dharma | 478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631

Analysis

max time kernel
150s
max time network
73s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
Size

173KB
MD5

0e3628ff2cfc0b5b457e14acc55e7fa6
SHA1

324e18c7c8776c1c9d8ec054182d98b8c8c0021e
SHA256

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631
SHA512

7959504f076ce488559f0af15b7f4514ac25e8fcdee428870c8fbb7e3fb2ceebc042ae3668adbd14fd3204e65c61cb2298056cd43a59a8b4ac6a01070c920136

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exesvchost.comsvchost.com

pid process

1948 478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1600 svchost.com
948 svchost.com

Drops startup file 5 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Loads dropped DLL 10 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exesvchost.com

pid	process
1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
948	svchost.com
948	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe = "C:\\Windows\\System32\\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe"	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Drops file in System32 directory 2 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
File created	C:\Windows\System32\Info.hta	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Windows\System32\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Drops file in Program Files directory 64 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18205_.WMF	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28B.GIF	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Complete.xsn.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libmarq_plugin.dll.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01172_.WMF.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WCOMP98.POC.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.DPV.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.ELM.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_ur.dll	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\PREVIEW.GIF.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281630.WMF.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_QuickLaunch.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL108.XML	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.INF.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294991.WMF.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.GIF.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239057.WMF.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.BR.XML.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00200_.WMF	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152704.WMF.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielLetter.Dotx.id-3C27350C.[cryptohelp24@cock.li].harma	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB11.BDR	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01474_.WMF	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Drops file in Windows directory 5 IoCs

Processes:

svchost.com478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2036 vssadmin.exe
2024 vssadmin.exe

pid	process
2036	vssadmin.exe
2024	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

pid	process
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 524 vssvc.exe
Token: SeRestorePrivilege 524 vssvc.exe
Token: SeAuditPrivilege 524 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	524	vssvc.exe
Token: SeRestorePrivilege	524	vssvc.exe
Token: SeAuditPrivilege	524	vssvc.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.execmd.execmd.exesvchost.comsvchost.com

description	pid	process	target process
PID 1220 wrote to memory of 1948	1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
PID 1220 wrote to memory of 1948	1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
PID 1220 wrote to memory of 1948	1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
PID 1220 wrote to memory of 1948	1220	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
PID 1948 wrote to memory of 1892	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1948 wrote to memory of 1892	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1948 wrote to memory of 1892	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1948 wrote to memory of 1892	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1892 wrote to memory of 1620	1892	cmd.exe	mode.com
PID 1892 wrote to memory of 1620	1892	cmd.exe	mode.com
PID 1892 wrote to memory of 1620	1892	cmd.exe	mode.com
PID 1892 wrote to memory of 2036	1892	cmd.exe	vssadmin.exe
PID 1892 wrote to memory of 2036	1892	cmd.exe	vssadmin.exe
PID 1892 wrote to memory of 2036	1892	cmd.exe	vssadmin.exe
PID 1948 wrote to memory of 1812	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1948 wrote to memory of 1812	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1948 wrote to memory of 1812	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1948 wrote to memory of 1812	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	cmd.exe
PID 1812 wrote to memory of 1236	1812	cmd.exe	mode.com
PID 1812 wrote to memory of 1236	1812	cmd.exe	mode.com
PID 1812 wrote to memory of 1236	1812	cmd.exe	mode.com
PID 1812 wrote to memory of 2024	1812	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 2024	1812	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 2024	1812	cmd.exe	vssadmin.exe
PID 1948 wrote to memory of 1600	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1948 wrote to memory of 1600	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1948 wrote to memory of 1600	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1948 wrote to memory of 1600	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1948 wrote to memory of 948	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1948 wrote to memory of 948	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1948 wrote to memory of 948	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 1948 wrote to memory of 948	1948	478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe	svchost.com
PID 948 wrote to memory of 952	948	svchost.com	mshta.exe
PID 948 wrote to memory of 952	948	svchost.com	mshta.exe
PID 948 wrote to memory of 952	948	svchost.com	mshta.exe
PID 948 wrote to memory of 952	948	svchost.com	mshta.exe
PID 1600 wrote to memory of 1932	1600	svchost.com	mshta.exe
PID 1600 wrote to memory of 1932	1600	svchost.com	mshta.exe
PID 1600 wrote to memory of 1932	1600	svchost.com	mshta.exe
PID 1600 wrote to memory of 1932	1600	svchost.com	mshta.exe

C:\Users\Admin\AppData\Local\Temp\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
"C:\Users\Admin\AppData\Local\Temp\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:1620

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2036

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:1236

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
4⤵
- Modifies Internet Explorer settings
PID:1932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
4⤵
- Modifies Internet Explorer settings
PID:952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
871dd0cd79086279edb42f35e90d35ae

SHA1
5190ac2c835c5c1a8d14e22c1472d1bb37d4461e

SHA256
138241ace090552a2bab710821d4a3ff6b8b5f9627398e96b248551d186380d2

SHA512
6684439f2e6ffb14790a57ca40b11a10c462d4ac76b098b99e7e09a03514662a178ff8e4a037351c12472ece343a29c3f1fadee4f5203ecfd3003b3214548f74

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
b6638c2cb70b489ca07aa52dab502b4a

SHA1
49135b0e1602e99e6d8913696a82a14932f19718

SHA256
2bb1c2b0f2ea3c00e37bbc718ade7e7a4b3581fcf4fb0ce03d3164f55d0f4aa4

SHA512
c50479a04ead1e390bdb9c0bb6e90f9d486bb9fcd17d07e919799b1187f2508ef29dc7bf97d7c01a471490e0274a0329b1896ebeaa60a6c061f9a2ddb337c926

Download Submit
C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
MD5
463ace8db3626ec436a2344064dd4001

SHA1
59328ab9636243fde2ddbe14a99a09dc88948ddd

SHA256
8620d9b5e23b72f02eaaa3ff403ac1ed7c04939b0c2d2b934b2e02d6a6685128

SHA512
423445862ab284b999a50c265c9921f0b181b288f177dc1baa3952bf263e809b502385e8c636c5e0914c11adbc99b924e786600bd7d75b553283dc0c9bfda5aa

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
MD5
ee90abee2cb671387c06609ef1c2334d

SHA1
349bafc05ae6a45a997cf7ec48da5de53ed49fb8

SHA256
f87b22c00c3b1874c03e8619bfb8103b9bf7bfc4f4a7c8a6160a3443ceec173f

SHA512
abe15c93d64fc4d40a6804d721398a9e514391c712383033cd03c5fea04ebc3f16e11aeb0e53818038f96e1a0455c76357c1f86f85349d71cf2a756f66fb032f

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
MD5
508ade7c6b2c6cc051a382e5b5aa9449

SHA1
55eaecb22713eed52cbc610202d9518c9e1b9d4e

SHA256
d7f97d73201c8c9747a4eba8cdc65f94b4467d8035b48b7494e64386f5a00f48

SHA512
b0a8e9b61e5b0eb22657b726a099229fca83f48bf4e420bb97a8181b916a9dff2d3bec8a27f973606a57169b147e06be0af228656a23f7b2568b6b252ac049a6

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
MD5
036590029cd3e9d46b10f920b84ccfdc

SHA1
c17ac93cce4a02fc27c4a78ccd17e9156aef5bcd

SHA256
28c709cc63b3e68ad0c8eba1c75cc1f88f7b0cb97a1992028b904dab4c952ac8

SHA512
4032c7e798f056697f124f5b5ef90965171a0ef6de95bc73dec45b173d11e6840116a6eff7cece84491291f922daa61b2cd06c4ac37a6785b04622d14de4521e

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
MD5
291603c34cb7bde81aed2384a3486212

SHA1
4bd867c98e2bc48e845d7450cf9ee83da171c1fb

SHA256
11bc4eda38c242ad3a2e789a58d247621d7ff05d04e2d27f42eeee3eb9525fab

SHA512
0918f4ce1b851d4969dd5eda20ec0ae359d408ebb34ca31b6844496f2eecfb8fc9f1335f6f371566d50040e187c378b5fd1ce8f196aa94a7e9f1cc74c9731bf4

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
MD5
a4f4617fd4033940199ade7c16738321

SHA1
7cb5e38e4324377d3fabe38dfa0ccc9db36be485

SHA256
a201d2bd40a726c860a762d6a4de19cfd79ffea88e4ea1939a18d5b2b648da14

SHA512
24d537bacaf447491c4265814c8ee510777ac722d15e118cd6be2ef4f1f09a9b260f0d481b5051540950fb5c6685447a0d1877c088407fc73812222858817615

Download Submit
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
MD5
92fd632b7ed4540e2c327ce3331cb4ad

SHA1
fc1e2ac4e225caaf9de22496dbb86aa363fa9f8f

SHA256
8fbdd107ef1b59fa974bce9670dc9421b937189bf9764e1e0dd4f42898cbb103

SHA512
80a747fc1c666b07e50689bd9e1b451765061e8993b8e9029f83d628e4c0188f0f159664ddc1512f5fd088f78a532153438d6721aa2786c1656c2d21a5abe08b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
MD5
07fab2af8ec2d2e83e67220cf1822526

SHA1
8444d09681ee2eb541150473fb432bfe4dc480ac

SHA256
9d69ad0e58fa9504955757fb16368a7c6a9de6b330f7a4fa98ec655605d324eb

SHA512
e67f12637c65b01d07b0798d7c15678826b61373754857758cc8e7402876beeb6558b0ccb626f017d7508e0bca8694cd944f0befbaf7cb0d48bb6b0b8f799f75

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
MD5
800ed82d4fc651e2fcf56d295f906bd5

SHA1
bd64de4662ddc89e7ae61dbac10c3f1dd8e3a0cb

SHA256
a7c90f33909c31f47aea7dfd7b8e256fff06095a800c4188a571e571827aafed

SHA512
6860761b18cdfdc682f215c48c878b418ac30296d28ad11fc8f99c7c5fd53e2a43810dd056fb9279a132013b796255fc73615c59c1d99b2ae4c8fb591d872b0a

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
MD5
87f905e4c284d6e4b6362a7d68aa263e

SHA1
1d794fed2977f0541147690b717ddb3cdffd1209

SHA256
0fbff8989d7e0ab013723b5789322e0167f3424bcb15f2f98d383fc63ce0a9b6

SHA512
6ea0b178c8a5b4a7d237367c86abcabacebd892576ccbeeae43bab3c254b5226efdc1876fa17de6074be22268467c31a2f7bb4e15df390c1b87d3a54e2f78f9c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
MD5
ef01aba756c2cadda48d3da8e932d18f

SHA1
8dde679b3faf0cd74340dbcbeb66dffdc854bfca

SHA256
04c13bd2710afdfde3e8b99768541831f6cd9e21afd1030a653798515a0ad5f9

SHA512
eb051d94cfe115e6aacfda96c2d358e933bf9c90befddd5094b97af33e7c62bc68937b46263b53bbb1127516b9263397cb12589ab6c336f2437f288405487f94

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
MD5
291603c34cb7bde81aed2384a3486212

SHA1
4bd867c98e2bc48e845d7450cf9ee83da171c1fb

SHA256
11bc4eda38c242ad3a2e789a58d247621d7ff05d04e2d27f42eeee3eb9525fab

SHA512
0918f4ce1b851d4969dd5eda20ec0ae359d408ebb34ca31b6844496f2eecfb8fc9f1335f6f371566d50040e187c378b5fd1ce8f196aa94a7e9f1cc74c9731bf4

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
MD5
85cceca50cd11bf0418b4209801c7082

SHA1
512d8db3928b97020b5513a5ea47055a0084f44b

SHA256
e870511bc55c1c9cdadf569ed51f0771cbf6d03c1627694afb402d44102ea4b4

SHA512
c8f5ee433e9ad9ebb87d0f9f844f0010361e88a7f4a156130fdb0fcd32ab31362d08d4343518a71d4a09cb05498a077386f1dad1137e6190e701a84b90e21c2a

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
MD5
44dd2c981f70974a286465c41b23b94e

SHA1
cdc3d4d11c78f50061e6da69e2f94977fbd1be87

SHA256
8cf06aa3056d5c2d5e47cbce34f004de17ec05b1cb72778c710dc9adef5a8f4f

SHA512
51fa6352266ceca24e8e1d7102c5666acd6ed1ec463ac382adf11ff18e8d9d6231afb7721acdd12631bc2757af187a6ed094498a72a0347ea033971bafddbc37

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe
MD5
6ca106a02d525c8da0592506615b13d3

SHA1
51c20d47fd01bd42f169128e34b06eb98f08eff0

SHA256
f2d8ef16ed5113ca10a3cc2b79b872de8572ce11aa69683ef433439cfe79548e

SHA512
21200f0753343028015fd9f4db39aa68c3108b5b7b7ba8307fb82e59172b9945b509d525b5ad2774fcdfb2ec7e4b27c0d217c7cad590861414893fc1c5d516ec

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
MD5
bca12f4036e2afbecf16e49893cfb025

SHA1
d5035d0978db75d6d155e340c36269a9eb4cb48a

SHA256
45fa83e76274fcbbe241be2bed458707253806684fc24f5163db01a5b985e80c

SHA512
ff186b4eaceecee6db341fbcd22f20770a0d5182ec02df3afbeba56bb586e4f0ba12dc1114628e6359f23a9387570cf789fbee69a05bc17d5d5b934b67bdeb7f

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
MD5
ef01aba756c2cadda48d3da8e932d18f

SHA1
8dde679b3faf0cd74340dbcbeb66dffdc854bfca

SHA256
04c13bd2710afdfde3e8b99768541831f6cd9e21afd1030a653798515a0ad5f9

SHA512
eb051d94cfe115e6aacfda96c2d358e933bf9c90befddd5094b97af33e7c62bc68937b46263b53bbb1127516b9263397cb12589ab6c336f2437f288405487f94

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
MD5
ac7bbcf7d4c7734c5c29ed6c03976335

SHA1
ceedb2993efa7803f3989b7a70ba47b21e304702

SHA256
a010e576dd1cd56bb0e9d9dcf0ce446f9d9ba8ff37abee6781a32a0773536389

SHA512
c4dd157385c33997db748c65828b2a3970aaf71157589291c81c4c72e5f9fe43fba3c9dc22d52f01fc858b4470e649cc34e141a0d1afcb12af5580fdf8853912

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
MD5
11f52e8a9d0de809b304ed52685506c7

SHA1
fec14407ff5c8318ada9b224fcc2e61b50db8ad3

SHA256
73ba00a9f76a24875949c751d8168c2741513457309eb5384d88e15623980672

SHA512
ff4e0a7a4473db5c8af470f5e899a30716a2c07a5be13a7559a3c15ba95dd27a62dc9240c4d7b260be625fd85bda5b201f75955af2cb2259da141ab0cbdc7ea6

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
MD5
291603c34cb7bde81aed2384a3486212

SHA1
4bd867c98e2bc48e845d7450cf9ee83da171c1fb

SHA256
11bc4eda38c242ad3a2e789a58d247621d7ff05d04e2d27f42eeee3eb9525fab

SHA512
0918f4ce1b851d4969dd5eda20ec0ae359d408ebb34ca31b6844496f2eecfb8fc9f1335f6f371566d50040e187c378b5fd1ce8f196aa94a7e9f1cc74c9731bf4

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
MD5
800ed82d4fc651e2fcf56d295f906bd5

SHA1
bd64de4662ddc89e7ae61dbac10c3f1dd8e3a0cb

SHA256
a7c90f33909c31f47aea7dfd7b8e256fff06095a800c4188a571e571827aafed

SHA512
6860761b18cdfdc682f215c48c878b418ac30296d28ad11fc8f99c7c5fd53e2a43810dd056fb9279a132013b796255fc73615c59c1d99b2ae4c8fb591d872b0a

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
MD5
6e1137e844c62860569cff61df4b37f0

SHA1
a64ea58e4f8eca2703a7f56d92d62411f48c6c35

SHA256
03627495d49162a38c510abc15913a4f54c617453c78cbe64d6530f5b63105bf

SHA512
0874e12032f4dc49a463d1d4f89e957dbf94a1fa9f03a33ce2f03340ed003be7a56f7c6a7a1dce3b8d3aa38466f91bed364f699fe85b813bbc9e2d1e9f9c1cd3

Download Submit
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
MD5
b47299885583124a8f74404cca0d46f2

SHA1
87a1e47318a1316040599e308e2dc4c32f57cfc4

SHA256
6f368768df55b8caba8ba93a18c984466d66c19275cb5f795e54cedbe0b7d3d3

SHA512
39e7818470b1f2c92436b3725916c8780ade4c5476b4d36fef629dd8f3fe59dbb3933a6217f792234f3ce9681cb7fc052b6015e71f2e101002bf72c90af58d6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
MD5
c23ac983d1886942d6b65f21a05645c2

SHA1
2c6c88d337961c1c6d529b51ca7e9a8db1f55ac6

SHA256
11b464504afe505d0801b6ebaef593cdf8c925babc4e6f466b10ffbc51ee8dd2

SHA512
5d0577c5ac56aa309d72785d50620d5666f6584ffd44bd9e3160daf0cdb2304fd2a50183afa9db313a41b80476c19d89bcc882e6a6b61cba3490361c2d7bb477

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
MD5
4f8fc8dc93d8171d0980edc8ad833b12

SHA1
dc2493a4d3a7cb460baed69edec4a89365dc401f

SHA256
1505f3721dd3d7062dadde1633d17e4ee80caf29fd5b6aa6e6a0c481324ffd4e

SHA512
bdc3f83d7428418516daf23a9c2d00571cbaa3755391dfd8c500b6df7f621a67ad8e27775bcdaa20b159cd77d08bcdaf81a0cb7fffdd812978888d43512113a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
MD5
92ee5c55aca684cd07ed37b62348cd4e

SHA1
6534d1bc8552659f19bcc0faaa273af54a7ae54b

SHA256
bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531

SHA512
fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
MD5
9190cd2783b9a33741f92e4d52c5f1bb

SHA1
2bff66afa734aa10cfda0dee2cf5957bb099188f

SHA256
0553431a8e850cea680679910cdd8dbec72c2f3d03657bc844ebd0c9bf36ded0

SHA512
6b406fa4bea4901e4ba875d57714a19e594191b3cd5785b98e8ff533ec06d158c03f89c208b2371f52b50ea2c67bd8c7b5f27645eb29d09dcc121eef22c42546

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
MD5
18640a6735a158c038db067911b0e440

SHA1
0c59cbdbe0643eb166c791582dad181d03bff53f

SHA256
a733eb8f098619835f180cb797a9b24164dcceb35f8740e9ea842d4388463f6e

SHA512
59ab39297816a7ad8a09a64358833cb7913a116a4be084da66baedadca82526e5f67fb230caea68471b07e30b8950f69f146de062e4d9c750e23464bf4d38dea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
MD5
2fc612d65638f7ee4aa8fd72ac553883

SHA1
7a5424e6caeff3221da6ee0fe5e25e62a41af074

SHA256
e5d00dfeb3e3f41f4c7666dd933065fc72cb91835abec5ce4cb1ecd7de48d8e9

SHA512
8cfa90ced3ba35903d23e2f59ed8470e3827bb5569af69aded6ea5164ae45fc9d7e81410a27d4bb005f8ae8a0db65f8737fba53f3ed3482afebd0fef26f24ee7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
MD5
88cc307e5faa5d9464246389a329db78

SHA1
d8fc1ec6c577d7176a96fafcad0b1eb0b9a39976

SHA256
89a3991f691cff02371ef7fb2b6083be553e2e1e3ec9d998a7323e1bc1aefe87

SHA512
18ca74280ffc3e037cf0edd0f135d5e8ef444d27222e3ff27aac366f8c7e6ba387c4d686a639ef5077b9566676ff43fd3222343800c616cd8faeb6194ccef09c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
MD5
125247a91e098fccac045826117a9d66

SHA1
dc8ef228e5d29d7b7e014159aae7bdac8b654fdd

SHA256
35b3e743a2e94114d54e37554afb70860d349089c5efc63106c2ab313c237267

SHA512
e681c664dd65964d322f8edb35a1889b4bc8fa1a0b664fb028e3f6a8e3b89fa97119e835d3562d9e7483f69f7249206d1e01ffe5f9f8c70a84b72d81cedb9855

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
MD5
7d5a006f36a99544c7baea6a492f9920

SHA1
2b03f176121725ac4f46df590e4a5f5fa064f83a

SHA256
7c431d3fdbed5883c13bcd7c53a7226454f7c987c13e5636ad14ec60893e58c5

SHA512
d45bf84deb4b03e7d9c386aeef3a5e0818a7ca1eab2cda94a64d4d47fa6d98bf2a7bedae30eb31e18faeb65f01c04e74a8bdc3686d288330775e81ffbbac534d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
MD5
9ee28736603a8308e5437506c073c325

SHA1
5262495ca9982b0a7c7f66dfa0ce5c15493a9b8c

SHA256
af4c28c02d9901f64abf12b6054df2520f5e4196d400af0fd90921b30490fe9e

SHA512
f7fcc5915a575fb25e156f9b70afffbdb0ba46449d17255c21c5a8819e41f20f80d88e53c275778e5338821d8d008a101b2ca265f55820475b92fa75bac81368

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
MD5
1294a837cd01b01937780a15a14703b4

SHA1
cddc9162ebe63c21423f64a3a97c2134fa1355f6

SHA256
6785f1356826bc233793c2d7550b61c5469ded86555b4b014880fe48c542da34

SHA512
315366fc0e82fcf689ab4dd07218aea50c66265b785d8f7156d086cacc7b6f179156ad13680fcdb41e15318d53e904ce533dd0b56b89b6fd1da181a192676fe1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
MD5
015656b72540efb0f4368ac3ae4a3777

SHA1
798e8d3f6d9e0365357b428a5f34f49c0e6d9dee

SHA256
a980b887514a9fe398b86e7dde5cfcf1026fde6a8c5861ad2d3c1b6a7e40ef63

SHA512
354594c782ee1bd224cc95fec032ec365b56f21d1f135c10bf34de304dfd12716d51c2279a7e2324dc3c9d94ad628cab19f18026cb5a4fd01e28c32d1670a58a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
MD5
c1e6228d50aa7984e774e94fae699498

SHA1
234fbee91159e6ec5fff4d22b464d544a45577d1

SHA256
920ba00dc5530f3f9e797e2ce78dce256968599e16923ed934a84f556a789906

SHA512
b83b816bc50c286de25b1090dd15d994d784aeb603fe5d22d571d7fe93509b956d46f621bb9c53576e0ceea06f6cf2ec38c581c41b1fe87f8d53ccbb6fec3c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Google\Temp\GUMFBCB.tmp\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\478052e8d42187e9c1d0bc38d13e140d7e92d9ab59874c44bc83e3a9ec13a631.exe
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\478052~1.EXE
MD5
d64be1cf64058aba02cb98065d5ea3f0

SHA1
fbcc5a7492f6bcbc86f36fd191df038f6f6660d0

SHA256
db87da4d68417d25dd5b53511a5596cce452cdb9ab38682dfa12d6d898c38ec9

SHA512
549640e2c68692e77593b31abf2ab9cd407d8e87190096faa566d9b3d84c9ec35c66ea0d41460446ea9f469067582588af219e8dce7342ea7bfad53be192aba9

Download Submit
memory/948-134-0x0000000000000000-mapping.dmp

Download
memory/952-136-0x0000000000000000-mapping.dmp

Download
memory/1220-59-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1236-130-0x0000000000000000-mapping.dmp

Download
memory/1600-132-0x0000000000000000-mapping.dmp

Download
memory/1620-67-0x0000000000000000-mapping.dmp

Download
memory/1812-129-0x0000000000000000-mapping.dmp

Download
memory/1892-66-0x0000000000000000-mapping.dmp

Download
memory/1932-137-0x0000000000000000-mapping.dmp

Download
memory/1948-62-0x0000000000000000-mapping.dmp

Download
memory/2024-131-0x0000000000000000-mapping.dmp

Download
memory/2036-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads