Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 12:27
Behavioral task: behavioral1
Sample: 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
Resource: win7-20240708-en
(The signature hits listed below are all tagged behavioral2, i.e. they come from the win10v2004-20241007-en run named in the analysis header, not from this win7 task.)
General
Target: 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
Size: 4.5MB
MD5: b3ba7afb650fbc73d5d7ba46d5e9f091
SHA1: 4f8f13afcd80d83cbe952774fee437ce32e87730
SHA256: f6f84b418926af4185426db6f6ad92aff970457e1ea707413fd95137a32a908d
SHA512: f86ec814fa90698baebba871a48fbbdb10b543c6cb839eba4288c2aa4865db357f371bd5dfaa95423a4f5e8c04c3a6809ad13579d88fecf69e672515d7db41ba
SSDEEP: 49152:8AR/SCICrtvMLtAvVfJVgbhWss4lTDRLOyR0MKGKPhGi:NdAc6yVfJVg0ss4lZiGti
Malware Config
Signatures
Detect Neshta payload 43 IoCs
Five dropped files and 38 process memory regions match the family_neshta yara rule. Every svchost.com launcher process matches at 0x400000-0x41B000; the sample process itself (pid 4968) matches at 0x400000-0x87B000, i.e. the submitted file carries the Neshta body too.
resource  yara_rule
behavioral2/files/0x000a000000023b76-24.dat  family_neshta
behavioral2/files/0x000a000000023b77-37.dat  family_neshta
behavioral2/files/0x000a000000023b7a-54.dat  family_neshta
behavioral2/files/0x000b000000023b7b-63.dat  family_neshta
behavioral2/files/0x000a000000023b7d-79.dat  family_neshta
behavioral2/memory/2880-102-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/948-303-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4312-344-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/3304-350-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1132-367-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4524-389-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2024-532-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4656-535-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1160-539-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4076-545-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4344-542-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/448-541-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4284-540-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2692-538-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/432-537-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4968-536-0x0000000000400000-0x000000000087B000-memory.dmp  family_neshta
behavioral2/memory/2044-544-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/64-546-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2792-543-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2368-551-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2420-550-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/5100-549-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4348-548-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/5048-547-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4284-554-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4968-565-0x0000000000400000-0x000000000087B000-memory.dmp  family_neshta
behavioral2/memory/432-599-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1160-601-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2692-600-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4968-645-0x0000000000400000-0x000000000087B000-memory.dmp  family_neshta
behavioral2/memory/5060-658-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/448-663-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4868-618-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/3228-664-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1032-666-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2388-665-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4344-667-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/432-668-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses public cloud and file-hosting services to fetch the next-stage malware it delivers.
Modiloader family
Neshta
Neshta is a file-infecting virus: it writes its own code into other executables so that they carry and spread it, and it hooks the .exe file association so that its launcher (C:\Windows\svchost.com in this run) executes before every program the user starts.
Neshta family
Ramnit family
ModiLoader First Stage 1 IoCs
resource  yara_rule
behavioral2/memory/3688-820-0x0000000000400000-0x00000000004EC000-memory.dmp  modiloader_stage1
Packer signature: aspack_v212_v242 1 IoCs
resource  yara_rule
behavioral2/files/0x000a000000023b7b-56.dat  aspack_v212_v242
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
Queried by: screenscrew.exe, 20min.exe, 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe, headache.exe
Executes dropped EXE 63 IoCs
pid  Process
1508  1.exe
2964  MousePad.exe
432  headache.exe
2692  screenscrew.exe
1160  20min.exe
2880  svchost.com
4284  svchost.com
4108  20min.exe
1596  BLACK&~1.EXE
448  svchost.com
4964  Blank.exe
4344  svchost.com
2792  svchost.com
780  Bubbler.exe
4236  DESKSC~1.EXE
2044  svchost.com
4852  DSCROL~1.EXE
4076  svchost.com
1440  Flip.exe
64  svchost.com
5048  svchost.com
2936  halyava.exe
4060  Hello.exe
4348  svchost.com
5100  svchost.com
2420  svchost.com
1052  myWeb.exe
4456  Patterns.exe
2368  svchost.com
948  svchost.com
1316  Invert.exe
2408  PUSKA_~1.EXE
1256  STRETC~1.EXE
4312  svchost.com
1132  svchost.com
1472  430A~1.EXE
4424  BURP.EXE
4524  svchost.com
3304  svchost.com
1996  Viagra.exe
2168  ANTIPUSK.EXE
2024  svchost.com
5112  svchost.com
2176  krutilka.exe
4656  svchost.com
3392  krutilkaSrv.exe
3400  DesktopLayer.exe
3688  Aforizm.exe
3212  svchost.com
3404  GECCO.EXE
3228  svchost.com
4712  svchost.com
4868  svchost.com
5036  E1F4~1.EXE
4448  Stub.exe
1032  svchost.com
4880  DROPPI~1.EXE
5060  svchost.com
2388  svchost.com
464  MouseFX.exe
4168  DROPPI~1Srv.exe
1324  DesktopLayer.exe
3908  ERROR.EXE
Loads dropped DLL 16 IoCs
pid  Process
2168  ANTIPUSK.EXE
1472  430A~1.EXE
2408  PUSKA_~1.EXE
2964  MousePad.exe
4424  BURP.EXE
4968  2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
1996  Viagra.exe
2024  svchost.com
3404  GECCO.EXE
3688  Aforizm.exe
1692  IEXPLORE.EXE
1692  IEXPLORE.EXE
3228  svchost.com
4448  Stub.exe
3908  ERROR.EXE
4880  DROPPI~1.EXE
Modifies system executable filetype association 2 TTPs 2 IoCs
Two of the infected hosts replace the stock .exe handler ("%1" %*) with one that runs C:\Windows\svchost.com first. Because this is the HKLM\SOFTWARE\Classes\exefile open command, every executable launched on the machine afterwards goes through the Neshta launcher, which then starts the intended program; this is the persistence mechanism behind the svchost.com -> dropped-EXE chains in the process tree below. Note the .com extension: this file is not the legitimate C:\Windows\System32\svchost.exe.
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  screenscrew.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  headache.exe
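The two registry writes above, and the Neshta description earlier, describe an exefile-handler hijack. The following is an added triage helper written for this page (it is not part of the sandbox report or of any Neshta tooling): it takes registry "Set value" events in the shape the report prints them, flags any exefile open-command value that is not the stock "%1" %*, extracts the interposed binary, and emits the reg.exe line that restores the default. The sample events are constructed: the first two copy the report, the benign write and the per-user (HKU) hijack are made up to show both a non-finding and the case where a per-user Classes key shadows the machine-wide one.

```python
import re

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command: run the
# clicked executable (%1) with its own arguments (%*) and nothing in front of it.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Handler values of the form <interposer> "%1" %*, interposer quoted or bare.
_INTERPOSER_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<b>\S+))\s+"%1"\s*%\*\s*$')
# The exefile open-command key in any hive; trailing backslash optional because
# the sandbox prints one.
_EXEFILE_KEY_RE = re.compile(r'\\classes\\exefile\\shell\\open\\command\\?$', re.IGNORECASE)

# Constructed sample events in the (description, key, value, process) shape of the
# report's registry table. Rows 1-2 copy the report; rows 3-5 are invented.
EXEFILE_CMD_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command' + '\\'
SAMPLE_EVENTS = [
    ("Set value (str)", EXEFILE_CMD_KEY, r'C:\Windows\svchost.com "%1" %*', "screenscrew.exe"),
    ("Set value (str)", EXEFILE_CMD_KEY, r'C:\Windows\svchost.com "%1" %*', "headache.exe"),
    ("Set value (str)", EXEFILE_CMD_KEY, r'"%1" %*', "setup_benign.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Classes\exefile\shell\open\command',
     r'"C:\Users\victim\AppData\Roaming\upd.exe" "%1" %*', "dropper.exe"),
    ("Key created", EXEFILE_CMD_KEY, None, "headache.exe"),
]


def is_default_exefile_command(value: str) -> bool:
    """True when the handler is the stock one (ignoring extra whitespace)."""
    return " ".join(value.split()) == DEFAULT_EXEFILE_COMMAND


def hive_of(key: str) -> str:
    upper = key.upper()
    if upper.startswith(r"\REGISTRY\MACHINE"):
        return "HKLM"
    if upper.startswith(r"\REGISTRY\USER"):
        return "HKU"   # per-user Classes override HKLM for that user
    return "?"


def find_exefile_hijacks(events):
    """One finding per 'Set value' that points the .exe handler at another binary."""
    findings = []
    for description, key, value, process in events:
        if not description.startswith("Set value") or value is None:
            continue
        if not _EXEFILE_KEY_RE.search(key):
            continue
        if is_default_exefile_command(value):
            continue
        m = _INTERPOSER_RE.match(value)
        findings.append({
            "process": process,
            "hive": hive_of(key),
            # None when the value is not even '<x> "%1" %*' shaped; still suspicious.
            "interposer": (m.group("q") or m.group("b")) if m else None,
            "raw": value,
        })
    return findings


def restore_command(key: str) -> str:
    """reg.exe line that puts the stock handler back. Run it elevated, and only
    after the interposer binary is gone, otherwise it simply re-sets the value."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", "HKLM\\\\", key, flags=re.IGNORECASE)
    path = re.sub(r"^\\REGISTRY\\USER\\", "HKU\\\\", path, flags=re.IGNORECASE)
    path = path.rstrip("\\")
    return f'reg add "{path}" /ve /t REG_SZ /d "\\"%1\\" %*" /f'


if __name__ == "__main__":
    for hit in find_exefile_hijacks(SAMPLE_EVENTS):
        print(f"{hit['process']}: {hit['hive']} exefile handler -> {hit['interposer']}")
```

Restoring the key is only the first step: every executable Neshta wrote itself into (see the Program Files list further down) still carries the virus body and will reinstall the launcher and the handler the next time it runs, so disinfect or replace those files before touching the registry.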
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Packer signature: upx 6 IoCs
resource  yara_rule
behavioral2/memory/3392-499-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral2/memory/3400-505-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral2/memory/2176-491-0x0000000000400000-0x000000000041D000-memory.dmp  upx
behavioral2/memory/2176-557-0x0000000000400000-0x000000000041D000-memory.dmp  upx
behavioral2/memory/4168-648-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral2/files/0x000a000000023b9e-634.dat  upx
Drops file in Program Files directory 64 IoCs
All entries are "File opened for modification" on an existing executable, i.e. the infected hosts (screenscrew.exe, 20min.exe, headache.exe) writing themselves into installed programs; the one exception is krutilkaSrv.exe dropping DesktopLayer.exe.
ioc  Process
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE  screenscrew.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE  20min.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE  20min.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe  20min.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe  20min.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE  headache.exe
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE  20min.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe  screenscrew.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE  screenscrew.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE  20min.exe
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE  screenscrew.exe
C:\PROGRA~2\INTERN~1\ExtExport.exe  screenscrew.exe
C:\PROGRA~2\INTERN~1\iexplore.exe  20min.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE  headache.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE  headache.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE  screenscrew.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE  20min.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe  screenscrew.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE  screenscrew.exe
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe  headache.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE  screenscrew.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE  headache.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE  20min.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE  screenscrew.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE  headache.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe  headache.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE  screenscrew.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE  screenscrew.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE  screenscrew.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe  screenscrew.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe  headache.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE  screenscrew.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE  20min.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE  screenscrew.exe
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE  screenscrew.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe  krutilkaSrv.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE  headache.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe  headache.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE  screenscrew.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE  20min.exe
C:\PROGRA~2\WINDOW~4\wmlaunch.exe  headache.exe
C:\PROGRA~2\WINDOW~2\wabmig.exe  screenscrew.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe  20min.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE  20min.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE  20min.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe  screenscrew.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe  20min.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE  20min.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE  headache.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE  headache.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE  screenscrew.exe
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  screenscrew.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE  headache.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe  screenscrew.exe
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe  20min.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE  20min.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE  20min.exe
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe  screenscrew.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE  20min.exe
C:\PROGRA~2\WINDOW~4\setup_wm.exe  20min.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE  screenscrew.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe  screenscrew.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE  headache.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE  headache.exe
Drops file in Windows directory 59 IoCs
All 59 events are "File opened for modification" on the two Neshta artefacts in C:\Windows. The infected hosts (headache.exe, screenscrew.exe, 20min.exe) each install the launcher once; the remaining writes come from the launcher processes themselves.
ioc  Process (event count)
C:\Windows\svchost.com  svchost.com (28), headache.exe (1), screenscrew.exe (1), 20min.exe (1)
C:\Windows\directx.sys  svchost.com (28)
Despite its name, directx.sys here is a Neshta-written file in the Windows directory, not a DirectX driver; together with svchost.com it is a reliable on-disk indicator for this family.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (all 64 events)
By process: svchost.com (27), 20min.exe (2), and once each by DROPPI~1Srv.exe, DROPPI~1.EXE, Invert.exe, ANTIPUSK.EXE, E1F4~1.EXE, screenscrew.exe, Patterns.exe, krutilkaSrv.exe, headache.exe, Hello.exe, krutilka.exe, MousePad.exe, DesktopLayer.exe, GECCO.EXE, Blank.exe, 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe, Bubbler.exe, DSCROL~1.EXE, 430A~1.EXE, Aforizm.exe, 1.exe, myWeb.exe, IEXPLORE.EXE, taskkill.exe, MouseFX.exe, DESKSC~1.EXE, halyava.exe, STRETC~1.EXE, ERROR.EXE, Flip.exe, PUSKA_~1.EXE, Viagra.exe, Stub.exe, BLACK&~1.EXE, BURP.EXE (35 processes).
Treat this signature as low-signal on its own: ordinary runtime locale initialisation reads the same key, which is why the built-in taskkill.exe and IEXPLORE.EXE appear in the list alongside the dropped samples.
Kills process with taskkill 1 IoCs
pid  Process
4248  taskkill.exe
Internet Explorer registry writes (iexplore.exe / IEXPLORE.EXE) 18 IoCs
All keys are under \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer.
description  ioc  Process
Set value (int)  VersionManager\LastCheckForUpdateHighDateTime = "31151414"  iexplore.exe
Key created  Main  iexplore.exe
Set value (str)  GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  IEXPLORE.EXE
Set value (int)  VersionManager\LastUpdateHighDateTime = "31151414"  iexplore.exe
Set value (int)  VersionManager\LastCheckForUpdateLowDateTime = "543004501"  iexplore.exe
Key created  VersionManager  IEXPLORE.EXE
Set value (int)  Main\CompatibilityFlags = "0"  iexplore.exe
Key created  VersionManager  iexplore.exe
Set value (int)  VersionManager\LastTTLLowDateTime = "1251635200"  iexplore.exe
Set value (int)  VersionManager\LastTTLHighDateTime = "50"  iexplore.exe
Key created  Main  IEXPLORE.EXE
Key created  GPU  IEXPLORE.EXE
Key created  Recovery\AdminActive  iexplore.exe
Set value (int)  VersionManager\LastCheckForUpdateLowDateTime = "582067204"  IEXPLORE.EXE
Set value (int)  Recovery\AdminActive\{4F76212D-C129-11EF-BEF1-C67090DD1599} = "0"  iexplore.exe
Key created  Main  iexplore.exe
Set value (int)  VersionManager\LastUpdateLowDateTime = "543004501"  iexplore.exe
Set value (int)  VersionManager\LastCheckForUpdateHighDateTime = "31151414"  IEXPLORE.EXE
Modifies registry class 6 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  screenscrew.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  headache.exe
Key created  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings  2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
Key created  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings  20min.exe
Key created  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings  OpenWith.exe
Key created  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings  OpenWith.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid  Process (event count)
3400  DesktopLayer.exe (8)
1324  DesktopLayer.exe (8)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description  pid  Process
Token: 33  396  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  396  AUDIODG.EXE
Token: SeDebugPrivilege  4248  taskkill.exe
Suspicious use of FindShellTrayWindow 9 IoCs
pid  Process (event count)
2408  PUSKA_~1.EXE (1)
2168  ANTIPUSK.EXE (1)
3404  GECCO.EXE (5)
3688  Aforizm.exe (2)
Suspicious use of SendNotifyMessage 7 IoCs
pid  Process (event count)
3404  GECCO.EXE (5)
3688  Aforizm.exe (2)
Suspicious use of SetWindowsHookEx 7 IoCs
pid  Process (event count)
2964  MousePad.exe (1)
2168  ANTIPUSK.EXE (1)
3736  OpenWith.exe (1)
4432  iexplore.exe (2)
4448  Stub.exe (1)
5000  OpenWith.exe (1)
Suspicious use of WriteProcessMemory 64 IoCs
The report prints each parent-to-child write three times. De-duplicated, the 64 entries are the 22 parent/child pairs below (procid_target in brackets; child image names taken from the "Executes dropped EXE" table; pid 4968 is 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe). Read with the exefile-handler change above, the repeated pattern sample -> svchost.com -> dropped program is the hijacked .exe association at work: every executable the sample starts is first run through C:\Windows\svchost.com "%1" %*, which then starts the intended program. The chain 20min.exe (1160) -> svchost.com (2880) -> 20min.exe (4108) shows the same thing for an infected host: the infected copy runs the launcher, which then runs the original program.
parent pid  parent Process  ->  child pid  child Process  [procid_target]
4968  sample  ->  1508  1.exe  [82]
4968  sample  ->  2964  MousePad.exe  [83]
4968  sample  ->  432  headache.exe  [84]
4968  sample  ->  2692  screenscrew.exe  [85]
4968  sample  ->  1160  20min.exe  [86]
1160  20min.exe  ->  2880  svchost.com  [87]
4968  sample  ->  4284  svchost.com  [88]
2880  svchost.com  ->  4108  20min.exe  [89]
4284  svchost.com  ->  1596  BLACK&~1.EXE  [90]
4968  sample  ->  448  svchost.com  [91]
448  svchost.com  ->  4964  Blank.exe  [92]
4968  sample  ->  4344  svchost.com  [93]
4968  sample  ->  2792  svchost.com  [94]
4344  svchost.com  ->  780  Bubbler.exe  [95]
2792  svchost.com  ->  4236  DESKSC~1.EXE  [96]
4968  sample  ->  2044  svchost.com  [97]
2044  svchost.com  ->  4852  DSCROL~1.EXE  [98]
4968  sample  ->  4076  svchost.com  [99]
4076  svchost.com  ->  1440  Flip.exe  [100]
4968  sample  ->  64  svchost.com  [101]
4968  sample  ->  5048  svchost.com  [102]
4968  sample  ->  4348  svchost.com  [105]  (listed once; the report stops at 64 entries)
Processes

The tree below keeps the report's depth markers in brackets ([1] = top-level process, [2] = its child, and so on); each entry gives the PID, the image path, the full command line, and the behaviours the sandbox attributed to that process.

[1] PID 4968  C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] PID 1508  C:\Users\Admin\AppData\Local\Temp\1.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] PID 2964  C:\Users\Admin\AppData\Local\Temp\MousePad.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\MousePad.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    [2] PID 432  C:\Users\Admin\AppData\Local\Temp\headache.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\headache.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies system executable filetype association
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class

    [2] PID 2692  C:\Users\Admin\AppData\Local\Temp\screenscrew.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\screenscrew.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies system executable filetype association
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class

    [2] PID 1160  C:\Users\Admin\AppData\Local\Temp\20min.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\20min.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] PID 2880  C:\Windows\svchost.com
            cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe"
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] PID 4108  C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

    [2] PID 4284  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] PID 1596  C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 448  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Blank.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] PID 4964  C:\Users\Admin\AppData\Local\Temp\Blank.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Blank.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 4344  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Bubbler.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] PID 780  C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 2792  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] PID 4236  C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 2044  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] PID 4852  C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 4076  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flip.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] PID 1440  C:\Users\Admin\AppData\Local\Temp\Flip.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Flip.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 64  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\halyava.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 2936  C:\Users\Admin\AppData\Local\Temp\halyava.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\halyava.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 5048  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Hello.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 4060  C:\Users\Admin\AppData\Local\Temp\Hello.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Hello.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 4348  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Invert.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 1316  C:\Users\Admin\AppData\Local\Temp\Invert.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Invert.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 5100  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\myWeb.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 1052  C:\Users\Admin\AppData\Local\Temp\myWeb.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\myWeb.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 2420  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Patterns.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 4456  C:\Users\Admin\AppData\Local\Temp\Patterns.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Patterns.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 2368  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 1256  C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 948  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 2408  C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow

    [2] PID 4312  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\430A~1.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 1472  C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

    [2] PID 1132  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BURP.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 4424  C:\Users\Admin\AppData\Local\Temp\BURP.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\BURP.EXE
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

    [2] PID 4524  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Viagra.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 1996  C:\Users\Admin\AppData\Local\Temp\Viagra.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Viagra.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

    [2] PID 3304  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 2168  C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx

    [2] PID 2024  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Porno!.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

    [2] PID 5112  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\krutilka.exe"
        - Executes dropped EXE
        - Drops file in Windows directory

        [3] PID 2176  C:\Users\Admin\AppData\Local\Temp\krutilka.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\krutilka.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

            [4] PID 3392  C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
                - Executes dropped EXE
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery

                [5] PID 3400  C:\Program Files (x86)\Microsoft\DesktopLayer.exe
                    cmd: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses

                    [6] PID 4432  C:\Program Files\Internet Explorer\iexplore.exe
                        cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
                        - Modifies Internet Explorer settings
                        - Suspicious use of SetWindowsHookEx

                        [7] PID 1692  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4432 CREDAT:17410 /prefetch:2
                            - Loads dropped DLL
                            - System Location Discovery: System Language Discovery
                            - Modifies Internet Explorer settings

    [2] PID 4656  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Aforizm.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 3688  C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] PID 3212  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\GECCO.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 3404  C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] PID 3228  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flipped.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

    [2] PID 4712  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 5036  C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] PID 4868  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 4448  C:\Users\Admin\AppData\Local\Temp\Stub.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Stub.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

            [4] PID 4248  C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /f /im "Stub.exe"
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

    [2] PID 1032  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 4880  C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

            [4] PID 4168  C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

                [5] PID 1324  C:\Program Files (x86)\Microsoft\DesktopLayer.exe
                    cmd: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses

                    [6] PID 5072  C:\Program Files\Internet Explorer\iexplore.exe
                        cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
                        - Modifies Internet Explorer settings

    [2] PID 2388  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ERROR.EXE"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 3908  C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
            cmd: C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

    [2] PID 5060  C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MouseFX.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] PID 464  C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

[1] PID 3736  C:\Windows\system32\OpenWith.exe
    cmd: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] PID 396  C:\Windows\system32\AUDIODG.EXE
    cmd: C:\Windows\system32\AUDIODG.EXE 0x500 0x504
    - Suspicious use of AdjustPrivilegeToken

[1] PID 5000  C:\Windows\system32\OpenWith.exe
    cmd: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] PID 2420  C:\Windows\System32\WaaSMedicAgent.exe
    cmd: C:\Windows\System32\WaaSMedicAgent.exe 157d0a1506588fea1d1bcff2598796aa QdQYG3tAo02nOkJC4Xmscg.0.1.0.0.0
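The WriteProcessMemory log and the process tree above describe the same launch chain from two angles: the log gives parent/child PIDs and the writing image, the tree gives command lines. The recurring shape is C:\Windows\svchost.com started with the path of a real program as its quoted argument, followed by that program running as svchost.com's child (in the 20min.exe case from the 3582-490 directory). The depth-2 svchost.com entries directly under the dropper are consistent with the hijacked executable file-type association recorded for headache.exe and screenscrew.exe, since a shell launch of any .exe then resolves through the hijacked handler. The script below is an added example, not the sandbox's code: it parses the report's own "wrote to memory of" record format, de-duplicates the triplicated rows, rebuilds the tree, and flags the svchost.com wrapper pattern. The log slice and the PID-to-command-line map are constructed from the report; the function names are the example's own.

```python
"""Rebuild the launch chain from the report's WriteProcessMemory log and flag the
Neshta launch pattern: C:\\Windows\\svchost.com started with the path of a real
program as its argument, then spawning exactly that program.
Added example, not the sandbox's own code."""
import re
from collections import defaultdict

# Constructed sample: a slice of the report's "wrote to memory of" log, kept in the
# report's own record format. The sandbox logs each parent/child pair three times.
WPM_LOG = """
PID 4968 wrote to memory of 1160 4968 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 86
PID 4968 wrote to memory of 1160 4968 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 86
PID 4968 wrote to memory of 1160 4968 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 86
PID 1160 wrote to memory of 2880 1160 20min.exe 87
PID 1160 wrote to memory of 2880 1160 20min.exe 87
PID 1160 wrote to memory of 2880 1160 20min.exe 87
PID 4968 wrote to memory of 4284 4968 2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe 88
PID 2880 wrote to memory of 4108 2880 svchost.com 89
PID 2880 wrote to memory of 4108 2880 svchost.com 89
PID 4284 wrote to memory of 1596 4284 svchost.com 90
"""

# Constructed: command lines for those PIDs, copied from the process tree.
CMDLINES = {
    4968: r'"C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe"',
    1160: r'"C:\Users\Admin\AppData\Local\Temp\20min.exe"',
    2880: r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe"',
    4108: r'C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe',
    4284: r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE"',
    1596: r'C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE',
}

# Record format: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
QUOTED_ARG_RE = re.compile(r'"([^"]+)"')
# Directory from which svchost.com launched 20min.exe in this report.
NESHTA_STAGING_DIR = "\\3582-490\\"


def parse_wpm(text):
    """De-duplicated (parent_pid, child_pid, parent_image) edges, in first-seen order."""
    seen, edges = set(), []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def children_of(edges):
    """Map parent_pid -> [child_pid, ...] preserving log order."""
    tree = defaultdict(list)
    for parent, child, _ in edges:
        tree[parent].append(child)
    return tree


def neshta_chains(edges, cmdlines):
    """Return (svchost_pid, child_pid, target_path, from_staging_dir) for every
    svchost.com process whose quoted argument is the path its child then executes."""
    hits = []
    for parent, child, image in edges:
        if image.lower() != "svchost.com":
            continue
        args = QUOTED_ARG_RE.findall(cmdlines.get(parent, ""))
        if len(args) < 2:          # svchost.com with no wrapped program: not the pattern
            continue
        target = args[1]
        child_cmd = cmdlines.get(child, "").strip().strip('"')
        if child_cmd.lower() == target.lower():
            hits.append((parent, child, target, NESHTA_STAGING_DIR.lower() in target.lower()))
    return hits


def render(tree, cmdlines, root, depth=0):
    """Indented text tree rooted at `root`, one line per process."""
    lines = [f"{'    ' * depth}[{root}] {cmdlines.get(root, '?')}"]
    for child in tree.get(root, []):
        lines.extend(render(tree, cmdlines, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_LOG)
    print("\n".join(render(children_of(edges), CMDLINES, 4968)))
    for svc, child, target, staged in neshta_chains(edges, CMDLINES):
        print(f"Neshta host {svc} -> {child}: {target}{' (from 3582-490)' if staged else ''}")
```

Two caveats when applying this to a full report: the WriteProcessMemory log covers fewer children than the tree (the tree shows svchost.com launches of Hello.exe, Invert.exe, myWeb.exe and others that the log slice above does not), so the log is a lower bound on the chain, and PIDs are reused within a run (PID 2420 appears both as the svchost.com that wrapped Patterns.exe and, later, as WaaSMedicAgent.exe), so correlate on PID plus image and time rather than PID alone.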
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
9KB
MD526abb9e459e5976f658ce80d6433f1b1
SHA13c8f02c1cf7b8ae82be3deea4b360497f6fee1c3
SHA25660cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12
SHA512c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8
-
Filesize
124KB
MD535136787fd7256e6fa7fae3516a0c830
SHA1699618516ba4a5efd13d41a997cf8700341eb93a
SHA2569e1aab3558a45978e0cf2abcad3a883638b02fbf3a77ef4baeec62edd3eaea70
SHA512f344b27562c8a4a393c41ac793463d4a4f9aa612a71e2f79ab8e95c39a9c76b6ef16a525805b06965924b5d71e4becd849ae8e0caf77e638f9f537395b45af39
-
Filesize
84KB
MD5f06f1ee47df12256990a6f81249661de
SHA14e1fed25a57e49102cf2a45862d478dc8d68cafc
SHA25668b76252d3140cc1e3944898dde0d198131e1758bda1a83596e2811a18875b66
SHA512c3827de7b15dda80f11504b932db790f68d4d4e3fcc27abab5c5d97f25eebac7586664872f36434c928bbb010d6cd5a3977e97b29c4f9cd7d0b49a43daf7394a
-
Filesize
172KB
MD57eb8c9c1701f6b347721b42ba15c0993
SHA113e62637aa5c402383f5665d20c7491c51bccbdc
SHA2566d5e92ccc9d65e02d8f805e3f4e33841db34a562b3c882a137146461a56bdec2
SHA51222572a6ebf16b5e260c5d99f30aaefabd88a143bc6b6a9a4d7b82a31ffeb7970d3701c697fcb4c692c6f450782982f3e43f74e3b01fe3ebf1957fc0ef0a4a072
-
Filesize
111KB
MD5e87a04c270f98bb6b5677cc789d1ad1d
SHA18c14cb338e23d4a82f6310d13b36729e543ff0ca
SHA256e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338
SHA5128784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13
-
Filesize
7KB
MD5e29569e42b85bd880c54d22524248237
SHA13d34ca85f067172c192eda7722948e25538d65fe
SHA256126bc70dfcd987397d69da9f14e5535e79165c0036add6815659abc80d10f2ca
SHA5120bf6f216f78e702312ebc48285a8e10913373cfac51fa3b5da3f6ceaeb8d42b792f8d86c5b1bccd53900e8e3d07c3feae2feb9d3eed34ecd96ec99696f15a534
-
Filesize
359KB
MD5b65fc413c4af96d84822e39ce969942a
SHA1eaa176253f3b91ef6094221403362c8c51dff572
SHA256dc9015e7327c29d6699e1cb8c23148fc73af11de910ab335868342f02f22703c
SHA5123e18e86a00fe81fbf27cad0c224c4772e827cfa9a18f6baeee71cf49501ccdde330e592f59b820c54669f19dda1c8fa8a2342eb5b1cf240678b4979969094454
-
Filesize
14KB
MD500dd057add024c605c0414a985d31c32
SHA11d00812873ff86b33120923b705c872e13efd5cc
SHA2562665f52d47ee7dfbffabcf58c0da31e311d3efa97442e85944a61bac8629e2af
SHA5123eb9439c75ac9b32a121ee959aa94f11a5c73d26aa24d76bf0af149a045ad1368711797ef949ba834cb6da970005b5e829bc96fba5d841a2256022b973000226
-
Filesize
71KB
MD55c70d18d0078e484a9a0a40f8f585bbb
SHA1b3f886d37be5d04bfa5ac93b5d30c9b5cab72e21
SHA25681252087cbffce0278cb4fc96ef4e38902d3a2a353fa761fe1a979c7bf959dcf
SHA51267020862c4409ed267819016c1a76fd08010a5e34274ab17bab76d6fda0d8792deabb509b43580c3ee7c870b770151aa196d812f1cc4040b8ac2bc286fe8c6c5
-
Filesize
67KB
MD55c8434c362e791e2d40dc47603d2b552
SHA13181705211deaa2204b4e936e196411a2f0e7b87
SHA25665ee141434e58dddb67d135728d5f8dfb38ee28fc4627b4c5ce3a831c3a724ae
SHA512a4907232d77278cfdbd67ba75dc6fb48f0ce162623126f57efd04ef816fe396f4eb68dca1eaa7876d3a683472f473e229e689b3f75b9fd80a2ceb369dc227110
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
11KB
MD5c6aac231bd73d7cd9fe9474265fb2a0a
SHA1693742b31b1f33761062744a9d317c6cb30e7e17
SHA2563558cbfb4478d2f47b600c52bd5018443b86221639602f33ea0385ef3eef6ec5
SHA512a32daa9b7e98b45aba2fc1c9620fca7cda218fb30fce5fa48231c4de92adeb15c8a856179a21f14b5a7acdf7294748f464c2448f3d38ddf71e9e714d913f1988
-
Filesize
8KB
MD5d704b61a5521a22261ee9025259374fb
SHA1a55a7211c0b2ef2d04824b897ee8ba4d20af6874
SHA2568d4383f98fb673652fda948463e2cd0957ce3c6a1f7912d38245b14cc0e7c4dc
SHA512105f600c76d591909c315ccdb56917badc8b03f81dfe46530db4c4fc03459bfd2b527cc1f81e9d63cbd5c7f7e2447ecfbfb541bb2dca9efd6fca5ade9a0eaa58
-
Filesize
10KB
MD5fc3fcc73569dc5917637de3c0271d9a5
SHA19efe1d66d9a4df5868ef12ad70b179517bab0f56
SHA256008b1fbf3dc9b576733d066d69cb0038c8f58699b10f2f2a589e685c2f63fbe3
SHA51292b6dbe06489f9e69ecd0fdba3c29b83ac2a85c12aebf04e493fc30bd72e78c363b9cd8ffd8c4d9643de79581c3e4ab6fc72eae1602b2fc97443e0f982155bf0
-
Filesize
4KB
MD572a02361ea6a72ed57247047b780df19
SHA13bdc295eae546ba86fbd5a98ee78026fab0340b8
SHA2566de221e7cd02a607f8660b89b5d008195fabe922a563ae13a8bd427c1d26ac7a
SHA5125b45d59146dd13f8d78ddf27a0d7459f587d4a175d3963a2740fa2d02edf3aaa3c5feabec75148295848b4757a34be3b5ea5890544b5b4d73952c8d8fcad987e
-
Filesize
10KB
MD59bbf8c162b7d054161ed1f4db8d478b0
SHA1157bffed52c8c7abfeeef731bea33086e713ec74
SHA2562aabaa220e383a19c27bfad1262e972ec443e3bf56ea116a7600fe7f72661a02
SHA512bf62209c8e1cb93a60f944f0342d2c0b8ff31abddc1b31c80130b6c175e060581f51a1252bdd95e481016aac16778bfe208e67fd0ba5e6e9297622c878416912
-
Filesize
13KB
MD50cdadd11f9888e0beed3b914fdd1308a
SHA15fdb5aab369e8873a9ddf9858fb40427479b198f
SHA2563ec6564b1fab7c90167e287e01ae26e800d049098332b42e67fa00a416b6cc93
SHA512493d94db6c8075d85fb0069e314f47b9939431d7e18f9c5ec332efa91397e5a09c653bce22c5f7b4cc73f5e180b0c8b505b550e882ad39866f6799526701638a
-
Filesize
19KB
MD5aa11cbd4556066a123ff14df33a91ac8
SHA1efac5c4d1eff5c0df7105440cce91d106d6ef181
SHA256db5733588c2a7c6b3bc0c1a836e919a332d3435a92792f4a2e5822866a874d73
SHA512b6a70e317e32e65440a8aa46c7f0342d85c3880cd3514fa9872a5202d4933612c87a674c2800a42b85950c82f456a5729b64613b8bfb68fb536128e13d3b2bd0
-
Filesize
32KB
MD58b74b02f17593680f4bdb4ffb578ef86
SHA1c76998140974d7c14d44c998549a681c7c712164
SHA2569893494bcef02c6e63e4bfce830f5d33d2af1056b220a3469bc00df059b25013
SHA512225592139afe6b7dffca3b2a0b13047a5988e43ddf77fd725c137f6c8960cb987185d8f559af92faadc0275be4f31a1da51a1bb36011f9288949510af4efd554
-
Filesize
11KB
MD5b03dfd6a6d029948924b5486a5bd1931
SHA1bf04f4cf5d98fbfc6f6d9a8cb12c3d60823f3f11
SHA25633644f58e9eb469a733dba31db9af9fde1ba5298fc18389c0a78879a4406fc4f
SHA5121903a9c0e106ceeb340d4a66460b4af8fee40b7c12872b5ca91bf470d56edc1b91e7c57b1f6388efe50c70d379b12858eaaf08269f6e2d658ad8102a2f89d6e5
-
Filesize
192KB
MD57504638de13c91d3de4701bc5eba895e
SHA19db65ccbc5d16a692a5a1d7ab883786281bf3345
SHA256c11a3234a6037f762a40d6694a66f2a3f99d7fb792ec9bfdd988fcc53cc08301
SHA5121a0acb104b1b5d8a62a5c9450110aef4b87a399823c1cb9372f305ae98342389795283bb7b74f4a1351f9411a469a5ec0ff8dca1562ebc6d63863ba15bec4ccf
-
Filesize
32KB
MD5ac8ace1f2570085b2b7184cea7b4fdc0
SHA1d6878a6dff4345122d4fe3a4c2e820cf08753a49
SHA2568b48fa2f104a60bdead7695b31190e681217ee23aba44454edab3e758571884c
SHA512155fddecabb75ab60930d80f4289a80d5a3e0c0e56e5169da350bf8b9959172e7fb009f8e146a153357b9519e7f96b1df941bbaeb36cf3b30045e8fec6129835
-
Filesize
5KB
MD57320032b2b46c07b4a432745829223b3
SHA123386c3d89290ecc3d47c4a626cc7cc68ad2ef5a
SHA256834ae4c2ca0b332fafcc6abb2ce7d5fa4c5ffb1778fc1280fe1f09f65f1ecc9a
SHA512312ce17c8b3203928ffd8eca3aa94f3b04194e89e12ff25cffb370722636994f100708e05ab9782ca90756eb92607d6126ab72ee60726d3a0a1dc2320e208684
-
Filesize
8KB
MD59f32f1fb5155d01ce47a6b0e679ff2fe
SHA1ad131beb815ca355a09cb2e4572d2d85f1d1259c
SHA256c9bcd8aa2ba6364e441f609494a57a729b53e0360b7a8317e2baed76770e6d3c
SHA51234ac158c558a967b8bd2ac99d8c236174f2aabd62604c8890c6236ab89e7d9345753483ad91285a02a29d4a7e1c297e0bd20767605243ed1cc03a976a226ad83
-
Filesize
212KB
MD576ce4661b60461154ffcfd8fb51b6c57
SHA1b9e71d6126d7db063febd0f7306095a030ead84b
SHA2566e363c4d8d13b353529b11881f5fdcc1138e93df104b24d31d3ce566ffabe8de
SHA51242f970e5929039ca68649998bf727aaca3bad0a7f0563399c11904aaa5378b72b0fb2d6dcad724119cad10f9792c348aa444b94413e132fac35494d275dde3bd
-
Filesize
15KB
MD568cabf111614c64cc454a6a5fe9ee4ff
SHA174a036f32c37025699280fb474b6f7815a9d118c
SHA25681162716b98c2af6e76c0acc1188c03db1e8f9485ebdff38a6364bff4aa59406
SHA512cc01c441172de1bc9a414b2660d8a5330adf12fcdf2721caebadf45937864577a48fba9dd202f154f91a7a028dd8679896ecc22b9bddea9839d7af918835dad7
-
Filesize
151KB
MD51c78e0c700a71e5894ed013058bdee7a
SHA162f01b0dae3f46fabd25ee38ab18581b6ab2a74d
SHA2560be4b9f91a69ba196afa99e71925da5d72c9f94a2974ebcdc49d7dbb42374a93
SHA512f28fb376e4bd700e62a25e760d1c8f195e0e7995f17b0fee65969241c085bc2349ff2cc2a4e3e479675c2ea445752824053730fdcc4dcf724376a0899b6c4c85
-
Filesize
11KB
MD58362e99800b0893acde429974e3bec18
SHA1171fcd759a711ccfae5c17bc28733d96b3c4c501
SHA2560fa2eed94a65179a43b1435b0a9f450632b35f03eb46562edd95433bcf27afac
SHA512cd4de6bfb80bf7c9666e2119a8ec9630b4f150f3a492be6c6d9ef37bc93e05deaf99733eeba7ea78024de905dfb9cc666752db1cfe3a8f0dafd26e7e92a4f9a9
-
Filesize
32KB
MD50e89a28bcf39b8ffd68b55117aa2c8c0
SHA1f66ccc5892a386208fb3c105ed4b34e7e817cc51
SHA2565ed6b1884460c35b8d585fe11bcf8eb156180d7e30bc22182409b251dd02f1c3
SHA512a249eca07cea3180b8d0928659f2178163f03ef3b839f7482b3a26cf746e847fb1ae9b12e3b67071ab8e87fa58401e3d4395bcb58a7ca467cfbe38afd96b4054
-
Filesize
15KB
MD5fd83b5d21ad029ef124a9a6d4ec606f2
SHA18080416ae73380b3f09a007330b7b10c487e10b9
SHA2568d6d180ab517bb2fe1361f226e5a423560e101e1d5a93b9767946c3c43673c67
SHA512eea37d9f46fcd049bee25464d0226eb4ab37cdc598185dfcbf1691a8494fc7b2f9ac93a3fc53bd9090e483e91c373000b222b25ac9ad375caf894b6f7bdd1fae
-
Filesize
45B
MD5c174d288b05a38ee8221fbcc5bd7e6d5
SHA1231fc93e554939469b6182d4d3aa70bc8cda5f9a
SHA25612b8369b496c50eeb7d0677ebd95b770f339e22e797ab688358eea6511314696
SHA512440537220d1802a66435eac61085efeba97063643d9c2b5a1940a40e0d31158ba31d06d5d29964afffcc06725f35980ac413f05db16957074ae85b415c9f8846
-
Filesize
48B
MD56902cea03d381c9b70ea1fe2cf78faf8
SHA10fe22766d0186bdd41ee852e1ff80ae716e6bd6f
SHA256a91ae4594faa308a01995d139fcb094856f08a5e99c0392abb9fd3ff12479b7a
SHA512c1b2247aeddfbddc5da4df145509a8801e00051328a9526d6fa2fb0a0598a3407359183db939c85a3ece8c3adb210e5b628ddda031d5d34d6c9dd9d47f092570
-
Filesize
48B
MD5c5dcdd951acc04fe426a82e965960dda
SHA11b17cf9868de2822bf7301233672917618d40bce
SHA2568bbc419c8181c116d356148de5403bea85971c5a0f9aa6a78552127d3bb61d28
SHA512edb757fb7b858082a953a57548e5f96d786735f28c72dd1d103e71ff4e4cbd0c1de974737d9c20c2ac744f3d6ca4d648a9dcb1d3b3d4ade30428969a6447db76
-
Filesize
48B
MD50d59b24aa20f45ec904baa2c50c0db7b
SHA1d3286a9182454ff6c9184d1957e7f016dd507025
SHA256a6e2fe46a70a8508d36ffce7a02c961f0ead8357a106038d58321be2207201ce
SHA5128cc10071627557d60bd37c14513feafe3c527045b08f513b0aa6e1ef86ec114382bc36678a49106350a84c12e354203849f64b8c2f0d67b72289cc226c1fea8a
-
Filesize
44B
MD5fda4f502731bda201b6788e8497f4c53
SHA1ad476d40ac9beb57281255bc38587504f597f539
SHA256c44bfc4cfe40f2547ff7beabf1ce602b0481f21d9764260bad52856e28fa6b04
SHA5129c5be9356982bc3e2082823edcb77d777507d8b0ceb8ffce58eb9f0ed9f1821704cdf5b634a1573e053b054dc60a8c99499560338c85b75260aed2d680666bbb
-
Filesize
45B
MD5c47a51255c2df4a88d95f0bb731b5d0d
SHA13795f37f74ba4209c123d03ba16f43da28823a1d
SHA256ecbc82cca02a3be42c33c979c6d767ddf4da10138d9b12d9196fb7cba84a98b5
SHA5122ea9326c5f965fb88a6dea9d38d2ce4baa2c39de12a87d2fe24d9d69fe48e79601134ced06481315e38dd64171e6cabc54cb1921959293937405ced5b03f5c2a
-
Filesize
48B
MD5cd0aab597e41fcb374029f1df65b7092
SHA15930309d2b6d88e9e62aac4ca0076260f77eaa31
SHA256f78f00e2e44c770730c33cfdd9aea49c13bd67d510fcbe8b9b9894168d39b957
SHA512ebfd3bd7d067754a95acfa73db8980d89334fdd8cb87dd8f6943c2222d39e719125911b2c41dfa3a6a5f13ead076f535408a046356e6de5fb623a6c5080d8266
-
Filesize
48B
MD59a1f190e77f9890ee1f6c1d2ae0dccca
SHA1a000d6d3122f8742352798de0f09305efc481364
SHA25605d4c50a1bdc0ac53b121ae14de84551a75416c2e2aabb377eb7abd700fddd42
SHA512797421923afe9a924e07ead4d06818f8cfff17c6d7ad5a8a98819db99a8b6b0a1d2b9551bc9bb195d12951eb4a3e10f8164e9ea7af6f7eda58007107c1b54335
-
Filesize
48B
MD58b09ebf49aa3a36bc1da0b239c6558b8
SHA1fcc63e84d593a16670a4a44c62f60fd40ceb5d5d
SHA2563f154869608ac18a62c7910d426133b4a43feee9e158b65ee16977d280371462
SHA512bea989f0bc86359579df596e16036bc326d017d42b896fc6849e6c006ff8d9d86865143b2d1a0c76f2767fa885ab59ea7b1506ae38fff3d8c31c9b0219254eee
-
Filesize
46B
MD5135ac7bc37eb453e3832dc4f855ad4f3
SHA1d2a32700ef1ae8e116bdec90cfb7041594d1b307
SHA2562c2671e970f826a075e17e316f6cf7321a365190c1930687134a08c3a79297a9
SHA512650d6ffe2343400f93c44f2379f680c4582df18c581a4d9ecd1e47a591a7ad098fda68979d24912455984223e0018098a5a4792f5c04ed32a588c1c1e1b3f0a1
-
Filesize
46B
MD545e25a10530441eca16e2b927d8a1f26
SHA163b4729e705ccce1adb72f51cc8e60acb6575e90
SHA256e8d521206c7c7f2ca8a336b519f94e23f705eea3eff6d9793b167786cf35eec6
SHA51293450dc53335b01e645fc25d80b0b56342c87c7bf4e6ae778c7b05a7136fa9e780eef23dcd5c7f94af2f9e04c590ab7574d61434dcf0a2299a39e40eb58a9916
-
Filesize
48B
MD5a67c4f59dad32b4a05e162dfcdb95970
SHA1d73b1bcc2381e4f3b8ec83a25d3839f6e65236fc
SHA25684f6a51f6814de849fa083f6250eef43d6c44d10ce4f5319a4a999bea64530cb
SHA5122432a578c0f77b6e30431d224750c48b2f95a6c62448377bbf0a7645d0fae040d4baa67d080f867467348f262a6df9cf222b064fb9268da08a0c3bfc387a426b
-
Filesize
48B
MD5eda1a1c1b267107a1a07a64ee58b2e1b
SHA16bc4cb3faac2759278b43df8dffc3a0134b3addd
SHA256261f5176179b15dcb678372346f07eb8ab7b9d1ead0e8b03619242692f3b94a8
SHA5121e1189de24b4dfc01df164f75e5c891e6cbfa069d5a0ad2d392fe0496c29035703099f0870cbf02ee3bd06f48aa7fa0d96f7252bc12955e6900e695e9a1789a4
-
Filesize
47B
MD5a53fc8e71eda60f1bc0565db9af95546
SHA1bd862b7ec3e26ae667b4bba98cf42d1ba71c5b09
SHA256087e833a9582574c71016fb1dc1887e4d86304b7d0528ad913537bd8495b3914
SHA51251ccb99753a5eb0bbadfbe90ff119535c520b4ce6d7990cddc7ce18acd4e2e77c4becce020612f42ae20c4f7eedb783d38ef1981b1c98a61e778622d2eaf618f
-
Filesize
45B
MD5b541fce0f8255a19da78278e8938d535
SHA137e751748a6b3112e944c17b0e763a591c350ca0
SHA25629e57547d9a1461be0152e5270479884bc1078ff87293b47b8e0058b78a55395
SHA512096c0791bf625e725665b0a2bf761244aa255eb70a1fa4c21585252f81c325b275427cd35704318496bfaa20e6d4a3515388d1a17b1eb5a7b33e5fa5b06b4109
-
Filesize
44B
MD5d7638ba80489ed66ab4a298a4d1e098e
SHA111a2fac05485915a5e12539bbc56cbd5c771206a
SHA256aee452d38c0ccfb183d50be420d03b5ae56b216a5eb42242f012ba6879a5877e
SHA5125f746f888e1634a3fe097e1ad54594dc39d974eb204e5880f0df8d2d283339b0082be0ed9ea35b603d877148ece80cf4a831d606469f3a50010d93c058202737
-
Filesize
45B
MD5536f9de9cb62b5fe04601c00c6621595
SHA11e612fa28ce3c672eb44e3bda9f057c2de8e4a84
SHA25666cac746e3879b021194f6742e38ba31f9f16b32f204a1e4dc26981ac305c44a
SHA51284d5567a15db23a2d063950121d4bd88f440408a38d4c5d5e1e3c9be25e5599773d46c60dd1e0c4de59295477c23745bf20063b8acda0f9b4e60cada61208413
-
Filesize
48B
MD5ca9da789285d8480041f990a5826b434
SHA1b984cd9b3480ade14641d8fca1dd43061fc97c7a
SHA256a6aa6760eb41684f489497aff3c34e48b7446f6fcf35ea687b0d05c24aeeb2d6
SHA51213fc1b80b9bd6293970ab624b8479f9c13b7e42eb846ee0f0b4b9947e84235c70184a0f886b70f68265575e2a278548b3536577c439f09b279ce171403ac46e6
-
Filesize
40KB
MD551de8a63b5a590ce6504d2fa14a23659
SHA172994aaf41378cc91e197ffa26f78b2226623751
SHA25693a337038058b54f864906972ef34926be8316a49d5b72190c0134f54ed8ce21
SHA51278fa2853da3220f62acf5990a1d7d9165eeee1b1256e7c9ff7887332377072d2389c99d19779fe1a0182094217e5e17a7bc7da8f568b54ca69a68f62584fda9b
-
Filesize
40KB
MD53bf734e7d743f6ce0ffc0f02e3b5508a
SHA1a097fdc50a9e24823175441a524fa02d2bfd50db
SHA256ea9c24735adcc2933b0e073282cab0960e5a7fb5f3427c8d6520cf401845e083
SHA5129dddde42a426bf63f41c6d20f35f1d139e68fc82a5144a6f99a7f3e1b96d2821f63e929ce098ef59f96fc5b1d9f9545c0c587c94b18557c399620648a1f00a1a
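The dropped-file list above is what a responder would sweep a host against, and the "Modifies system executable filetype association" behaviour is the persistence check to pair it with. The script below is an added example, not the sandbox's code: it parses the list in the extracted form shown on this page (the label fused to the digest, "MD526abb..."), hashes file contents for comparison, and classifies the default value of HKCR\exefile\shell\open\command. The two IOC entries embedded in it are copied from the list; the clean association value "%1" %* is the Windows default. The svchost.com form of that value is taken from public reporting on Neshta, not from this page, and is an assumption here; the function names are the example's own.

```python
"""Host triage helpers built around this report: parse its dropped-file hash list,
compare file digests against it, and classify the exefile shell association.
Added example, not the sandbox's code."""
import hashlib
import re
import sys

# Constructed sample: the first two entries of the report's dropped-file list, in the
# extracted form where the label is fused to the hex digest.
IOC_TEXT = """
-
Filesize
9KB
MD526abb9e459e5976f658ce80d6433f1b1
SHA13c8f02c1cf7b8ae82be3deea4b360497f6fee1c3
SHA25660cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12
SHA512c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8
-
Filesize
124KB
MD535136787fd7256e6fa7fae3516a0c830
SHA1699618516ba4a5efd13d41a997cf8700341eb93a
SHA2569e1aab3558a45978e0cf2abcad3a883638b02fbf3a77ef4baeec62edd3eaea70
SHA512f344b27562c8a4a393c41ac793463d4a4f9aa612a71e2f79ab8e95c39a9c76b6ef16a525805b06965924b5d71e4becd849ae8e0caf77e638f9f537395b45af39
"""

# Expected hex length per algorithm; a digest of the wrong length is an extraction error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longer labels first so "SHA256..." is not consumed as "SHA1" + garbage.
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")

# Windows default for HKCR\exefile\shell\open\command.
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def parse_ioc_list(text):
    """Split the '-'-separated blocks into dicts: size, md5, sha1, sha256, sha512."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "-":
            current = {}
            entries.append(current)
        elif current is None:
            continue
        elif line == "Filesize":
            current["_expect_size"] = True
        elif current.pop("_expect_size", False):
            current["size"] = line
        else:
            m = HASH_RE.match(line)
            if m and len(m.group(2)) == DIGEST_LEN[m.group(1)]:
                current[m.group(1).lower()] = m.group(2).lower()
    return [e for e in entries if e]


def hash_bytes(data):
    """All four digests of a byte string, keyed like the IOC entries."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def match_ioc(digests, entries):
    """Return the first IOC entry sharing a digest with `digests`, strongest hash first."""
    for entry in entries:
        for algo in ("sha512", "sha256", "sha1", "md5"):
            if algo in entry and entry[algo] == digests.get(algo):
                return entry
    return None


def exefile_association_status(value):
    """Classify the (Default) value of exefile\\shell\\open\\command.
    Assumption (public reporting, not this page): Neshta rewrites it to
    <windir>\\svchost.com "%1" %* so every .exe launch passes through its host."""
    v = value.strip().lower()
    if v == CLEAN_EXEFILE_COMMAND.lower():
        return "clean"
    if "svchost.com" in v:
        return "neshta-hijack"
    return "modified"


def read_exefile_association():
    """Read the live value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]


if __name__ == "__main__":
    iocs = parse_ioc_list(IOC_TEXT)
    print(f"{len(iocs)} IOC entries parsed")
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hit = match_ioc(hash_bytes(fh.read()), iocs)
        print(f"{path}: {'MATCH ' + hit['sha256'] if hit else 'no match'}")
    live = read_exefile_association()
    if live is not None:
        print(f"exefile association: {live!r} -> {exefile_association_status(live)}")
```

Run it with file paths as arguments to sweep them against the embedded entries; extend IOC_TEXT with the rest of the list above to cover all 50 dropped files. Because the file infector rewrites host executables, a clean copy of a program that was present on the machine will not match any of these digests, so treat the association check and the presence of C:\Windows\svchost.com as the primary infection indicators and the hash list as confirmation for dropped payloads.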