neshta | f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5

Analysis

max time kernel
162s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
06-02-2022 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Size

1.5MB
MD5

997d9a0c210f31ec90f157e77dc9c488
SHA1

c10e62bf47b425970075a5c6d644db23cd93e08b
SHA256

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5
SHA512

1936aeb4fc7919e9b070be3547c4c9ebbe8bd4390628abd8700bfa196e4dcfb040a3bb394c350827132f4f5d3ee60cedcde7f0754753a0a6c42fb27df3689cef

Score

10^/10

neshta evasion persistence spyware stealer trojan

Malware Config

Signatures

Detect Neshta Payload 21 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE	family_neshta
C:\PROGRA~3\Adobe\ARM\S\21312\ADOBEA~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\Adobe\ARM\S\21312\ADOBEA~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exesvchost.com

pid process

1440 f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
3264 svchost.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exef62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comf62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost.comf62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4112"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.260952"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887828981772544"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3932"	svchost.exe

Modifies registry class 2 IoCs

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exef62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

pid	process
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

pid	process
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

pid	process
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

pid	process
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exef62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exesvchost.com

description	pid	process	target process
PID 852 wrote to memory of 1440	852	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
PID 852 wrote to memory of 1440	852	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
PID 852 wrote to memory of 1440	852	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
PID 1440 wrote to memory of 3264	1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe	svchost.com
PID 1440 wrote to memory of 3264	1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe	svchost.com
PID 1440 wrote to memory of 3264	1440	f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe	svchost.com
PID 3264 wrote to memory of 3676	3264	svchost.com	READER~1.EXE
PID 3264 wrote to memory of 3676	3264	svchost.com	READER~1.EXE
PID 3264 wrote to memory of 3676	3264	svchost.com	READER~1.EXE

C:\Users\Admin\AppData\Local\Temp\f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
"C:\Users\Admin\AppData\Local\Temp\f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\3582-490\f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3264

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
4⤵
PID:3676

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
MD5
22913149a9d766c415c21e613e4e1d1b

SHA1
36b33b1ab48615ebe7bd25472d50ba3de56a21c6

SHA256
495ac0a638059cb60b2eebf3ac5e8fd17d5fbc7424195308f19e2ffeac3e0ced

SHA512
d9e5396bb24e3ad7ba31b45e8e1bfeb74c32895ab3af6544715c5db04da0442fafd82b06c49a920d964cf0a8fac7a58ccef4a173f1a5879c6733748edc180b14

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE
MD5
a1ca7be41ff6a68ecebe5305c237cf08

SHA1
f3ad861fe2d05bd457e4cec026eeb0e3c22c3c92

SHA256
77528d56d5ae8d86144d324a32b3ccf49ab9ba346fc79488682db9030a15cbad

SHA512
6d13b75c20810131397b750c99107ef45a5ed47bd4ac404d0a3b907b224f79ed0165e7c33fcdbdc32002f3eabb447eff2f102162bf4246d19fd9176782436be0

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE
MD5
a3e0cd180bc88ba713ecd1748e8c9b32

SHA1
99b6d80183792ebb66dcc5cb7f2cbde2c023cda3

SHA256
140309628663ba161d340735332071e417ba1ee532ecf00274b6259f28db8da3

SHA512
3217b8468c7f3cd5b1e811b77cded9d35c4e2b808f5de903fa7ef690d1417f7cd037e2f1657abf420dc0f20f4de7f77ae5b97573cc2ad00ccb2d863df7962a13

Download Submit
C:\PROGRA~3\Adobe\ARM\S\21312\ADOBEA~1.EXE
MD5
fc4c66072aeacb96b521decf86fbe3e5

SHA1
a0bd3a9cd98f3d18e01b4a65e159c4d62b9bdee6

SHA256
f8f6b41712d7b27996b488cc4e781f2510655ddde579668a143a3f58c0ca5a69

SHA512
81d2409e062b734051b7cac7d9f7c808af82d25a5b9daaaef828a0619dcccb2aa2ffb481e8e063102f72ddd31da5415751ce4e26720f88dc19983fb394b4c208

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
MD5
4b2192864374f21ee6cb90b81c8b98a9

SHA1
131c29e7354fe6e32153d5dcf4d52c8f9c9d3091

SHA256
b29d2b87e91f82d764ee7ab5947dbf9f3e2b9dc473e571ef1b67622d35cb9b9a

SHA512
2361cfb375b597f6100dd0c84340c34041db4da2ca0bd72e1aba7782e73c43c9ef920c83e367eb16bf213ecb3518e97c6417a5f666a298deefd23f4260b52f2b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe
MD5
12fd9fcb97cb1e45c020e7bac06b2c91

SHA1
90c6fce6c9c40666ecc0c3964308bb2401676703

SHA256
8cec6976f1f5c004627ac249302e29127f4c7d2cda4df8263bf75281edec7a25

SHA512
c805cc4ca9bbc3e4c961e2685712d44c85aed275cdfd2f6c3c20898c647efbd442fb0b8da0186d06fce88288e9fdec25830c48cb107b73da466098ab19353953

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\Users\ALLUSE~1\Adobe\ARM\S\21312\ADOBEA~1.EXE
MD5
3ad3461ef1d630f38ed3749838bbedc3

SHA1
8d85b0b392ae75c5d0b004ee9cf5a7b80b1b79e6

SHA256
32be2bca2b848da78c02140a288f1bb771cb66757f90d20126b1bcfd5bb40e62

SHA512
0e95e5181eab14d5820a3a4952018ac9b290fa3b17add8a5e13d893052f1d2a90a2323c62843f6a9e9af00f27e00108b60e0bce2f848e0a4d8ce0cce153db1ba

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
MD5
413ec51a9880e79324c712c0548674c1

SHA1
032d114c78c8df6d98186eeffd9cba24589e93bb

SHA256
80eee8d364db4b281b1643a1a52a5dd1c334b4f20c2519c5e0ba7aa9a49c2bd7

SHA512
4a1f74751793c32729ebe1e01b8b79ffe1a812e6972a21c17a688f52ea828c9d179151026597cae202b3cc46ecd0909d78b47cba5b3e2dc954832cd378657555

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
MD5
015caa1588f703bd73bc7cfe9386ffe4

SHA1
747bec0876a67c0242ff657d47d7c383254ea857

SHA256
e5c6463292e3013ef2eb211dad0dfa716671241affbd8bed5802a94f03950141

SHA512
1fb3b2fa422d635c71a8e7865714516b7de1c32e6286f8b975be71b17a9186fcac78852e9467b4751b4eab69cb6af30140772858a758596596d09d767d170aab

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
MD5
4cf3954a39b7e27f364cbb5e58a3a957

SHA1
4498a5dea907da2b85e30bf6a1ebddfbaba2eb18

SHA256
f24a6d80aff3ee9ee65a609376d1aa3fdb3a034847ebbc0e4e65ff20ab0893fb

SHA512
d7dd8c5ad15dda561ae309fbf18e5ad2e852e951e937ea062cc0cb035df74ecb5a9aa636c6813aef37271268cedb1b3c5d39a8b6519fd54f5346445a2a9ef57d

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
a55d2c94c27ffe098171e6c1f296f56d

SHA1
d0c875b2721894404c9eaa07d444c0637a3cbc3b

SHA256
e81e4630b01d181fb3116e9e874eedfe1a43472bfa6d83cc24f55e78721ddf86

SHA512
13ee9041b21d4e00392aeaa5440c34301f945d9bbd4f07f831397040991eee79842a5618c1fd26ec75e7132b5da811bc9605b76b83a48355ede37a2a1c1cd6f0

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE
MD5
f3228c24035b3f54f78bb4fd11c36aeb

SHA1
2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb

SHA256
d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7

SHA512
b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe
MD5
3a3a71a5df2d162555fcda9bc0993d74

SHA1
95c7400f85325eba9b0a92abd80ea64b76917a1a

SHA256
0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8

SHA512
9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
MD5
4eb5d80cdb10e827692c029635f171a7

SHA1
46029f69ba21eea4d701d55480fee9b991f9c052

SHA256
5ded8a12139ad93d44491706f2f0124f532d0b43a136179604ae905e2d1ccb01

SHA512
051944536afbae0619ebe272e1b6379eab66ef3eedfd4f87dce4c22a6269e69a50523c445bbda7b7d2bc8aaa112d5704609731af87d51f2a15763d564575a464

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\f62fef6f3a75f53fe3ce65440f750765635b2e9398a1e486e375c2da2a78d3c5.exe
MD5
4eb5d80cdb10e827692c029635f171a7

SHA1
46029f69ba21eea4d701d55480fee9b991f9c052

SHA256
5ded8a12139ad93d44491706f2f0124f532d0b43a136179604ae905e2d1ccb01

SHA512
051944536afbae0619ebe272e1b6379eab66ef3eedfd4f87dce4c22a6269e69a50523c445bbda7b7d2bc8aaa112d5704609731af87d51f2a15763d564575a464

Download Submit
C:\Windows\svchost.com
MD5
d1bb9002f9b41f1dd503b9b2d238e961

SHA1
12a1b2dca6a63dc395d327b7e4efe72c01869584

SHA256
b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520

SHA512
40c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860

Download Submit
C:\Windows\svchost.com
MD5
d1bb9002f9b41f1dd503b9b2d238e961

SHA1
12a1b2dca6a63dc395d327b7e4efe72c01869584

SHA256
b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520

SHA512
40c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit