Analysis

  • max time kernel
    99s
  • max time network
    79s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    23/02/2024, 10:24

General

  • Target

    Need-for-Speed-Most-Wanted-2005-Windows-en.exe

  • Size

    544.3MB

  • MD5

    123b3cd59944ced849bfc4419994b77f

  • SHA1

    09ba787467321e1245420b2b6257271c1a24880e

  • SHA256

    7fc950d0546aaee6c96ce7f12e8e57546be1c53fa851eca511eb5b206be3457a

  • SHA512

    4f07151edb62362b28c3e87487aedbfe45492da9c9113deccaf5ecd7159b722773fd12ff1afdf834c4e3d6ee044564283bed45424c9249ac50b579d92f12bbcc

  • SSDEEP

    12582912:kVY2xeHrcc4qLCjouEUdI79gCwyA3j8Q5cyVUjeThSyi:ki2EH/QouESC8AUT

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 56 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe
    "C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe"
    1⤵
    • Loads dropped DLL
    • Drops autorun.inf file
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\NFSMWDemo\AutoRun.exe
      "C:\NFSMWDemo\AutoRun.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /s /regserver "C:\Users\Admin\AppData\Local\Temp\AutoRun.exe"
        3⤵
          PID:1188
      • C:\Users\Admin\AppData\Local\Temp\AutoRun.exe
        "C:\Users\Admin\AppData\Local\Temp\AutoRun.exe" -restart -dir "C:\NFSMWDemo"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s /regserver "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\eauninstall.exe"
          4⤵
            PID:2560
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s /regserver "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe"
          4⤵
            PID:2408
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s /regserver "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\shell_inst.exe"
          4⤵
            PID:2448
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s /regserver "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\safemode_inst.exe"
          4⤵
            PID:2416
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s /regserver "C:\Users\Admin\AppData\Local\Temp\safemode_inst.exe"
          4⤵
            PID:2368
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s /regserver "C:\Users\Admin\AppData\Local\Temp\shell_inst.exe"
          4⤵
            PID:800
        • C:\Users\Admin\AppData\Local\Temp\safemode_inst.exe
          "C:\Users\Admin\AppData\Local\Temp\safemode_inst.exe" "C:\NFSMWDemo" "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Need for Speed™ Most Wanted PC Demo" "1"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2380
        • C:\Users\Admin\AppData\Local\Temp\shell_inst.exe
          "C:\Users\Admin\AppData\Local\Temp\shell_inst.exe" "C:\NFSMWDemo" "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Need for Speed™ Most Wanted PC Demo" "1"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1544
        • C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe
          "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1848
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 500
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1244
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2232
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "00000000000005B0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1000
  • C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe
    "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 436
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:3064
  • C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe
    "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 436
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\NFSMWDemo\0compressed.zip
    Filesize: 107.0MB
  • C:\NFSMWDemo\AutoRun.inf
    Filesize: 165B
  • C:\NFSMWDemo\AutoRunGUI.DLL
    Filesize: 572KB
  • C:\NFSMWDemo\AutoRun\AutoRun.bmp
    Filesize: 288KB
  • C:\NFSMWDemo\AutoRun\Slide_000.bmp
    Filesize: 1.2MB
  • C:\NFSMWDemo\AutoRun\Slide_001.bmp
    Filesize: 1.2MB
  • C:\NFSMWDemo\AutoRun\Slide_002.bmp
    Filesize: 1.2MB
  • C:\NFSMWDemo\AutoRun\autorun.cfg
    Filesize: 1KB
  • C:\NFSMWDemo\DirectX\DSETUP32.DLL
    Filesize: 2.1MB
  • C:\NFSMWDemo\DirectX\Jun2005_d3dx9_26_x86.cab
    Filesize: 1.0MB
  • C:\NFSMWDemo\DirectX\dsetup.dll
    Filesize: 73KB
  • C:\NFSMWDemo\DirectX\dxupdate.cab
    Filesize: 65KB
  • C:\NFSMWDemo\NFSMW_icon.ico
    Filesize: 2KB
  • C:\NFSMWDemo\Support\Localization.ini
    Filesize: 4KB
  • C:\NFSMWDemo\Support\en-us\readme.txt
    Filesize: 18KB
  • C:\NFSMWDemo\common_filelist.txt
    Filesize: 152B
  • C:\NFSMWDemo\eauninstall.exe
    Filesize: 336KB
  • C:\NFSMWDemo\safemode_inst.exe
    Filesize: 40KB
  • C:\NFSMWDemo\server.cfg
    Filesize: 1KB
  • C:\NFSMWDemo\server.dll
    Filesize: 192KB
  • C:\NFSMWDemo\shell_inst.exe
    Filesize: 40KB
  • C:\NFSMWDemo\speedDemo.exe
    Filesize: 5.7MB
  • C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CREDITS\JAPANESE.TXT
    Filesize: 38KB
  • C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\MIXMAPS\MAPOUTPUT2DR.mxb
    Filesize: 9KB
  • C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\MIXMAPS\MAPOUTPUTDRG.dyn
    Filesize: 42KB
  • C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\SKIDS\SKID_SML_MB.abk
    Filesize: 160KB
  • C:\Users\Admin\AppData\Local\Temp\DXD6A0.tmp\d3dx9_26.dll
    Filesize: 2.2MB
  • C:\Users\Admin\AppData\Local\Temp\DXD6A0.tmp\jun2005_d3dx9_26_x86.inf
    Filesize: 1KB
  • C:\Windows\DirectX.log
    Filesize: 2KB
  • C:\Windows\DirectX.log
    Filesize: 2KB
  • C:\Windows\DirectX.log
    Filesize: 3KB
  • C:\Windows\DirectX.log
    Filesize: 4KB
  • C:\Windows\DirectX.log
    Filesize: 457B
  • \NFSMWDemo\AutoRun.exe
    Filesize: 712KB
  • \Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\server.dll
    Filesize: 372KB
  • \Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe
    Filesize: 1.0MB
  • \Users\Admin\AppData\Local\Temp\DXD6A0.tmp\dxupdate.dll
    Filesize: 126KB
  • memory/1732-1254-0x00000000002E0000-0x00000000002EA000-memory.dmp
    Filesize: 40KB
  • memory/1732-1252-0x0000000000C00000-0x0000000000E4A000-memory.dmp
    Filesize: 2.3MB
  • memory/1732-1253-0x00000000002E0000-0x00000000002EA000-memory.dmp
    Filesize: 40KB
  • memory/1848-1251-0x0000000000270000-0x0000000000272000-memory.dmp
    Filesize: 8KB
  • memory/1848-1250-0x0000000000DD0000-0x0000000000DDA000-memory.dmp
    Filesize: 40KB
  • memory/1848-1249-0x0000000000270000-0x000000000027A000-memory.dmp
    Filesize: 40KB
  • memory/1848-1248-0x0000000000270000-0x000000000027A000-memory.dmp
    Filesize: 40KB
  • memory/1848-1247-0x0000000000AF0000-0x0000000000D3A000-memory.dmp
    Filesize: 2.3MB
  • memory/2288-103-0x00000000042D0000-0x00000000042F5000-memory.dmp
    Filesize: 148KB
  • memory/2288-62-0x0000000003C60000-0x0000000003C76000-memory.dmp
    Filesize: 88KB
  • memory/2288-67-0x00000000042A0000-0x00000000044C7000-memory.dmp
    Filesize: 2.2MB
  • memory/2288-1189-0x0000000004490000-0x00000000044FF000-memory.dmp
    Filesize: 444KB
  • memory/2288-72-0x0000000004330000-0x0000000004557000-memory.dmp
    Filesize: 2.2MB
  • memory/2288-220-0x0000000004CD0000-0x0000000004EF7000-memory.dmp
    Filesize: 2.2MB
  • memory/2440-38-0x0000000000970000-0x0000000000A09000-memory.dmp
    Filesize: 612KB
  • memory/2888-1259-0x0000000000C40000-0x0000000000E8A000-memory.dmp
    Filesize: 2.3MB
  • memory/2888-1261-0x0000000000260000-0x000000000026A000-memory.dmp
    Filesize: 40KB
  • memory/2888-1260-0x0000000000260000-0x000000000026A000-memory.dmp
    Filesize: 40KB