb89cc8a0b6c8c332ab0a43a54b73730fc7936ed8a0d4d23243eeab7da8fe2c4eebaa8b8ad0c84c08384c774f4f4fc5090b4ebdb7e9f846ffb93b28540116

Download Submit
\Users\Admin\AppData\Roaming\Hdrwvm.dll

Filesize
98KB

MD5
3165a6004a217d8462c2e6dffc6b2d27

SHA1
38ae74838f5148b2b669d76b96c206c76e35e197

SHA256
ec1721d032d4d610d812c7d80624b6858ddf610caf4668b830bfd8a5f11d9b54

SHA512
c9986510715590fb8977c322ef1b7be3e6b6706b48dffebb96544eb644fcb61bddb0cea1dac57a8f70dd56e2a609ff03463d676d4a595911f23655aecd51a49e

Download Submit
\Users\Admin\AppData\Roaming\IniCfg.dll

Filesize
78KB

MD5
93cc87a1bec7ca3b522e700df4be460e

SHA1
4338b01bc51be35ea3694f7e2e21880b6eaf67e0

SHA256
270dae4a2fd4b621b6b0323042a52b551855c0687ea1e18ea38908853d7c7ee8

SHA512
dee5dd9b5619c17c30014a688364534068bd7d7a73a5a662b26eb7333273d1b7d5ddc2f75145842c977dd186031d12f0d0a8eacc7361536730961811dc27f86e

Download Submit
\Users\Admin\AppData\Roaming\LangEng.dll

Filesize
1.1MB

MD5
308e3cc70aa48292032c1e9821471390

SHA1
0f4951886fc4a0f98e30ec28c3113e2ead483365

SHA256
c991b03b51f94120c05ef84aecf85877d5b9272db22622ab3d1d594ca199389c

SHA512
cf17b082c54bac874ff8c94b2fa01313afa7019fbdb081a94d7924135b8a2c2e1e7c04e4ef0e42ec7e184701ae93334621378c912430606007c67df1a2b0a429

Download Submit
\Users\Admin\AppData\Roaming\PartitionGuru.exe

Filesize
2.5MB

MD5
bcfdb074485c4a9c1b8497b26d9a5290

SHA1
32fcc50531705f8e2e7c6777e14d281f73e206d7

SHA256
84d4bd419398fc2acf66ee03f33e011966cbf6cbc5ec7eaa255775bcd2eb780e

SHA512
3b29c8f823d76e0d813085e7d6f2ce20f4bd1210700fb07dba66c8c04d3527cb52d4da2c9045c7e27e0d1c2d02d8e8b8a0ef35c150795512168ec33f5428ab87

Download Submit
\Users\Admin\AppData\Roaming\PartitionGuru.exe

Filesize
2.5MB

MD5
bcfdb074485c4a9c1b8497b26d9a5290

SHA1
32fcc50531705f8e2e7c6777e14d281f73e206d7

SHA256
84d4bd419398fc2acf66ee03f33e011966cbf6cbc5ec7eaa255775bcd2eb780e

SHA512
3b29c8f823d76e0d813085e7d6f2ce20f4bd1210700fb07dba66c8c04d3527cb52d4da2c9045c7e27e0d1c2d02d8e8b8a0ef35c150795512168ec33f5428ab87

Download Submit
\Users\Admin\AppData\Roaming\PartitionGuru.exe

Filesize
2.5MB

MD5
bcfdb074485c4a9c1b8497b26d9a5290

SHA1
32fcc50531705f8e2e7c6777e14d281f73e206d7

SHA256
84d4bd419398fc2acf66ee03f33e011966cbf6cbc5ec7eaa255775bcd2eb780e

SHA512
3b29c8f823d76e0d813085e7d6f2ce20f4bd1210700fb07dba66c8c04d3527cb52d4da2c9045c7e27e0d1c2d02d8e8b8a0ef35c150795512168ec33f5428ab87

Download Submit
\Users\Admin\AppData\Roaming\PartitionGuru.exe

Filesize
2.5MB

MD5
bcfdb074485c4a9c1b8497b26d9a5290

SHA1
32fcc50531705f8e2e7c6777e14d281f73e206d7

SHA256
84d4bd419398fc2acf66ee03f33e011966cbf6cbc5ec7eaa255775bcd2eb780e

SHA512
3b29c8f823d76e0d813085e7d6f2ce20f4bd1210700fb07dba66c8c04d3527cb52d4da2c9045c7e27e0d1c2d02d8e8b8a0ef35c150795512168ec33f5428ab87

Download Submit
\Users\Admin\AppData\Roaming\update.dll

Filesize
114KB

MD5
a35c319007ad64846833ef247adfc092

SHA1
79f6a8a83723d5322f429e67567c0879c876bd0d

SHA256
c176ee50da97cb97f8d408187b87d44975e8ec7867690fecb3705a8e3b781929

SHA512
8f85a3f73b35ae638463faefdaabebff1a2edce2860e18d4219d714b8cf1d89b67bdb5550725be8d642b01bd84bfd935884bed128b0d91b74ee836218284b36c

Download Submit
memory/944-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1496-59-0x0000000000000000-mapping.dmp

Download