modiloader | f6f84b418926af4185426db6f6ad92aff970457e1ea707413fd95137a32a908d

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
Size

4.5MB
MD5

b3ba7afb650fbc73d5d7ba46d5e9f091
SHA1

4f8f13afcd80d83cbe952774fee437ce32e87730
SHA256

f6f84b418926af4185426db6f6ad92aff970457e1ea707413fd95137a32a908d
SHA512

f86ec814fa90698baebba871a48fbbdb10b543c6cb839eba4288c2aa4865db357f371bd5dfaa95423a4f5e8c04c3a6809ad13579d88fecf69e672515d7db41ba
SSDEEP

49152:8AR/SCICrtvMLtAvVfJVgbhWss4lTDRLOyR0MKGKPhGi:NdAc6yVfJVg0ss4lZiGti

Score

10^/10

modiloader neshta ramnit aspackv2 banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Detect Neshta payload 40 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cbd-24.dat	family_neshta
behavioral2/files/0x0007000000023cbe-35.dat	family_neshta
behavioral2/files/0x0007000000023cbf-54.dat	family_neshta
behavioral2/files/0x0007000000023cc4-68.dat	family_neshta
behavioral2/memory/3028-82-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2172-100-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1520-129-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2208-325-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1996-334-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3308-358-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3580-387-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4728-452-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1120-515-0x0000000000400000-0x000000000087B000-memory.dmp	family_neshta
behavioral2/memory/4676-519-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2852-516-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1564-524-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4976-527-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2576-528-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5112-529-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2276-526-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1344-525-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4560-523-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2432-522-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4988-521-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4108-520-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2688-518-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5040-517-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2688-532-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2716-573-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1120-606-0x0000000000400000-0x000000000087B000-memory.dmp	family_neshta
behavioral2/memory/3376-639-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3892-641-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5040-610-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2852-609-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4888-644-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4676-645-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2232-646-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4988-648-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2852-649-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5040-650-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral2/memory/3972-506-0x0000000000400000-0x00000000004EC000-memory.dmp	modiloader_stage1
behavioral2/memory/3972-792-0x0000000000400000-0x00000000004EC000-memory.dmp	modiloader_stage1

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023cc2-56.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	screenscrew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	20min.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe

Executes dropped EXE 64 IoCs

pid	Process
1300	1.exe
4564	MousePad.exe
2852	headache.exe
5040	screenscrew.exe
2172	20min.exe
3028	svchost.com
2688	svchost.com
1520	svchost.com
3088	BLACK&~1.EXE
2664	20min.exe
4676	svchost.com
3704	Blank.exe
4108	svchost.com
4988	svchost.com
3672	DESKSC~1.EXE
2656	Bubbler.exe
2432	svchost.com
4560	svchost.com
1020	Flip.exe
1564	svchost.com
3756	DSCROL~1.EXE
1344	svchost.com
4480	halyava.exe
3648	Hello.exe
2276	svchost.com
1836	Invert.exe
4976	svchost.com
2588	myWeb.exe
2576	svchost.com
2264	Patterns.exe
5112	svchost.com
1424	STRETC~1.EXE
2208	svchost.com
1984	PUSKA_~1.EXE
1996	svchost.com
720	430A~1.EXE
4728	svchost.com
3580	svchost.com
3308	svchost.com
3404	BURP.EXE
676	Viagra.exe
4200	ANTIPUSK.EXE
2716	svchost.com
2232	svchost.com
4012	krutilka.exe
2292	svchost.com
4736	krutilkaSrv.exe
1348	svchost.com
3972	Aforizm.exe
1216	DesktopLayer.exe
5084	GECCO.EXE
3444	svchost.com
5068	svchost.com
2824	E1F4~1.EXE
3376	svchost.com
3096	Stub.exe
4520	svchost.com
4888	svchost.com
2160	DROPPI~1.EXE
2740	ERROR.EXE
3892	svchost.com
1216	DROPPI~1Srv.exe
2920	DesktopLayer.exe
2972	MouseFX.exe

Loads dropped DLL 15 IoCs

pid	Process
4200	ANTIPUSK.EXE
4564	MousePad.exe
720	430A~1.EXE
1984	PUSKA_~1.EXE
1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
676	Viagra.exe
3404	BURP.EXE
2716	svchost.com
5084	GECCO.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
3444	svchost.com
3096	Stub.exe
2740	ERROR.EXE
2160	DROPPI~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	headache.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4736-483-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1216-507-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4736-501-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4012-475-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1216-513-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4012-535-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/files/0x0007000000023ce2-607.dat	upx
behavioral2/memory/1216-637-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2920-638-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1216-615-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	headache.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	headache.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	headache.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEADD.tmp	krutilkaSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DROPPI~1Srv.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	headache.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	headache.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	headache.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	headache.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	headache.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	headache.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	headache.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	headache.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	headache.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	headache.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	krutilkaSrv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	headache.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	headache.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	krutilkaSrv.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	headache.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	screenscrew.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	screenscrew.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	headache.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	headache.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	headache.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	screenscrew.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	headache.exe

Drops file in Windows directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	headache.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	20min.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	20min.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	screenscrew.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E1F4~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	krutilka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MouseFX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	headache.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DROPPI~1Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blank.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PUSKA_~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BURP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GECCO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myWeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patterns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STRETC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aforizm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20min.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ERROR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DROPPI~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Viagra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	krutilkaSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20min.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MousePad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DSCROL~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	halyava.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	430A~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANTIPUSK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLACK&~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenscrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DESKSC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bubbler.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1380	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2979942808"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151413"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151413"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EB06E956-C128-11EF-B319-5EA348B38F9D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2979942808"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151413"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3051846384"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	headache.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	screenscrew.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	20min.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1216	DesktopLayer.exe
1216	DesktopLayer.exe
1216	DesktopLayer.exe
1216	DesktopLayer.exe
1216	DesktopLayer.exe
1216	DesktopLayer.exe
1216	DesktopLayer.exe
1216	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3436	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3436	AUDIODG.EXE
Token: SeDebugPrivilege	1380	taskkill.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1984	PUSKA_~1.EXE
4200	ANTIPUSK.EXE
5084	GECCO.EXE
5084	GECCO.EXE
5084	GECCO.EXE
5084	GECCO.EXE
5084	GECCO.EXE
3972	Aforizm.exe
3972	Aforizm.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
5084	GECCO.EXE
5084	GECCO.EXE
5084	GECCO.EXE
5084	GECCO.EXE
5084	GECCO.EXE
3972	Aforizm.exe
3972	Aforizm.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4564	MousePad.exe
4200	ANTIPUSK.EXE
8	OpenWith.exe
3000	iexplore.exe
3000	iexplore.exe
2028	OpenWith.exe
3096	Stub.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1300	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	85
PID 1120 wrote to memory of 1300	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	85
PID 1120 wrote to memory of 1300	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	85
PID 1120 wrote to memory of 4564	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	86
PID 1120 wrote to memory of 4564	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	86
PID 1120 wrote to memory of 4564	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	86
PID 1120 wrote to memory of 2852	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	87
PID 1120 wrote to memory of 2852	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	87
PID 1120 wrote to memory of 2852	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	87
PID 1120 wrote to memory of 5040	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	88
PID 1120 wrote to memory of 5040	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	88
PID 1120 wrote to memory of 5040	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	88
PID 1120 wrote to memory of 2172	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	89
PID 1120 wrote to memory of 2172	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	89
PID 1120 wrote to memory of 2172	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	89
PID 5040 wrote to memory of 3028	5040	screenscrew.exe	90
PID 5040 wrote to memory of 3028	5040	screenscrew.exe	90
PID 5040 wrote to memory of 3028	5040	screenscrew.exe	90
PID 1120 wrote to memory of 2688	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	91
PID 1120 wrote to memory of 2688	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	91
PID 1120 wrote to memory of 2688	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	91
PID 2172 wrote to memory of 1520	2172	20min.exe	92
PID 2172 wrote to memory of 1520	2172	20min.exe	92
PID 2172 wrote to memory of 1520	2172	20min.exe	92
PID 2688 wrote to memory of 3088	2688	svchost.com	93
PID 2688 wrote to memory of 3088	2688	svchost.com	93
PID 2688 wrote to memory of 3088	2688	svchost.com	93
PID 1520 wrote to memory of 2664	1520	svchost.com	94
PID 1520 wrote to memory of 2664	1520	svchost.com	94
PID 1520 wrote to memory of 2664	1520	svchost.com	94
PID 1120 wrote to memory of 4676	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	95
PID 1120 wrote to memory of 4676	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	95
PID 1120 wrote to memory of 4676	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	95
PID 4676 wrote to memory of 3704	4676	svchost.com	96
PID 4676 wrote to memory of 3704	4676	svchost.com	96
PID 4676 wrote to memory of 3704	4676	svchost.com	96
PID 1120 wrote to memory of 4108	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	97
PID 1120 wrote to memory of 4108	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	97
PID 1120 wrote to memory of 4108	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	97
PID 1120 wrote to memory of 4988	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	98
PID 1120 wrote to memory of 4988	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	98
PID 1120 wrote to memory of 4988	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	98
PID 4108 wrote to memory of 2656	4108	svchost.com	99
PID 4108 wrote to memory of 2656	4108	svchost.com	99
PID 4108 wrote to memory of 2656	4108	svchost.com	99
PID 4988 wrote to memory of 3672	4988	svchost.com	100
PID 4988 wrote to memory of 3672	4988	svchost.com	100
PID 4988 wrote to memory of 3672	4988	svchost.com	100
PID 1120 wrote to memory of 2432	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	101
PID 1120 wrote to memory of 2432	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	101
PID 1120 wrote to memory of 2432	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	101
PID 1120 wrote to memory of 4560	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	102
PID 1120 wrote to memory of 4560	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	102
PID 1120 wrote to memory of 4560	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	102
PID 4560 wrote to memory of 1020	4560	svchost.com	103
PID 4560 wrote to memory of 1020	4560	svchost.com	103
PID 4560 wrote to memory of 1020	4560	svchost.com	103
PID 1120 wrote to memory of 1564	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	105
PID 1120 wrote to memory of 1564	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	105
PID 1120 wrote to memory of 1564	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	105
PID 2432 wrote to memory of 3756	2432	svchost.com	104
PID 2432 wrote to memory of 3756	2432	svchost.com	104
PID 2432 wrote to memory of 3756	2432	svchost.com	104
PID 1120 wrote to memory of 1344	1120	2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\MousePad.exe
  "C:\Users\Admin\AppData\Local\Temp\MousePad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\headache.exe
  "C:\Users\Admin\AppData\Local\Temp\headache.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\screenscrew.exe
  "C:\Users\Admin\AppData\Local\Temp\screenscrew.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\screenscrew.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3028
- C:\Users\Admin\AppData\Local\Temp\20min.exe
  "C:\Users\Admin\AppData\Local\Temp\20min.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2664
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
    C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3088
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Blank.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\Blank.exe
    C:\Users\Admin\AppData\Local\Temp\Blank.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3704
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Bubbler.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
    C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3672
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
    C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3756
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flip.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\Flip.exe
    C:\Users\Admin\AppData\Local\Temp\Flip.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1020
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\halyava.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\halyava.exe
    C:\Users\Admin\AppData\Local\Temp\halyava.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4480
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Hello.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\Hello.exe
    C:\Users\Admin\AppData\Local\Temp\Hello.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3648
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Invert.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\Invert.exe
    C:\Users\Admin\AppData\Local\Temp\Invert.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1836
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\myWeb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\myWeb.exe
    C:\Users\Admin\AppData\Local\Temp\myWeb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2588
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Patterns.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\Patterns.exe
    C:\Users\Admin\AppData\Local\Temp\Patterns.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2264
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1424
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1984
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\430A~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
    C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:720
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BURP.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\BURP.EXE
    C:\Users\Admin\AppData\Local\Temp\BURP.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3404
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Viagra.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\Viagra.exe
    C:\Users\Admin\AppData\Local\Temp\Viagra.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:676
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
    C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4200
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Porno!.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\krutilka.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\krutilka.exe
    C:\Users\Admin\AppData\Local\Temp\krutilka.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
      C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4736
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3000 CREDAT:17410 /prefetch:2
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1756
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Aforizm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
    C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3972
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\GECCO.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
    C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5084
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flipped.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3444
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
    C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\Stub.exe
    C:\Users\Admin\AppData\Local\Temp\Stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "Stub.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1380
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
    C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
      C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:1216
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        
        PID:528
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ERROR.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
    C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MouseFX.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
    C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x348
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
9KB

MD5
26abb9e459e5976f658ce80d6433f1b1

SHA1
3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3

SHA256
60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12

SHA512
c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20min.exe

Filesize
124KB

MD5
35136787fd7256e6fa7fae3516a0c830

SHA1
699618516ba4a5efd13d41a997cf8700341eb93a

SHA256
9e1aab3558a45978e0cf2abcad3a883638b02fbf3a77ef4baeec62edd3eaea70

SHA512
f344b27562c8a4a393c41ac793463d4a4f9aa612a71e2f79ab8e95c39a9c76b6ef16a525805b06965924b5d71e4becd849ae8e0caf77e638f9f537395b45af39

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe

Filesize
84KB

MD5
f06f1ee47df12256990a6f81249661de

SHA1
4e1fed25a57e49102cf2a45862d478dc8d68cafc

SHA256
68b76252d3140cc1e3944898dde0d198131e1758bda1a83596e2811a18875b66

SHA512
c3827de7b15dda80f11504b932db790f68d4d4e3fcc27abab5c5d97f25eebac7586664872f36434c928bbb010d6cd5a3977e97b29c4f9cd7d0b49a43daf7394a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\headache.exe

Filesize
172KB

MD5
7eb8c9c1701f6b347721b42ba15c0993

SHA1
13e62637aa5c402383f5665d20c7491c51bccbdc

SHA256
6d5e92ccc9d65e02d8f805e3f4e33841db34a562b3c882a137146461a56bdec2

SHA512
22572a6ebf16b5e260c5d99f30aaefabd88a143bc6b6a9a4d7b82a31ffeb7970d3701c697fcb4c692c6f450782982f3e43f74e3b01fe3ebf1957fc0ef0a4a072

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE

Filesize
7KB

MD5
e29569e42b85bd880c54d22524248237

SHA1
3d34ca85f067172c192eda7722948e25538d65fe

SHA256
126bc70dfcd987397d69da9f14e5535e79165c0036add6815659abc80d10f2ca

SHA512
0bf6f216f78e702312ebc48285a8e10913373cfac51fa3b5da3f6ceaeb8d42b792f8d86c5b1bccd53900e8e3d07c3feae2feb9d3eed34ecd96ec99696f15a534

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aforizm.exe

Filesize
359KB

MD5
b65fc413c4af96d84822e39ce969942a

SHA1
eaa176253f3b91ef6094221403362c8c51dff572

SHA256
dc9015e7327c29d6699e1cb8c23148fc73af11de910ab335868342f02f22703c

SHA512
3e18e86a00fe81fbf27cad0c224c4772e827cfa9a18f6baeee71cf49501ccdde330e592f59b820c54669f19dda1c8fa8a2342eb5b1cf240678b4979969094454

Download Submit
C:\Users\Admin\AppData\Local\Temp\Black&White.exe

Filesize
14KB

MD5
00dd057add024c605c0414a985d31c32

SHA1
1d00812873ff86b33120923b705c872e13efd5cc

SHA256
2665f52d47ee7dfbffabcf58c0da31e311d3efa97442e85944a61bac8629e2af

SHA512
3eb9439c75ac9b32a121ee959aa94f11a5c73d26aa24d76bf0af149a045ad1368711797ef949ba834cb6da970005b5e829bc96fba5d841a2256022b973000226

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blank.exe

Filesize
71KB

MD5
5c70d18d0078e484a9a0a40f8f585bbb

SHA1
b3f886d37be5d04bfa5ac93b5d30c9b5cab72e21

SHA256
81252087cbffce0278cb4fc96ef4e38902d3a2a353fa761fe1a979c7bf959dcf

SHA512
67020862c4409ed267819016c1a76fd08010a5e34274ab17bab76d6fda0d8792deabb509b43580c3ee7c870b770151aa196d812f1cc4040b8ac2bc286fe8c6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bubbler.exe

Filesize
67KB

MD5
5c8434c362e791e2d40dc47603d2b552

SHA1
3181705211deaa2204b4e936e196411a2f0e7b87

SHA256
65ee141434e58dddb67d135728d5f8dfb38ee28fc4627b4c5ce3a831c3a724ae

SHA512
a4907232d77278cfdbd67ba75dc6fb48f0ce162623126f57efd04ef816fe396f4eb68dca1eaa7876d3a683472f473e229e689b3f75b9fd80a2ceb369dc227110

Download Submit
C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DScroller.exe

Filesize
11KB

MD5
c6aac231bd73d7cd9fe9474265fb2a0a

SHA1
693742b31b1f33761062744a9d317c6cb30e7e17

SHA256
3558cbfb4478d2f47b600c52bd5018443b86221639602f33ea0385ef3eef6ec5

SHA512
a32daa9b7e98b45aba2fc1c9620fca7cda218fb30fce5fa48231c4de92adeb15c8a856179a21f14b5a7acdf7294748f464c2448f3d38ddf71e9e714d913f1988

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeskScroller.exe

Filesize
8KB

MD5
d704b61a5521a22261ee9025259374fb

SHA1
a55a7211c0b2ef2d04824b897ee8ba4d20af6874

SHA256
8d4383f98fb673652fda948463e2cd0957ce3c6a1f7912d38245b14cc0e7c4dc

SHA512
105f600c76d591909c315ccdb56917badc8b03f81dfe46530db4c4fc03459bfd2b527cc1f81e9d63cbd5c7f7e2447ecfbfb541bb2dca9efd6fca5ade9a0eaa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flip.exe

Filesize
10KB

MD5
fc3fcc73569dc5917637de3c0271d9a5

SHA1
9efe1d66d9a4df5868ef12ad70b179517bab0f56

SHA256
008b1fbf3dc9b576733d066d69cb0038c8f58699b10f2f2a589e685c2f63fbe3

SHA512
92b6dbe06489f9e69ecd0fdba3c29b83ac2a85c12aebf04e493fc30bd72e78c363b9cd8ffd8c4d9643de79581c3e4ab6fc72eae1602b2fc97443e0f982155bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flipped.exe

Filesize
4KB

MD5
72a02361ea6a72ed57247047b780df19

SHA1
3bdc295eae546ba86fbd5a98ee78026fab0340b8

SHA256
6de221e7cd02a607f8660b89b5d008195fabe922a563ae13a8bd427c1d26ac7a

SHA512
5b45d59146dd13f8d78ddf27a0d7459f587d4a175d3963a2740fa2d02edf3aaa3c5feabec75148295848b4757a34be3b5ea5890544b5b4d73952c8d8fcad987e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hello.exe

Filesize
10KB

MD5
9bbf8c162b7d054161ed1f4db8d478b0

SHA1
157bffed52c8c7abfeeef731bea33086e713ec74

SHA256
2aabaa220e383a19c27bfad1262e972ec443e3bf56ea116a7600fe7f72661a02

SHA512
bf62209c8e1cb93a60f944f0342d2c0b8ff31abddc1b31c80130b6c175e060581f51a1252bdd95e481016aac16778bfe208e67fd0ba5e6e9297622c878416912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invert.exe

Filesize
13KB

MD5
0cdadd11f9888e0beed3b914fdd1308a

SHA1
5fdb5aab369e8873a9ddf9858fb40427479b198f

SHA256
3ec6564b1fab7c90167e287e01ae26e800d049098332b42e67fa00a416b6cc93

SHA512
493d94db6c8075d85fb0069e314f47b9939431d7e18f9c5ec332efa91397e5a09c653bce22c5f7b4cc73f5e180b0c8b505b550e882ad39866f6799526701638a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MouseFX.exe

Filesize
19KB

MD5
aa11cbd4556066a123ff14df33a91ac8

SHA1
efac5c4d1eff5c0df7105440cce91d106d6ef181

SHA256
db5733588c2a7c6b3bc0c1a836e919a332d3435a92792f4a2e5822866a874d73

SHA512
b6a70e317e32e65440a8aa46c7f0342d85c3880cd3514fa9872a5202d4933612c87a674c2800a42b85950c82f456a5729b64613b8bfb68fb536128e13d3b2bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MousePad.exe

Filesize
32KB

MD5
8b74b02f17593680f4bdb4ffb578ef86

SHA1
c76998140974d7c14d44c998549a681c7c712164

SHA256
9893494bcef02c6e63e4bfce830f5d33d2af1056b220a3469bc00df059b25013

SHA512
225592139afe6b7dffca3b2a0b13047a5988e43ddf77fd725c137f6c8960cb987185d8f559af92faadc0275be4f31a1da51a1bb36011f9288949510af4efd554

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patterns.exe

Filesize
11KB

MD5
b03dfd6a6d029948924b5486a5bd1931

SHA1
bf04f4cf5d98fbfc6f6d9a8cb12c3d60823f3f11

SHA256
33644f58e9eb469a733dba31db9af9fde1ba5298fc18389c0a78879a4406fc4f

SHA512
1903a9c0e106ceeb340d4a66460b4af8fee40b7c12872b5ca91bf470d56edc1b91e7c57b1f6388efe50c70d379b12858eaaf08269f6e2d658ad8102a2f89d6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Porno!.exe

Filesize
192KB

MD5
7504638de13c91d3de4701bc5eba895e

SHA1
9db65ccbc5d16a692a5a1d7ab883786281bf3345

SHA256
c11a3234a6037f762a40d6694a66f2a3f99d7fb792ec9bfdd988fcc53cc08301

SHA512
1a0acb104b1b5d8a62a5c9450110aef4b87a399823c1cb9372f305ae98342389795283bb7b74f4a1351f9411a469a5ec0ff8dca1562ebc6d63863ba15bec4ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stub.exe

Filesize
32KB

MD5
ac8ace1f2570085b2b7184cea7b4fdc0

SHA1
d6878a6dff4345122d4fe3a4c2e820cf08753a49

SHA256
8b48fa2f104a60bdead7695b31190e681217ee23aba44454edab3e758571884c

SHA512
155fddecabb75ab60930d80f4289a80d5a3e0c0e56e5169da350bf8b9959172e7fb009f8e146a153357b9519e7f96b1df941bbaeb36cf3b30045e8fec6129835

Download Submit
C:\Users\Admin\AppData\Local\Temp\earthquake.exe

Filesize
5KB

MD5
7320032b2b46c07b4a432745829223b3

SHA1
23386c3d89290ecc3d47c4a626cc7cc68ad2ef5a

SHA256
834ae4c2ca0b332fafcc6abb2ce7d5fa4c5ffb1778fc1280fe1f09f65f1ecc9a

SHA512
312ce17c8b3203928ffd8eca3aa94f3b04194e89e12ff25cffb370722636994f100708e05ab9782ca90756eb92607d6126ab72ee60726d3a0a1dc2320e208684

Download Submit
C:\Users\Admin\AppData\Local\Temp\halyava.exe

Filesize
8KB

MD5
9f32f1fb5155d01ce47a6b0e679ff2fe

SHA1
ad131beb815ca355a09cb2e4572d2d85f1d1259c

SHA256
c9bcd8aa2ba6364e441f609494a57a729b53e0360b7a8317e2baed76770e6d3c

SHA512
34ac158c558a967b8bd2ac99d8c236174f2aabd62604c8890c6236ab89e7d9345753483ad91285a02a29d4a7e1c297e0bd20767605243ed1cc03a976a226ad83

Download Submit
C:\Users\Admin\AppData\Local\Temp\headache.exe

Filesize
212KB

MD5
76ce4661b60461154ffcfd8fb51b6c57

SHA1
b9e71d6126d7db063febd0f7306095a030ead84b

SHA256
6e363c4d8d13b353529b11881f5fdcc1138e93df104b24d31d3ce566ffabe8de

SHA512
42f970e5929039ca68649998bf727aaca3bad0a7f0563399c11904aaa5378b72b0fb2d6dcad724119cad10f9792c348aa444b94413e132fac35494d275dde3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\myWeb.exe

Filesize
15KB

MD5
68cabf111614c64cc454a6a5fe9ee4ff

SHA1
74a036f32c37025699280fb474b6f7815a9d118c

SHA256
81162716b98c2af6e76c0acc1188c03db1e8f9485ebdff38a6364bff4aa59406

SHA512
cc01c441172de1bc9a414b2660d8a5330adf12fcdf2721caebadf45937864577a48fba9dd202f154f91a7a028dd8679896ecc22b9bddea9839d7af918835dad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenscrew.exe

Filesize
151KB

MD5
1c78e0c700a71e5894ed013058bdee7a

SHA1
62f01b0dae3f46fabd25ee38ab18581b6ab2a74d

SHA256
0be4b9f91a69ba196afa99e71925da5d72c9f94a2974ebcdc49d7dbb42374a93

SHA512
f28fb376e4bd700e62a25e760d1c8f195e0e7995f17b0fee65969241c085bc2349ff2cc2a4e3e479675c2ea445752824053730fdcc4dcf724376a0899b6c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\stretcher.exe

Filesize
11KB

MD5
8362e99800b0893acde429974e3bec18

SHA1
171fcd759a711ccfae5c17bc28733d96b3c4c501

SHA256
0fa2eed94a65179a43b1435b0a9f450632b35f03eb46562edd95433bcf27afac

SHA512
cd4de6bfb80bf7c9666e2119a8ec9630b4f150f3a492be6c6d9ef37bc93e05deaf99733eeba7ea78024de905dfb9cc666752db1cfe3a8f0dafd26e7e92a4f9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ìîðãàíèå ýêðàíà.EXE

Filesize
32KB

MD5
0e89a28bcf39b8ffd68b55117aa2c8c0

SHA1
f66ccc5892a386208fb3c105ed4b34e7e817cc51

SHA256
5ed6b1884460c35b8d585fe11bcf8eb156180d7e30bc22182409b251dd02f1c3

SHA512
a249eca07cea3180b8d0928659f2178163f03ef3b839f7482b3a26cf746e847fb1ae9b12e3b67071ab8e87fa58401e3d4395bcb58a7ca467cfbe38afd96b4054

Download Submit
C:\Users\Admin\AppData\Local\Temp\îñòîâëÿåò êðóãè êîãäà êëàöàåøü.exe

Filesize
15KB

MD5
fd83b5d21ad029ef124a9a6d4ec606f2

SHA1
8080416ae73380b3f09a007330b7b10c487e10b9

SHA256
8d6d180ab517bb2fe1361f226e5a423560e101e1d5a93b9767946c3c43673c67

SHA512
eea37d9f46fcd049bee25464d0226eb4ab37cdc598185dfcbf1691a8494fc7b2f9ac93a3fc53bd9090e483e91c373000b222b25ac9ad375caf894b6f7bdd1fae

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
99216b12177a4081f81f2393b28fca40

SHA1
ae453c51a1fe2a625dbeb06716431399d8006db7

SHA256
1a893c85693209ac571dc8b956756ba99de97fcc5366c2df65dccf97ed089a84

SHA512
9c5524405803dc4bf28cd9afb1d194ceb2a5a22896371de40d38f9fcb1319414c0cc8acb57c71e0504383f0c3128004f109ef06fa4f1ea3f3ef99b6a11fcb479

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
c174d288b05a38ee8221fbcc5bd7e6d5

SHA1
231fc93e554939469b6182d4d3aa70bc8cda5f9a

SHA256
12b8369b496c50eeb7d0677ebd95b770f339e22e797ab688358eea6511314696

SHA512
440537220d1802a66435eac61085efeba97063643d9c2b5a1940a40e0d31158ba31d06d5d29964afffcc06725f35980ac413f05db16957074ae85b415c9f8846

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
abdd43c95f7409f3f56fa2136aa7b019

SHA1
0b1e299d9c33ba0fb109530bd7d85e4e1cf2dd79

SHA256
7d2f33c94a25d16d1470740b86763e103c11bfb2477f61076d3663bfea762022

SHA512
9ac07533873d5afca79dce573dc7b47ee31b1dac2140155ddad5463574418c0d67851cb3079ee73c575145356d9e6955d32b2a8b4029078de51dbb6e558064d6

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
c5dcdd951acc04fe426a82e965960dda

SHA1
1b17cf9868de2822bf7301233672917618d40bce

SHA256
8bbc419c8181c116d356148de5403bea85971c5a0f9aa6a78552127d3bb61d28

SHA512
edb757fb7b858082a953a57548e5f96d786735f28c72dd1d103e71ff4e4cbd0c1de974737d9c20c2ac744f3d6ca4d648a9dcb1d3b3d4ade30428969a6447db76

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
0d59b24aa20f45ec904baa2c50c0db7b

SHA1
d3286a9182454ff6c9184d1957e7f016dd507025

SHA256
a6e2fe46a70a8508d36ffce7a02c961f0ead8357a106038d58321be2207201ce

SHA512
8cc10071627557d60bd37c14513feafe3c527045b08f513b0aa6e1ef86ec114382bc36678a49106350a84c12e354203849f64b8c2f0d67b72289cc226c1fea8a

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
9f4b8635f615b9ca53664130d4b2bf22

SHA1
c0305580fb4b2f16cbf3cc8342b717e94f4f42a0

SHA256
87e46c36eeb5e5ddd680ba26f0086e72549816162ae3ff7d4abbb0422e77bc5f

SHA512
a08bb2e3f731e801615e4bcc07cd202373c32d0fb0e174b9a6f206203b378bcb3925faecc9bcf690b2d8484d4ffce7edcb90b7e3b7a1261b441ec5af2112368e

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
21d6ae7029f90c664bce7252c3a55faa

SHA1
d7e0029d055d7991756de8af7b6780c3b76be080

SHA256
b3bdd2b0422dec2799dcc60bad78629be56f0cbc0c952841af1cf63be12fd071

SHA512
35c181636a7cb5c604d02fe9a38e780e3c49dbabeea58246c01c9e4aa72505b35f3d66ec405a9c600cc2ceba300333ce01f1460db9bfb1a6770968a04081b5c9

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
3bfee03ca953e08369cd4f4e2d9ddfdb

SHA1
3c3864e518a15a96b5b2276774d4bb27c73166aa

SHA256
56b0e4b578f2f4b829517d787501f8d477ae38c8ae735577cc4566b2ca29c669

SHA512
9b67d59b161c27971c9ec765c466492e0d28b47bb5a3e5f9a3324e03b9bf2ef46f3aa568726fa99213a7b31b3a98054af2f31529a11e65f77ec6996a243d4d98

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
ce78a8be53539b1634aa78756399b69a

SHA1
121278762d71392cb961e01c6223f99c30c373c8

SHA256
74751b73e6dec718f46989df3011aae54b2969982a658d06528060faa87de47b

SHA512
8bf684a04daeaa6ae2718b61aa06e9681e9db57545218cad8f061abd60fe03ea4639d85b0d9ff86100badb49625fd4a850f9921ca40d3d065ae345fe9b91af59

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
cd0aab597e41fcb374029f1df65b7092

SHA1
5930309d2b6d88e9e62aac4ca0076260f77eaa31

SHA256
f78f00e2e44c770730c33cfdd9aea49c13bd67d510fcbe8b9b9894168d39b957

SHA512
ebfd3bd7d067754a95acfa73db8980d89334fdd8cb87dd8f6943c2222d39e719125911b2c41dfa3a6a5f13ead076f535408a046356e6de5fb623a6c5080d8266

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
8b09ebf49aa3a36bc1da0b239c6558b8

SHA1
fcc63e84d593a16670a4a44c62f60fd40ceb5d5d

SHA256
3f154869608ac18a62c7910d426133b4a43feee9e158b65ee16977d280371462

SHA512
bea989f0bc86359579df596e16036bc326d017d42b896fc6849e6c006ff8d9d86865143b2d1a0c76f2767fa885ab59ea7b1506ae38fff3d8c31c9b0219254eee

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
9a1f190e77f9890ee1f6c1d2ae0dccca

SHA1
a000d6d3122f8742352798de0f09305efc481364

SHA256
05d4c50a1bdc0ac53b121ae14de84551a75416c2e2aabb377eb7abd700fddd42

SHA512
797421923afe9a924e07ead4d06818f8cfff17c6d7ad5a8a98819db99a8b6b0a1d2b9551bc9bb195d12951eb4a3e10f8164e9ea7af6f7eda58007107c1b54335

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
135ac7bc37eb453e3832dc4f855ad4f3

SHA1
d2a32700ef1ae8e116bdec90cfb7041594d1b307

SHA256
2c2671e970f826a075e17e316f6cf7321a365190c1930687134a08c3a79297a9

SHA512
650d6ffe2343400f93c44f2379f680c4582df18c581a4d9ecd1e47a591a7ad098fda68979d24912455984223e0018098a5a4792f5c04ed32a588c1c1e1b3f0a1

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
a67c4f59dad32b4a05e162dfcdb95970

SHA1
d73b1bcc2381e4f3b8ec83a25d3839f6e65236fc

SHA256
84f6a51f6814de849fa083f6250eef43d6c44d10ce4f5319a4a999bea64530cb

SHA512
2432a578c0f77b6e30431d224750c48b2f95a6c62448377bbf0a7645d0fae040d4baa67d080f867467348f262a6df9cf222b064fb9268da08a0c3bfc387a426b

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
a9b9e3470d5b479015fe1fa3562d78da

SHA1
bb21b9e4c6c30feb1ef332f636f9521c2028c363

SHA256
6140e87841ca285d1686b83372d09309f08e490d9945c44a658ec3de6b45d3b8

SHA512
826d39a9d97760264d2c16dc3fd68d064ade87895c5a2756f52e6f26a27becf9274002ba9409bba879360f1a6fb69535bf95820667e4e9f16f70ef56402d2bfc

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
a53fc8e71eda60f1bc0565db9af95546

SHA1
bd862b7ec3e26ae667b4bba98cf42d1ba71c5b09

SHA256
087e833a9582574c71016fb1dc1887e4d86304b7d0528ad913537bd8495b3914

SHA512
51ccb99753a5eb0bbadfbe90ff119535c520b4ce6d7990cddc7ce18acd4e2e77c4becce020612f42ae20c4f7eedb783d38ef1981b1c98a61e778622d2eaf618f

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
b541fce0f8255a19da78278e8938d535

SHA1
37e751748a6b3112e944c17b0e763a591c350ca0

SHA256
29e57547d9a1461be0152e5270479884bc1078ff87293b47b8e0058b78a55395

SHA512
096c0791bf625e725665b0a2bf761244aa255eb70a1fa4c21585252f81c325b275427cd35704318496bfaa20e6d4a3515388d1a17b1eb5a7b33e5fa5b06b4109

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
7e359bdef24d4f0760b85b05a5b2c3c4

SHA1
fa377ce2402729bb68c09da249c5c1882acaf547

SHA256
3574367152f10742e7be63b461ed8b5df17d061e1f5e218344a0a50db25a8094

SHA512
461f5e5623cfb48c051f9710430fe6e2874432408555c42196a2377185f7aea86f5fd07d0dda60fbf566de21d92f9cb59174f4ea9248b210252aece51640cbee

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
de1824ddd6b5fab1e5f0e4d103c40f47

SHA1
ce062719a266f974bfb17a8371e7419fc1989e74

SHA256
419597f7a9cdd954106d5000d85b427e3d311f4d37fefe75dc83b01d81ecd4d2

SHA512
3c2413fccbcb9f9d777a4d66c7a4969e6c0cd2e034280fc59e30a586d79dcf04ecc8d3dd58f4525c31062f87b5f1fd65492e2984cee351de9e385f298e33cb04

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
536f9de9cb62b5fe04601c00c6621595

SHA1
1e612fa28ce3c672eb44e3bda9f057c2de8e4a84

SHA256
66cac746e3879b021194f6742e38ba31f9f16b32f204a1e4dc26981ac305c44a

SHA512
84d5567a15db23a2d063950121d4bd88f440408a38d4c5d5e1e3c9be25e5599773d46c60dd1e0c4de59295477c23745bf20063b8acda0f9b4e60cada61208413

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
363a11c833eface1d68a9ac818f17b7f

SHA1
7cc510b2838ce00c4115076495da051a80f63eee

SHA256
4ff46d87d159422e4898f27aa24e3ce1643b843a0e560e8f2ea7191b4e202b6c

SHA512
31b2c9a7455c792a6c8bc2446a1d41f644d7a98b7e3db03f12bd3222f31b411b1c4ce1e57e1f7a9dedccc688b4e5df53bcb91947594931c9fdcc5f6cc18e400f

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
ca9da789285d8480041f990a5826b434

SHA1
b984cd9b3480ade14641d8fca1dd43061fc97c7a

SHA256
a6aa6760eb41684f489497aff3c34e48b7446f6fcf35ea687b0d05c24aeeb2d6

SHA512
13fc1b80b9bd6293970ab624b8479f9c13b7e42eb846ee0f0b4b9947e84235c70184a0f886b70f68265575e2a278548b3536577c439f09b279ce171403ac46e6

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
51de8a63b5a590ce6504d2fa14a23659

SHA1
72994aaf41378cc91e197ffa26f78b2226623751

SHA256
93a337038058b54f864906972ef34926be8316a49d5b72190c0134f54ed8ce21

SHA512
78fa2853da3220f62acf5990a1d7d9165eeee1b1256e7c9ff7887332377072d2389c99d19779fe1a0182094217e5e17a7bc7da8f568b54ca69a68f62584fda9b

Download Submit
memory/676-534-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/720-636-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/720-531-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1120-515-0x0000000000400000-0x000000000087B000-memory.dmp

Filesize
4.5MB

Download
memory/1120-606-0x0000000000400000-0x000000000087B000-memory.dmp

Filesize
4.5MB

Download
memory/1216-615-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1216-637-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1216-507-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1216-499-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1216-513-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1300-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1344-525-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1520-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1564-524-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1984-530-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1996-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2160-614-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-661-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2172-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2208-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-646-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-526-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2432-522-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-528-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-518-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-532-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2716-573-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2824-566-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-516-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2852-609-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2852-649-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-638-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-625-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/3028-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3308-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3376-639-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3404-533-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3580-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3648-236-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3672-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3704-126-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3892-641-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-506-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3972-792-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4012-475-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4012-535-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4108-520-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4560-523-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4676-519-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4676-645-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4728-452-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4736-501-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4736-483-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4888-644-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-527-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-648-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-521-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-610-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-650-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-517-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5112-529-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download