neshta | fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3

Analysis

max time kernel
132s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
Size

1.3MB
MD5

12cc5ca0a03ca82b23d1e87c423342e6
SHA1

776cf95b5dd0e23acc0a4f729e117757caeb3057
SHA256

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3
SHA512

7cb0723a4dde7d0412af3712bd320bc714b762f7e0833114bf4bad5d0fb16152986eaea184d3d25af6fa586e7d9ba7e8ac0eb34028ea860a38dd1ca46f5e2e5d

Score

10^/10

neshta xmrig evasion miner persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Read-this.txt

Ransom Note

All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back 1-Go to C:\ProgramData\ or in Your other Drives and send us prvkey.txt.key file 2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data 3-Payment should be with Bitcoin 4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss Our Email:[email protected] in Case of no Answer:[email protected]

Emails

Email:[email protected]

Answer:[email protected]

Signatures

Detect Neshta Payload 58 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	family_neshta
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	family_neshta
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	family_neshta
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	family_neshta
C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	family_neshta
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

pid process

368 fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\PingEnter.tiff	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Drops startup file 1 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Loads dropped DLL 3 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

pid	process
1100	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
1100	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
1100	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Drops file in System32 directory 1 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Drops file in Program Files directory 64 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00610_.WMF	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jre7\lib\zi\GMT.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INLAUNCH.DLL	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2B.BDR	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdate.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107192.WMF	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00116_.WMF	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODTXT.DLL	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.DLL.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME49.CSS	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPIR.DLL.IDX_DLL	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALHM.POC	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryNewsletter.dotx	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.[[email protected]][MJ-AK5048962713].crm	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8B.GIF	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Drops file in Windows directory 64 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\d9a485330ec2708456134e4a9712a4ab\System.Security.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\b90f40ba78ef47ed0a9a563e242f6322\System.Runtime.Remoting.ni.dll.aux	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Acti31fd6628#\588dc6be6980380dbe4ef726ff795778\System.Activities.Core.Presentation.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_64\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.resources\2.0.0.0_de_b03f5f7f11d50a3a\Microsoft.Build.Engine.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationUI\3.0.0.0__31bf3856ad364e35\PresentationUI.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Activities\3.0.0.0__31bf3856ad364e35\System.Workflow.Activities.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\ba0cf5858766f7bc9413b1d4af6d69bd\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\f730acee6c31ccae8256d0abbe9728ae\PresentationFramework.Aero.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.Services\4c68ebf1c5c63ebf75ad81a9ca3e3fd2\System.Data.Services.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\dcbadb02f6000b436f1cb0fb736df3ee\System.Drawing.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\2.0.0.0_es_b03f5f7f11d50a3a\System.ServiceProcess.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Mobile.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.Web.Mobile.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\CustomMarshalers.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\56780b4bd164787631d4317d0556c3c0\UIAutomationClientsideProviders.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Device\64b016e546f8d38525f02e9c73c559ea\System.Device.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v3.5.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\ca807340cc583efabfc0f3ded2609280\Microsoft.Build.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\907f5045e26c39e1ae48024201b6334d\System.Data.OracleClient.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\napinit\a64d6cb9f99621449821066eca9291e9\napinit.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData.Intl\14.0.0.0__71e9bce111e9429c\microsoft.office.businessdata.intl.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources\6.1.0.0_ja_31bf3856ad364e35\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\1.0.0.0_es_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napsnap.resources\6.1.0.0_en_31bf3856ad364e35\napsnap.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\887ef2648686aad19feff405eddbffd2\System.EnterpriseServices.Wrapper.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Act#\a53a2767e448aef90b345af1339d4c9a\System.Workflow.Activities.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\efec1926513ece87ff644670cdd80031\PresentationUI.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.ServiceProcess.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SrpUxSnapIn.resources\6.1.0.0_es_31bf3856ad364e35\SrpUxSnapIn.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WindowsFormsIntegration.resources\3.0.0.0_ja_31bf3856ad364e35\WindowsFormsIntegration.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\165d0873203da280298bfcfa50567a0b\System.Web.Routing.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\9312b7591cfb35c1c4b3e6d497c0489e\Microsoft.Transactions.Bridge.Dtc.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.Interop.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_es_31bf3856ad364e35\EventViewer.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationCore.resources\3.0.0.0_de_31bf3856ad364e35\PresentationCore.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Drawing.Design.resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.Drawing.Design.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Transactions.resources\2.0.0.0_ja_b77a5c561934e089\System.Transactions.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Jscript.resources\8.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.JScript.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ReachFramework.resources\3.0.0.0_de_31bf3856ad364e35\ReachFramework.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.resources\3.5.0.0_ja_b77a5c561934e089\System.Data.Entity.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web\7c32e936a07e0c7d9cae3ac27497f613\System.Web.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Messaging.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.Messaging.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Vsa\bb235aa98e8e876f0f641c4d486f9151\Microsoft.Vsa.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\2dc6cfd856864312d563098f9486361c\System.Windows.Forms.ni.dll.aux	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Printing\836fe321118ff3c6c51adccf758d138b\System.Printing.ni.dll.aux	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_ja_b77a5c561934e089\System.Core.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\cdb429c8c7738b77dd919b4b917b2078\Microsoft.ApplicationId.Framework.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b1c511d8fad78ad3c5213b2b4fb02b8b\Microsoft.PowerShell.ConsoleHost.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\62765bb26133f581e10bb7c866f35c83\System.Net.Http.ni.dll.aux	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\big5.nlp	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.Ink.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\napsnap\46a2e8958905ea98cb6e91b38449c58a\napsnap.ni.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\88bbec18c44a06edb18eb16d6775008f\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_es_b77a5c561934e089\System.Core.Resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.OracleClient.resources\2.0.0.0_es_b77a5c561934e089\System.Data.OracleClient.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.resources\3.5.0.0_es_b77a5c561934e089\System.Windows.Presentation.resources.dll	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.6.0.ehRecObj\6.1.0.0__31bf3856ad364e35\Policy.6.0.ehRecObj.config	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Windows\AppPatch\ja-JP\AcRes.dll.mui	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

NTFS ADS 2 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Desktop\Updater6\Adob\:<ʻ\LNʻ\VX󈊻\`b󟊻\jl힘ʻ\tv폴ʻ\~큐ʻ\첬ʻ\줈ʻ\앤ʻ\¦¨쇀ʻ\°²븜ʻ\º¼멸ʻ\ÄÆ뛔ʻ\ÎÐ댰ʻ\ØÚ꾌ʻ\ⱨˇꯨʻK\ìîꡄʻ\öø꒠ʻ\ĂĄꃼʻ\ČĎ鵘ʻ	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2329389628-4064185017-3901522362-1000\desk\8:ʻ\ʻ\ ¢ʻ\ª¬ʻ\´¶	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

pid	process
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exefc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1100 wrote to memory of 368	1100	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
PID 1100 wrote to memory of 368	1100	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
PID 1100 wrote to memory of 368	1100	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
PID 1100 wrote to memory of 368	1100	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
PID 368 wrote to memory of 768	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 768	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 768	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 768	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 768 wrote to memory of 780	768	cmd.exe	net.exe
PID 768 wrote to memory of 780	768	cmd.exe	net.exe
PID 768 wrote to memory of 780	768	cmd.exe	net.exe
PID 768 wrote to memory of 780	768	cmd.exe	net.exe
PID 780 wrote to memory of 1244	780	net.exe	net1.exe
PID 780 wrote to memory of 1244	780	net.exe	net1.exe
PID 780 wrote to memory of 1244	780	net.exe	net1.exe
PID 780 wrote to memory of 1244	780	net.exe	net1.exe
PID 368 wrote to memory of 1392	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1392	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1392	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1392	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 276	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 276	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 276	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 276	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1656	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1656	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1656	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1656	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 432	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 432	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 432	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 432	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 432 wrote to memory of 2004	432	cmd.exe	net.exe
PID 432 wrote to memory of 2004	432	cmd.exe	net.exe
PID 432 wrote to memory of 2004	432	cmd.exe	net.exe
PID 432 wrote to memory of 2004	432	cmd.exe	net.exe
PID 2004 wrote to memory of 1984	2004	net.exe	net1.exe
PID 2004 wrote to memory of 1984	2004	net.exe	net1.exe
PID 2004 wrote to memory of 1984	2004	net.exe	net1.exe
PID 2004 wrote to memory of 1984	2004	net.exe	net1.exe
PID 368 wrote to memory of 1972	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1972	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1972	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1972	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 1972 wrote to memory of 2040	1972	cmd.exe	net.exe
PID 1972 wrote to memory of 2040	1972	cmd.exe	net.exe
PID 1972 wrote to memory of 2040	1972	cmd.exe	net.exe
PID 1972 wrote to memory of 2040	1972	cmd.exe	net.exe
PID 2040 wrote to memory of 1820	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1820	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1820	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1820	2040	net.exe	net1.exe
PID 368 wrote to memory of 1552	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1552	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1552	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 368 wrote to memory of 1552	368	fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe	cmd.exe
PID 1552 wrote to memory of 1684	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1684	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1684	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1684	1552	cmd.exe	net.exe
PID 1684 wrote to memory of 1688	1684	net.exe	net1.exe
PID 1684 wrote to memory of 1688	1684	net.exe	net1.exe
PID 1684 wrote to memory of 1688	1684	net.exe	net1.exe
PID 1684 wrote to memory of 1688	1684	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
"C:\Users\Admin\AppData\Local\Temp\fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\net.exe
net stop MSDTC
4⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
5⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
3⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
4⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
5⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\net.exe
net stop vds
4⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
5⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
3⤵
PID:1640

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
3⤵
PID:1216

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
4⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
3⤵
PID:1744

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
4⤵
PID:1148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
5⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
3⤵
PID:1064

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
4⤵
PID:1900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
5⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
PID:1800

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
PID:1488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
3⤵
PID:1824

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
4⤵
PID:1664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
5⤵
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
7f41cb614af1d56fb8ce3133b085dce5

SHA1
947c8898352e495b971da01934c111e139d8f80b

SHA256
f8019d045977c31b3f0b50c782cd7f1c1f61397674c763e639845123a94ddb5d

SHA512
375a6170ccc70f3d347baecd9f7ca8e9456aa598c131e1cd26f093ad2c65c692765a08dbffeb11f04ad1ad585da982029d0edb91a1b47e6c92571bb56afdde7e

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
MD5
831270ac3db358cdbef5535b0b3a44e6

SHA1
c0423685c09bbe465f6bb7f8672c936e768f05a3

SHA256
a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0

SHA512
f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
MD5
a6cf84e9a0b4e69568fb8dd6f5db5341

SHA1
d8347168444c996040b308bdea34a1f5b6eb93d2

SHA256
b958182847e9208f0dfbf279722484ba1d6b4a27316a7b0cdd8611caf4ee80d2

SHA512
124b9c8cae745d10c12291f16db53700032b62b39f091e8b34c5176de0ee1a7e6ffb5ce3d2a88282d466211ab09607f735c34339d4156f7bb0f316019f16983c

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
MD5
8e25785569c68ee97296b491c2a50196

SHA1
2bc6ae9152fed9b3ed692d5609c8544e2bbb6214

SHA256
3c4abec4b2352e2b20c1f2bd92c183ac40ec7c76424ecf324215ad862b3c61cf

SHA512
f1de8c4fbc3d9b376638343b1c8f147a716fe4cd70f3f4eedfe5e7e42a651c0a136b3e2a9ea2257fbcd29de099a34af2c3426751d48928df1b04e83fe1b382bd

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
MD5
2f6f7891de512f6269c8e8276aa3ea3e

SHA1
53f648c482e2341b4718a60f9277198711605c80

SHA256
d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86

SHA512
c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

Download Submit
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
MD5
a741183f8c4d83467c51abab1ff68d7b

SHA1
ddb4a6f3782c0f03f282c2bed765d7b065aadcc6

SHA256
78be3aeb507db7e4ee7468c6b9384ee0459deebd503e06bd4988c52247ecea24

SHA512
c15dbecc0754a662892ecaff4b9b6c1bad46f710d8e1b973f86eaee467444f8e5764b31ace8f5a9a5e936947cc4dcb97cb1b14a6930c1025f38a3544393b6b18

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
MD5
d4fdbb8de6a219f981ffda11aa2b2cc4

SHA1
cca2cffd4cf39277cc56ebd050f313de15aabbf6

SHA256
ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b

SHA512
7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
MD5
f304f29dbad364d73ccaa3debb077566

SHA1
622d8359d8dd3bd259b93fe8167b73059ad17c2e

SHA256
afc5d0b603948f4adbc19b59e9145ed6cf677be20f56604eead599f6e0ef23cd

SHA512
9cb1e86a204dd51cb2cc0b9d148f305ce03481dcd462a92338a0cc545a6d744658724154a898b71211256f778d6e63bff00e92caca0ce0a0035522aa73b2c24f

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
MD5
28f7305b74e1d71409fec722d940d17a

SHA1
4c64e1ceb723f90da09e1a11e677d01fc8118677

SHA256
706db4d832abdf4907a1386b917e553315660a59bfb4c180e38215b4a606d896

SHA512
117de88d0bc437023ca2f1f54b1f2cf03b00c8cb52e4b728cabcb3140659c67cdb6d2c203d3ca13767312831c6308622dfa65d6c5361ec28aaf4ec0870f9ba6e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
MD5
3f67da7e800cd5b4af2283a9d74d2808

SHA1
f9288d052b20a9f4527e5a0f87f4249f5e4440f7

SHA256
31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

SHA512
6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
MD5
da31170e6de3cf8bd6cf7346d9ef5235

SHA1
e2c9602f5c7778f9614672884638efd5dd2aee92

SHA256
7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858

SHA512
2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
MD5
60f6a975a53a542fd1f6e617f3906d86

SHA1
2be1ae6fffb3045fd67ed028fe6b22e235a3d089

SHA256
be23688697af7b859d62519807414565308e79a6ecac221350cd502d6bf54733

SHA512
360872d256ef91ea3debfb9b3efa22ee80859af9df29e0687c8e1b3c386d88ff1dc5635b86e714fbf1a7d4d6bc3d791efa31a9d9d13e0f79547b631bddb5108d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe
MD5
034978c5262186b14fd7a2892e30b1cf

SHA1
237397dd3b97c762522542c57c85c3ff96646ba8

SHA256
159776d43dd2a8d843b82ece0faf469f9088a625d474ce4eea9db59d94a844e6

SHA512
d216e757616121d9902b0db2669b6e2aa9eb2697427c9ea2804ebda9690abbf9219c6e603d63ff19dc6115a072985ca862499b5f8319ca057a16e81aec9ea949

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
MD5
b706d7238bfa8de4c6ae332f943b47b3

SHA1
f90730069fc84e6f96ef0ca09901a6dae061b386

SHA256
4d1c0b2f4bc5b36ccd1f6a9cdee78fa8d9611a50c7a10424da7d394aefde0151

SHA512
ce85d6422287d1c7bc2804fe4bcf1373f8e646e6adbdca528ad10096a068ac442eac4625b3e6b0d13c7cedecbe1c70b3874c8b9726901279ab73eeb1880fcd25

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
MD5
467aee41a63b9936ce9c5cbb3fa502cd

SHA1
19403cac6a199f6cd77fc5ac4a6737a9a9782dc8

SHA256
99e5bea5f632ef4af76e4e5108486d5e99386c3d451b983bcd3ad2a49cc04039

SHA512
00c9ccdbbd6fd1be0c2dafd485d811be9bf2076d4efeabc256179befd92679b964e80edcb90ef21f3e874578fdb0003878227f560ca76498865770280f87113e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
MD5
46e43f94482a27df61e1df44d764826b

SHA1
8b4eab017e85f8103c60932c5efe8dff12dc5429

SHA256
dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd

SHA512
ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe
MD5
09f0c144ff13cebc21267e71326324e7

SHA1
338ca67ba76427c48aace86ad68b780eb38a252d

SHA256
56977618a0fbd66c0ef0ca042290dfe464f4ad5b4b737a4b9db47631a7178f13

SHA512
126ed94d3efd7aa54b181ffe35be6dbe6aea1481eaf28f6f418a23717d052e3d53e49c1de8f7aa68120f9be9b84e965ab5ccf3b0f0a1b25de6321217d67e6284

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe
MD5
ea78ed9e7eb4cc64544163627476fe4b

SHA1
67aed91a59742a36c0ff635b15c692cde3eb3a9d

SHA256
d5adfd6c8160892716ad5f2907cc66888aee97e1d296404503e1d42dd30ba562

SHA512
eeee54e5ffbd243fe7ef6c93744c754bc238e5b05e85c7ca3b25edc02a8692cd10225edff40444fe2536608d0ed25578573e309503cb8f90f43d089d86f8710f

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe
MD5
dd5586c90fad3d0acb402c1aab8f6642

SHA1
3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f

SHA256
fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e

SHA512
e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe
MD5
950000c930454e0c30644f13ed60e9c3

SHA1
5f6b06e8a02e1390e7499722b277135b4950723d

SHA256
09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2

SHA512
22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe
MD5
ad0efa1df844814c2e8ddc188cb0e3b5

SHA1
b1a8a09f2223aab8b8e3e9bc0e58cc83d402f8ab

SHA256
c87fd5b223cb6dc716815b442b4964d4670a30b5c79f4fb9f1c3a65ec9072e5a

SHA512
532cc173d9ef27098ff10b6b652c64231b4a14f99df3b5de2eb1423370c19590e2a6032023d3ed02e2080f2f087b620ebbbd079e4a47a584ef11f3eaa0eb8520

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe
MD5
33cb4562e84c8bbbc8184b961e2e49ee

SHA1
d6549a52911eaeebcceb5bc39d71272d3b8f5111

SHA256
1f455ea6bab09377e5fdfbd5df102f79c5cbbb5fe5ce456f2fbb34f94ec848bb

SHA512
0b638a6e86816ba5d83de5fc381c85371f2f4fe0a2fdff40141859a42e255a082903e5692a49ef253265a42ec99924e5a0aa150cb7ed6cd5521f42f6c9fe27a9

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe
MD5
fafb18b930b2b05ac8c5ddb988e9062f

SHA1
825ea5069601fb875f8d050aa01300eac03d3826

SHA256
c17785fe7e6b5e08fe5a4ca3679fee85ba6f2e5efcce0fb9807727cf8aa25265

SHA512
be034e7377bd27092aad02e13a152fb80ff74c1ba2fb63ccb344cd55315d115ee47e46727cbe55ca808efafa58d7924e3eed965e9a2fd3b9ae2dff7834383e54

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
MD5
dd5586c90fad3d0acb402c1aab8f6642

SHA1
3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f

SHA256
fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e

SHA512
e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
MD5
02f0b3ce78acbdee2c94fb7661a75243

SHA1
c9d711b536433234b31ea36249df5c1d2659f762

SHA256
3e695633336ff9320d5bf1f3a82a2df5ccf01e0f4a489229de2640d2d6f7ab93

SHA512
0d296e6c3ccfd568dd5b164477dd34c3480efa4642803dbbea0c8150c6ea4c1ad7ef08316f6fed099ff91bb146c7c361395ce209610faf3be723a8f2e12dde0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
MD5
b1e0da67a985533914394e6b8ac58205

SHA1
5a65e6076f592f9ea03af582d19d2407351ba6b6

SHA256
67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f

SHA512
188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
MD5
4f8fc8dc93d8171d0980edc8ad833b12

SHA1
dc2493a4d3a7cb460baed69edec4a89365dc401f

SHA256
1505f3721dd3d7062dadde1633d17e4ee80caf29fd5b6aa6e6a0c481324ffd4e

SHA512
bdc3f83d7428418516daf23a9c2d00571cbaa3755391dfd8c500b6df7f621a67ad8e27775bcdaa20b159cd77d08bcdaf81a0cb7fffdd812978888d43512113a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
MD5
92ee5c55aca684cd07ed37b62348cd4e

SHA1
6534d1bc8552659f19bcc0faaa273af54a7ae54b

SHA256
bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531

SHA512
fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
MD5
56f047ff489e52768039ce7017bdc06e

SHA1
3f249d6a9e79c2706ed2e0e12f7e76ebd5e568fc

SHA256
62d6c979d708efe21c9618a18232fd2c74e85bb9560daa298025ab9af784202d

SHA512
a2eae7eae6548d325480560dcca83283a022f00f7d9bd19c0ae801a7acec133a33c5c5eb79432d47c8258d153cadea988217845d58eb4e8aa8070a068befe5e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
MD5
06ac9f5e8fd5694c759dc59d8a34ee86

SHA1
a29068d521488a0b8e8fc75bc0a2d1778264596b

SHA256
ab6a5bfc12229c116033183db646125573989dfc2fc076e63e248b1b82f6751d

SHA512
597dfd9cb82acc8f3033f2215df7138f04445f5826054528242e99e273f9cc4a7a956c75f280e6145fcdb22824a1f258246e22637de56a66dcae72ac2c1d14fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
MD5
8acc19705a625e2d4fa8b65214d7070a

SHA1
ad16e49369c76c6826a18d136bf9618e8e99ec12

SHA256
3fb179a3ae88a3d14db48de29d4b9d43243b80b2118b578b8117ad776ce47f12

SHA512
92e22275194b5a73d825e1e7ad5a5cb5649d3679f545f88328aa72e39c161c4d797b7b3462e590edf546ddbd53c1508a49056f50fa63b113134e1bdc7d977dec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
MD5
33cb3cf0d9917a68f54802460cbbc452

SHA1
4f2e4447fabee92be16806f33983bb71e921792b

SHA256
1230b2032d2d35a55cd86d1215eb38fa18bcf590c3c19b9ac4dda5350c24e10a

SHA512
851f0a098020cb1da3f5f48febce3b9eaef3b885df9134b3fb6b364f3a7572a8c516456710a15f66f0a44eff59cfa50f2dc8bb5d274e5c093294b2ea96fd49cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
MD5
44623cc33b1bd689381de8fe6bcd90d1

SHA1
187d4f8795c6f87dd402802723e4611bf1d8089e

SHA256
380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba

SHA512
19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
MD5
5d2fd8de43da81187b030d6357ab75ce

SHA1
327122ef6afaffc61a86193fbe3d1cbabb75407e

SHA256
4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f

SHA512
9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
MD5
25b9301a6557a958b0a64752342be27d

SHA1
0887e1a9389a711ef8b82da8e53d9a03901edebc

SHA256
5d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303

SHA512
985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
MD5
7a4edc8fb7114d0ea3fdce1ea05b0d81

SHA1
02ecc30dbfab67b623530ec04220f87b312b9f6b

SHA256
ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550

SHA512
39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
MD5
c3ee902099b98a299b1a215aba1b27bb

SHA1
602b023806464db25f5f8e4ffc157cc7d7e9886b

SHA256
e657a9f85af7cb5ded734e162db514e466256a83d51f4454abbf19c54b30686f

SHA512
3538548c99f266404395ce9bdcadb542171799865ac5feddce936305ff2b09ecb939bed60d1e7011a39ca8548af39f9b4ee723b15674a1df54404270fc5afc9f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
MD5
a2dddf04b395f8a08f12001318cc72a4

SHA1
1bd72e6e9230d94f07297c6fcde3d7f752563198

SHA256
b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

SHA512
2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
MD5
154b891ad580307b09612e413a0e65ac

SHA1
fc900c7853261253b6e9f86335ea8d8ad10c1c60

SHA256
8a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483

SHA512
39bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
MD5
4545e2b5fa4062259d5ddd56ecbbd386

SHA1
c021dc8488a73bd364cb98758559fe7ba1337263

SHA256
318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8

SHA512
cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
MD5
08ee3d1a6a5ed48057783b0771abbbea

SHA1
ebf911c5899f611b490e2792695924df1c69117d

SHA256
3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0

SHA512
1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
MD5
2d1b4a44f1f9046d9d28e7e70253b31d

SHA1
6ab152d17c2e8a169956f3a61ea13460d495d55e

SHA256
d1d73220342ff51a1514d2354654c6fcaedc9a963cb3e0a7e5b0858cfc5c5c7d

SHA512
dd8f5e343417a3e131b3362f1aecaf9ce0f8a55c9f90aa3b7e55b6ddb6c5f4e06b3e76a7f4481fa13e2f325ab2490553f6977178acf7c486c7315755c05fc7c3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
MD5
6b63036a88f260b7a08da9814cf17ce0

SHA1
cac1bd549343a1c3fcefacc2d588155a00c4467b

SHA256
8f9fb3c2ce132a64e157738feaf82bb512ec03d03fa2da95c26470defeef513d

SHA512
383b8676a85e0f2447536bd15019c23bed15a51d633dafe5ac7bcbea75d8064ef9fd938461eab25df7f3eae3de18b87640e8cc12e95f7b58de1209937d8da284

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE
MD5
525f8201ec895d5d6bb2a7d344efa683

SHA1
a87dae5b06e86025abc91245809bcb81eb9aacf9

SHA256
39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b

SHA512
f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
MD5
61631e66dbe2694a93e5dc936dd273be

SHA1
b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2

SHA256
5811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f

SHA512
323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
MD5
5ae9c0c497949584ffa06f028a6605ab

SHA1
eb24dbd3c8952ee20411691326d650f98d24e992

SHA256
07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

SHA512
2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
MD5
fc87e701e7aab07cd97897512ab33660

SHA1
65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

SHA256
bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

SHA512
b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE
MD5
93766da984541820057ae0ab3d578928

SHA1
ea19a657c6b1b5eb5accc09c45dcf04f063151c3

SHA256
ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514

SHA512
e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
MD5
02e02577a83a1856dc838f9e2f24e8d2

SHA1
2ab44e2072a3598fc7092b2ccb9aff3a2c5d4ced

SHA256
3b6ca9d9fcbb0c1677fe4caeef03e4db326f70166f030b5f9fa9f2856031d4fc

SHA512
a95d454a4f9e5271bc52e6c245c7840a92b8331b84260b2556432ac66dd07bec1b2c3dcf41282d6d8ae581a152f3147e75dc673ce0c7ecbb653dcc61bc1d1bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
MD5
6c4021d6052dde1fabfadcc07af03fa9

SHA1
caf395a6718f9d26f9ecf9f1b6ed038efb3ac61d

SHA256
017baccd5152d165806f1cbb77aca2d4976a6976ec29bada732d6534038d9e99

SHA512
a1789ac12adc67b2590d8a109bf4b11bb8b605443272745184bea95fe2db91c625eb6bb75b65a4ceeeffa3b11643d758900699b759a29170e84023d4bb0d11da

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
MD5
6c4021d6052dde1fabfadcc07af03fa9

SHA1
caf395a6718f9d26f9ecf9f1b6ed038efb3ac61d

SHA256
017baccd5152d165806f1cbb77aca2d4976a6976ec29bada732d6534038d9e99

SHA512
a1789ac12adc67b2590d8a109bf4b11bb8b605443272745184bea95fe2db91c625eb6bb75b65a4ceeeffa3b11643d758900699b759a29170e84023d4bb0d11da

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
MD5
6c4021d6052dde1fabfadcc07af03fa9

SHA1
caf395a6718f9d26f9ecf9f1b6ed038efb3ac61d

SHA256
017baccd5152d165806f1cbb77aca2d4976a6976ec29bada732d6534038d9e99

SHA512
a1789ac12adc67b2590d8a109bf4b11bb8b605443272745184bea95fe2db91c625eb6bb75b65a4ceeeffa3b11643d758900699b759a29170e84023d4bb0d11da

Download Submit
memory/1100-55-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download