Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 12:27

General

  • Target

    2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe

  • Size

    4.5MB

  • MD5

    b3ba7afb650fbc73d5d7ba46d5e9f091

  • SHA1

    4f8f13afcd80d83cbe952774fee437ce32e87730

  • SHA256

    f6f84b418926af4185426db6f6ad92aff970457e1ea707413fd95137a32a908d

  • SHA512

    f86ec814fa90698baebba871a48fbbdb10b543c6cb839eba4288c2aa4865db357f371bd5dfaa95423a4f5e8c04c3a6809ad13579d88fecf69e672515d7db41ba

  • SSDEEP

    49152:8AR/SCICrtvMLtAvVfJVgbhWss4lTDRLOyR0MKGKPhGi:NdAc6yVfJVg0ss4lZiGti

Malware Config

Signatures

  • Detect Neshta payload 43 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • Neshta

    Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.

  • Neshta family
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • ModiLoader First Stage 1 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 63 IoCs
  • Loads dropped DLL 16 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 59 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1508
    • C:\Users\Admin\AppData\Local\Temp\MousePad.exe
      "C:\Users\Admin\AppData\Local\Temp\MousePad.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2964
    • C:\Users\Admin\AppData\Local\Temp\headache.exe
      "C:\Users\Admin\AppData\Local\Temp\headache.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:432
    • C:\Users\Admin\AppData\Local\Temp\screenscrew.exe
      "C:\Users\Admin\AppData\Local\Temp\screenscrew.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2692
    • C:\Users\Admin\AppData\Local\Temp\20min.exe
      "C:\Users\Admin\AppData\Local\Temp\20min.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe
          C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4108
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
        C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1596
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Blank.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Users\Admin\AppData\Local\Temp\Blank.exe
        C:\Users\Admin\AppData\Local\Temp\Blank.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4964
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Bubbler.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
        C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:780
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
        C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4236
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
        C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4852
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flip.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Users\Admin\AppData\Local\Temp\Flip.exe
        C:\Users\Admin\AppData\Local\Temp\Flip.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1440
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\halyava.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:64
      • C:\Users\Admin\AppData\Local\Temp\halyava.exe
        C:\Users\Admin\AppData\Local\Temp\halyava.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2936
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Hello.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:5048
      • C:\Users\Admin\AppData\Local\Temp\Hello.exe
        C:\Users\Admin\AppData\Local\Temp\Hello.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4060
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Invert.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4348
      • C:\Users\Admin\AppData\Local\Temp\Invert.exe
        C:\Users\Admin\AppData\Local\Temp\Invert.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1316
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\myWeb.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:5100
      • C:\Users\Admin\AppData\Local\Temp\myWeb.exe
        C:\Users\Admin\AppData\Local\Temp\myWeb.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1052
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Patterns.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2420
      • C:\Users\Admin\AppData\Local\Temp\Patterns.exe
        C:\Users\Admin\AppData\Local\Temp\Patterns.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4456
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
        C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1256
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:948
      • C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
        C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        PID:2408
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\430A~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4312
      • C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
        C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1472
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BURP.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1132
      • C:\Users\Admin\AppData\Local\Temp\BURP.EXE
        C:\Users\Admin\AppData\Local\Temp\BURP.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4424
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Viagra.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4524
      • C:\Users\Admin\AppData\Local\Temp\Viagra.exe
        C:\Users\Admin\AppData\Local\Temp\Viagra.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1996
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3304
      • C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
        C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2168
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Porno!.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2024
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\krutilka.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:5112
      • C:\Users\Admin\AppData\Local\Temp\krutilka.exe
        C:\Users\Admin\AppData\Local\Temp\krutilka.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2176
        • C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
          C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          PID:3392
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3400
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4432
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4432 CREDAT:17410 /prefetch:2
                7⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:1692
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Aforizm.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4656
      • C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
        C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3688
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\GECCO.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3212
      • C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
        C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3404
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flipped.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3228
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4712
      • C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
        C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5036
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4868
      • C:\Users\Admin\AppData\Local\Temp\Stub.exe
        C:\Users\Admin\AppData\Local\Temp\Stub.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4448
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "Stub.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4248
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
        C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4880
        • C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
          C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4168
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1324
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              PID:5072
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ERROR.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2388
      • C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
        C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3908
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MouseFX.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:5060
      • C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
        C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:464
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3736
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x500 0x504
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:396
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5000
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 157d0a1506588fea1d1bcff2598796aa QdQYG3tAo02nOkJC4Xmscg.0.1.0.0.0
    1⤵
      PID:2420

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1.exe

      Filesize

      9KB

    • C:\Users\Admin\AppData\Local\Temp\20min.exe

      Filesize

      124KB

    • C:\Users\Admin\AppData\Local\Temp\3582-490\20min.exe

      Filesize

      84KB

    • C:\Users\Admin\AppData\Local\Temp\3582-490\headache.exe

      Filesize

      172KB

    • C:\Users\Admin\AppData\Local\Temp\3582-490\screenscrew.exe

      Filesize

      111KB

    • C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE

      Filesize

      7KB

    • C:\Users\Admin\AppData\Local\Temp\Aforizm.exe

      Filesize

      359KB

    • C:\Users\Admin\AppData\Local\Temp\Black&White.exe

      Filesize

      14KB

    • C:\Users\Admin\AppData\Local\Temp\Blank.exe

      Filesize

      71KB

    • C:\Users\Admin\AppData\Local\Temp\Bubbler.exe

      Filesize

      67KB

    • C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe

      Filesize

      55KB

    • C:\Users\Admin\AppData\Local\Temp\DScroller.exe

      Filesize

      11KB

    • C:\Users\Admin\AppData\Local\Temp\DeskScroller.exe

      Filesize

      8KB

    • C:\Users\Admin\AppData\Local\Temp\Flip.exe

      Filesize

      10KB

    • C:\Users\Admin\AppData\Local\Temp\Flipped.exe

      Filesize

      4KB

    • C:\Users\Admin\AppData\Local\Temp\Hello.exe

      Filesize

      10KB

    • C:\Users\Admin\AppData\Local\Temp\Invert.exe

      Filesize

      13KB

    • C:\Users\Admin\AppData\Local\Temp\MouseFX.exe

      Filesize

      19KB

    • C:\Users\Admin\AppData\Local\Temp\MousePad.exe

      Filesize

      32KB

    • C:\Users\Admin\AppData\Local\Temp\Patterns.exe

      Filesize

      11KB

    • C:\Users\Admin\AppData\Local\Temp\Porno!.exe

      Filesize

      192KB

    • C:\Users\Admin\AppData\Local\Temp\Stub.exe

      Filesize

      32KB

    • C:\Users\Admin\AppData\Local\Temp\earthquake.exe

      Filesize

      5KB

    • C:\Users\Admin\AppData\Local\Temp\halyava.exe

      Filesize

      8KB

      MD5

      9f32f1fb5155d01ce47a6b0e679ff2fe

      SHA1

      ad131beb815ca355a09cb2e4572d2d85f1d1259c

      SHA256

      c9bcd8aa2ba6364e441f609494a57a729b53e0360b7a8317e2baed76770e6d3c

      SHA512

      34ac158c558a967b8bd2ac99d8c236174f2aabd62604c8890c6236ab89e7d9345753483ad91285a02a29d4a7e1c297e0bd20767605243ed1cc03a976a226ad83

    • C:\Users\Admin\AppData\Local\Temp\headache.exe

      Filesize

      212KB

      MD5

      76ce4661b60461154ffcfd8fb51b6c57

      SHA1

      b9e71d6126d7db063febd0f7306095a030ead84b

      SHA256

      6e363c4d8d13b353529b11881f5fdcc1138e93df104b24d31d3ce566ffabe8de

      SHA512

      42f970e5929039ca68649998bf727aaca3bad0a7f0563399c11904aaa5378b72b0fb2d6dcad724119cad10f9792c348aa444b94413e132fac35494d275dde3bd

    • C:\Users\Admin\AppData\Local\Temp\myWeb.exe

      Filesize

      15KB

      MD5

      68cabf111614c64cc454a6a5fe9ee4ff

      SHA1

      74a036f32c37025699280fb474b6f7815a9d118c

      SHA256

      81162716b98c2af6e76c0acc1188c03db1e8f9485ebdff38a6364bff4aa59406

      SHA512

      cc01c441172de1bc9a414b2660d8a5330adf12fcdf2721caebadf45937864577a48fba9dd202f154f91a7a028dd8679896ecc22b9bddea9839d7af918835dad7

    • C:\Users\Admin\AppData\Local\Temp\screenscrew.exe

      Filesize

      151KB

      MD5

      1c78e0c700a71e5894ed013058bdee7a

      SHA1

      62f01b0dae3f46fabd25ee38ab18581b6ab2a74d

      SHA256

      0be4b9f91a69ba196afa99e71925da5d72c9f94a2974ebcdc49d7dbb42374a93

      SHA512

      f28fb376e4bd700e62a25e760d1c8f195e0e7995f17b0fee65969241c085bc2349ff2cc2a4e3e479675c2ea445752824053730fdcc4dcf724376a0899b6c4c85

    • C:\Users\Admin\AppData\Local\Temp\stretcher.exe

      Filesize

      11KB

      MD5

      8362e99800b0893acde429974e3bec18

      SHA1

      171fcd759a711ccfae5c17bc28733d96b3c4c501

      SHA256

      0fa2eed94a65179a43b1435b0a9f450632b35f03eb46562edd95433bcf27afac

      SHA512

      cd4de6bfb80bf7c9666e2119a8ec9630b4f150f3a492be6c6d9ef37bc93e05deaf99733eeba7ea78024de905dfb9cc666752db1cfe3a8f0dafd26e7e92a4f9a9

    • C:\Users\Admin\AppData\Local\Temp\Ìîðãàíèå ýêðàíà.EXE

      Filesize

      32KB

      MD5

      0e89a28bcf39b8ffd68b55117aa2c8c0

      SHA1

      f66ccc5892a386208fb3c105ed4b34e7e817cc51

      SHA256

      5ed6b1884460c35b8d585fe11bcf8eb156180d7e30bc22182409b251dd02f1c3

      SHA512

      a249eca07cea3180b8d0928659f2178163f03ef3b839f7482b3a26cf746e847fb1ae9b12e3b67071ab8e87fa58401e3d4395bcb58a7ca467cfbe38afd96b4054

    • C:\Users\Admin\AppData\Local\Temp\îñòîâëÿåò êðóãè êîãäà êëàöàåøü.exe

      Filesize

      15KB

      MD5

      fd83b5d21ad029ef124a9a6d4ec606f2

      SHA1

      8080416ae73380b3f09a007330b7b10c487e10b9

      SHA256

      8d6d180ab517bb2fe1361f226e5a423560e101e1d5a93b9767946c3c43673c67

      SHA512

      eea37d9f46fcd049bee25464d0226eb4ab37cdc598185dfcbf1691a8494fc7b2f9ac93a3fc53bd9090e483e91c373000b222b25ac9ad375caf894b6f7bdd1fae

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      c174d288b05a38ee8221fbcc5bd7e6d5

      SHA1

      231fc93e554939469b6182d4d3aa70bc8cda5f9a

      SHA256

      12b8369b496c50eeb7d0677ebd95b770f339e22e797ab688358eea6511314696

      SHA512

      440537220d1802a66435eac61085efeba97063643d9c2b5a1940a40e0d31158ba31d06d5d29964afffcc06725f35980ac413f05db16957074ae85b415c9f8846

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      6902cea03d381c9b70ea1fe2cf78faf8

      SHA1

      0fe22766d0186bdd41ee852e1ff80ae716e6bd6f

      SHA256

      a91ae4594faa308a01995d139fcb094856f08a5e99c0392abb9fd3ff12479b7a

      SHA512

      c1b2247aeddfbddc5da4df145509a8801e00051328a9526d6fa2fb0a0598a3407359183db939c85a3ece8c3adb210e5b628ddda031d5d34d6c9dd9d47f092570

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      c5dcdd951acc04fe426a82e965960dda

      SHA1

      1b17cf9868de2822bf7301233672917618d40bce

      SHA256

      8bbc419c8181c116d356148de5403bea85971c5a0f9aa6a78552127d3bb61d28

      SHA512

      edb757fb7b858082a953a57548e5f96d786735f28c72dd1d103e71ff4e4cbd0c1de974737d9c20c2ac744f3d6ca4d648a9dcb1d3b3d4ade30428969a6447db76

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      0d59b24aa20f45ec904baa2c50c0db7b

      SHA1

      d3286a9182454ff6c9184d1957e7f016dd507025

      SHA256

      a6e2fe46a70a8508d36ffce7a02c961f0ead8357a106038d58321be2207201ce

      SHA512

      8cc10071627557d60bd37c14513feafe3c527045b08f513b0aa6e1ef86ec114382bc36678a49106350a84c12e354203849f64b8c2f0d67b72289cc226c1fea8a

    • C:\Windows\directx.sys

      Filesize

      44B

      MD5

      fda4f502731bda201b6788e8497f4c53

      SHA1

      ad476d40ac9beb57281255bc38587504f597f539

      SHA256

      c44bfc4cfe40f2547ff7beabf1ce602b0481f21d9764260bad52856e28fa6b04

      SHA512

      9c5be9356982bc3e2082823edcb77d777507d8b0ceb8ffce58eb9f0ed9f1821704cdf5b634a1573e053b054dc60a8c99499560338c85b75260aed2d680666bbb

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      c47a51255c2df4a88d95f0bb731b5d0d

      SHA1

      3795f37f74ba4209c123d03ba16f43da28823a1d

      SHA256

      ecbc82cca02a3be42c33c979c6d767ddf4da10138d9b12d9196fb7cba84a98b5

      SHA512

      2ea9326c5f965fb88a6dea9d38d2ce4baa2c39de12a87d2fe24d9d69fe48e79601134ced06481315e38dd64171e6cabc54cb1921959293937405ced5b03f5c2a

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      cd0aab597e41fcb374029f1df65b7092

      SHA1

      5930309d2b6d88e9e62aac4ca0076260f77eaa31

      SHA256

      f78f00e2e44c770730c33cfdd9aea49c13bd67d510fcbe8b9b9894168d39b957

      SHA512

      ebfd3bd7d067754a95acfa73db8980d89334fdd8cb87dd8f6943c2222d39e719125911b2c41dfa3a6a5f13ead076f535408a046356e6de5fb623a6c5080d8266

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      9a1f190e77f9890ee1f6c1d2ae0dccca

      SHA1

      a000d6d3122f8742352798de0f09305efc481364

      SHA256

      05d4c50a1bdc0ac53b121ae14de84551a75416c2e2aabb377eb7abd700fddd42

      SHA512

      797421923afe9a924e07ead4d06818f8cfff17c6d7ad5a8a98819db99a8b6b0a1d2b9551bc9bb195d12951eb4a3e10f8164e9ea7af6f7eda58007107c1b54335

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      8b09ebf49aa3a36bc1da0b239c6558b8

      SHA1

      fcc63e84d593a16670a4a44c62f60fd40ceb5d5d

      SHA256

      3f154869608ac18a62c7910d426133b4a43feee9e158b65ee16977d280371462

      SHA512

      bea989f0bc86359579df596e16036bc326d017d42b896fc6849e6c006ff8d9d86865143b2d1a0c76f2767fa885ab59ea7b1506ae38fff3d8c31c9b0219254eee

    • C:\Windows\directx.sys

      Filesize

      46B

      MD5

      135ac7bc37eb453e3832dc4f855ad4f3

      SHA1

      d2a32700ef1ae8e116bdec90cfb7041594d1b307

      SHA256

      2c2671e970f826a075e17e316f6cf7321a365190c1930687134a08c3a79297a9

      SHA512

      650d6ffe2343400f93c44f2379f680c4582df18c581a4d9ecd1e47a591a7ad098fda68979d24912455984223e0018098a5a4792f5c04ed32a588c1c1e1b3f0a1

    • C:\Windows\directx.sys

      Filesize

      46B

      MD5

      45e25a10530441eca16e2b927d8a1f26

      SHA1

      63b4729e705ccce1adb72f51cc8e60acb6575e90

      SHA256

      e8d521206c7c7f2ca8a336b519f94e23f705eea3eff6d9793b167786cf35eec6

      SHA512

      93450dc53335b01e645fc25d80b0b56342c87c7bf4e6ae778c7b05a7136fa9e780eef23dcd5c7f94af2f9e04c590ab7574d61434dcf0a2299a39e40eb58a9916

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      a67c4f59dad32b4a05e162dfcdb95970

      SHA1

      d73b1bcc2381e4f3b8ec83a25d3839f6e65236fc

      SHA256

      84f6a51f6814de849fa083f6250eef43d6c44d10ce4f5319a4a999bea64530cb

      SHA512

      2432a578c0f77b6e30431d224750c48b2f95a6c62448377bbf0a7645d0fae040d4baa67d080f867467348f262a6df9cf222b064fb9268da08a0c3bfc387a426b

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      eda1a1c1b267107a1a07a64ee58b2e1b

      SHA1

      6bc4cb3faac2759278b43df8dffc3a0134b3addd

      SHA256

      261f5176179b15dcb678372346f07eb8ab7b9d1ead0e8b03619242692f3b94a8

      SHA512

      1e1189de24b4dfc01df164f75e5c891e6cbfa069d5a0ad2d392fe0496c29035703099f0870cbf02ee3bd06f48aa7fa0d96f7252bc12955e6900e695e9a1789a4

    • C:\Windows\directx.sys

      Filesize

      47B

      MD5

      a53fc8e71eda60f1bc0565db9af95546

      SHA1

      bd862b7ec3e26ae667b4bba98cf42d1ba71c5b09

      SHA256

      087e833a9582574c71016fb1dc1887e4d86304b7d0528ad913537bd8495b3914

      SHA512

      51ccb99753a5eb0bbadfbe90ff119535c520b4ce6d7990cddc7ce18acd4e2e77c4becce020612f42ae20c4f7eedb783d38ef1981b1c98a61e778622d2eaf618f

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      b541fce0f8255a19da78278e8938d535

      SHA1

      37e751748a6b3112e944c17b0e763a591c350ca0

      SHA256

      29e57547d9a1461be0152e5270479884bc1078ff87293b47b8e0058b78a55395

      SHA512

      096c0791bf625e725665b0a2bf761244aa255eb70a1fa4c21585252f81c325b275427cd35704318496bfaa20e6d4a3515388d1a17b1eb5a7b33e5fa5b06b4109

    • C:\Windows\directx.sys

      Filesize

      44B

      MD5

      d7638ba80489ed66ab4a298a4d1e098e

      SHA1

      11a2fac05485915a5e12539bbc56cbd5c771206a

      SHA256

      aee452d38c0ccfb183d50be420d03b5ae56b216a5eb42242f012ba6879a5877e

      SHA512

      5f746f888e1634a3fe097e1ad54594dc39d974eb204e5880f0df8d2d283339b0082be0ed9ea35b603d877148ece80cf4a831d606469f3a50010d93c058202737

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      536f9de9cb62b5fe04601c00c6621595

      SHA1

      1e612fa28ce3c672eb44e3bda9f057c2de8e4a84

      SHA256

      66cac746e3879b021194f6742e38ba31f9f16b32f204a1e4dc26981ac305c44a

      SHA512

      84d5567a15db23a2d063950121d4bd88f440408a38d4c5d5e1e3c9be25e5599773d46c60dd1e0c4de59295477c23745bf20063b8acda0f9b4e60cada61208413

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      ca9da789285d8480041f990a5826b434

      SHA1

      b984cd9b3480ade14641d8fca1dd43061fc97c7a

      SHA256

      a6aa6760eb41684f489497aff3c34e48b7446f6fcf35ea687b0d05c24aeeb2d6

      SHA512

      13fc1b80b9bd6293970ab624b8479f9c13b7e42eb846ee0f0b4b9947e84235c70184a0f886b70f68265575e2a278548b3536577c439f09b279ce171403ac46e6

    • C:\Windows\svchost.com

      Filesize

      40KB

      MD5

      51de8a63b5a590ce6504d2fa14a23659

      SHA1

      72994aaf41378cc91e197ffa26f78b2226623751

      SHA256

      93a337038058b54f864906972ef34926be8316a49d5b72190c0134f54ed8ce21

      SHA512

      78fa2853da3220f62acf5990a1d7d9165eeee1b1256e7c9ff7887332377072d2389c99d19779fe1a0182094217e5e17a7bc7da8f568b54ca69a68f62584fda9b

    • C:\Windows\svchost.com

      Filesize

      40KB

      MD5

      3bf734e7d743f6ce0ffc0f02e3b5508a

      SHA1

      a097fdc50a9e24823175441a524fa02d2bfd50db

      SHA256

      ea9c24735adcc2933b0e073282cab0960e5a7fb5f3427c8d6520cf401845e083

      SHA512

      9dddde42a426bf63f41c6d20f35f1d139e68fc82a5144a6f99a7f3e1b96d2821f63e929ce098ef59f96fc5b1d9f9545c0c587c94b18557c399620648a1f00a1a
