Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 12:27

Behavioral task: behavioral1
Sample: 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
Resource: win7-20240708-en

General
Target: 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
Size: 4.5MB
MD5: b3ba7afb650fbc73d5d7ba46d5e9f091
SHA1: 4f8f13afcd80d83cbe952774fee437ce32e87730
SHA256: f6f84b418926af4185426db6f6ad92aff970457e1ea707413fd95137a32a908d
SHA512: f86ec814fa90698baebba871a48fbbdb10b543c6cb839eba4288c2aa4865db357f371bd5dfaa95423a4f5e8c04c3a6809ad13579d88fecf69e672515d7db41ba
SSDEEP: 49152:8AR/SCICrtvMLtAvVfJVgbhWss4lTDRLOyR0MKGKPhGi:NdAc6yVfJVg0ss4lZiGti
Malware Config
Signatures
Detect Neshta payload 40 IoCs
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family

Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
Neshta family

Ramnit family
ModiLoader First Stage 1 IoCs
resource yara_rule behavioral1/memory/2864-764-0x0000000000400000-0x00000000004EC000-memory.dmp modiloader_stage1

resource yara_rule behavioral1/files/0x0006000000019080-122.dat aspack_v212_v242
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" headache.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 63 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Kills process with taskkill 1 IoCs
pid Process 844 taskkill.exe
Modifies registry class 3 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" headache.exe
-
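The third row is the Neshta persistence hook. headache.exe replaces the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command, which on a clean Windows install is `"%1" %*`, with `C:\Windows\svchost.com "%1" %*`. From then on every .exe the shell launches is started through the Neshta body in C:\Windows\svchost.com, which runs the requested program as its child; that is why nearly every dropped EXE further down in the process tree sits under a C:\Windows\svchost.com parent, and why the clean copies run from the `3582-490` temp directory. The Python below is an added example, not part of the report or of any tool it names: it parses rows in the report's `Set value (type) key = "data" process` layout and flags any write that points the exefile open verb away from the default. The input reuses the three rows above and adds one constructed row that writes the default back, to show that a restore is not flagged.

```python
import re
from dataclasses import dataclass

# Value of HKCR\exefile\shell\open\command (Default) on a clean Windows install:
# run the file itself and pass the remaining arguments through.
EXEFILE_DEFAULT = '"%1" %*'

# One "Set value" row of the report's registry table:
#   Set value (<type>) <key> = "<data>" <process>
# The key may contain spaces ("Internet Explorer"), so it is matched lazily up
# to the ' = "' separator; <data> is printed with \\ and \" escapes.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<data>(?:\\.|[^"\\])*)" (?P<proc>\S+)$'
)

# The exefile open verb, whether under HKLM\SOFTWARE\Classes or a per-user
# <SID>_Classes hive (a per-user entry takes precedence over the machine one).
EXEFILE_CMD_RE = re.compile(r'\\Classes\\exefile\\shell\\open\\command\\?$', re.IGNORECASE)


@dataclass
class Hijack:
    key: str        # registry key that was written
    command: str    # new open command, unescaped
    process: str    # image that wrote it


def _unescape(data: str) -> str:
    # Undo the report's escaping: doubled backslash -> backslash, \" -> "
    return data.replace('\\\\', '\\').replace('\\"', '"')


def interposer(command: str) -> str:
    """Program the hijacked verb actually starts: the first token of the command."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]


def find_exefile_hijacks(lines):
    """Every Set value row that points the exefile open verb away from the default."""
    hits = []
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m or not EXEFILE_CMD_RE.search(m.group('key')):
            continue
        command = _unescape(m.group('data'))
        if command != EXEFILE_DEFAULT:
            hits.append(Hijack(m.group('key'), command, m.group('proc')))
    return hits


# Sample input: the three rows of the "Modifies registry class" table above,
# plus one constructed row (regedit.exe) that writes the default back.
SAMPLE_REPORT_LINES = [
    r'Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings rundll32.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" headache.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" regedit.exe',  # constructed
]

if __name__ == '__main__':
    for h in find_exefile_hijacks(SAMPLE_REPORT_LINES):
        print(f'{h.process} hijacked {h.key}: every .exe now starts via {interposer(h.command)}')
```

On a live host the same check is a read of the (Default) value of HKLM\SOFTWARE\Classes\exefile\shell\open\command and of the user's Classes hive; anything other than `"%1" %*` there means the shell no longer runs executables directly.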
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process
2988 DesktopLayer.exe
2988 DesktopLayer.exe
2988 DesktopLayer.exe
2988 DesktopLayer.exe
1812 DesktopLayer.exe
1812 DesktopLayer.exe
1812 DesktopLayer.exe
1812 DesktopLayer.exe
2080 DesktopLayer.exe
2080 DesktopLayer.exe
2080 DesktopLayer.exe
2080 DesktopLayer.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 844 taskkill.exe
-
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process
1948 iexplore.exe
2736 PUSKA_~1.EXE
1324 ANTIPUSK.EXE
2464 GECCO.EXE
2864 Aforizm.exe
2464 GECCO.EXE
2464 GECCO.EXE
2864 Aforizm.exe
2464 GECCO.EXE
2464 GECCO.EXE
-
Suspicious use of SendNotifyMessage 7 IoCs
pid Process
2464 GECCO.EXE
2864 Aforizm.exe
2464 GECCO.EXE
2464 GECCO.EXE
2864 Aforizm.exe
2464 GECCO.EXE
2464 GECCO.EXE
-
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process
2740 MousePad.exe
1948 iexplore.exe
1948 iexplore.exe
2640 IEXPLORE.EXE
2640 IEXPLORE.EXE
1324 ANTIPUSK.EXE
1948 iexplore.exe
1948 iexplore.exe
2976 Stub.exe
1948 iexplore.exe
1948 iexplore.exe
704 iexplore.exe
704 iexplore.exe
2928 iexplore.exe
2928 iexplore.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2432 wrote to memory of 2656 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 30
PID 2432 wrote to memory of 2656 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 30
PID 2432 wrote to memory of 2656 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 30
PID 2432 wrote to memory of 2656 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 30
PID 2432 wrote to memory of 2740 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 31
PID 2432 wrote to memory of 2740 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 31
PID 2432 wrote to memory of 2740 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 31
PID 2432 wrote to memory of 2740 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 31
PID 2432 wrote to memory of 3068 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 32
PID 2432 wrote to memory of 3068 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 32
PID 2432 wrote to memory of 3068 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 32
PID 2432 wrote to memory of 3068 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 32
PID 2432 wrote to memory of 2780 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 33
PID 2432 wrote to memory of 2780 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 33
PID 2432 wrote to memory of 2780 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 33
PID 2432 wrote to memory of 2780 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 33
PID 3068 wrote to memory of 2688 3068 headache.exe 34
PID 3068 wrote to memory of 2688 3068 headache.exe 34
PID 3068 wrote to memory of 2688 3068 headache.exe 34
PID 3068 wrote to memory of 2688 3068 headache.exe 34
PID 2432 wrote to memory of 2016 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 35
PID 2432 wrote to memory of 2016 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 35
PID 2432 wrote to memory of 2016 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 35
PID 2432 wrote to memory of 2016 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 35
PID 2688 wrote to memory of 2296 2688 headache.exe 36
PID 2688 wrote to memory of 2296 2688 headache.exe 36
PID 2688 wrote to memory of 2296 2688 headache.exe 36
PID 2688 wrote to memory of 2296 2688 headache.exe 36
PID 2432 wrote to memory of 1680 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 37
PID 2432 wrote to memory of 1680 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 37
PID 2432 wrote to memory of 1680 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 37
PID 2432 wrote to memory of 1680 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 37
PID 2780 wrote to memory of 2880 2780 screenscrew.exe 38
PID 2780 wrote to memory of 2880 2780 screenscrew.exe 38
PID 2780 wrote to memory of 2880 2780 screenscrew.exe 38
PID 2780 wrote to memory of 2880 2780 screenscrew.exe 38
PID 2296 wrote to memory of 2988 2296 headacheSrv.exe 39
PID 2296 wrote to memory of 2988 2296 headacheSrv.exe 39
PID 2296 wrote to memory of 2988 2296 headacheSrv.exe 39
PID 2296 wrote to memory of 2988 2296 headacheSrv.exe 39
PID 2988 wrote to memory of 1948 2988 DesktopLayer.exe 40
PID 2988 wrote to memory of 1948 2988 DesktopLayer.exe 40
PID 2988 wrote to memory of 1948 2988 DesktopLayer.exe 40
PID 2988 wrote to memory of 1948 2988 DesktopLayer.exe 40
PID 2016 wrote to memory of 2336 2016 svchost.com 42
PID 2016 wrote to memory of 2336 2016 svchost.com 42
PID 2016 wrote to memory of 2336 2016 svchost.com 42
PID 2016 wrote to memory of 2336 2016 svchost.com 42
PID 2880 wrote to memory of 1232 2880 svchost.com 41
PID 2880 wrote to memory of 1232 2880 svchost.com 41
PID 2880 wrote to memory of 1232 2880 svchost.com 41
PID 2880 wrote to memory of 1232 2880 svchost.com 41
PID 1948 wrote to memory of 2640 1948 iexplore.exe 43
PID 1948 wrote to memory of 2640 1948 iexplore.exe 43
PID 1948 wrote to memory of 2640 1948 iexplore.exe 43
PID 1948 wrote to memory of 2640 1948 iexplore.exe 43
PID 2432 wrote to memory of 2528 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 44
PID 2432 wrote to memory of 2528 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 44
PID 2432 wrote to memory of 2528 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 44
PID 2432 wrote to memory of 2528 2432 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 44
PID 2528 wrote to memory of 2744 2528 svchost.com 45
PID 2528 wrote to memory of 2744 2528 svchost.com 45
PID 2528 wrote to memory of 2744 2528 svchost.com 45
PID 2528 wrote to memory of 2744 2528 svchost.com 45
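The table records every cross-process write the sandbox observed, so each CreateProcess appears as four identical rows, and only the writer's image is named; a target's image is known only if it later writes into a child of its own. The Python below is an added example, not part of the report: it collapses the duplicates, rebuilds the parent/child tree from the writer and target PIDs, and lists the processes that were started by C:\Windows\svchost.com, which is how a Neshta-infected host re-launches the original program. The embedded sample is the table above reduced to one row per edge, with the first edge kept four times to exercise the deduplication.

```python
import re
from collections import defaultdict

# One row of the "Suspicious use of WriteProcessMemory" table:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
ROW_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)'
)


def parse_edges(text):
    """(writer pid, target pid, writer image) per distinct row, in log order."""
    edges, seen = [], set()
    for m in ROW_RE.finditer(text):
        edge = (int(m.group('src')), int(m.group('dst')), m.group('image'))
        if edge not in seen:          # the sandbox logs several writes per launch
            seen.add(edge)
            edges.append(edge)
    return edges


class ProcessTree:
    def __init__(self, edges):
        self.children = defaultdict(list)  # pid -> child pids, log order
        self.parent = {}                   # child pid -> writer pid
        self.image = {}                    # pid -> image name (writers only)
        for src, dst, image in edges:
            self.image[src] = image
            self.parent[dst] = src
            self.children[src].append(dst)

    def roots(self):
        return [p for p in self.image if p not in self.parent]

    def ancestry(self, pid):
        """Root-to-pid chain of pids."""
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain[::-1]

    def depth(self, pid):
        return len(self.ancestry(pid)) - 1

    def launched_via(self, image):
        """Pids whose parent runs <image>; for svchost.com, the Neshta-wrapped launches."""
        return [c for c, p in self.parent.items() if self.image.get(p) == image]

    def render(self, pid, indent=0):
        # A leaf that never wrote into another process has no image in this table.
        name = self.image.get(pid, '(image not recorded: not a writer)')
        lines = [f"{'  ' * indent}{pid} {name}"]
        for c in self.children.get(pid, []):
            lines.extend(self.render(c, indent + 1))
        return lines


# Sample input copied from the table above, one row per edge except the first.
S = '2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe'
SAMPLE_ROWS = f"""
PID 2432 wrote to memory of 2656 2432 {S} 30
PID 2432 wrote to memory of 2656 2432 {S} 30
PID 2432 wrote to memory of 2656 2432 {S} 30
PID 2432 wrote to memory of 2656 2432 {S} 30
PID 2432 wrote to memory of 2740 2432 {S} 31
PID 2432 wrote to memory of 3068 2432 {S} 32
PID 2432 wrote to memory of 2780 2432 {S} 33
PID 3068 wrote to memory of 2688 3068 headache.exe 34
PID 2432 wrote to memory of 2016 2432 {S} 35
PID 2688 wrote to memory of 2296 2688 headache.exe 36
PID 2432 wrote to memory of 1680 2432 {S} 37
PID 2780 wrote to memory of 2880 2780 screenscrew.exe 38
PID 2296 wrote to memory of 2988 2296 headacheSrv.exe 39
PID 2988 wrote to memory of 1948 2988 DesktopLayer.exe 40
PID 2016 wrote to memory of 2336 2016 svchost.com 42
PID 2880 wrote to memory of 1232 2880 svchost.com 41
PID 1948 wrote to memory of 2640 1948 iexplore.exe 43
PID 2432 wrote to memory of 2528 2432 {S} 44
PID 2528 wrote to memory of 2744 2528 svchost.com 45
"""

if __name__ == '__main__':
    tree = ProcessTree(parse_edges(SAMPLE_ROWS))
    for root in tree.roots():
        print('\n'.join(tree.render(root)))
    print('started via svchost.com:', tree.launched_via('svchost.com'))
```

Because names come from the writer column, leaves such as 2336 (20min.exe in the process list) render unnamed; join the result against the process list when full names are needed.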
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe (PID 2432)
  cmd: "C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1.exe (PID 2656)
    cmd: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\MousePad.exe (PID 2740)
    cmd: "C:\Users\Admin\AppData\Local\Temp\MousePad.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\headache.exe (PID 3068)
    cmd: "C:\Users\Admin\AppData\Local\Temp\headache.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3582-490\headache.exe (PID 2688)
      cmd: "C:\Users\Admin\AppData\Local\Temp\3582-490\headache.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\3582-490\headacheSrv.exe (PID 2296)
        cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\headacheSrv.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe (PID 2988)
          cmd: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Internet Explorer\iexplore.exe (PID 1948)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2640)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1440)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:734212 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
  C:\Users\Admin\AppData\Local\Temp\screenscrew.exe (PID 2780)
    cmd: "C:\Users\Admin\AppData\Local\Temp\screenscrew.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\svchost.com (PID 2880)
      cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SCREEN~1.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\3582-490\SCREEN~1.EXE (PID 1232)
        cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\SCREEN~1.EXE
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 2016)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\20min.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\20min.exe (PID 2336)
      cmd: C:\Users\Admin\AppData\Local\Temp\20min.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 1680)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\EARTHQ~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 2528)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE (PID 2744)
      cmd: C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 2132)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Blank.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Blank.exe (PID 1736)
      cmd: C:\Users\Admin\AppData\Local\Temp\Blank.exe
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 1296)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Bubbler.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Bubbler.exe (PID 1312)
      cmd: C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 2948)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE (PID 1932)
      cmd: C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 836)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE (PID 2232)
      cmd: C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 1356)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flip.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Flip.exe (PID 1436)
      cmd: C:\Users\Admin\AppData\Local\Temp\Flip.exe
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 2520)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\halyava.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\halyava.exe (PID 908)
      cmd: C:\Users\Admin\AppData\Local\Temp\halyava.exe
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 952)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Hello.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Hello.exe (PID 2116)
      cmd: C:\Users\Admin\AppData\Local\Temp\Hello.exe
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 2128)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Invert.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Invert.exe (PID 1760)
      cmd: C:\Users\Admin\AppData\Local\Temp\Invert.exe
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 1156)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\myWeb.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\myWeb.exe (PID 2148)
      cmd: C:\Users\Admin\AppData\Local\Temp\myWeb.exe
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 2440)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Patterns.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Patterns.exe (PID 896)
      cmd: C:\Users\Admin\AppData\Local\Temp\Patterns.exe
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 1768)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE (PID 812)
      cmd: C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 1572)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE (PID 2736)
      cmd: C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
  C:\Windows\svchost.com (PID 2656)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\430A~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\430A~1.EXE (PID 2556)
      cmd: C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 2808)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BURP.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\BURP.EXE (PID 2720)
      cmd: C:\Users\Admin\AppData\Local\Temp\BURP.EXE
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 2868)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Viagra.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Viagra.exe (PID 2004)
      cmd: C:\Users\Admin\AppData\Local\Temp\Viagra.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 1272)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE (PID 1324)
      cmd: C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\rundll32.exe (PID 1820)
    cmd: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PUSKDLL.DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
  C:\Windows\svchost.com (PID 652)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Porno!.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 2332)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\krutilka.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\krutilka.exe (PID 1588)
      cmd: C:\Users\Admin\AppData\Local\Temp\krutilka.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe (PID 1016)
        cmd: C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe (PID 1812)
          cmd: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          C:\Program Files\Internet Explorer\iexplore.exe (PID 704)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2712)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:704 CREDAT:275457 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
  C:\Windows\svchost.com (PID 604)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Aforizm.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Aforizm.exe (PID 2864)
      cmd: C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\svchost.com (PID 776)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\GECCO.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\GECCO.EXE (PID 2464)
      cmd: C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\rundll32.exe (PID 2436)
    cmd: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FILE_ID.DIZ
    - System Location Discovery: System Language Discovery
    - Modifies registry class
  C:\Windows\svchost.com (PID 2680)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flipped.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 3052)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE (PID 2728)
      cmd: C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
      - Executes dropped EXE
  C:\Windows\svchost.com (PID 3024)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\Stub.exe (PID 2976)
      cmd: C:\Users\Admin\AppData\Local\Temp\Stub.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\taskkill.exe (PID 844)
        cmd: taskkill /f /im "Stub.exe"
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\svchost.com (PID 816)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE (PID 2536)
      cmd: C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe (PID 700)
        cmd: C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe (PID 2080)
          cmd: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          C:\Program Files\Internet Explorer\iexplore.exe (PID 2928)
            cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2856)
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
  C:\Windows\svchost.com (PID 2612)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ERROR.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\ERROR.EXE (PID 316)
      cmd: C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
      - System Location Discovery: System Language Discovery
  C:\Windows\svchost.com (PID 1812)
    cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MouseFX.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\MouseFX.exe (PID 2508)
      cmd: C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 859KB
MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
Filesize 547KB
MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
Filesize 186KB
MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
Filesize 1.1MB
MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
Filesize 84KB
MD5 f06f1ee47df12256990a6f81249661de
SHA1 4e1fed25a57e49102cf2a45862d478dc8d68cafc
SHA256 68b76252d3140cc1e3944898dde0d198131e1758bda1a83596e2811a18875b66
SHA512 c3827de7b15dda80f11504b932db790f68d4d4e3fcc27abab5c5d97f25eebac7586664872f36434c928bbb010d6cd5a3977e97b29c4f9cd7d0b49a43daf7394a
-
Filesize 172KB
MD5 7eb8c9c1701f6b347721b42ba15c0993
SHA1 13e62637aa5c402383f5665d20c7491c51bccbdc
SHA256 6d5e92ccc9d65e02d8f805e3f4e33841db34a562b3c882a137146461a56bdec2
SHA512 22572a6ebf16b5e260c5d99f30aaefabd88a143bc6b6a9a4d7b82a31ffeb7970d3701c697fcb4c692c6f450782982f3e43f74e3b01fe3ebf1957fc0ef0a4a072
-
Filesize 14KB
MD5 00dd057add024c605c0414a985d31c32
SHA1 1d00812873ff86b33120923b705c872e13efd5cc
SHA256 2665f52d47ee7dfbffabcf58c0da31e311d3efa97442e85944a61bac8629e2af
SHA512 3eb9439c75ac9b32a121ee959aa94f11a5c73d26aa24d76bf0af149a045ad1368711797ef949ba834cb6da970005b5e829bc96fba5d841a2256022b973000226
-
Filesize 311KB
MD5 76047996f4f4ff35476d1d961ea7ae85
SHA1 171026463d36aee9df90166ff3c9cb93e3b0e76b
SHA256 4f29dec6e66bf0aef0a30275f45eebadd50a42ad4b13b28ed8307ab4c403533e
SHA512 d24b64b87660dcdc9168efca1ac5c7047a27c3cafb23b81f203e6e734c855dc2d32921908e98f03191e872feb5719518dbe469762021b19b485b498db96ef5ce
-
Filesize 71KB
MD5 5c70d18d0078e484a9a0a40f8f585bbb
SHA1 b3f886d37be5d04bfa5ac93b5d30c9b5cab72e21
SHA256 81252087cbffce0278cb4fc96ef4e38902d3a2a353fa761fe1a979c7bf959dcf
SHA512 67020862c4409ed267819016c1a76fd08010a5e34274ab17bab76d6fda0d8792deabb509b43580c3ee7c870b770151aa196d812f1cc4040b8ac2bc286fe8c6c5
-
Filesize 67KB
MD5 5c8434c362e791e2d40dc47603d2b552
SHA1 3181705211deaa2204b4e936e196411a2f0e7b87
SHA256 65ee141434e58dddb67d135728d5f8dfb38ee28fc4627b4c5ce3a831c3a724ae
SHA512 a4907232d77278cfdbd67ba75dc6fb48f0ce162623126f57efd04ef816fe396f4eb68dca1eaa7876d3a683472f473e229e689b3f75b9fd80a2ceb369dc227110
-
Filesize 8KB
MD5 d704b61a5521a22261ee9025259374fb
SHA1 a55a7211c0b2ef2d04824b897ee8ba4d20af6874
SHA256 8d4383f98fb673652fda948463e2cd0957ce3c6a1f7912d38245b14cc0e7c4dc
SHA512 105f600c76d591909c315ccdb56917badc8b03f81dfe46530db4c4fc03459bfd2b527cc1f81e9d63cbd5c7f7e2447ecfbfb541bb2dca9efd6fca5ade9a0eaa58
-
Filesize 205KB
MD5 375a2cfdd9fef84d768ec6fe4864637c
SHA1 e936dcde05852641ebc26f900e4be79536b46006
SHA256 0f3a8d1bdb5906503c3379e87c83509485d725f41e2ab46cc09bd2a4d89ed6ab
SHA512 a2e946074d9a926ce1e5ab8f4e65bfd637410d4a5baca71c8b1aaad5ab6eaac63d0bbd710b0554061c1b43efe67ca3374835453d86ff34607b9a0d85718f9eda
-
Filesize 5KB
MD5 7320032b2b46c07b4a432745829223b3
SHA1 23386c3d89290ecc3d47c4a626cc7cc68ad2ef5a
SHA256 834ae4c2ca0b332fafcc6abb2ce7d5fa4c5ffb1778fc1280fe1f09f65f1ecc9a
SHA512 312ce17c8b3203928ffd8eca3aa94f3b04194e89e12ff25cffb370722636994f100708e05ab9782ca90756eb92607d6126ab72ee60726d3a0a1dc2320e208684
-
Filesize 383KB
MD5 a4511b80eff4f5007db396d4d5945000
SHA1 96b46a299f8cbdae9709f9ead1263db93d75dba8
SHA256 88f14d21db721241a476936b0d249dd51f845c0023222aee35110fd96fa05dc2
SHA512 75c729fa641fc49dcee4c8255d8b6d6c5436bcbc1ee43264cba936f93d634ef2d1dcc6bfd9eed7cf68f3f04d5a683ecc5597d0c524238328852d1c036942f007
-
Filesize 1.0MB
MD5 42dd94809ad0c60480690c0ae0019ee8
SHA1 d578fb2fc7c0b08a8ebb375e920d3602a70a098d
SHA256 0040cd2d77e8f81db7414c284bf9828348d7b3a5a5322177fd9e8151fc00638f
SHA512 b8ba04feb9e2a6b15b017af6d2af55756987ac33de1c0740208ac09f402218ca585bbe0e6ce91b8aa50b0653fc8999473c1ed34c3b1a0d5e87b21ce35c19470b
-
Filesize 214KB
MD5 47c74a609a29a07bc46ed4b08d7b2e53
SHA1 5123c36d3c406ed7bbecd0fc06132351205f6cea
SHA256 f2a77abec4c54f4e896848622a61592e3a50a744002ef3dc50734f024207f9d9
SHA512 471debf83743d5726598432367a84efe02c44df8ee40274bf22815e34e2975d55bd169ea889e950c66a56e92295690cb73f009439655d091332fdb6e51133b43
-
Filesize 192KB
MD5 7504638de13c91d3de4701bc5eba895e
SHA1 9db65ccbc5d16a692a5a1d7ab883786281bf3345
SHA256 c11a3234a6037f762a40d6694a66f2a3f99d7fb792ec9bfdd988fcc53cc08301
SHA512 1a0acb104b1b5d8a62a5c9450110aef4b87a399823c1cb9372f305ae98342389795283bb7b74f4a1351f9411a469a5ec0ff8dca1562ebc6d63863ba15bec4ccf
-
Filesize 433KB
MD5 81d6608d365553332b24d7010bfa3db5
SHA1 84755b2ac2d7d89d7ae65beb5c1c3fc7af382153
SHA256 52d9642c0148b215088b1fee8da5325a3f0067fa69132e75477e67e702f3d053
SHA512 42af9e30321657b23bc748f1434382cae414ca22ed6f941d5258db9ed35bffa7805abe3814a849154df49544a5a670c2d874eb8dd385a914240a1efe41f5ab56
-
Filesize 65KB
MD5 c1de9eca3223daed0bc2ae4816193d94
SHA1 802d287f4b04454349ca29edf759c8a17c1001fa
SHA256 da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA512 1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
Filesize 48B
MD5 ca9da789285d8480041f990a5826b434
SHA1 b984cd9b3480ade14641d8fca1dd43061fc97c7a
SHA256 a6aa6760eb41684f489497aff3c34e48b7446f6fcf35ea687b0d05c24aeeb2d6
SHA512 13fc1b80b9bd6293970ab624b8479f9c13b7e42eb846ee0f0b4b9947e84235c70184a0f886b70f68265575e2a278548b3536577c439f09b279ce171403ac46e6
-
Filesize 45B
MD5 c174d288b05a38ee8221fbcc5bd7e6d5
SHA1 231fc93e554939469b6182d4d3aa70bc8cda5f9a
SHA256 12b8369b496c50eeb7d0677ebd95b770f339e22e797ab688358eea6511314696
SHA512 440537220d1802a66435eac61085efeba97063643d9c2b5a1940a40e0d31158ba31d06d5d29964afffcc06725f35980ac413f05db16957074ae85b415c9f8846
-
Filesize 47B
MD5 abdd43c95f7409f3f56fa2136aa7b019
SHA1 0b1e299d9c33ba0fb109530bd7d85e4e1cf2dd79
SHA256 7d2f33c94a25d16d1470740b86763e103c11bfb2477f61076d3663bfea762022
SHA512 9ac07533873d5afca79dce573dc7b47ee31b1dac2140155ddad5463574418c0d67851cb3079ee73c575145356d9e6955d32b2a8b4029078de51dbb6e558064d6
-
Filesize 48B
MD5 c5dcdd951acc04fe426a82e965960dda
SHA1 1b17cf9868de2822bf7301233672917618d40bce
SHA256 8bbc419c8181c116d356148de5403bea85971c5a0f9aa6a78552127d3bb61d28
SHA512 edb757fb7b858082a953a57548e5f96d786735f28c72dd1d103e71ff4e4cbd0c1de974737d9c20c2ac744f3d6ca4d648a9dcb1d3b3d4ade30428969a6447db76
-
Filesize 48B
MD5 0d59b24aa20f45ec904baa2c50c0db7b
SHA1 d3286a9182454ff6c9184d1957e7f016dd507025
SHA256 a6e2fe46a70a8508d36ffce7a02c961f0ead8357a106038d58321be2207201ce
SHA512 8cc10071627557d60bd37c14513feafe3c527045b08f513b0aa6e1ef86ec114382bc36678a49106350a84c12e354203849f64b8c2f0d67b72289cc226c1fea8a
-
Filesize 44B
MD5 fda4f502731bda201b6788e8497f4c53
SHA1 ad476d40ac9beb57281255bc38587504f597f539
SHA256 c44bfc4cfe40f2547ff7beabf1ce602b0481f21d9764260bad52856e28fa6b04
SHA512 9c5be9356982bc3e2082823edcb77d777507d8b0ceb8ffce58eb9f0ed9f1821704cdf5b634a1573e053b054dc60a8c99499560338c85b75260aed2d680666bbb
-
Filesize 47B
MD5 9f4b8635f615b9ca53664130d4b2bf22
SHA1 c0305580fb4b2f16cbf3cc8342b717e94f4f42a0
SHA256 87e46c36eeb5e5ddd680ba26f0086e72549816162ae3ff7d4abbb0422e77bc5f
SHA512 a08bb2e3f731e801615e4bcc07cd202373c32d0fb0e174b9a6f206203b378bcb3925faecc9bcf690b2d8484d4ffce7edcb90b7e3b7a1261b441ec5af2112368e
-
Filesize 45B
MD5 21d6ae7029f90c664bce7252c3a55faa
SHA1 d7e0029d055d7991756de8af7b6780c3b76be080
SHA256 b3bdd2b0422dec2799dcc60bad78629be56f0cbc0c952841af1cf63be12fd071
SHA512 35c181636a7cb5c604d02fe9a38e780e3c49dbabeea58246c01c9e4aa72505b35f3d66ec405a9c600cc2ceba300333ce01f1460db9bfb1a6770968a04081b5c9
-
Filesize 46B
MD5 3bfee03ca953e08369cd4f4e2d9ddfdb
SHA1 3c3864e518a15a96b5b2276774d4bb27c73166aa
SHA256 56b0e4b578f2f4b829517d787501f8d477ae38c8ae735577cc4566b2ca29c669
SHA512 9b67d59b161c27971c9ec765c466492e0d28b47bb5a3e5f9a3324e03b9bf2ef46f3aa568726fa99213a7b31b3a98054af2f31529a11e65f77ec6996a243d4d98
-
Filesize 45B
MD5 ce78a8be53539b1634aa78756399b69a
SHA1 121278762d71392cb961e01c6223f99c30c373c8
SHA256 74751b73e6dec718f46989df3011aae54b2969982a658d06528060faa87de47b
SHA512 8bf684a04daeaa6ae2718b61aa06e9681e9db57545218cad8f061abd60fe03ea4639d85b0d9ff86100badb49625fd4a850f9921ca40d3d065ae345fe9b91af59
-
Filesize 48B
MD5 cd0aab597e41fcb374029f1df65b7092
SHA1 5930309d2b6d88e9e62aac4ca0076260f77eaa31
SHA256 f78f00e2e44c770730c33cfdd9aea49c13bd67d510fcbe8b9b9894168d39b957
SHA512 ebfd3bd7d067754a95acfa73db8980d89334fdd8cb87dd8f6943c2222d39e719125911b2c41dfa3a6a5f13ead076f535408a046356e6de5fb623a6c5080d8266
-
Filesize
48B
MD58b09ebf49aa3a36bc1da0b239c6558b8
SHA1fcc63e84d593a16670a4a44c62f60fd40ceb5d5d
SHA2563f154869608ac18a62c7910d426133b4a43feee9e158b65ee16977d280371462
SHA512bea989f0bc86359579df596e16036bc326d017d42b896fc6849e6c006ff8d9d86865143b2d1a0c76f2767fa885ab59ea7b1506ae38fff3d8c31c9b0219254eee
-
Filesize
48B
MD59a1f190e77f9890ee1f6c1d2ae0dccca
SHA1a000d6d3122f8742352798de0f09305efc481364
SHA25605d4c50a1bdc0ac53b121ae14de84551a75416c2e2aabb377eb7abd700fddd42
SHA512797421923afe9a924e07ead4d06818f8cfff17c6d7ad5a8a98819db99a8b6b0a1d2b9551bc9bb195d12951eb4a3e10f8164e9ea7af6f7eda58007107c1b54335
-
Filesize
46B
MD5135ac7bc37eb453e3832dc4f855ad4f3
SHA1d2a32700ef1ae8e116bdec90cfb7041594d1b307
SHA2562c2671e970f826a075e17e316f6cf7321a365190c1930687134a08c3a79297a9
SHA512650d6ffe2343400f93c44f2379f680c4582df18c581a4d9ecd1e47a591a7ad098fda68979d24912455984223e0018098a5a4792f5c04ed32a588c1c1e1b3f0a1
-
Filesize
44B
MD556e740b72f8dcf1aab85d53ddb63a7ee
SHA12dbef9cb11b778afaf5e0b3f27d0d348de80fac4
SHA256ba11812098cc3c5801a4b1eba675e1e3ab22ed0979b2c7b5da74e718f86eb196
SHA512622488bc0e9b02f5b3c484862f699d665125e95c0d7d0b93b28b6cdd327a82bc0b8b7f7154f9df1d333cd7707ebab103c32cbfedef63b8793db805ea22cf5822
-
Filesize
46B
MD545e25a10530441eca16e2b927d8a1f26
SHA163b4729e705ccce1adb72f51cc8e60acb6575e90
SHA256e8d521206c7c7f2ca8a336b519f94e23f705eea3eff6d9793b167786cf35eec6
SHA51293450dc53335b01e645fc25d80b0b56342c87c7bf4e6ae778c7b05a7136fa9e780eef23dcd5c7f94af2f9e04c590ab7574d61434dcf0a2299a39e40eb58a9916
-
Filesize
48B
MD5a67c4f59dad32b4a05e162dfcdb95970
SHA1d73b1bcc2381e4f3b8ec83a25d3839f6e65236fc
SHA25684f6a51f6814de849fa083f6250eef43d6c44d10ce4f5319a4a999bea64530cb
SHA5122432a578c0f77b6e30431d224750c48b2f95a6c62448377bbf0a7645d0fae040d4baa67d080f867467348f262a6df9cf222b064fb9268da08a0c3bfc387a426b
-
Filesize
48B
MD5eda1a1c1b267107a1a07a64ee58b2e1b
SHA16bc4cb3faac2759278b43df8dffc3a0134b3addd
SHA256261f5176179b15dcb678372346f07eb8ab7b9d1ead0e8b03619242692f3b94a8
SHA5121e1189de24b4dfc01df164f75e5c891e6cbfa069d5a0ad2d392fe0496c29035703099f0870cbf02ee3bd06f48aa7fa0d96f7252bc12955e6900e695e9a1789a4
-
Filesize
47B
MD5a53fc8e71eda60f1bc0565db9af95546
SHA1bd862b7ec3e26ae667b4bba98cf42d1ba71c5b09
SHA256087e833a9582574c71016fb1dc1887e4d86304b7d0528ad913537bd8495b3914
SHA51251ccb99753a5eb0bbadfbe90ff119535c520b4ce6d7990cddc7ce18acd4e2e77c4becce020612f42ae20c4f7eedb783d38ef1981b1c98a61e778622d2eaf618f
-
Filesize
45B
MD5b541fce0f8255a19da78278e8938d535
SHA137e751748a6b3112e944c17b0e763a591c350ca0
SHA25629e57547d9a1461be0152e5270479884bc1078ff87293b47b8e0058b78a55395
SHA512096c0791bf625e725665b0a2bf761244aa255eb70a1fa4c21585252f81c325b275427cd35704318496bfaa20e6d4a3515388d1a17b1eb5a7b33e5fa5b06b4109
-
Filesize
47B
MD57e359bdef24d4f0760b85b05a5b2c3c4
SHA1fa377ce2402729bb68c09da249c5c1882acaf547
SHA2563574367152f10742e7be63b461ed8b5df17d061e1f5e218344a0a50db25a8094
SHA512461f5e5623cfb48c051f9710430fe6e2874432408555c42196a2377185f7aea86f5fd07d0dda60fbf566de21d92f9cb59174f4ea9248b210252aece51640cbee
-
Filesize
46B
MD5de1824ddd6b5fab1e5f0e4d103c40f47
SHA1ce062719a266f974bfb17a8371e7419fc1989e74
SHA256419597f7a9cdd954106d5000d85b427e3d311f4d37fefe75dc83b01d81ecd4d2
SHA5123c2413fccbcb9f9d777a4d66c7a4969e6c0cd2e034280fc59e30a586d79dcf04ecc8d3dd58f4525c31062f87b5f1fd65492e2984cee351de9e385f298e33cb04
-
Filesize
48B
MD5817076cc58618b0cb92ff3ae6c5565a0
SHA1ed2e6e0f3eacf3716a1841a921d4bb6be43df128
SHA2567a16741573b93c405cb4938b776132abf5a3c8a3be205f33e68e6755caca432c
SHA512771b50827010c76eb884e4c437ef6aed86bb13589d225db46af4ac93b9039133003730364b9446161791db3b9c30bc8267c694b0d5f089531487c1f84753fcca
-
Filesize
45B
MD5536f9de9cb62b5fe04601c00c6621595
SHA11e612fa28ce3c672eb44e3bda9f057c2de8e4a84
SHA25666cac746e3879b021194f6742e38ba31f9f16b32f204a1e4dc26981ac305c44a
SHA51284d5567a15db23a2d063950121d4bd88f440408a38d4c5d5e1e3c9be25e5599773d46c60dd1e0c4de59295477c23745bf20063b8acda0f9b4e60cada61208413
-
Filesize
40KB
MD551de8a63b5a590ce6504d2fa14a23659
SHA172994aaf41378cc91e197ffa26f78b2226623751
SHA25693a337038058b54f864906972ef34926be8316a49d5b72190c0134f54ed8ce21
SHA51278fa2853da3220f62acf5990a1d7d9165eeee1b1256e7c9ff7887332377072d2389c99d19779fe1a0182094217e5e17a7bc7da8f568b54ca69a68f62584fda9b
-
Filesize
9KB
MD526abb9e459e5976f658ce80d6433f1b1
SHA13c8f02c1cf7b8ae82be3deea4b360497f6fee1c3
SHA25660cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12
SHA512c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8
-
Filesize
111KB
MD5e87a04c270f98bb6b5677cc789d1ad1d
SHA18c14cb338e23d4a82f6310d13b36729e543ff0ca
SHA256e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338
SHA5128784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
32KB
MD58b74b02f17593680f4bdb4ffb578ef86
SHA1c76998140974d7c14d44c998549a681c7c712164
SHA2569893494bcef02c6e63e4bfce830f5d33d2af1056b220a3469bc00df059b25013
SHA512225592139afe6b7dffca3b2a0b13047a5988e43ddf77fd725c137f6c8960cb987185d8f559af92faadc0275be4f31a1da51a1bb36011f9288949510af4efd554
-
Filesize
212KB
MD576ce4661b60461154ffcfd8fb51b6c57
SHA1b9e71d6126d7db063febd0f7306095a030ead84b
SHA2566e363c4d8d13b353529b11881f5fdcc1138e93df104b24d31d3ce566ffabe8de
SHA51242f970e5929039ca68649998bf727aaca3bad0a7f0563399c11904aaa5378b72b0fb2d6dcad724119cad10f9792c348aa444b94413e132fac35494d275dde3bd
-
Filesize
151KB
MD51c78e0c700a71e5894ed013058bdee7a
SHA162f01b0dae3f46fabd25ee38ab18581b6ab2a74d
SHA2560be4b9f91a69ba196afa99e71925da5d72c9f94a2974ebcdc49d7dbb42374a93
SHA512f28fb376e4bd700e62a25e760d1c8f195e0e7995f17b0fee65969241c085bc2349ff2cc2a4e3e479675c2ea445752824053730fdcc4dcf724376a0899b6c4c85