Analysis Overview
SHA256
cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9
Threat Level: Known bad
The file cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9 was found to be: Known bad.
Malicious Activity Summary
Detect Neshta Payload
Modifies system executable filetype association
Neshta family
Imminent RAT
Neshta
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-20 23:07
Signatures
Detect Neshta Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta family
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-20 23:07
Reported
2022-06-20 23:13
Platform
win7-20220414-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Detect Neshta Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Entries: 63 (all fields N/A)
Imminent RAT
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\\Scanner\\run.exe" | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Scanner\\run.exe" | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
"C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE"
C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE
C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| DE | 79.134.225.26:1234 | | tcp |
Connections: 38 (all to the same destination)
Files
memory/1672-54-0x00000000763C1000-0x00000000763C3000-memory.dmp
memory/1788-56-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
| MD5 | 9f448e7ab94a398b3500147ca6786cdf |
| SHA1 | 6dbb6fae2082f7dec84f2d20a67b21ce1ac3fd91 |
| SHA256 | d374669526f689b7d622129caf6c843dc6cfde3561993bab096e9b6cf6e19971 |
| SHA512 | b772841ffd252e6adc314a17bc30a3826ef20f0cb64a1b87d0f86d80000cae780b0ebb565c047561128667f6b1ceb63c16a281b770e4866fe476e1af9749b833 |
C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
| MD5 | 9f448e7ab94a398b3500147ca6786cdf |
| SHA1 | 6dbb6fae2082f7dec84f2d20a67b21ce1ac3fd91 |
| SHA256 | d374669526f689b7d622129caf6c843dc6cfde3561993bab096e9b6cf6e19971 |
| SHA512 | b772841ffd252e6adc314a17bc30a3826ef20f0cb64a1b87d0f86d80000cae780b0ebb565c047561128667f6b1ceb63c16a281b770e4866fe476e1af9749b833 |
memory/1672-60-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1788-61-0x0000000074490000-0x0000000074A3B000-memory.dmp
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
C:\Windows\svchost.com
| MD5 | 1583aedafbae9cbc29b4dc36a9f81be0 |
| SHA1 | c7594e0808a1b392a81ea470a4a2acd03d26d3b7 |
| SHA256 | f32b96978e474940c4e8fc8b3c2e5e9b70c146980dea5bb25dc9b5f535a8468a |
| SHA512 | 7ba30d335bfdd3d9cf887222c473a5b4437a9dd4cb669f261cc7fe675a0f8de192400fd3ff97e9a39827e4698ad5142b2d2af61d8d90e10578f374ffa5fc6a5d |
memory/2000-64-0x0000000000000000-mapping.dmp
C:\Windows\svchost.com
| MD5 | 1583aedafbae9cbc29b4dc36a9f81be0 |
| SHA1 | c7594e0808a1b392a81ea470a4a2acd03d26d3b7 |
| SHA256 | f32b96978e474940c4e8fc8b3c2e5e9b70c146980dea5bb25dc9b5f535a8468a |
| SHA512 | 7ba30d335bfdd3d9cf887222c473a5b4437a9dd4cb669f261cc7fe675a0f8de192400fd3ff97e9a39827e4698ad5142b2d2af61d8d90e10578f374ffa5fc6a5d |
C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE
| MD5 | 9f448e7ab94a398b3500147ca6786cdf |
| SHA1 | 6dbb6fae2082f7dec84f2d20a67b21ce1ac3fd91 |
| SHA256 | d374669526f689b7d622129caf6c843dc6cfde3561993bab096e9b6cf6e19971 |
| SHA512 | b772841ffd252e6adc314a17bc30a3826ef20f0cb64a1b87d0f86d80000cae780b0ebb565c047561128667f6b1ceb63c16a281b770e4866fe476e1af9749b833 |
\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE
| MD5 | 9f448e7ab94a398b3500147ca6786cdf |
| SHA1 | 6dbb6fae2082f7dec84f2d20a67b21ce1ac3fd91 |
| SHA256 | d374669526f689b7d622129caf6c843dc6cfde3561993bab096e9b6cf6e19971 |
| SHA512 | b772841ffd252e6adc314a17bc30a3826ef20f0cb64a1b87d0f86d80000cae780b0ebb565c047561128667f6b1ceb63c16a281b770e4866fe476e1af9749b833 |
memory/1784-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE
| MD5 | 9f448e7ab94a398b3500147ca6786cdf |
| SHA1 | 6dbb6fae2082f7dec84f2d20a67b21ce1ac3fd91 |
| SHA256 | d374669526f689b7d622129caf6c843dc6cfde3561993bab096e9b6cf6e19971 |
| SHA512 | b772841ffd252e6adc314a17bc30a3826ef20f0cb64a1b87d0f86d80000cae780b0ebb565c047561128667f6b1ceb63c16a281b770e4866fe476e1af9749b833 |
memory/1132-72-0x0000000000000000-mapping.dmp
C:\Windows\svchost.com
| MD5 | 1583aedafbae9cbc29b4dc36a9f81be0 |
| SHA1 | c7594e0808a1b392a81ea470a4a2acd03d26d3b7 |
| SHA256 | f32b96978e474940c4e8fc8b3c2e5e9b70c146980dea5bb25dc9b5f535a8468a |
| SHA512 | 7ba30d335bfdd3d9cf887222c473a5b4437a9dd4cb669f261cc7fe675a0f8de192400fd3ff97e9a39827e4698ad5142b2d2af61d8d90e10578f374ffa5fc6a5d |
C:\Windows\directx.sys
| MD5 | a7ef1efca7b1b2d2675985dad08d293d |
| SHA1 | b0318f9d8484d187f39f5dfc1151c9ce81ded1a7 |
| SHA256 | 57212e5592378074599ef0b04a2ed87ab04463ff2de57953f68ada5996e26867 |
| SHA512 | 682b99672ec02cf8bbc14cc059e4cd2c99b79efcae910351ea66ff8ebc2277fecacc741e8c104766c58062be81754d121153be6685edd3aa65888019fdc2eee7 |
memory/1564-76-0x0000000000000000-mapping.dmp
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
| MD5 | aaf5ea14def275c96addeefda6d74af1 |
| SHA1 | 05198209d612d07c2af9ba78d62caaca8fb61bdc |
| SHA256 | 3bf5583e3e26573a9f1072fbc86077076b24a66d4684f6d2255c4af2b38550f8 |
| SHA512 | 24a126944ab48a029429d51d6c546527c4ea8c98b0b24ea518c047fb665ef59824a4eaa7a6a27625b4d0af8823a2de7821ffa39a508f4772118161181595e898 |
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
| MD5 | aaebb251ff8302d9686326bbdfc77a84 |
| SHA1 | 3b756192653bf6aafdcfae395ab3683527907bea |
| SHA256 | 714141d87dd499e77c3987a80e67b8c18a1e4ea09ae6ea63c9e8bc8519f05cc9 |
| SHA512 | efd5051f16dda516707ba1a6d5fbbe6f2c7e69649ef2f367eb0a08401c5c0776361b7da1fd1b2a23ba8d876a787b058f48083578ad7155568c8f8b06a7fcc654 |
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
| MD5 | 52845926603792e4c2ffe78a57bf20b4 |
| SHA1 | f120ab52a8668beb81b79917d45d792ac1050a08 |
| SHA256 | 543d3eb4d5c98ec9d644b6e8aac7c07588d10dcb228254383e08fbb9f56e0138 |
| SHA512 | 4f4a3f7cbded108f06b540c9145cc8e8a27c4d0a2cd7f998e720d952b47e647505444daf4fd9f62005ddf80be0a6193f71367b24704eb3c1d49ee4c36e308c9d |
memory/1788-81-0x0000000074490000-0x0000000074A3B000-memory.dmp
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
| MD5 | 47971869eacecc1f7871fc6301667d3a |
| SHA1 | 5441f0e876712cd98c5fa58b82f6991d9ceb76fa |
| SHA256 | 3c8b1f5acad60b683b6eae5d89025f38ef4dce7b38fa1178e47c8bdab1f3802b |
| SHA512 | 07f102839fcb725dba3ed274d520edd33bbe1ec062b5b78bf6200d51f4dfcfccaf2698920cd24271e8afcb16b3d317bcf45ae59bc0f52ba59091a894470d8406 |
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
| MD5 | 43cc76f85ff6ed4bb5292c418a306b12 |
| SHA1 | 373571638379b22b7b86f957a5b349c108b67268 |
| SHA256 | a7dd2b0d317d1bdb8c30a9615cadc7154d3a45aa1ceefebb205f629ea7f93897 |
| SHA512 | bd0744ce5d99db4c53fafd34d24ecd5aabc0a16fad55a626867cb33ed1724c86bb946ecd4149cefe9b74117b10d342e482c44fcd50cb3159ad0dc3bbfc8b02de |
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
| MD5 | 285f6fbfc7a7cc0cdf160a06088d48df |
| SHA1 | ccca460c2737b47a2a272083af5c953c8c8afb73 |
| SHA256 | cecb4a650589b19581b17d8896060be46244af59efa9d3197279f7bffcb690a2 |
| SHA512 | 38d348eb6902e53f742fbadb69100f6c3ab7b7ae0524ff1108b56abfc26fd767e78253982688f675df13f541b46a0f653d988527b5c4fea7f3c942cc421c951f |
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
| MD5 | f8afba82449f01cb8dcac9dbee7a5a33 |
| SHA1 | dec8f1a577ce0b23f7e1ea0f596b4e30419c9eec |
| SHA256 | a98c3f909ce58f7b6a5956b992b69b46baf0b60c8a7bb68e86ce3435cafd12de |
| SHA512 | fe03625a4f667676d46579fe542a19a25693f61f96b5f9473c234ed3c9c4671f6a265223644ec1c134a1d534a0626cfc89c4152ddc88bdb691f80bb202b373dc |
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
| MD5 | 2740c5f7b99a01dd874727fbefd46dea |
| SHA1 | a0c6c9c2fa27690158ad9112d3e85cc007059837 |
| SHA256 | c7c56986169d03381efddaf59aafd1aa8df58475a51570794eca79e278ed28e4 |
| SHA512 | df34ae45ac3c2a51a08fcd9b4087a4c8840224850fde1ab341d7d2deab9c5921a69d57608e50512c42204c1347aefadfad3f161221495279cbaaef49a824e70e |
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
| MD5 | aaf5ea14def275c96addeefda6d74af1 |
| SHA1 | 05198209d612d07c2af9ba78d62caaca8fb61bdc |
| SHA256 | 3bf5583e3e26573a9f1072fbc86077076b24a66d4684f6d2255c4af2b38550f8 |
| SHA512 | 24a126944ab48a029429d51d6c546527c4ea8c98b0b24ea518c047fb665ef59824a4eaa7a6a27625b4d0af8823a2de7821ffa39a508f4772118161181595e898 |
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
| MD5 | aaebb251ff8302d9686326bbdfc77a84 |
| SHA1 | 3b756192653bf6aafdcfae395ab3683527907bea |
| SHA256 | 714141d87dd499e77c3987a80e67b8c18a1e4ea09ae6ea63c9e8bc8519f05cc9 |
| SHA512 | efd5051f16dda516707ba1a6d5fbbe6f2c7e69649ef2f367eb0a08401c5c0776361b7da1fd1b2a23ba8d876a787b058f48083578ad7155568c8f8b06a7fcc654 |
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
| MD5 | f94b05906e895ad4235a4eeec5dba28f |
| SHA1 | 1fc7c8f6e82ecedafab17192a95b4584a44de21e |
| SHA256 | b63a21f004552dba06067db3fe4e9696cb342a5c472b8af0725ba1d353584219 |
| SHA512 | 13ca65e11e70724558266588bc35fdd84f08fb5a03f426388db45131a3a76c5065811e4cbb4ef779eba4d33a8c62247733c3729ce090396814dd37ed83f19b97 |
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
| MD5 | 6bb7f55e6bfb467b4f3adbe2b9119519 |
| SHA1 | 5045d449060abf6fe12593513043e61fb7343354 |
| SHA256 | 49624cbc7d6d70355cbde0a1f4ea1d8fc46953d0267f48383ca249052add886e |
| SHA512 | 25faf72ae86409b83b920d00c96a748ba1fe18d304e003656c34a7059c632f1ecab09361b87cfbe661ab4aa7fa11ffdc9d4bcafb0f4a0858b2cbb69762bb326e |
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
| MD5 | be8f3fae7af395f6cd7868ba7cb83b29 |
| SHA1 | 16174194f95b4c5a3fd6633aa77306aaecc2c8a5 |
| SHA256 | bbe335d3f6997ab3161c116857216e3ab1c0142af958f2657612b01040f5a0df |
| SHA512 | 1f655ad368f023de2fd17fb649054bc058e98db8c2742e892f775d530d9b2ffb30011b13908c705241358f1510ffde20db1de1b5bae98d03ecea4837cc996f56 |
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
| MD5 | bf0dc9638f16e6c263c07d5c6bc7091e |
| SHA1 | e168f04304b509dd867e838db897fe621049c278 |
| SHA256 | 366f46ebef9206c8c3107723d33102fd9b5faf091c865fba05267215e8039567 |
| SHA512 | 1a1b1f73c941e4054be48ed663bd5a103a2c64be9f70c79719814631a250a7a80b42c6317561a3055f31e5139003b1a1b5abb45e93cb992001711908356413e5 |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
| MD5 | bc1cc2eda4137e6f857a489456faf89a |
| SHA1 | 6de318058b8e6248a5f35805b776aa02bb6d94f2 |
| SHA256 | d707ecadbd2f4ad1e787e2a0ba051de182bae6f4414fbd07b31b2067d029a0e6 |
| SHA512 | 02e90cfda17f8deed826b7d5193215d28d1e591e775f61567d0a64c1504c0d9420fa495aefb6d02690bf42743573d50516299386800a6a097df669dbb859a5e9 |
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
| MD5 | b4e69ac40c8203cf34d7d4ff7fdd20ec |
| SHA1 | f61e42690c95662270dc9e8e972106ec5d9172e7 |
| SHA256 | e4d381fbfaeca3a447357e5acf5ee41f1655d4e2e20a4b72621127dfe0886e5e |
| SHA512 | a430f670f15e4f8a8d3a913ea3be5098f0c85fca897f00c1f96b1d76b23ba526e12baafc25f1a1dfdab640a5e2037b4f8ea1b754d67204d574e5f81bea3de552 |
memory/1964-82-0x0000000000000000-mapping.dmp
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
| MD5 | 448c2b7020e5d1f00ccc2fec7363dfa0 |
| SHA1 | f4f3d05a10b0f8e1b90734c8cfb4d5ec4d303538 |
| SHA256 | 2aef4c91758ca38f905294f755f616f9ddfbda68123cf5d90ec006bc9efcf65b |
| SHA512 | b815dacafdaed3640b17b3abc9a49add7df095d3746cf7170fcfb0c79f490ce45c3adde8ca382f3ef6514a9909a89e3e26c3f48df89dadb3db02f8aa3a88b1fc |
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
| MD5 | f1b6baa8bef1f840462f2a9fb4aca7c1 |
| SHA1 | ffbeb611bd8ebe493c1bdbde4a0986517205a27d |
| SHA256 | 6c21dd62374ed1cdbed0836dfabf7414f43845b41235244c695e1b9a9ba072e7 |
| SHA512 | bfb95f585786d7b7da7ab4de8e84fa7c222469b1405901d47bac8da5140a4896c6222aafdb72894627a228fc754cab53f552965780be904ddfec6a078b8393f3 |
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
| MD5 | 9f122fb86b64b4cd776319185a0f760e |
| SHA1 | a74874a2507b012fa97e48be340ea2a24a756a5f |
| SHA256 | 44d143ede573326cba5c8c3bfcddac9f22f8e9c12bb515299f00fd4f8f538d69 |
| SHA512 | fb2603eb6f65cc08c43961050dd38c3e7128f9deb029620f20e7c1f637ca42f89036b8348a8070a48458cb44b5980c1b0b4812f66d649955ab9eba34c9705f90 |
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
| MD5 | edc394e427a968efe836a4e45a11992c |
| SHA1 | 4c12a4f3a2a76d063d706d4a08f8d2779e76ff80 |
| SHA256 | eb452c2240aabf6d9628d13cd07c44dc36946441929b85e21734392bd2270328 |
| SHA512 | 15f83cd2686ebf0d73990423eb9289bc35434e462ba6665078a04bd0c18712a2dd4bb94250b5e6ba753e473e3536ba0d51b109e245dd6d99a81132a5f344d50d |
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
| MD5 | 39845c297dd4f3672c4ecef019f934b6 |
| SHA1 | 8677f38693dcb3ef41850d864397d8f1a5bb649a |
| SHA256 | be4ea1584edf9ba49c4008c9d9565eede0ad6d65f44b5f26ca4809cca2be4e35 |
| SHA512 | ab4406966dd882c60d40143140d3a8831c0386cdef431de56c98f7f95b98ed4c6bd028cbf406a7a43ba4ea1dd888886ad00e90a64a76897f9679ff1ccbb40b8f |
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
| MD5 | f643dcc212cbb9725d7c67c9ce016536 |
| SHA1 | 42745c5e913a1690f1157f2c7a2657d88fffd343 |
| SHA256 | 40d83c29918ee88df9720310368b84cd0308d88a46133b23806dec1f63f3d471 |
| SHA512 | 2d007459668db547cf3f265099e7e88cfcf134e42c65fa1c7217925b10a9c59e0f090e33e2a749251cd853b9558e6a87ebdf5ac2fe2b094c51d795b58548a8ad |
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
| MD5 | a9fbdde1dae1b65167abd35956234695 |
| SHA1 | 58568c01b283480c61e7e86e509b5bb71a774880 |
| SHA256 | 8d79f6d8a40db22c1a278ab617fd7f954aa20c2bc53476986081cf9bad14a476 |
| SHA512 | 645b64cf19eae10f8aee01c783f163b40dd6ff74806d68856cd64758dd99dfc4bbea8706daf96a149cc1a1aade78be06596b81dec24b6bc867d51b94d549afb7 |
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
| MD5 | dbb1914fba2a9632bf2514754fb69672 |
| SHA1 | a64ac278a070682bc41f325d4de6344c711f8e04 |
| SHA256 | 59542b02b570cab6a3dd23254cf3c230959b939cbe7b4e7b96fc55b29107cf28 |
| SHA512 | ddf66940158e75887285ab3ffc0d198b07e447fc36c3ab22209146c20ed6824a913aaafacbcdb7110457bcf3948e94c92348f36dc598eb9050f5aea745fa9e5b |
C:\PROGRA~2\MICROS~1\Office14\misc.exe
| MD5 | 9f84404c7434ccada75ce5066d97912f |
| SHA1 | 013eba45e21d10b554aa406c42071ea12a3f10a8 |
| SHA256 | e6cfe214abfcafc5890aac690f813436e5477cd2312938fdb172820a5c53313b |
| SHA512 | b2a8de6f8716d4d8b5cb4fc2569e83948752f3f915b597a4a4ad4199a000f833fcc0a7c024d570f9d078b992ab77b5b63251b452d8e94d47acbb90bd07aed9a5 |
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
| MD5 | 45a1f3db8d66cd3fcab36eee9a1b9b9f |
| SHA1 | 1e27c83564c7e1557ddac8b36f569f7c61ca7542 |
| SHA256 | 9a7404d5bbf63ab1831c97d44cdf54251ee37fc5415a6a00cdaecf247a16d064 |
| SHA512 | d06814a6b082c21ac621542b0e3edd5441435d657a4766c32718d5da02a9d29ce2c04a690dc8b64cc67cb04afe6b90381ba0454a6f46943b7020ae62e7fba3b3 |
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
| MD5 | 7a2029a6405c72d8c175822756dfab52 |
| SHA1 | 7572075a34ae63d03db609923c4617c09450c941 |
| SHA256 | b9fa3b76e4ea03c48f845ae4d09ab317f238356df9453e2dd2d9a4e980eae864 |
| SHA512 | c2c1a389b094652f7d22218b631cbebbf19d0ddaca6e66688f95d54d9faeabd4b44addb45df63e6f28a0f559b0306e0671c22b20d0f9ea19c93621681ad92152 |
memory/2000-132-0x0000000000400000-0x000000000041B000-memory.dmp
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
| MD5 | f88274ecda8568cee0a1ee24060a5c2f |
| SHA1 | c8f45de9e0bba2fda9933f11ff53dde895045a07 |
| SHA256 | 18cda909c718e1c501e377b6cc6e6443ce8b0d3afd06f97f5261246ee6a28d46 |
| SHA512 | 710e4c0c417e2981301d87d5e066c6d52d2b2e6e2a2d802da2f51de37ac8ee44402836ab06637bc84ab1c74e1df66f862955a5c9b9d56459fc5355a1c8d91e64 |
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
| MD5 | e650e5893ef18fcb881fb9120aa895f9 |
| SHA1 | e72e2d2f68f4171967f6014106626802008eebbc |
| SHA256 | fef3130015978f5bd436963534d901208cb1af668522e724ad0ea71d3034b5bd |
| SHA512 | 10ec2776fba912440d0d220a76fd87fa1801484279307a7af44a706efa010f4395b8d2c791a20bb1a065263b156a0e04cbfee43c7a15ba13765365c6911833ac |
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
| MD5 | f24998a73ed68dd2ab019272d31a6e5b |
| SHA1 | 7a97d49c69878db61fffac85b451300ad112b738 |
| SHA256 | 48b75806dacd57be75a71709075493ce4410063e4c09134c2d73fc3234d91c69 |
| SHA512 | 8dee601293a30579ae60490c8688dcd8cd2eecb4ee8657636c6e72275fe3099045fb1f6f4dceb7f45561f086db82a7db5b86dc1d7aa368e067b148d858e253d7 |
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
| MD5 | dec859cb3e1d0366ad78d5152794b4c9 |
| SHA1 | fee3940680ceb4a1f377cf750f4027e027b4d6e9 |
| SHA256 | df1daf2225fb6081a88ed7b56ea589c3df97cd59724add9f509eccfdaf85ff58 |
| SHA512 | 7594cf2acd7485206f3dba1f894a1eed876464f5be80e3ef19d83b4470c10bbf59bb42fd8cfd0d077fd7cc1f915778fddfb9bbaae8f5d6fef0f60dc8809a46d8 |
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
| MD5 | f6add995904a5f679d6b5c8157dd6b76 |
| SHA1 | 4e7f97535491185fe49cab7d9b2cc22957e83880 |
| SHA256 | 6896b1abd0805a082ae7d754ab0eb01091edcb4cd4655ea4273f9c8dcbcf783b |
| SHA512 | f96263bef554873c6c149ce3706dc5e0d5c77dc34a069d684e011b897648777c0940a996ad5734fa6444903308aa68beff9226586aa5fc48e020b889a3fe96e8 |
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
| MD5 | 8ec285db5c6e3eef3bf60689fbbc4221 |
| SHA1 | 1c4b3f411f7fb87a73739292994404c29d204163 |
| SHA256 | a7f9a04d3cb8b355a9c5cf424c4fa6f70fee05c1c2f4f187bdd6c9ad570871c1 |
| SHA512 | 595f7d54da6e42df23d3204ef04f1effdfdb2b86330c98776f911d91dd396a16fade4f936c2bed0cabb883eb73ecf5aefdda416be6a254e94af6c60d37c4f2c0 |
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
| MD5 | 91727f14137478ddd5497795ef7b6c60 |
| SHA1 | 23b346c2298d8a7cc46a7aef7b94808955f29d53 |
| SHA256 | e03969f0c2cf39ca15542ab47c7c18356d46d9756f88ce660fd45091a7c6deca |
| SHA512 | 7cc8d1090e212dd22f02e6f57b3050f440cbaa63925b5f3c64e23b2fc4c06d80e8edf3c5a5574b88078b035279612e9a9d9467884e973e054e02b0101c74163c |
C:\PROGRA~2\Google\Update\DISABL~1.EXE
| MD5 | 35f35abdd5fc891583c950ce356a8f58 |
| SHA1 | 93b856f00e00f61913507c989e2ca51656da2f2f |
| SHA256 | a9f837dfc560dc77091d198ae00bfd3fda4e719de7e61ea2c56b6a4580be7bd0 |
| SHA512 | 8cbb8c97b5d3e286c42e397b3ff9fc6c85b0cdd688353fe3954b8fb8a2afd345307d1fd40f9c32244640837387f84cfe44c31a9de57bc5273096fa1c15d81c43 |
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
| MD5 | b783789cba88be5b314d54e708d8eda4 |
| SHA1 | a93444e20515e7843ac5dc07bd2e3b7ee1973874 |
| SHA256 | b72761a45738def20eed309f83a7016a8c1cebd4d43b42f76fc10863a7187857 |
| SHA512 | 062f3be366a0b82b9ea0cb16a60d9c1ba5c74bbdb397a14c5e234370b1b70a769326a0f79ad9e16f23adc35d97a85bde0291f683ae9d0c0884150a8a1f7088e9 |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
| MD5 | ea03836421bc87343be28696136739e6 |
| SHA1 | a6cec71a54a226bd1613e12c4d3049308508a07d |
| SHA256 | c25387de9c6f41935d1c4a250defeea8da661f10049276250e9985eb74336938 |
| SHA512 | 1b8dc7990d62bd365161f45d38ae6c8274cc3bfc244c1b97ce9f58f1a0aec2938c82aca186159cd0716c978267f74be2fdd6eff8137f6871c1724f2d8a497483 |
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
| MD5 | d39a793827722b93fb59c30afea7a028 |
| SHA1 | 3041e7032493a638a87c107980347d2f81bde98f |
| SHA256 | 7cb15f28e5c2c0c132a07392c183b68176e4ad694190f50a73fb93032695c46a |
| SHA512 | 52d8413354823849f44d6e3a7058f3aa78450c40a1a731df14749b95b3eddf4ae89c44d9c54145f40167973adcc2c69bf01085aeebe312ed16aca03321984542 |
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
| MD5 | 61a27b377f9526a6fea3929e9d1228e6 |
| SHA1 | 298d0518d80af854e9821cdb84aa00fc96c5fb7e |
| SHA256 | 7b9ba64ac1be9506f7a3fef114743ff5a949f3ae76d1ff29e198f475b69fefd3 |
| SHA512 | efa823fe4a05ace777bd3090ef81f2c2552c4123d476a1d98bbe3be92c7b3fafe3c3df734754d01fdf758c5818b9843a7f784c59f67ba99087b8b931adddf98b |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
| MD5 | 35f35abdd5fc891583c950ce356a8f58 |
| SHA1 | 93b856f00e00f61913507c989e2ca51656da2f2f |
| SHA256 | a9f837dfc560dc77091d198ae00bfd3fda4e719de7e61ea2c56b6a4580be7bd0 |
| SHA512 | 8cbb8c97b5d3e286c42e397b3ff9fc6c85b0cdd688353fe3954b8fb8a2afd345307d1fd40f9c32244640837387f84cfe44c31a9de57bc5273096fa1c15d81c43 |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
| MD5 | fbe35490e036d495a6c6099daf2ede46 |
| SHA1 | a30e77af27fe8dc21f01d7513896f769e00b0673 |
| SHA256 | 6be8d0d1d91d1f1c7bc1c6b21b8f65dd88b64b187d56ee68a1521d2ab2d2a0fe |
| SHA512 | c10e36ff63c788f5e81683a0dfc6e9be92da83526361d584bc8afd5be89e33d117561f170533711582e562685e70e4c0da08419141e700b86baab88497b7bb3b |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
| MD5 | 92a216234b3df2be42d9bfcd95ceaea6 |
| SHA1 | 573ac6b382f1311047df5514727f3bee0cbeada9 |
| SHA256 | 757ba55e8754cd4241a71643a1b9fbc2157c70056a1e4e8327d1e60eda9f0fe8 |
| SHA512 | d5acfedef4acd564cef4f0e6f0d43d8dc9c5299aea05b43c2b02613bebafe810d19c59afa55c771a23047332b33eb8282b8cac7535f2ef3cde4347edb46a87af |
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
| MD5 | 16486f3e02396b19629b74f91da1b251 |
| SHA1 | af52e37ce9134e34ec990ade4549cabf3aba9e06 |
| SHA256 | a52382719f5993aa585e1e44fd85cd70b30ec68a582b55579329f82732c30e89 |
| SHA512 | d5f61ea4a93441c0732508b09828ec3d563884d8d1f4225474c209bdda6d33f854f6c3bb94636d0867333b664f50979157a45c958b72315537eafc6ab3bcc83c |
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
| MD5 | 46065c3d4143eea601a4c4e5c25dcdc7 |
| SHA1 | ccd5706653e9eda4a4bd0f59ec7365188c80d6a1 |
| SHA256 | 314cbb6290aad994a011062fa301fe20c6c646ad5f40223214e40363000a4e41 |
| SHA512 | 61a009a16eeb6f6f926a0d224a656dc7e062681629894e63ec07b19e5b37e7ff7c87b6a93c24feb1a9172d2218d44e6c19dedd92aff70875db76be7d03aca31c |
memory/1784-133-0x0000000074490000-0x0000000074A3B000-memory.dmp
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
| MD5 | 47971869eacecc1f7871fc6301667d3a |
| SHA1 | 5441f0e876712cd98c5fa58b82f6991d9ceb76fa |
| SHA256 | 3c8b1f5acad60b683b6eae5d89025f38ef4dce7b38fa1178e47c8bdab1f3802b |
| SHA512 | 07f102839fcb725dba3ed274d520edd33bbe1ec062b5b78bf6200d51f4dfcfccaf2698920cd24271e8afcb16b3d317bcf45ae59bc0f52ba59091a894470d8406 |
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
| MD5 | a7e7a7872bfe4b3cb819249726df42fc |
| SHA1 | 97ab22f9abff04aacf5f64228303f96fe73fc54c |
| SHA256 | deafc340232e2a6de10982fa84418735fef359720740d9dbfeeff9095878e847 |
| SHA512 | c2607825ba21c31ca38f011a34d7b483ca2b3e829100a5b6735b193421f7d43ebfd5bcf9f2ba198d5416f8643e24ae511731d96987fed0b74b43240d26a4aeff |
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
| MD5 | 883242848b04aef351f7da31c19ba781 |
| SHA1 | 65f66131622ff83c077be135a514e81b3f3ebd5d |
| SHA256 | 8560be9d63ae1524142e53df3302abcaf145559ea2f04359130fa9072c2c5a69 |
| SHA512 | 49825da9e7f6c1b3b67644cc839c42be201c6d26e565dda51311cdfc71a41307c58953ea2f864d7787b4a9f3d68508733f446795c7b042c3ee9e77cbbc3173fe |
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
| MD5 | 242944239e1059ed74064eab73ae32cb |
| SHA1 | 02c5b4e6de19672e09bf0da61bfd081536442467 |
| SHA256 | 4973afa378a6478014b2d64b40d791b1207a9d820123dcc552f93f34b4a0bf2a |
| SHA512 | 694da3c88bdb688ad5bf75ce4aed2b6f3ef63c2b0c00822750fee9b01ed7aabc4cf06a1d42b5dba66ded826328e72f45d2902bda188f19a3b18e119993035b6a |
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
| MD5 | 1197d6871ed93dfe3614092dc9f4d746 |
| SHA1 | 0cc302bac1b12faf994fd5f9532cd772fa3ff57a |
| SHA256 | 2f5e1f0a763ee892c8735d6f5d4bc2fc76655667add7065f74907556ade07b56 |
| SHA512 | a75fb6f28c28338a7f6a7868b290a8ebf888faae3ead7d55497207825b1dfecb8999c8df3d68b3278382644cb5d9c041c645f12ef7df07b49c94c7a353c6f5b2 |
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
| MD5 | f0df3994c263f788169d758fdef1c2fc |
| SHA1 | cebdc4aa82ddf579d7f44dc14fd9ea126ebe065e |
| SHA256 | 15eda99247b8e7bbcdef25b6da97a585ee67e72ce19558390f6a58a261b81dcb |
| SHA512 | cdfe53ac349f130f25b91ef94b92e3faf8b136fc384d56435491ff518019daa468ccd163e75c04d156530d61478eddeb1bb901b33966f515088dc1561007e2ed |
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
| MD5 | a08290283b99f49fe14b792974412ebf |
| SHA1 | d40c66a988707b2b607f338a6c511b8ad9b1a410 |
| SHA256 | bd4c669ff7b1580b240d91abf09eed7128bfbc3b7ab087fd71f4953c4802d0bb |
| SHA512 | bd8c6ca61954aed0ec9eae21a9e1747dfbd1d16311d537654023905e191b588824ec32a8331e75cb7872ff832c5753b57479f2ab601f0e4723897e5022c51046 |
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
| MD5 | a1a792480a570157731472139de819b7 |
| SHA1 | 8fa1acf60e4b6a6f387cb7b7c7826028794a03ac |
| SHA256 | ef9fb0fa737f9e2aa8e0e8e2741bfb2900c5ae71c69ac39d9c08a9844463a538 |
| SHA512 | ab5a5b58f7c04a5f14986ed49ade5bf37713dbb40d55090ec519195222a74d0217452a6a10e348bb6bede425a27dd2fdc8438b652648f33806ab54866b979a73 |
memory/1132-134-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-135-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1672-136-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1784-137-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/1132-138-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1672-140-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1132-139-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-20 23:07
Reported
2022-06-20 23:12
Platform
win10v2004-20220414-en
Max time kernel
130s
Max time network
152s
Command Line
Signatures
Detect Neshta Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Imminent RAT
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\\Scanner\\run.exe" | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Scanner\\run.exe" | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
"C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE"
C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE
C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| IE | 13.69.239.73:443 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| US | 67.24.169.254:80 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| US | 67.26.211.254:80 | | tcp |
| US | 67.26.211.254:80 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
| DE | 79.134.225.26:1234 | | tcp |
Files
memory/4912-130-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
| MD5 | 9f448e7ab94a398b3500147ca6786cdf |
| SHA1 | 6dbb6fae2082f7dec84f2d20a67b21ce1ac3fd91 |
| SHA256 | d374669526f689b7d622129caf6c843dc6cfde3561993bab096e9b6cf6e19971 |
| SHA512 | b772841ffd252e6adc314a17bc30a3826ef20f0cb64a1b87d0f86d80000cae780b0ebb565c047561128667f6b1ceb63c16a281b770e4866fe476e1af9749b833 |
memory/4552-131-0x0000000000000000-mapping.dmp
memory/4552-134-0x0000000073530000-0x0000000073AE1000-memory.dmp
memory/4912-135-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4552-136-0x0000000073530000-0x0000000073AE1000-memory.dmp
memory/4680-137-0x0000000000000000-mapping.dmp
C:\Windows\svchost.com
| MD5 | 1583aedafbae9cbc29b4dc36a9f81be0 |
| SHA1 | c7594e0808a1b392a81ea470a4a2acd03d26d3b7 |
| SHA256 | f32b96978e474940c4e8fc8b3c2e5e9b70c146980dea5bb25dc9b5f535a8468a |
| SHA512 | 7ba30d335bfdd3d9cf887222c473a5b4437a9dd4cb669f261cc7fe675a0f8de192400fd3ff97e9a39827e4698ad5142b2d2af61d8d90e10578f374ffa5fc6a5d |
C:\Users\Admin\AppData\Local\Temp\CB6E9D~1\CB6E9D~1.EXE
| MD5 | 9f448e7ab94a398b3500147ca6786cdf |
| SHA1 | 6dbb6fae2082f7dec84f2d20a67b21ce1ac3fd91 |
| SHA256 | d374669526f689b7d622129caf6c843dc6cfde3561993bab096e9b6cf6e19971 |
| SHA512 | b772841ffd252e6adc314a17bc30a3826ef20f0cb64a1b87d0f86d80000cae780b0ebb565c047561128667f6b1ceb63c16a281b770e4866fe476e1af9749b833 |
C:\Users\Admin\AppData\Local\Temp\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9\cb6e9d7a23f652290ac5ad33a4723c4b92f9b4c255dc1fcc6f5014e81af5d3a9.exe
| MD5 | 9f448e7ab94a398b3500147ca6786cdf |
| SHA1 | 6dbb6fae2082f7dec84f2d20a67b21ce1ac3fd91 |
| SHA256 | d374669526f689b7d622129caf6c843dc6cfde3561993bab096e9b6cf6e19971 |
| SHA512 | b772841ffd252e6adc314a17bc30a3826ef20f0cb64a1b87d0f86d80000cae780b0ebb565c047561128667f6b1ceb63c16a281b770e4866fe476e1af9749b833 |
memory/2332-141-0x0000000000000000-mapping.dmp
memory/544-143-0x0000000000000000-mapping.dmp
memory/3320-146-0x0000000000000000-mapping.dmp
C:\Windows\directx.sys
| MD5 | a7ef1efca7b1b2d2675985dad08d293d |
| SHA1 | b0318f9d8484d187f39f5dfc1151c9ce81ded1a7 |
| SHA256 | 57212e5592378074599ef0b04a2ed87ab04463ff2de57953f68ada5996e26867 |
| SHA512 | 682b99672ec02cf8bbc14cc059e4cd2c99b79efcae910351ea66ff8ebc2277fecacc741e8c104766c58062be81754d121153be6685edd3aa65888019fdc2eee7 |
C:\odt\OFFICE~1.EXE
| MD5 | e46e7547af67d2cbcadaa431487f235e |
| SHA1 | 6e8b797e07d70336735b6c5c057fb293d7abd52f |
| SHA256 | e207f7b55ee6854094d969edbfc423e31fab81d3f10c848d2e5f6452683b365a |
| SHA512 | 89aee7c9495fb981b82cac3c31bcd2975a2bb7453c4558d0947b59d6ec5f7b39de9a74b0b6b815e1aa029499a77c7f6dd9c1886930c5a70a304b648c472ac0db |
memory/4680-148-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2332-149-0x0000000073530000-0x0000000073AE1000-memory.dmp
memory/544-150-0x0000000000400000-0x000000000041B000-memory.dmp
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
| MD5 | 2f993d9221d3985926e367d07dee7e11 |
| SHA1 | 08f0a0f504f65870b65c608a863ef6115b5442ba |
| SHA256 | ea371eb8e478f48ca83564360f56a87521602ef726c71c08d698f0718a956737 |
| SHA512 | 3d82b3f70c3ddf95543673307e5d6a53f8027717eadc36113a7efb66b7a7f4997cc325f9753a0fd57db362e9a01f65af71ed3822a2f9ce76ce2bd56bc51ad1c2 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
| MD5 | 076950f4e4be607ea17842a5a5263357 |
| SHA1 | 0a4becf15b827dff484a14ab71db267bb612f3f6 |
| SHA256 | 14a4fbda0573b57b96adc9e3d198af40624b0ba767ee6e02dd8ea773ede00381 |
| SHA512 | b480ecfcaf1f1108b8a6bbdf521eab896d6fb108fc0ecff7e930a6da312f92a04b90109353dc98dc5bf6b6717afb98acbf6991f5bb02a08dbd27b307942bf23a |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
| MD5 | 9ea394b07888d20a1940c024163f5074 |
| SHA1 | 18168316d5963fccfd0a65d1665bd136bbc0403e |
| SHA256 | be57da1c691c8e24fe36b117933bf9e71de6771f608171b8d8ce5f2056aee60b |
| SHA512 | f9b4ee1c670070b1b93b9091872eff703e5ab15f341d18e518189be9147910d67aa983584ccca24c2d73cc6ab181525379e19fc346e0240283b414ae2968dfce |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
| MD5 | d231bc01654b92b512574bc626d29f7f |
| SHA1 | 2903b9d576ae81ba6c084399034a45774c143d06 |
| SHA256 | b4cb60eefd624eafa10df7f1b582d2684d63cdbc133525ef3832274aaa488fda |
| SHA512 | 1c76394c1d3cdcf41db51eacce35685891cf1a874a5b2d5aa2cf6bcfea4e175daf2a65665b452bcf62f0fb815dfbcb3493322bcd36adc6b41e7980c8c695632d |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
| MD5 | df5902e76935de8b9d0d896a318810c4 |
| SHA1 | 5dde85c32c5745fcb913c2efb8a5527da3ae7cdc |
| SHA256 | 10a8b61eba3039d2b31e8a7105caf59cdc2978929714a2672e641e9530bcc8ea |
| SHA512 | 9f9fbd3baa678eca5cd0cc9b65bcbaf3287e8721946c5fc9ffab9ab317751b6e1bcb36dc367d5a72ba43c8e178cc62c9f9004d3813410b081dac8d963f499be5 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
| MD5 | d231bc01654b92b512574bc626d29f7f |
| SHA1 | 2903b9d576ae81ba6c084399034a45774c143d06 |
| SHA256 | b4cb60eefd624eafa10df7f1b582d2684d63cdbc133525ef3832274aaa488fda |
| SHA512 | 1c76394c1d3cdcf41db51eacce35685891cf1a874a5b2d5aa2cf6bcfea4e175daf2a65665b452bcf62f0fb815dfbcb3493322bcd36adc6b41e7980c8c695632d |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
| MD5 | 825bf2dd0675b96e95727580b7e82ec6 |
| SHA1 | e96cb8186478c2b4572a0af4e32752f103f81ec2 |
| SHA256 | 6deb59d96768e3d8d939fe2c554aada6580895937f3db56ac1a86b95e5456100 |
| SHA512 | c1dcaac25098526fa88c05958dabe9d0f2c96a6e4f7b5f661d2a7c9ea0d1d3b02d5cffda9ecb67285c3e22f7dd9874de399f1c67d5fe39b9cc4d0883fce307e8 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
| MD5 | 13a07514838ef04b8937d41b26abd17b |
| SHA1 | a1da9d701acf178e5293c55ba601be5dac66c5f8 |
| SHA256 | f6fbac322af96d6417a48052a640ec85b184cae3d6563a15b2e728a787edb6e6 |
| SHA512 | 2fb71c2950aedcfcd72735d18370859a83abf39558f9f5dc6e251222078b2c4961d38dc46d7a7170918757fbfd1dee4c586c4808865b17a2b6af9e4013b80775 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
| MD5 | dbc5054a29678df8bf7285f04cbf84ff |
| SHA1 | 5402cf5366ff47a6a1f87ba2ac41a084c81da361 |
| SHA256 | 315ae36f5eec010a833c71e5f0655df2d9a1a5f3fae2a315bef5d3a3a7b5b32b |
| SHA512 | 57f067aad0d0b9f672e09288b9afa29fc1a6141b7f49c3afdde4c8822df076d2e835747444f0edbc04598cb99c4813900cb45d84ac1849f4719b3568032d8d6b |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
| MD5 | 825bf2dd0675b96e95727580b7e82ec6 |
| SHA1 | e96cb8186478c2b4572a0af4e32752f103f81ec2 |
| SHA256 | 6deb59d96768e3d8d939fe2c554aada6580895937f3db56ac1a86b95e5456100 |
| SHA512 | c1dcaac25098526fa88c05958dabe9d0f2c96a6e4f7b5f661d2a7c9ea0d1d3b02d5cffda9ecb67285c3e22f7dd9874de399f1c67d5fe39b9cc4d0883fce307e8 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
| MD5 | 68fe149c0db3a3f01def292f8a428297 |
| SHA1 | 2de8c2dc7c9a001de70a4bb8a485f0c5ec7df38f |
| SHA256 | 935d5dede8a03efad311247fe5d86b55fcb3a93f72ba7d29a48cb709018dae87 |
| SHA512 | 83d891bf8b9ed7e6f634f5b2710729cb457aa24b0c27d6c509eec2527d0e139bc44d6169502103a308471b5c87ff1d14a536cde7fdb4692a215f4f7d50b8ce68 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
| MD5 | 178420a2a9d1304855e2ed29da601e5e |
| SHA1 | fb1f785152f69075f320a4d38d05adef622db602 |
| SHA256 | 32cc210dadf075d52576316dc963c433b9447a2de1d544bd081fbbae35ea3865 |
| SHA512 | 92602a7765776ccf16ab7de98961fd98dbb3f04ed66f7f4c7b5a0f6735585a568cfa5463e57778bdc22ae958a7629f5d6d91f261931477b6bc8c6113da6137e2 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
| MD5 | 7cb8edd0b63b5719b60cfb93b42401ff |
| SHA1 | 809b45dffcd3251f9b38c6bf0f3a2517a449046c |
| SHA256 | 57420fbba11150e500b67d082ea3a6eb125a7ba4784b7391359d841e77da10db |
| SHA512 | 168152ee2c0880a6f84386ef32b444c6a605d3b7991d2182dc1e7e8468be67136b29121afe47413b61edd30f7036a65adb3651cd4b29e6c20b0b068dca2aba56 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
| MD5 | e15c22f9d869a0b2776a31de5cdc3816 |
| SHA1 | 2e8d9879ce115cf8c32bd1449ba1fb41180b1491 |
| SHA256 | da0c11e20d011ae9d431d8d27a417c03176e927c71dc769a74b6aef7d86e93f7 |
| SHA512 | baa367b99fec3a304ce665c5652741a2895df9e9bd0151914ae6ed17b7a38d95bed55f081cca31b264f2e60886a871dfbed7449c6de6eb11a44d8c463b7bd19c |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
| MD5 | 0bcf3f1ae41c6a99fca824fa84c98fe9 |
| SHA1 | d06676aa6f45e82f07e6ab25382d1ca3ff63b107 |
| SHA256 | f23007449b1a5ff7b03b86ebaebc0f00fd0070e4ae2573fc12129a569584c957 |
| SHA512 | 58bf008bf8d928e2bd2d29d4ea78651e4a3690f215b2ba4edfa78e348812c0c2739eda3502cddd77c3d5c3ed917a86c3c08b58fdc441110b7acdfc5e650ee9c1 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
| MD5 | 8cb8c2150857764b054644a5adf9ad8a |
| SHA1 | 0e24c046b464fee16856abec03e4ae0a86f300ea |
| SHA256 | 8fa34a4bee83c3720d45bf13d3413e00a9a61be7385daca40460669479d4abc2 |
| SHA512 | e68d48645612e2734e868475f612375f210c4bac92a2896d7371650de67363b5c1b73549fbb6b605a5d22cfeb2f7f1b082a090ee5abe16d15f0f6dc6b59ab0bf |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
| MD5 | 682565bce005e2bddc8489400fb8361c |
| SHA1 | 94e7cd302a5f223ac1e7b8950338e0b288359003 |
| SHA256 | d63f45e9a142b7fc8bc8c195caf3b6642762f91e2d6b72a0a8d342229ecfb105 |
| SHA512 | 5e1a67a9e9488bdc72af30aa7a99898dece39adba9702a0b6d1a00cd90d1cd74165134773c78ee0bac64df3630fc9b8da5ef3b3c1b291dc5852c9de494192b1c |
C:\PROGRA~2\Google\Update\DISABL~1.EXE
| MD5 | 35f35abdd5fc891583c950ce356a8f58 |
| SHA1 | 93b856f00e00f61913507c989e2ca51656da2f2f |
| SHA256 | a9f837dfc560dc77091d198ae00bfd3fda4e719de7e61ea2c56b6a4580be7bd0 |
| SHA512 | 8cbb8c97b5d3e286c42e397b3ff9fc6c85b0cdd688353fe3954b8fb8a2afd345307d1fd40f9c32244640837387f84cfe44c31a9de57bc5273096fa1c15d81c43 |
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
| MD5 | b783789cba88be5b314d54e708d8eda4 |
| SHA1 | a93444e20515e7843ac5dc07bd2e3b7ee1973874 |
| SHA256 | b72761a45738def20eed309f83a7016a8c1cebd4d43b42f76fc10863a7187857 |
| SHA512 | 062f3be366a0b82b9ea0cb16a60d9c1ba5c74bbdb397a14c5e234370b1b70a769326a0f79ad9e16f23adc35d97a85bde0291f683ae9d0c0884150a8a1f7088e9 |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
| MD5 | ea03836421bc87343be28696136739e6 |
| SHA1 | a6cec71a54a226bd1613e12c4d3049308508a07d |
| SHA256 | c25387de9c6f41935d1c4a250defeea8da661f10049276250e9985eb74336938 |
| SHA512 | 1b8dc7990d62bd365161f45d38ae6c8274cc3bfc244c1b97ce9f58f1a0aec2938c82aca186159cd0716c978267f74be2fdd6eff8137f6871c1724f2d8a497483 |
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
| MD5 | d39a793827722b93fb59c30afea7a028 |
| SHA1 | 3041e7032493a638a87c107980347d2f81bde98f |
| SHA256 | 7cb15f28e5c2c0c132a07392c183b68176e4ad694190f50a73fb93032695c46a |
| SHA512 | 52d8413354823849f44d6e3a7058f3aa78450c40a1a731df14749b95b3eddf4ae89c44d9c54145f40167973adcc2c69bf01085aeebe312ed16aca03321984542 |
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
| MD5 | 61a27b377f9526a6fea3929e9d1228e6 |
| SHA1 | 298d0518d80af854e9821cdb84aa00fc96c5fb7e |
| SHA256 | 7b9ba64ac1be9506f7a3fef114743ff5a949f3ae76d1ff29e198f475b69fefd3 |
| SHA512 | efa823fe4a05ace777bd3090ef81f2c2552c4123d476a1d98bbe3be92c7b3fafe3c3df734754d01fdf758c5818b9843a7f784c59f67ba99087b8b931adddf98b |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
| MD5 | 35f35abdd5fc891583c950ce356a8f58 |
| SHA1 | 93b856f00e00f61913507c989e2ca51656da2f2f |
| SHA256 | a9f837dfc560dc77091d198ae00bfd3fda4e719de7e61ea2c56b6a4580be7bd0 |
| SHA512 | 8cbb8c97b5d3e286c42e397b3ff9fc6c85b0cdd688353fe3954b8fb8a2afd345307d1fd40f9c32244640837387f84cfe44c31a9de57bc5273096fa1c15d81c43 |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
| MD5 | fbe35490e036d495a6c6099daf2ede46 |
| SHA1 | a30e77af27fe8dc21f01d7513896f769e00b0673 |
| SHA256 | 6be8d0d1d91d1f1c7bc1c6b21b8f65dd88b64b187d56ee68a1521d2ab2d2a0fe |
| SHA512 | c10e36ff63c788f5e81683a0dfc6e9be92da83526361d584bc8afd5be89e33d117561f170533711582e562685e70e4c0da08419141e700b86baab88497b7bb3b |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
| MD5 | 92a216234b3df2be42d9bfcd95ceaea6 |
| SHA1 | 573ac6b382f1311047df5514727f3bee0cbeada9 |
| SHA256 | 757ba55e8754cd4241a71643a1b9fbc2157c70056a1e4e8327d1e60eda9f0fe8 |
| SHA512 | d5acfedef4acd564cef4f0e6f0d43d8dc9c5299aea05b43c2b02613bebafe810d19c59afa55c771a23047332b33eb8282b8cac7535f2ef3cde4347edb46a87af |
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
| MD5 | 7a1ffffa39cba6bc82408722d2c19f9a |
| SHA1 | edc65bec2fca5c1e1c8f300fbe339cf735d3ee94 |
| SHA256 | 22295a6e94476f71dde4247ca641bd6daec07c4f05aaf8617c893e406a98e6bc |
| SHA512 | 5190dfbbe977091c26a951bc832a85975b3d4d09c1852937549e7bdf1dc04f7a7017c534eae3a9c5d63c74b56ae41fbf377051c88e5478cfbb62948f18c4f676 |
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
| MD5 | c400ce81f2210ec3f2dabb971f5392a9 |
| SHA1 | 6fa3b2fc56ff0afd6cef7b7226a1eee3ba0ea64a |
| SHA256 | e7a17b731bb07d94a88308a9216884d15169b0290f1432cf5f28087ea993106e |
| SHA512 | 98674c8e303abb994e6bc6436b896d9c7ecc82a122ad7e3c1164711f9066f6e0c7f6f1f8d93aa4a9e8d48e814b12b8c6fb686d67e7edf534160ed65977babc6d |
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
| MD5 | af8255b6848d8a813afd4bc0be90e46e |
| SHA1 | 2c4203ba3d78963be60dcd4b63ff81fc8b3d58ff |
| SHA256 | 6c7c888c6830e83f10191a0692ec7eb16c3c016c32efcdad2a54c376889c56b1 |
| SHA512 | e8195963f8589a783a3275460a33e08216cc30db59f52461f8f0ef1c484d8b11faedb9df98c55b1d219afee8a4a1da08b3082d1b4f866f7ceb28d5190395880a |
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
| MD5 | 9771486b48dccd315b470dc282e16485 |
| SHA1 | 2c7f3e2a9be298bec9b9e82e5a9a089cda04cb60 |
| SHA256 | f81e1f0c21f49e86c04f4b3dce1d87e93b01016f17f728a97bc3b1f0d7ef0414 |
| SHA512 | 6bf06ed41be8c34226d1fc52cb1e5525d2033c85cc36d71697153f58f4d4530a331cd58d05bea9a326f78fb1568579391e7e42c449c0fe493c16d18396620d0e |
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
| MD5 | 284a76ff912a51d01a0034749f6354b6 |
| SHA1 | 09f0a0822107ef40304c8ae9be33d216f1499fbe |
| SHA256 | dd7e95ef9618d4596468a723226d004b20bfbc585aaf79d5786f19652ec34697 |
| SHA512 | cfe2a13d23c39c394d7995d31b7844c8cc8bbd1f109d6078b619772b16fe3b6a00b0d29e727f4e3a9c089d6c9667c5dc9408ce1b39d89271566f6afeb418a607 |
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
| MD5 | a59a944384bd39a39ac05f3110c72bb4 |
| SHA1 | c9a92c3f77d76a48f23d638f21a3ce6d95a40e57 |
| SHA256 | 36d8e9a567037c3c3e2648c65d4acbb13222cd9b22dc3f92e1eae912cf976761 |
| SHA512 | 4855747bbc4ab445b63cb62329089ecacd6fec11592f51bf1000feabee470ddb6c66e0387c9c4253d4bee9b50ba1b48cef89e95af9c1e859b3324b0894d47e05 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
| MD5 | 0b82ab5594220753e22ef2f6a9e770a0 |
| SHA1 | 7a58797574e3c4334273782149c38d2c7149e017 |
| SHA256 | a4fab765529adf6e58d5839692b24e66aa38489faa51657992f409ffc4b5772d |
| SHA512 | e5e9f5fbe72f8983fa4d8e873f3d9a84f6fac6fa0c723849ecf2dec3b803a015aeaa9b7e214fb10a8132382e523f3173a587a4ef0b4cf1e55d4bee39bfc58d4d |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
| MD5 | e7dd8ecb98d4f72ac8951d0196382e4c |
| SHA1 | 34008b4fe44db2e2dbfbc0c3d04aad90be76f505 |
| SHA256 | 157cb880305aa68a51fda2ae115aff27710d999ddd5f39e9a6e1c6b4330668d7 |
| SHA512 | 7b45f7b35df2f6704f42133b43ee2de9ab570492499721f7c61ea11f80bd5c67c6e7b1fbb365f4a8b7b8d3d03f5400d5c278eb971083ce9352f4a6a7b8c324fa |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
| MD5 | c2b28310f77fe544c11066fe6703df5b |
| SHA1 | 19daf5804013664a7182c1d6761a694bd2e15165 |
| SHA256 | 47c17ce87c4268e3aa8056cbb02a1bc47ac129e6efaeda021d150476f4121e41 |
| SHA512 | cc4573ecc69c265ff6ac40c30512b242b70c2ae9e6e23732044a6234202be33c2d3c181da221d564395127cb1d9614b5de0ae51759a7a4e4d3d6655d31d5bc0a |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
| MD5 | 21464452898a3b2e18a3aa35a47d6c47 |
| SHA1 | 84b881f194714a0fc4d1f40392e6ee2e022590f2 |
| SHA256 | 7bad2041f835b847c5fe9809275c1ae5c042f42add781c8fcb8f1ddd8a608c6a |
| SHA512 | 7ef891901bcb269b235596be75905ad8f89adac7de66d4b329a7208d541e7ba65040aa8df05613d887cefb7e1dff05cb7d0a40f8949f2bafa440b8dca6725787 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
| MD5 | c8144c8e06bc730b1faaab8a16e98514 |
| SHA1 | ae32d2c78d555f1f57a46af50eae21f21cced0a5 |
| SHA256 | d207ca5b2919059df0deae905838afd2059084e1a5af4673458bcde75f678efc |
| SHA512 | e483f0c6746fa5585bc1cd4a80307871adc7599217549660b17d6c321b9f06de1a6b41430664a9b45e5a85bfed4db0e9221f9fa030a4e8e01c8db05ea0ed5ba2 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
| MD5 | 7869f7b989507a9efe19c3e6d9ba0b22 |
| SHA1 | f02e339e0a54120e577262ff1d4de0be68cc2b49 |
| SHA256 | e8720a82c3722b8656ac42d081a517ce541735a4efc02f3a2bdd72a512402570 |
| SHA512 | 587e0ad5dc53591c741f74e895c4c27eefa907d978b9ec49b42007fefd96576f36ea575897511b12b6ce7eb7e952d94516258a5fc570f8e9f5a0647acc2d555e |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
| MD5 | 20614d8ffb8efcaeff847b161b9c7b6a |
| SHA1 | cc4113784bfdc90b6ada1b24e7110e5b553c3303 |
| SHA256 | cdb305d331a18d063e61f86f71d488adef8d168dd069ba4e90b839fdeaedcdf0 |
| SHA512 | 375b9612a88dad0989a04b2aa9b059ec3e897b80e05ddedfa65eefb03882ef412a99a5f4b68e4dea3ab215ec268ed51a62056a4c09c792cbfa856bb6ed6ce7f8 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
| MD5 | a7de2f57f114cbff6f974b8efcadad4a |
| SHA1 | 890ddd004509cd100fdb52542fa316505d340ca1 |
| SHA256 | a7a24ed5c0cc38b287834a34e40926e87a0dd7b5d8cfdb742cef32f3edd569ab |
| SHA512 | 296bbfe4d71442bfd3464e0ddf8c5113dffa3fa3668181374c3623322a1fe42cf5eb9d09e86395cf6f58617ad955e365f417a1fa7c9a51fb48309aa7ba8c2922 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | 7a7921f011fa09a0385e88a4913da004 |
| SHA1 | c7b3b18acb55a4f54ba83b7acefa740849549e24 |
| SHA256 | 1bef7aaa5351802209b55fbfe3f3586a514a13234aa9753cd9c391f175c0d659 |
| SHA512 | da437d54c04669270e6dc6b0fb3e1c9d4b12c477136d12fc17f90ba62fcf96eac53f1ed1f5952baaf63ec69398dd9ce7f357137236f0a71dfff57bb7b1bc8c0b |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
| MD5 | 8c0bda4cfca7bc0b1b3776f7ec8785d1 |
| SHA1 | 9b95809f4efc705fca5e2a2f35a7df0587191187 |
| SHA256 | 96342f0518533cdbf16b2139165a3eebaba216cf55837886c81b24d20cab12c1 |
| SHA512 | eb058d71b144217babe69b31159a8b9001adb4c679a7d9a4d946a002e513184c269d77b595f8ba952cd1ad88ed9232b1dab96ebcb12e22452c90fa2b3ab4582d |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
| MD5 | 363081c311340255718dd555ef02cbe0 |
| SHA1 | ef422ea284c15162b420eb735adaefabd335ded2 |
| SHA256 | 53b370eabd4463684e519e1b4e26f8b038ecb46ec43b8be9c2ee97a71f469eb3 |
| SHA512 | 780ae8baca6001329dd6768c96c4a879b4512790d73686dcb46c7ebfcab1c041bf2ac726248cbbd227a6b7f207a4202f5e54f6976bf2893c32f45e91d0a3ea12 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
| MD5 | cd1f04f9c75a87830eae7d73d1ad351d |
| SHA1 | 405e8c37a2fb940872a1ac55e5642bc4a32ca93b |
| SHA256 | 4f7c2ed99a30cccf693ba5df98c2c478b8ef3ae7649058547b9f2462ebe7e563 |
| SHA512 | ec38444eb24b8ff3bfe68b55275375a47e676a704405f57a57a339b625d0bab191ceb2195966e7f60e847351bbb7b43ddd5bf6490b89c0e00dfe3ee0d17c70aa |
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
| MD5 | 3ac88020f00361880666524e36757efd |
| SHA1 | 01ebda24cf36e8fab8f664c2b981a5b6096bfa33 |
| SHA256 | 9df4f2a3fa91f9efdb3b73c3140a55636006dca5824ea52ce8d51f9e24007e00 |
| SHA512 | d62aa872848e14aa78fa630586dc3cb49dee3c5fdbb095dabd9336a7f39047fe4686bbc8277adeb42be645db9e1c45d561c6adf80d46ab88fcad8f031630dc92 |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
| MD5 | 75714c4aac7eb3c81829352cd0a2e025 |
| SHA1 | 3718ef468df3d922f6b6ef0b23b33239759d9b2f |
| SHA256 | bea6d0737287df33b4a48cc929a8cd0f4847ec95c7af8b7f153a9663345a566a |
| SHA512 | 1d1d643b0ca6767b9601849befb9a9f3af1af4fe17d263a703c598acd6a4eff4492c66e634010834e452b1e0c582dd5ee659089ac398cb5a1eb04cb7d39c8587 |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
| MD5 | 779a807c4a8890e863682f967d077d3f |
| SHA1 | 86eaf3ab7b6a727867302587d101819b857ea12f |
| SHA256 | b79caad45be3b9698e0451343569ab45e754b84986a45ece13185549d90b8a83 |
| SHA512 | 154a45433d3c7d5f1a68a2b0b415c71804d99b5462b3fd62138af2c6f3a448a900087c8feabc32de225cf84fc21f619c08c41b1fbb1871601eca113167397b34 |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
| MD5 | 322729b3a7ba4dfc77cc74c50115fd38 |
| SHA1 | 1b6be78c2afb1c4ee372023f7420dedc186d45d3 |
| SHA256 | bdea7c83e19ebcc427158e0cc93d0aed9c61390b8c0f73c8ee64cdf7452401e8 |
| SHA512 | f07315cfdbfdff257a2d36b4bb825f0edaaff780c66dc92ab53e3b595eb354a3104dcb7853ea52a166a54ed8ec5bd48d3d9ff598c5f90e6c02eb05233324fca3 |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
| MD5 | 8f4dc63dc32c9e38d511b7bbad73b7c7 |
| SHA1 | 2f8247ba88025bdad99c8bcbbdbf26043053e653 |
| SHA256 | b28387447dab248c6034fe7c2a85134633db22bf94a5caf2352eb42739ef6ecc |
| SHA512 | ce1ce2a620148fbdfae4512a1ee28fbc059543adb6565a6b8e5cfd4a5ee445a0dea3d888fdd2aeaecb7c6a2fc65531a2cce2f890254368c5ea641e2235c09a0f |
memory/4680-194-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2296-201-0x0000000000000000-mapping.dmp
memory/4552-200-0x0000000073530000-0x0000000073AE1000-memory.dmp
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
| MD5 | e1a5cbd1ff25ab64f12b1e08c9e6aff6 |
| SHA1 | cd98983191d000e42365c197026cb3a4cd6d0d12 |
| SHA256 | 4b5140ff1175a0db1f3c3f11ed3c0337b75a5326e0b4a31306af01ede15a3543 |
| SHA512 | f713bf07b557dafb2aa20dbb84c44fba1abe3ef77e95749f59952a69ce199ca476281253ca4585d9c113768db2f896fc8b90b6727550bae4c104a641c4d88269 |
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
| MD5 | 50981fa5e631a1feaaa155df13cc22db |
| SHA1 | 76acac9f671d6f173efd1d04da2c5e3575c0d242 |
| SHA256 | 2eecdd772c6bce6a2cad7a93195cc86932206b972cfe89462f7cfd7ae7ec809e |
| SHA512 | 140e94f33920d8a254b7d187dedbb4584385df30790a3b28749433d425bf8c9098027e3eebbfefc6cfa64e246a22d15985cc35ceecc9ee56c8c1c04314347b6e |
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
| MD5 | 84b78c5a397c237db9f7bdabe1f0e388 |
| SHA1 | 8538ad6a25f0d325fc417510d5f7a86f217cc837 |
| SHA256 | f76517dd43b717174f526a2f3db5fee77848ed257e394b0741a213a338cc560a |
| SHA512 | 062428862e89d7a14363ba06d969822fdbae43b2740b3a42be54415507e260066648b769eeb7411ab9febd5d3162828228be0edc098bf7af1da2128c55dfa00a |
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
| MD5 | 3c4c31e581004cff7c84121d3d68a380 |
| SHA1 | 9a30ab731ea61e59b43f8c8363bf28d8e750e7b8 |
| SHA256 | 95716e0ba2ff38c4c73cb43a070bb9b7ae829960aeaa8d59780e451061e0b9e6 |
| SHA512 | 0f3c7aaf80b2f5585f9961a060b6603d5c3919e8d2dc134a9e3a8123de216891d7c2e4cbba4f72a2bda22ee6a04124e77405b36f2271af77792c412f724979fb |
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
| MD5 | 7c99bbacb79b766408969a587c7874e1 |
| SHA1 | 7d6055aab16a0f035ac4ce251a1bfae77fdd834a |
| SHA256 | adfe6e95ccb0af81f3b9562375d80386fcfb3033efd0a21885a73cd1f3dd2887 |
| SHA512 | 8cc40caef43c4adc54aa289d5c5b7d9aa2cbbc853c1286354c0a7abf2c9cc07973f10d4bfeb81f8eaafdace6a905d088f020e4870e0fc9838af5907ea85fb1c8 |
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
| MD5 | d5962158bde87c06120a7dbba1c47175 |
| SHA1 | 30590036b70a3c99d6a561c1a12f397377635470 |
| SHA256 | f495e28e3d0d9820c415562ee287fec0d24233946f8533686795d692022608cd |
| SHA512 | 2f7ec882f71d9618f0928f740b55be1a9fb382b80012ce488cda759ad676b94eb9c747ac7ff3c7ec82f0809881ba0a069b6b3c6b09e5d57374ca4fc1255e130b |
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE
| MD5 | c84b7934f5c3be467c7f3701ec99180e |
| SHA1 | 00a236d27d04525d3c16d3d51c79f15f9332f446 |
| SHA256 | dd58c3ec136378761b9bb1596e18ac69b407d33d13d02680918eab26ce718527 |
| SHA512 | c1bf1a5442ead86884a214614aff5b33fd09f046e32a199c673633a9ff0339eb8dd149eeabd8e55ac193748a25912474f0e762bba1a6c203ac139fb48d2b97d6 |
memory/2332-210-0x0000000073530000-0x0000000073AE1000-memory.dmp
memory/544-211-0x0000000000400000-0x000000000041B000-memory.dmp