dharma | af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d

Analysis

max time kernel
152s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-03-2022 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
Size

133KB
MD5

65a875267a495f0b3f54b4155b23ac01
SHA1

0c1ce34b1e4c24bfd410c224d86cf3edcfb3a258
SHA256

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d
SHA512

eb481ecdfde628b7fd1f8e9fa1312b771b8093d310d6432960e4c158f47a7f409dcc91ae2a158c263b1e0eeaf09fc2e0b00d3ff3ba40672b088c6a98539f39b6

Score

10^/10

dharma neshta persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta Payload 20 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	family_neshta
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	family_neshta
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	family_neshta
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	family_neshta

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exesvchost.comsvchost.com

pid process

1252 af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
880 svchost.com
1460 svchost.com

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UseLimit.tiff	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Pictures\ResetDismount.tiff	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Drops startup file 5 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Loads dropped DLL 6 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

pid	process
604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe = "C:\\Windows\\System32\\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe"	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Drops file in System32 directory 2 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

description	ioc	process
File created	C:\Windows\System32\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Windows\System32\Info.hta	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Drops file in Program Files directory 64 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Metlakatla	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWSHM.POC	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CUPINST.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Karachi	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00204_.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293240.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00177_.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\GetClear.ex_	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04174_.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199469.WMF	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02423_.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18215_.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.DLL.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00235_.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_03.MID	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.ELM	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00074_.WMF	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239951.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeFax.Dotx.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPWEC.DLL.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00174_.GIF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216516.WMF	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\VisioCustom.propdesc.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_pt-PT.dll.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.DLL.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.id-F5A26193.[[email protected]].GLB	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Drops file in Windows directory 3 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

528 vssadmin.exe
1364 vssadmin.exe

pid	process
528	vssadmin.exe
1364	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

pid	process
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2000 vssvc.exe
Token: SeRestorePrivilege 2000 vssvc.exe
Token: SeAuditPrivilege 2000 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2000	vssvc.exe
Token: SeRestorePrivilege	2000	vssvc.exe
Token: SeAuditPrivilege	2000	vssvc.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exeaf102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.execmd.execmd.exesvchost.com

description	pid	process	target process
PID 604 wrote to memory of 1252	604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
PID 604 wrote to memory of 1252	604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
PID 604 wrote to memory of 1252	604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
PID 604 wrote to memory of 1252	604	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
PID 1252 wrote to memory of 1324	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	cmd.exe
PID 1252 wrote to memory of 1324	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	cmd.exe
PID 1252 wrote to memory of 1324	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	cmd.exe
PID 1252 wrote to memory of 1324	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	cmd.exe
PID 1324 wrote to memory of 1068	1324	cmd.exe	mode.com
PID 1324 wrote to memory of 1068	1324	cmd.exe	mode.com
PID 1324 wrote to memory of 1068	1324	cmd.exe	mode.com
PID 1324 wrote to memory of 528	1324	cmd.exe	vssadmin.exe
PID 1324 wrote to memory of 528	1324	cmd.exe	vssadmin.exe
PID 1324 wrote to memory of 528	1324	cmd.exe	vssadmin.exe
PID 1252 wrote to memory of 1772	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	cmd.exe
PID 1252 wrote to memory of 1772	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	cmd.exe
PID 1252 wrote to memory of 1772	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	cmd.exe
PID 1252 wrote to memory of 1772	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	cmd.exe
PID 1772 wrote to memory of 1156	1772	cmd.exe	mode.com
PID 1772 wrote to memory of 1156	1772	cmd.exe	mode.com
PID 1772 wrote to memory of 1156	1772	cmd.exe	mode.com
PID 1772 wrote to memory of 1364	1772	cmd.exe	vssadmin.exe
PID 1772 wrote to memory of 1364	1772	cmd.exe	vssadmin.exe
PID 1772 wrote to memory of 1364	1772	cmd.exe	vssadmin.exe
PID 1252 wrote to memory of 880	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	svchost.com
PID 1252 wrote to memory of 880	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	svchost.com
PID 1252 wrote to memory of 880	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	svchost.com
PID 1252 wrote to memory of 880	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	svchost.com
PID 1252 wrote to memory of 1460	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	svchost.com
PID 1252 wrote to memory of 1460	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	svchost.com
PID 1252 wrote to memory of 1460	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	svchost.com
PID 1252 wrote to memory of 1460	1252	af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe	svchost.com
PID 880 wrote to memory of 1928	880	svchost.com	mshta.exe

C:\Users\Admin\AppData\Local\Temp\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
"C:\Users\Admin\AppData\Local\Temp\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:1068
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:528
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:1156
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1364
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\SysWOW64\mshta.exe
      C:\Windows\System32\mshta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
      4⤵
      PID:1928
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1460
  - - C:\Windows\SysWOW64\mshta.exe
      C:\Windows\System32\mshta.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
      4⤵
      PID:2008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5
5cb8649c29977feea4045a6510dc2b1c

SHA1
08b14e07aff433872756cd33f39c85b3ac4fc9e6

SHA256
c9a3aa50e07f88cc5207ee6a7017de8dd0a422d6232e942ba4836cd9e5b0f4ef

SHA512
125c3370b5fe04452880bdfe7ad9a127075ed73db2c2a37833cd87ad10108c82ba3f3bf36fc57c8c4e07ddaf42f5533d96507bb27d3c7b1dad87011176fdf5c3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5
f67473d5c7494187e2218ef2318fe0fc

SHA1
9df0338ceea6886a620f0104c94bd09d2bdc73ed

SHA256
7a98f8b80a827691b254d3cdd832a98c2f7a416e532e8f665e98031bb9fce7d4

SHA512
ac3079098e52477cfc26a03cf38a326a9e1389b167eed2efc7c2b3b541d1197cb9f1c250c53dfb8f62bf5bdbd507a1ab08c6129ea1d724186ecfa9c6a79cf4ac

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5
255fbf882ec0dfda7bc11734553053a2

SHA1
b834bbb9cf584fee30241ec0db1fa6ab4ec38d21

SHA256
396a3cceeade4b20311be0a90ccfd8f7cc1793f9d6aa07335a7fbcc48f5382c4

SHA512
551047638f984169d2762579c3011f881f7eb23f318119559ed6ae6f48f3624855cab5ede18dcf71cd1ba920aa23ba4b1b17f67e4c3cf2f5f5b666c7cf8a718f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AF102C~1.EXE

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

MD5
3a1c95314ce7945089bf04f10cb93140

SHA1
c22bf88cf9afb7980abaa810b1f45549bf28d171

SHA256
eddbf5b92b70d02bca4f1d404f8e61dca64015ea7e76674a1cc3b05991e02bb1

SHA512
f57c716d0989ae8a33ab5218de50fb20a80905225e6c07c82ce6befdc9ce867c1eef489a0999e1920592958411a2057b39ea6872165443fe531af1281dc1e7bd

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe

MD5
291603c34cb7bde81aed2384a3486212

SHA1
4bd867c98e2bc48e845d7450cf9ee83da171c1fb

SHA256
11bc4eda38c242ad3a2e789a58d247621d7ff05d04e2d27f42eeee3eb9525fab

SHA512
0918f4ce1b851d4969dd5eda20ec0ae359d408ebb34ca31b6844496f2eecfb8fc9f1335f6f371566d50040e187c378b5fd1ce8f196aa94a7e9f1cc74c9731bf4

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe

MD5
eef2f834c8d65585af63916d23b07c36

SHA1
8cb85449d2cdb21bd6def735e1833c8408b8a9c6

SHA256
3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd

SHA512
2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe

MD5
291603c34cb7bde81aed2384a3486212

SHA1
4bd867c98e2bc48e845d7450cf9ee83da171c1fb

SHA256
11bc4eda38c242ad3a2e789a58d247621d7ff05d04e2d27f42eeee3eb9525fab

SHA512
0918f4ce1b851d4969dd5eda20ec0ae359d408ebb34ca31b6844496f2eecfb8fc9f1335f6f371566d50040e187c378b5fd1ce8f196aa94a7e9f1cc74c9731bf4

Download Submit
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

MD5
c663c00a10f5b0ac13eaaf6e20eca6e4

SHA1
6fe2ff1099813252cf1deb635dfd904ee00de861

SHA256
97e3ce84d0a57f23f04abcee2025ddd34903e4da0b8575b7effa6762c4555335

SHA512
d3a46b9c3e726eb974e43ca059e0321eb825b595f33bc4f9dff6c25307a7150e7b8e1c412dc2b4d5e691a34f054c79814c1ffcc7e6ea22d5893dff2eda0c353d

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe

MD5
180c12d5dadaeb77652f364c2e6d4764

SHA1
4856798f3b96c452400289d81716e0c6b67cb4ad

SHA256
35f6fff7a06a061e32bebf420910bceed194e8d8b0bf53786fbe68687d244bfd

SHA512
d68ef0d337dd60a60bda4594687e3fa4620b3d13ac8d0df5d07a6d2b3dffb2d3c5b8e62ff7e5f45f6506b3356377a72663a1acbf8edfc912b1610b47349edb55

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe

MD5
7ea12ede9a2fcac46365f7d5c1f23fbc

SHA1
140c81cf222d2c351cc09af489c8b207d8e74796

SHA256
c866b5d56d718588ab5a85991e54589b5bc64afc9705457e727c382a9c5d0fb8

SHA512
f9930992cf101f45d209adcf527034622d02d1c6bfa5f170010baaa86f393dcaca45a08d6011abe91f771eb521ebc7667c24f63cd39e9e1eed96ddefaf2fe5ea

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE

MD5
6cf4eaefbd35cf686b284c2834dbfdc8

SHA1
8ddafb039dd1ecfad23fd153dba32d38a49d42ba

SHA256
1b531c91e5fab080a691045039e977821e46a206ee6dd4ead9af3f59d1fe1e16

SHA512
fb795dedab38fe8964ddde483c25aa6317f7ee4c693e8b48c520713ba78e564acffa48ae9f6c486e3e29a475f0231345cb51cd34416d1d223a9c27ed2e5bfb8d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE

MD5
180c12d5dadaeb77652f364c2e6d4764

SHA1
4856798f3b96c452400289d81716e0c6b67cb4ad

SHA256
35f6fff7a06a061e32bebf420910bceed194e8d8b0bf53786fbe68687d244bfd

SHA512
d68ef0d337dd60a60bda4594687e3fa4620b3d13ac8d0df5d07a6d2b3dffb2d3c5b8e62ff7e5f45f6506b3356377a72663a1acbf8edfc912b1610b47349edb55

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE

MD5
291603c34cb7bde81aed2384a3486212

SHA1
4bd867c98e2bc48e845d7450cf9ee83da171c1fb

SHA256
11bc4eda38c242ad3a2e789a58d247621d7ff05d04e2d27f42eeee3eb9525fab

SHA512
0918f4ce1b851d4969dd5eda20ec0ae359d408ebb34ca31b6844496f2eecfb8fc9f1335f6f371566d50040e187c378b5fd1ce8f196aa94a7e9f1cc74c9731bf4

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe

MD5
cba55a970a25c6184dd6a7788b451fb4

SHA1
9565091b50b70e1388bcabda4b346cd66f4c49de

SHA256
a87f9988f52797a87177b104e712ffb04cdad82504d3e67b6c82fb99bd5f10b7

SHA512
17da3a9accbef4eb868b199dce279c7606f9e34c3289bea5f21f75fdb979829a9df04eb9fd8883cd22aa14e0ce6ff616cfee6afee3f3670221d698e98052e326

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe

MD5
6db8747bb7a00a743e92917add1583d6

SHA1
b6bfb0b4ee48305a1387e7234e060788be0f588f

SHA256
de9023fcca38853d11b8843fc8d59f8771d44b0c98d4978a832ed208a810c45b

SHA512
f6386a7428d4805dfde13d17ba6b3f13fc5462553c5b2f3eac82142792b348138ddc291eaf01f95f88145f7aeff1bf831fbea3259687e97d59cc7ccd49f76c1c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe

MD5
467aee41a63b9936ce9c5cbb3fa502cd

SHA1
19403cac6a199f6cd77fc5ac4a6737a9a9782dc8

SHA256
99e5bea5f632ef4af76e4e5108486d5e99386c3d451b983bcd3ad2a49cc04039

SHA512
00c9ccdbbd6fd1be0c2dafd485d811be9bf2076d4efeabc256179befd92679b964e80edcb90ef21f3e874578fdb0003878227f560ca76498865770280f87113e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5
51516f7ab74f7216f3be180b8d293618

SHA1
84b8026913019e9718228a4b22b8c4a89bc6cef4

SHA256
7c351979c59bf67b7c4c76adf9716bb21496f7054c677dd4a3893331e58db789

SHA512
c29f538868d1a7c9858aea291a87f33f69872822e31397fdb89625e893612c2cb867cb0b8a6961978500158f0689fff24f62038c4d3eca5f14c2fd387a764434

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe

MD5
3f508c3bc520b5e7bc4e47560520d862

SHA1
8096c2e859c8a6434739907a72fdbd3c7a3e8b98

SHA256
acc2a42080aa0ac421fe30c28afa1a0f3ab775a619982c0ee5abceaa5349d5d7

SHA512
bcb86d6a1ed6816cccc6e403285949c84c63bf120f5924cc0b34293f5313b7968ae863f3801b9c93a75945b0f0965276c09c8e45c61d4b028b17b6955d2c8972

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe

MD5
51516f7ab74f7216f3be180b8d293618

SHA1
84b8026913019e9718228a4b22b8c4a89bc6cef4

SHA256
7c351979c59bf67b7c4c76adf9716bb21496f7054c677dd4a3893331e58db789

SHA512
c29f538868d1a7c9858aea291a87f33f69872822e31397fdb89625e893612c2cb867cb0b8a6961978500158f0689fff24f62038c4d3eca5f14c2fd387a764434

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe

MD5
d472def1665b65208339f0907988a2b2

SHA1
f32057e975f54c5eb7261835f2cda267d70304eb

SHA256
e7e2909881826d2e79baf4b80e9d954b10b4dae8388e09360068422908ced6da

SHA512
461f2d4b88138e435b2bd4bcefa0aa5dd3313ce4322f9323d4fb24b2eb19e100c207ba55cc4a99d6c09b3d187d7782f9dedd0adaf546f276097f0e0a552a0a19

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe

MD5
64ec183d8e26eeae1f5e74ce6d5556ef

SHA1
cab3c9155f64eb9213bf3352aa698242f781daa4

SHA256
ac94413101fdc3878794a36f11e65aec1ca06429bc14b8f328e7bfafd25f7c15

SHA512
3b77f48f7efcc85acf3658d0f544aae38981971212500050be387cdc5da47d1b0c829b01e13d242f18784711471cc7da364e495d006ddca503a7442b899fadc6

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE

MD5
2caf66de79888f2be54cefa0c932e205

SHA1
ac6c1b04e99f34e56a1201533b411cd998609886

SHA256
a4648810f5ae1f6be570cbe35ed8c8aeb107663abf90640db65125bd58a732b2

SHA512
2ac13410259675dbfce9aaaeff6a663c09b655fc5423ea0042b3e9f2b5466393c4d8dfce3f809d2e58a598ce0ae393471bd242431272285a68cb3982d4d1666c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

MD5
180c12d5dadaeb77652f364c2e6d4764

SHA1
4856798f3b96c452400289d81716e0c6b67cb4ad

SHA256
35f6fff7a06a061e32bebf420910bceed194e8d8b0bf53786fbe68687d244bfd

SHA512
d68ef0d337dd60a60bda4594687e3fa4620b3d13ac8d0df5d07a6d2b3dffb2d3c5b8e62ff7e5f45f6506b3356377a72663a1acbf8edfc912b1610b47349edb55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE

MD5
27018c153564afec9ed252e559bd9896

SHA1
27b1411172a1823a00ee014b147dc92e8b3d8c5c

SHA256
6553b7cf1b53a7413e881ea58420002239fdac92f57d9ccede1a06de501be40d

SHA512
621536c58ce92544164d7ac7ea507f5bcf2348c5bbbc2e727da8e96786bb53db3f56f0c173fed6162dabcf5a2866cda838e49e325c87d52d9bbe208e34544e8e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE

MD5
5b1dcfca05187dbed07c6d756b99b920

SHA1
ac2d870d2cec7f9373cba8734143f2d3f247d7a4

SHA256
b9e04e12bfdca5b19526e6ca9bc2dc571d5fb3af8fa8772a0768a9d3d63fbb38

SHA512
a01369c7d19994e1424f0431525ef7b3c3b3acf200f3509ed893996f019298c2bab863c7c7da0332d591312c6d5cc3fb63d71a5f2af85df92d59525b11b51223

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE

MD5
135d60cfe8eb1f10a438f9e0a9a80c14

SHA1
50494fa8ad27b5c13cd6f9539d3db314195c6cac

SHA256
3e374b13e506b0364a6963ec46c85311ccdb0e7d0e100514f6bc7e6affffec62

SHA512
f6c2663a449f42b3d5d0b3b12fce7b654564a443ab4eb837b0ce79ed9524e6063fc227d45031ad5ac1c527bca4e0d772811b908fd19c7bb764e4773856e7dc42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE

MD5
9be88cc844cee48819992431ea54b79a

SHA1
43cf3ebc0faa1419afc7637b10e2031151989bb7

SHA256
013127c3a432afa2c3b14fb9eed719a79f8efd63fb7c9b50e9c725e7c4be37a9

SHA512
18737ac0c5df2f08fa39f7f6084557dfd0dbddc18f9d327018da5769823191debca9414d73aeb47c508a84c3154386f186b3ea330e50bb705bf016f774368072

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE

MD5
d391bbc85fe5ccd7b89ad6845c8a3036

SHA1
951dec5924225ad251e945e0c56846f3f12d37e8

SHA256
c5cb9e2f3f053805b9c12514f5d68e04f80730f11e9195a9ba8ee1b05fd8e414

SHA512
0a7f791bc6064123e774a94e8e9638b6be243d3dac8b5d0e51642a24c079df426cbcfb6c9c7463f11f27df1bd03dfcff7f6a1b59c4a670585adcea4a178e80e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\misc.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\AF102C~1.EXE

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AF102C~1.EXE

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AF102C~1.EXE

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\AF102C~1.EXE

MD5
bd3b686c6f9ef32f14dbfa7d5abed9ff

SHA1
a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

SHA256
1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

SHA512
8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

Download Submit
memory/604-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download