neshta | 2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85

Analysis

max time kernel
5s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
Size

428KB
MD5

bdfee2dd635bbe47650d38f9ecbb3816
SHA1

910557b2baaa5b8a2c749931990cf50c502f0730
SHA256

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85
SHA512

8d221ee3adab5668319dd67f5fa6d6abcbe9e18df122f8c3f2dce7ddfcbacb754a1c57620250aae049922fed7ede8cabb87f14e2f146b6d6c85cef18b729f013

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta Payload 44 IoCs

Processes:

resource	yara_rule
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	family_neshta
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\misc.exe	family_neshta
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	family_neshta
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

pid process

900 2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

pid	process
900	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Loads dropped DLL 2 IoCs

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

pid	process
112	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
112	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Drops file in Program Files directory 64 IoCs

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Drops file in Windows directory 1 IoCs

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

description ioc process

File opened for modification C:\Windows\svchost.com 2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Modifies registry class 1 IoCs

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

pid process

900 2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

description pid process

Token: SeDebugPrivilege 900 2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

pid	process
900	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

description	pid	process
Token: SeDebugPrivilege	900	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

description	pid	process	target process
PID 112 wrote to memory of 900	112	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
PID 112 wrote to memory of 900	112	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
PID 112 wrote to memory of 900	112	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
PID 112 wrote to memory of 900	112	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe	2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

C:\Users\Admin\AppData\Local\Temp\2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
"C:\Users\Admin\AppData\Local\Temp\2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\AppData\Local\Temp\3582-490\2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc' -Value '"C:\Users\Admin\AppData\Roaming\vlc\vlc.exe"' -PropertyType 'String'
    3⤵
    PID:1304
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\vlc\vlc.exe"
    3⤵
    PID:364
  - - C:\Users\Admin\AppData\Roaming\vlc\vlc.exe
      C:\Users\Admin\AppData\Roaming\vlc\vlc.exe
      4⤵
      PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
188KB

MD5
0a8121736c64914be7beb77865c70697

SHA1
d4966c28ff6be4278ae7887f7fd020b001138e28

SHA256
04a0adef5f68420411e4397ece5cc1c072995ecf61465d887418f7cc905008ce

SHA512
69ae3040a5742942eab0dcb88a4d077a75bbe2052bbf2bff9958b1857069611be225141128e41a614b5acc099b1c6baf1f9aabd5e6a3a729249eb52d147c79a2

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE

Filesize
130KB

MD5
ec7eec78d7de4ac337b9f141e9935d2a

SHA1
cd4c0bc32b4cb064ba1540f158750068d9788ea0

SHA256
66e05d9df7b74bcbbfaf542cfaef5e250b3cbad704067e443da36d75797ca2b1

SHA512
662b85a05c83d45c2a4e335947a10cbf2286b825aaaf2fea28da89b625e0e3bd818d57a374fc1bb1288b378c72c3b6186d65e22fe00208f27e3341642f6e0f34

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

Filesize
153KB

MD5
a026765f5f125b1719822d6c3ce85b35

SHA1
38457638b697039b0f21b53b0a714a892f006e5e

SHA256
0a3d88a32cb703d1b64081d86d9366a350f85dc6a661fb733e61c357af9cdc35

SHA512
f609f04f72932c11e20f38a57b0d924cee269980b65105816e8c6a5580abefc4f010fd8ad29df5743f421c63af4c9ea7d4c52abbafbb859f5b94d5cd69858a38

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
134KB

MD5
b017c98c1726cef6d08f3275fe3fd880

SHA1
5bc5746f8ae6d1035666a6bb59896e822b9eaaa2

SHA256
229d4cbb1550a684ad1bd25afdcdb7db7dad47f3ce779113599db018cf603517

SHA512
11432b0ec17e0878b68c5f1c52d625b6998f063290d9f9ea7aae4085715d4b507198c67e9ec2579a29276c8cff8a56acb1f157046a36ba4f8c89fba3c9d2dfd7

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
142KB

MD5
7d50614e35bc855876659bcd2d6fefc9

SHA1
2437887342d95a2762263abaa8fab5da9ba3426a

SHA256
aaff35ca520ebc99ae2724b87eeb2d2cd111e291e912683207a9d95c4caf3fc1

SHA512
6e8a30bf8fd5bc6dd3bfa12314ce56a71ccf8e798a7f2cb6998e924749b77088e1f71f1bfc081dd71fc8adbb40a7082603105a9b556046ee602b42cbd1135515

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
142KB

MD5
b33a19b29769bdfd5780b1f7bda88d52

SHA1
40c29f823002877bc10460dbd8e0a705409b0eb0

SHA256
f6b73592dd0d627af7706cdb32e6a70ea003e45764cc1cbe612c734572941b64

SHA512
d0af3e736522059eaa42caa642b28c26d1c3faab4104f81006e5c4dff7e7e46ac3b33aad86090170c9208dd56606f8493f29c9c762927502dc0618a165c12a75

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
109KB

MD5
00b4d75af66fd74d166406009c413c8d

SHA1
e1ee9b615bf3ee39998c8825c6cc18c7b357aa67

SHA256
d2e31eb18d0e226e691481bd1d19a3d512a01d05a80893945ae7d6d3ced6ade4

SHA512
de09a5c3acdcf6520f3d539cf44db47e7c188631793947d63add2f3435ec2db4a68ebafbea8cc1d58ddfccde50c2e478f320ce6c190cb05b37cdd29de1f26680

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
144KB

MD5
b19eb80da540af8a95938fb4ebcab414

SHA1
90949e5e907c203b6c11e9ea541942835c4df45b

SHA256
7eca2d81e6a4565178e24c42637c153454a4d74bb0c5530961d25fd0389e9110

SHA512
9395a9d6aaaa054e16ac04c61d6b248a521710e9e601dbaade78df4c7edfec9c6954534f8838c4e6164a8cde23a854dcc0e8dd3679baa2d80b505f93744e1a16

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

Filesize
145KB

MD5
4de808c1c0ad412c643fcb2f752e15e8

SHA1
999b6f802adea154e72453c2fe8d0037a9c150ba

SHA256
e0864126b2a40df17ebf185f67424c84cc6fc701e9dce80627a997885c7e0742

SHA512
b7cb9903a6cf3561cc29d5c734c8e0af0abb662efda862e54c1e6103da3306bb711aa7db7263b4eab75c02a9bfd30aa7c4987eb51f07537267359134ad5239d3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

Filesize
162KB

MD5
e358d80751d7c30b547bb84126fbe195

SHA1
52a28ddcabedc6dadba876ded1eba3c11a1e63be

SHA256
a85b5152b150b09b2c7ce7993f638d8fa9c8cecbbc39e23cacf92ac14d82aaa6

SHA512
dbf460eaab0083b53ad1fd8f31d5fc8079f0a2d8ae4a29d384c6d039e2b550e5743e9f8aa977f5cd94232ea84f99569e857e83831c77791300b9fa2658b53447

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
125KB

MD5
025b1953cf252d406a3982b1803039f5

SHA1
80409a5e2d6ea6a31d36cf7e4ee5432185afc3cc

SHA256
6e876792797232f0da166761079aa0436ee1f7307708ad5e3dc9cfaffde2ae63

SHA512
ee3f3877c825bd403b8c96b503a41f1abd882beed9b735926caa0fcace01d2fff01471f4f1bd37aea2a2277346c8660bd3540b177d28190d95e37ab042b761c1

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE

Filesize
68KB

MD5
7f118f99387db4232e05e705524bb682

SHA1
2b7d74da41d1260ba679a6f475a391d68cc3f5b5

SHA256
08776e810e973e37d1f49300948ce07b9ec6acc3d97093c0574e643986f9235e

SHA512
1ddba168069609451096cdb6031643c3f536f0576a44f1b625dcb132f83c5253f3973b2744520251f73d685ea8d744b5d989bd35228e802ce58f8df6bc437d52

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe

Filesize
87KB

MD5
7a00c67ae094fd67c5d1de4562c9d0a8

SHA1
24c6f413dadeb4cd6206b54befa65d6c723b89e5

SHA256
4149070f59bfd0c3c9e5fb1d0d67534fcd89b6c41245cf38adac99a78e64faae

SHA512
c2f711fa5840a9008b30c8948e8b703b380ef77593639aa493a6cc59c1ab987c049ef5e1ebc5d29cd4ee9cf3a72eb35515749cb4b9e140932dddc4db2fe1c939

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
103KB

MD5
ea6690af464f62463dee4a36f95590e4

SHA1
50e2465608ff6579ce560bae4065b1add9aa5225

SHA256
e61a5350eeff33518edbc273ca6efc19e8832b6803d098fd9e66b93a05ab5bdc

SHA512
558f9ca956bef8aba266761382f2b56332d03829c9d2f621b160f96ede61a857d0887e4ab1c823f2a8a16e594bcd864aeb513a028660651cb7fd52d6c48a0219

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE

Filesize
116KB

MD5
1613edcc820b6c8cad0deff500ce9dee

SHA1
c83f8c85a49ffd97ab208f7293dd1888e469a0a6

SHA256
4f8eb46d3eb779d58543087d3cf0fa4975d4250af96c02235d37d1580b809f3a

SHA512
e0059cc08aa153ba49e5e9316a47ef67ff21d64b3e513e53170ddefc6caed63258c671cbb395320b8c3022927342b9f7617a260abb0e7680225721013ab5ff9f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE

Filesize
72KB

MD5
fecd166fb2e22797d0caa572cc26a901

SHA1
cf2a052a2caed2eeb7de01ab1438260cd577065c

SHA256
e7b091ff4950fcb40b873b14cbe2cec8f32db54f91f2686d813ad8ab1f750ab9

SHA512
1091a3cf72213e3b1b25cbe255d928ec67b94ef0e360a23ac39258fe174d6fc648c08321315c0510d702a1a58bff966c19d5f0164d42887cc7d91b147ce29d82

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE

Filesize
138KB

MD5
fafb18b930b2b05ac8c5ddb988e9062f

SHA1
825ea5069601fb875f8d050aa01300eac03d3826

SHA256
c17785fe7e6b5e08fe5a4ca3679fee85ba6f2e5efcce0fb9807727cf8aa25265

SHA512
be034e7377bd27092aad02e13a152fb80ff74c1ba2fb63ccb344cd55315d115ee47e46727cbe55ca808efafa58d7924e3eed965e9a2fd3b9ae2dff7834383e54

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE

Filesize
89KB

MD5
035a778d14b245cfcf6cea29d158ce56

SHA1
467820c7c49dc4d81984145d99cd1a439f6c373c

SHA256
70f84109ac1a32f77f2d8dbe68551efdb11781f676e9fef9948cb81d223c4dbd

SHA512
8a04357ce69cafb9e0ea7ad0bc56177579aaa876c755b5366e4425638877a0fb9f050eb57ffde8596cfa3ac37773d1776f6b4a9590a776f374dd9433c3992688

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE

Filesize
70KB

MD5
849a733784f7ef0335dc633bba49dd38

SHA1
42135d488dab3dd62d6c3d937d4363c004e34775

SHA256
668319223854dc793530fab55d141390159deeaf5ea572aaeeba459b46302ab9

SHA512
e87427bbe5b237127572ead4a719696a7384fa5d6693b5217b683fdc36932eb1030db1b8c4c560b42167680bc17cdc0fad443b391f39cc379a4b1689b383d87d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE

Filesize
92KB

MD5
c5be7328f13605bb890eadc45169a167

SHA1
1277a8fe6c944f842a908ff387794e583686f63c

SHA256
418d127329705281e996249c27e05f3fef0d331afaa8dc00e256bd5f12b86de1

SHA512
c6126d8c9829f5fb7bc63e3f7dd1ad4e5acd27846c1cf43c1e5b860c2639392c7b9b956425bd9c67bc0152ba8194dd9e073347e911d80b75a65fbfed305e043b

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE

Filesize
135KB

MD5
7bb9807c07f657182ec0400860d756da

SHA1
e539dae636bba82d2b7f5c3b5ad63e8a9b1dac18

SHA256
7cefb6bc3d9f7fed2ed28b393f4c10d4becc4fb60feff3a3037483e371c575b5

SHA512
78879d75f4262fed057eb22f1197c0d567d04eaedcb61071f9cf8f71208637228a5174c4592c9bd367d4fc7bceb50509b07dc1daa19bde7abf2ad9ffb07890fa

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
92KB

MD5
87495a60d3cf61b4fa0e17a4eb5d8e85

SHA1
751a05c05a824b7b3697ec9c21d65cc32f1188ae

SHA256
f618fe42843df7044a47d2081e7753d520384d7f448af6e63a6b1c849f87225b

SHA512
aa3e07a71d9580348cc3d591b4be4bfd6525ad8065dca7a0c3f3e69641e89f92c4c055126c57579aac6c2e0d8395e8ffb70be2040ef2ef33f7ce172c464d8984

Download Submit
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE

Filesize
85KB

MD5
685db5d235444f435b5b47a5551e0204

SHA1
99689188f71829cc9c4542761a62ee4946c031ff

SHA256
fde30bfdd34c7187d02eabe49f2386b4661321534b50032a838b179a21737411

SHA512
a06d711574fbe32f07d20e1d82b7664addd664bf4a7ee07a8f98889172afe3653f324b5915968950b18e76bbfc5217a29704057fd0676611629aa9eb888af54a

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE

Filesize
85KB

MD5
952447288c4360d5419856fe1abd8143

SHA1
a38c192b982b815b56f6746f20d530e785dec7fe

SHA256
aa287f60c6b1d1004a04ac08bc98a6e519ae7f2b3479fe1cf38772d2c46e02e1

SHA512
1cf0988d17736d36ec74b67dd28ccd12ff428e64ca7126add921a13d54046b64349f414b0c5c455cb58bca346d5bfd33ec26e30adbff093c44aebe764c099800

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe

Filesize
91KB

MD5
0e8dd532ea8487f6f0ebc35240a79590

SHA1
6c1bc9db0c76b63b921fabab917cfe44607d65ed

SHA256
1354d9c66e9bf1b9adbdda6a662aa29a7dceb0e3e3c9b847d493cbcaa31b896a

SHA512
a513c4d79f515e86305bb287d194ea66e32e8d7e9e9c90292eb7c34c0718f32195f97c11d6a98cc64745358434b41498523295bb0dd366be385f037ef8cb1676

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE

Filesize
93KB

MD5
a2a3ac53392bb4f9fc02658314715c71

SHA1
335318da07d318fa17d4619dede10f0681cca8de

SHA256
0f1a9d56ac10b68c8680f3ff6c3c7afdb0ca6224a010974c59d42689b123928a

SHA512
6e9a6b8681bc377533a591fa49081834cf11aacbad1f95a95c21f4b195aaac498fec94c4f36a4364aa3ed8351ba3bd12c5c7bbeb086978a9e644ec3d05b48f6d

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE

Filesize
53KB

MD5
50511343a6878e0f768d194820634b77

SHA1
cff6e740d21de8e1bc4ab708bef0cb8d9f839f81

SHA256
ad0b58ba3952591eed4e39b15882036fc3ae05cbc2d0acdb00306e4864606e94

SHA512
5983fdf95664cb98d4644754265c55587729c8b42fb6dedcb66e8df692201d51c901ed60d3edd550ad742284053c9bd455a67837da4f741ed87a264f8412222f

Download Submit
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE

Filesize
84KB

MD5
90ee7a20b288386456914fbc7c553c3c

SHA1
c26398f417007f74860160fe9e33a174e7172c56

SHA256
c201e1af1bad1093f467afb4a5be58a4e7e6691c0bb7d68cf9399b10ebff4d3c

SHA512
58d31fe099d727113c16fa1c71a5a19c38307ed2697bfeee93ed9707eba141e43df6b82c2160afb5f01604439bc1ba81802b249ab81faf7deceb84ff56d70fbe

Download Submit
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE

Filesize
94KB

MD5
24f34dbaa873d1b7cc69e5836c2f985d

SHA1
d678fa75aba508c587f7e9cf1764741699609ab6

SHA256
c14a7f69c302703d3130ad3108967db21dc93aaa474fba79cdcc897f664dc7f4

SHA512
8032980c0860493c9a814bac446d077df2bd440e621c26339d05f096c933bcc8951e1af273bced6b299464f2f6c90e5c7eb5b256614585fab7e5f162eb0d6611

Download Submit
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE

Filesize
109KB

MD5
fb5508b174c6e0fe825d0f9158072412

SHA1
42f6e8edc6a1b8a9cb0364dcde7e648ac2223b3a

SHA256
5e2e4a0d7c90155ef59c9bc04bef00c6b15a3c3ce8ef2a5c3acdd5e7b2ebc055

SHA512
626adda50fe356e26353ef4d8ee4f5a21ba72931869af5be09addf320fff488f3837a7fc6352d8e3791114100daba0d6ddfe3bb6e75fc4d350969489fa0a9688

Download Submit
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE

Filesize
88KB

MD5
33f115718f9d6cd567fd76a3e6ec81bb

SHA1
fd2f16ac9bcd89c2e7efb68aef0c5939803e8ae4

SHA256
77c8172b8c1a757fc3dd39add9df527f7b1274c02fd878b6615da4ff2ba41a2d

SHA512
987d2d143fe80883357c80d9ef1439864f0bda27c9ba7a16de09f35482369ba2745dfedc202be7b779c7e70a89b061c9b039a2cfff1abd950f4f8b4a557db445

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE

Filesize
98KB

MD5
8eb2d5a075979b482d376d3b43688f75

SHA1
a637c797e50ed5404cf864c0e9fb9d715b6721a5

SHA256
afe588df1ed6bd254c2dce70eb8c4dc52b32ac7a223377357fc805f4af9b97d5

SHA512
17c00b5197b30ee28065e819469017d1b11d475907832afc6ad97b3eadc5c77649ce106217a31146b0ce893a5d4553ae50f2d087b220fba13a8c14b4fdf96912

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE

Filesize
63KB

MD5
bddfe2ef9b9a1e4cd2db04fcae8e5a16

SHA1
8775b08f8c0c6d631502f74f2a652c609e4f4f45

SHA256
14e7c27eee11cc18bf1382157630c2ac1bb08882c1341163ec3e48631c08f052

SHA512
8a4d59859f5a5867204e1a55fcc96c44010cb0098de040b1a805b58600c8b96f3dcfe896b90c115e3031992f26777e7f66fb430ca20ac3ec0496136848bb94a9

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE

Filesize
105KB

MD5
80e4112cf007cff950006f76e19a5270

SHA1
a10b7c094eda42a4bbefa1553975774182e357e3

SHA256
c877ec76a33702bac795c5e00cf18d0147e92af0223c44fb83d44d978274db0b

SHA512
d4a87223b3972953b3e1a28353b2073b79388692ddd9380556c7ae567d401eba536687186ab03ee7fceec42b5a8cc86b75161c3dcc723ec8ab6661fcf80838a7

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE

Filesize
79KB

MD5
213d54f0b11607f42f396fe5532291ec

SHA1
037cd0bc29450f814da65c8386da229e2102cd0b

SHA256
5076ee6a979f9a89e98f8a3446d5d40c9aedd0f328393dd12ac4b1b128132a5a

SHA512
aa8b736c289f77ee58195a003e2bd85e79478d8995409f680128d7235151b07a7881bcf4f4ee30b3d26bedf4f69f658d05bbd4893737010f947b918917cd9484

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE

Filesize
88KB

MD5
0646b41815d5074c9c86f8bab51dfdd4

SHA1
51e73e99de781425a75ed4cfb7a923b74d795034

SHA256
ceef31a4068e55fd96aee11af5b092218fae68d708365f39bd5e7d1e605c7450

SHA512
8b299eb932eef6e64d8c0d8031d504cde97149c51c4f1572c1e433da757ccddfc019f59c6694cff34348f6336542880f5f21474d442f19a735bdf4f0d43273d6

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE

Filesize
92KB

MD5
518feea3a303fbfeb7b10ef08285905a

SHA1
6fcfb48c9a08c5ae02c7ccd11c38ed756bef68b1

SHA256
c92c413b13d0119712bb4092139d6a71687476c5a63705c1c0d94a02b1c67670

SHA512
3f7c6c75f5c165ae53287c56c7c1a2d3928d4c03ea6e6a2eccaf4437fe8b7b795281f712240361026494bfee2e8a0d68d3110c52f0bdd337a6c8f767f8b3789b

Download Submit
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE

Filesize
79KB

MD5
e171de2fd6b2c5cd3288e9594701ea2b

SHA1
d5ed99293477a2587dcdf29e3a0e9cf7812ad249

SHA256
6d4ddc9a6edadf024c452a4a114b23b79cc58daf536ad2bac6609632505ba4d8

SHA512
072e3377ea97dc1c0813b0ee5fe7247cfa0cd7dd0637b1646d72b6aaf99e9b95c16c1f56e449f0e53579d581d3d74f5c71a60c7410bc197e9226de310788f5c1

Download Submit
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE

Filesize
92KB

MD5
6492b39123fc044051369e7969c6fb87

SHA1
947b5882ce060a7a422a5da14e6774623216d976

SHA256
084e12fd679f1ae7d245f3b61dbf408cc936c8e443af4179a7c2cadee6150712

SHA512
1453018d2941f4cdfcc6a52b1355df87989ca7bd240e6f4133c4c29d3cfd509fd4f5bc090feeaf0ab449602d12185f4dfc87295afdf06f74c9f4c6f61bfc3d44

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE

Filesize
92KB

MD5
fcd0cf7eba225f3b2b557dc8c19c9a39

SHA1
0ab5eac9396f0255cbf9a7f4f8e13781bd550a2b

SHA256
4ec9c2fc144548f499bacb61703fef95021b1f883c0ae6e81f0c88956ab9ba2c

SHA512
73c7901889106f3e00145c63d2834d05b16ea1588d1f23f53fb130d09cb7d6538288958a51c3e12b180a703db97c4a9c3b75af34d0800dd1731ef401e55913d8

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE

Filesize
148KB

MD5
f987c05e23a9c052bc3e55a2dcfb466c

SHA1
f6395990ba401a9d11d03a56544451d1b729908c

SHA256
9e2283779b91b9f33e9318c25394b5a90d1f4ba9e3c2767b7f3020b845cb48c1

SHA512
f5ec4c269c5dcff455605242664f0e9463b6bd5b0255e7b751f974b6b865fdf0253807138385db19292ac11df2cc63f328e5d4af15df156fa07621faf3e73b02

Download Submit
C:\PROGRA~2\MICROS~1\Office14\misc.exe

Filesize
110KB

MD5
283f9f5c4f9bcb784835764dd4ec74db

SHA1
51e211b17eba136fc3ee8ce1eab3a74138201f2b

SHA256
59a9f191ebcd09b34bb6f16b8a9e4e30c5cfd8c543b52ecad4637136b172e2b6

SHA512
a0c508dcf74b1d86ca6749dc7a0050c719556610da9d6926904073c249477f53c2a3877523e8e11b0fed46b1510216272f36f1f362dc90a9a1d8eeab69ba005d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc.exe

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc.exe

Download Submit
C:\Windows\svchost.com

Download Submit
C:\Windows\svchost.com

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2a45821cae914aa4542b87c4fcd91017b4d46c41d5b1fbd9d012e1a74ad79e85.exe

Download Submit
\Users\Admin\AppData\Roaming\vlc\vlc.exe

Download Submit
memory/112-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/320-70-0x0000000000000000-mapping.dmp

Download
memory/320-72-0x00000000003E0000-0x0000000000448000-memory.dmp

Filesize
416KB

Download
memory/364-64-0x0000000000000000-mapping.dmp

Download
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/900-59-0x0000000001370000-0x00000000013D8000-memory.dmp

Filesize
416KB

Download
memory/1304-62-0x0000000000000000-mapping.dmp

Download
memory/1304-129-0x000000006F630000-0x000000006FBDB000-memory.dmp

Filesize
5.7MB

Download