neshta | 3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56

Analysis

max time kernel
151s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
Size

129KB
MD5

e8c9a2905b86ab77e6a0db50ecff3c10
SHA1

ab3a02c180404722d399e671ed4b1973bc03c8ce
SHA256

3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56
SHA512

d213916918dc973dde4df998e537bfa2f5c97e34eb5172e860f0dc12a6be2360357a8d134dbb843536362263a153e34e2f3173a997ad119c61d4359a190b8542

Score

10^/10

neshta njrat hacked evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

ramial.no-ip.biz:1257

Mutex

e226bbcb766435e5c6575e6b41aa5e6d

Attributes

reg_key
e226bbcb766435e5c6575e6b41aa5e6d
splitter
|'|'|

Signatures

Detect Neshta Payload 57 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1704-55-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/2024-74-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral1/memory/1704-78-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	family_neshta
behavioral1/memory/1764-140-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
C:\PROGRA~2\MICROS~1\Office14\misc.exe	family_neshta
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	family_neshta
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	family_neshta
behavioral1/memory/2024-142-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral1/memory/1764-145-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 5 IoCs

Processes:

3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exesvchost.comEXE~1svchost.comsvchost.exe

pid process

2032 3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
2024 svchost.com
1996 EXE~1
1764 svchost.com
240 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1832 netsh.exe

pid	process
2032	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
2024	svchost.com
1996	EXE~1
1764	svchost.com
240	svchost.exe

pid	process
1832	netsh.exe

Loads dropped DLL 7 IoCs

Processes:

3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exesvchost.comsvchost.com

pid	process
1704	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
2024	svchost.com
2024	svchost.com
1704	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
1764	svchost.com
1764	svchost.com
2024	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\e226bbcb766435e5c6575e6b41aa5e6d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e226bbcb766435e5c6575e6b41aa5e6d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com

Drops file in Windows directory 4 IoCs

Processes:

svchost.com3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe
Token: 33	240	svchost.exe
Token: SeIncBasePriorityPrivilege	240	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exesvchost.comEXE~1svchost.comsvchost.exe

description	pid	process	target process
PID 1704 wrote to memory of 2032	1704	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
PID 1704 wrote to memory of 2032	1704	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
PID 1704 wrote to memory of 2032	1704	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
PID 1704 wrote to memory of 2032	1704	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
PID 2032 wrote to memory of 2024	2032	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe	svchost.com
PID 2032 wrote to memory of 2024	2032	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe	svchost.com
PID 2032 wrote to memory of 2024	2032	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe	svchost.com
PID 2032 wrote to memory of 2024	2032	3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe	svchost.com
PID 2024 wrote to memory of 1996	2024	svchost.com	EXE~1
PID 2024 wrote to memory of 1996	2024	svchost.com	EXE~1
PID 2024 wrote to memory of 1996	2024	svchost.com	EXE~1
PID 2024 wrote to memory of 1996	2024	svchost.com	EXE~1
PID 1996 wrote to memory of 1764	1996	EXE~1	svchost.com
PID 1996 wrote to memory of 1764	1996	EXE~1	svchost.com
PID 1996 wrote to memory of 1764	1996	EXE~1	svchost.com
PID 1996 wrote to memory of 1764	1996	EXE~1	svchost.com
PID 1764 wrote to memory of 240	1764	svchost.com	svchost.exe
PID 1764 wrote to memory of 240	1764	svchost.com	svchost.exe
PID 1764 wrote to memory of 240	1764	svchost.com	svchost.exe
PID 1764 wrote to memory of 240	1764	svchost.com	svchost.exe
PID 240 wrote to memory of 1832	240	svchost.exe	netsh.exe
PID 240 wrote to memory of 1832	240	svchost.exe	netsh.exe
PID 240 wrote to memory of 1832	240	svchost.exe	netsh.exe
PID 240 wrote to memory of 1832	240	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
"C:\Users\Admin\AppData\Local\Temp\3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\3582-490\3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\EXE~1"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\EXE~1
C:\Users\Admin\AppData\Local\Temp\EXE~1
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
9306f2a522a57b846007a08f1ca66f03

SHA1
df4ba0ea9393304bce52879d4b9344a0f1277d20

SHA256
0b3954c2f43c8c55e3d23bc7c97acf57022b9ced4360fe7d8660e77a1fbb3372

SHA512
dfc6336d1115a7337905341d0579700df3f821d4be340faa603a30668152e061818628e7544a2f0b4767c40baffe37554d040644dfd0d1da8ef3de0e25dd171b

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
e0f2257e0ad4b04429c932673ead4884

SHA1
352fcc1fe1019cd069ab52b409b31bbd0a08ea9a

SHA256
6e11a49479c1d2b35f15901b0700e307712338f343e1c03fcfe715946fab5969

SHA512
d77e790e63b1b2307df2ef0bb774bcbfa5cdc716764050dfa055a23449cffa5c6f61759b0819712f3e3be06037cbc3469082ba2b02af990017f28658f0103763

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
05137767de39f2bb28b365b2238f32e1

SHA1
5e62f303be2d32f16da8ebe555eb80491f7c0efb

SHA256
ca65573ff40bd61e73cf21f24a122de99e5face2ce75a2e0753f93e10cf6495b

SHA512
9f29611adeac506c6db62a47d82fe5891688cfffc7217ad1dd076fc88e54ea4b9291974b168922245f6c8e302f4e03a273bf0ac9942ac4d1cf6c5a6099b9f0be

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
98359abd5f26fc75169bafd6edcf00cd

SHA1
c0bdcc5b5f48c72275f84d6166a42519cc5f2028

SHA256
958bf8d76d4de0bbba6aadea0c4aff0ec7be9cc69ab9fa61cd29dcecbf3528fa

SHA512
573e374866e93b14cec6b5192ba45529a89c140d023ec0e471bad563fd6893cbef2a2fb0b106732f40fd4a2629869c8074b991539b05ade3d38f32aa26751fe2

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
Filesize
285KB

MD5
bb87ad346389595fc5bceb796253d45c

SHA1
d2b41075deb4dedd58c979d0e993d8725f8552bd

SHA256
ffdd6cefd1058970796d0b111a4553bf9c67d498ef6e90601ee397f890c2ba41

SHA512
1bf8d11cc40d14f3e8ee92581a359de54c13e34c1a4bcfc945870d74e354dd56b87a434e9d67e2c7a45964fe660962ac9b42d14912234b2dbf2999dca5baa5fb

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
Filesize
313KB

MD5
ce11b1fd51aed18060e9d8f990e6a1ba

SHA1
98c6cbc07ebde744fc829221c976239e2fb0d513

SHA256
89e79a856284e8639db443583cc57340ea1268abce2fdb56c8011b6a3fa3718d

SHA512
6b986f799cbaf05dc6e53a2e2f9b418f00afb1b8748d2f900493b922873d64e03150884233ae32c82093c88f5289b5c4c681d332999c6c0d5ce60dab135fe861

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
Filesize
569KB

MD5
660a04c0fc44c6ea534d291af68edcce

SHA1
eaee64ad7e34e8522049c0b1e8c7aecb4d2517f7

SHA256
ce79c8db512149d2ed0bb526ab5f74c7d71d43ba576380fd5e91595898e8719c

SHA512
59adaf605f550dbd2ad6e5e778268dd3108f2912fbec3a45026324c198bb6637a53dce58afbaa6b136e45df8be6d9e98c95a34cd869e624f8728386bff064674

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
Filesize
381KB

MD5
155ddabff4b588dc081291f97214f8be

SHA1
5fe2febbd1e5b80c8d19c67aec26f49f2a1113ae

SHA256
9ce4515a150137df2238f91e6773f4e21633b8cb8850d5ff99789dddbc66ecd0

SHA512
f1b9df7bc1c9f28dcb2cb02bfc4378a99e70f221a4ef325159288d809ebbbb6ff4e6f1a1b26bd8fa455439061d42a616121c2b0fb9d547763f5434ee327189d1

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
Filesize
137KB

MD5
9b9869e0df0acac9babac95a1f8d5c7d

SHA1
9ea411c302c9a2c565c941631128a7b23992530f

SHA256
963167bf45b0acb36b0d968e70e486f0956ace3fe2a48e6e26e9482df829c9d3

SHA512
cae5f2e81f7811f6c3307cfbfd2d8e8350bb048333ff3484a090cde2ac13b2709fc0f95f0a851b00d16d27601cb4e457028ecd689b66ed3ac8a716454403c0a2

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
Filesize
373KB

MD5
8b21fbe39ceac3e94fec9557a47ff82b

SHA1
985f19acbb293120b914bb8cc7445e0964342009

SHA256
950907716ca2af884d4955355a02e3d75d2182475f3e6ea6b6af9ae200cdcab8

SHA512
fe5d3a859eb8dfa0da7b5e97658b195aa35e0c18ee413a91cffed246c56985da32a0e876f3e1278ed84e282e72262f58550a0396de2b44743ea0076c15c6302e

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
Filesize
100KB

MD5
21807f4c6a9c444a081899ce30b589f0

SHA1
ef88c39a594a7685fdb6dde39fcf4dda0fb24ac9

SHA256
85c7041bd9d3497a1ae7fdf5f49153dd9ec023b99c814d61f14d079967af06de

SHA512
86ccede357f4b90486058d0e8c5dd474a9e4616bdb53d2483320c0d14dd8021db3a9ec51ae40e9b0323eb8a27ecadddef6c5d8b7e07c9d7de37be7b889fef708

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
Filesize
130KB

MD5
db9cff27cebe87b332f8bd12227cdf0b

SHA1
a1da9b5223fbbf5fde39aa5c7c42acde770af080

SHA256
f6f42fbc07d32ed9b45e5ffa39f99bf5e4f7fdfc7eb88936f438a2b8722d91cc

SHA512
b54f37cff55be3f66eaa0011ea3635174e83a73779783f09cf7d0905f20a133372e345c7c4824c31de3d99bcda4f15f6784b7256ef0c00bf016a9f012f1670c8

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
Filesize
2.4MB

MD5
db4ed76e14b8be57b7eeb1db2f39e183

SHA1
c993c7b28f3fd2da1d27d6a6c51c2c9566be1e41

SHA256
35aaaf68347229ac34793c50fe5c465a6e87df1c52106acd00106e509ff5d196

SHA512
9739b895f50f19e583fa354bb5ea9d59a285bc0ccaa1c3ee845399852bff3d3c0fcf6f2df5e6c611d8bf61d521cb95e28317854e9975443a5700eca5b64581c6

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
Filesize
859KB

MD5
9306f2a522a57b846007a08f1ca66f03

SHA1
df4ba0ea9393304bce52879d4b9344a0f1277d20

SHA256
0b3954c2f43c8c55e3d23bc7c97acf57022b9ced4360fe7d8660e77a1fbb3372

SHA512
dfc6336d1115a7337905341d0579700df3f821d4be340faa603a30668152e061818628e7544a2f0b4767c40baffe37554d040644dfd0d1da8ef3de0e25dd171b

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
Filesize
547KB

MD5
e0f2257e0ad4b04429c932673ead4884

SHA1
352fcc1fe1019cd069ab52b409b31bbd0a08ea9a

SHA256
6e11a49479c1d2b35f15901b0700e307712338f343e1c03fcfe715946fab5969

SHA512
d77e790e63b1b2307df2ef0bb774bcbfa5cdc716764050dfa055a23449cffa5c6f61759b0819712f3e3be06037cbc3469082ba2b02af990017f28658f0103763

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
Filesize
571KB

MD5
02cd3034cdb0948cb1530ac85ad7d5fd

SHA1
484fa6ca7e6fbf0e6446132747bda47ed6f74dbf

SHA256
ff0d60071e375e49c78aef90ac5106b74f8572a5e8aa94067048b45d5064f2b5

SHA512
938db47a6a9621fa07f63fd8d0c0bd76a64800c78631b1e757a3a6d825a890be7c827434aba6cbc43455bf63dd88bb88c2749e12f394d0e5e9021f77adbe5361

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
Filesize
157KB

MD5
a243203e62aa506c46b4e3ce55343c92

SHA1
f14354587cf4cbc1a23868274a4065574a297c0d

SHA256
0d2aa4ceb84e8b8dab96908eae150b67f6e203449cb4476a04f0763070d8f5f1

SHA512
f09f91d23c023e0bca2c5ebed774fb1d79c75d57c5f973aa881b336f2813606717240a634ccbde0d7b851b04049012ac0d8607726a0ccd29f29e9b72fdf26f2a

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
Filesize
229KB

MD5
e9b0cfd2ef80bb5ed61ff41db54c37ec

SHA1
274c117a6f7f4baf4773634d55ea78b618ecaa51

SHA256
dd6f4bc3696c04e93c7cebf38836dd0e2efe0f1121ac7642acef00b5220a9809

SHA512
520563a22051bf8e3564fa55f6bf4d56e9cedcf10a9a64fcd98c1d5ab1d92c0039c7057315af58edebdba289b292e316cac216466a2ce13a81d1fcfd0ff725de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
Filesize
503KB

MD5
0ce26d04f6d3a466c88b99ddacb61cff

SHA1
80f569e84e9a54c7cbabe51a1e5809e82941228d

SHA256
49faeef5c582a235ea0f46efb447c8f5acd90dd3839baa241d90ee2c37149c7c

SHA512
c759c311334c819a77d6d061874a9a57a02bfe15f75b4ebad065767646807b34ffdd6b3ecd212303cc5b7b2ba32068fd0ebaee9ea969b66ea52645ee02354ddc

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
Filesize
153KB

MD5
41865f5ed0507666e31c33f4c92b938a

SHA1
22201438b1cbabb9fd23b6a6dc0b6101d423a034

SHA256
0cf09c4d6566ee6508caa1ee296599793d089f6d3eaa8eacda8191b6f10709b8

SHA512
fa286cb90eb7da708dbd31945c123ead3d45178c59b31d3ca3d59015dc77ad6c4e1e75946da12a4d11b2fdca3429f9585a99dac729065d901e3f71da917af9bf

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
Filesize
539KB

MD5
ea106f3f7550a79f82907e360ef25439

SHA1
8b6039347b814f2f9792f396d310c4f5d310a63e

SHA256
40e4c82b68b180ae790e0358127621255e5a0d01e986f6bc13e3e2c08e6d1158

SHA512
3bbb01d2fb5984878b640cacd6fb0d954ea162f76b9bc6be3bd9d3ae593dd3ce98f05038dd249e759db572cbcb5d89251a9b3b45395d6982e7653d49d1e664de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
Filesize
1.1MB

MD5
5cc654c5f5f0c605ec1fad7fa8f8cc9f

SHA1
fc688d058c3a28e895326b0d2c2efd1c7f1573c5

SHA256
b97ab8af825ff2fea4f279c37dee991666f2afda936e3e5b6a2b6acce07dd6b2

SHA512
ab5ae6790544ec90bac9df5990dc4a3c01f4f887610676a58e2ea8726e41b92d56c26c6bc6b0b3402943eb23c13970bff9c5062a5e9a2675b44d40ae5fd0f186

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
Filesize
205KB

MD5
6eea1c6956abf465de7e9aa91260e3fc

SHA1
7c44a5f58d25e45ab04c39ec2b415f0722548609

SHA256
798cfa1564dd3d9717c87076153b9254af53b0f39462c29af8c9a62ca1f642ea

SHA512
93b5a05849ffa7017d5d0b30ccd34488afb382a923156164780bc3c7df7ce7a56f3b8d4f33e2e3463928cc2382ab7d61bf54b87f35c2bb0fcc6f52146bcfdc1d

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
Filesize
186KB

MD5
05137767de39f2bb28b365b2238f32e1

SHA1
5e62f303be2d32f16da8ebe555eb80491f7c0efb

SHA256
ca65573ff40bd61e73cf21f24a122de99e5face2ce75a2e0753f93e10cf6495b

SHA512
9f29611adeac506c6db62a47d82fe5891688cfffc7217ad1dd076fc88e54ea4b9291974b168922245f6c8e302f4e03a273bf0ac9942ac4d1cf6c5a6099b9f0be

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
Filesize
1.2MB

MD5
6a93ddfcc9e15fbbe9a96fa806146550

SHA1
3a2d202f009f8c9a168aeb2152520009414bed85

SHA256
9161768c2f7953132b25f179ab1e6d5f7bef856032650f70794e6fa69f1d25be

SHA512
5d1aa05442319bfe2c5ca72df9f66c582ddc183575a0945fb072b8021dc86dc62c0d220ed6e6841a0483233983e277f80fe2945c3e4019a1a399ac065ca4764e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Filesize
125KB

MD5
36efa3650f0ae4d3d4bf66efaf963358

SHA1
25d6436e707c37ceafddbedd89786376437a2d56

SHA256
631f3259d546b9a409a2624c47a38f3a78f1256088f33ae8190c523a9158350e

SHA512
aa3509a6926ea2fc1f9596e65117cbb98abc63da73d2c83e4f2ccb1863729544ac6d54226c81d46c993836195f2d0b8a9a47afd169379ed9e53a164f8d85bbf7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
Filesize
138KB

MD5
304731232b74594859f8344aba1e15fb

SHA1
805e7726d4098aeefaaa51e62a46614b9eb7cf4a

SHA256
5d8baaf7cbe1e7f6831c1b2f7f0dbc22a54e5a0fd00f01b722b86a2bf76f2196

SHA512
a696290b9240fd6b771944bce738d8c358197006d2d59a39d8a59737537ba46472aa34c826f3c3f49c428ca6ccdc2134191506ceefccf1233fc58d6c8f2c670e

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
Filesize
217KB

MD5
6a8ca93a4395e800e10a0804b38f66f7

SHA1
435a3e5978b057601fbcdf160d1a7677038c5aa8

SHA256
c3fb470259507741e479a6be5241fedf3736ba3fb8943059f599e348c3b9fbd4

SHA512
ccb3139c4ce4002c2fa781cbde368efe884d508e1d73d1f672bb73aab906f86b7f3b000a45380fcd5ede8bf7c78544f2d124b7dc8e356854275edc55f54aa7c9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
Filesize
138KB

MD5
fecec6c7cdc0168ded783dd2697ab4df

SHA1
8cf55b38db0eb119c1b73faf7617b4d1a409fa26

SHA256
2248bcd0ff3538afcfa931462da4b6c33855affc9fd9b642e3e33ca7f2129a7a

SHA512
634e7ebc73ed23321d4ddbd464480fb7daa99978e6df33d1262413cc329e8449996eb88d7da62b598231f200c843aaae36c6ba48cb566bb96aff20e2badf3c00

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
Filesize
191KB

MD5
025d88a713cf487d65f968e4fdc8322e

SHA1
54c914a292b12f95cce372000448f68beda1832f

SHA256
58983bb819f5d6cfc2928e38d08a8b3ab0e3f9e8a8193eaccb6e621828747cc3

SHA512
b841a5015df71751a295655e9026d2fdbffadfe1073a012cc96d5d844b8d911a43820768d0857af0a83ddb635c04de6cc0a07ba0c307cb3f97ef4554c3ac9d58

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
Filesize
251KB

MD5
819e6a9927072c240e04cecaa3d995fd

SHA1
b8b44b7d87c8d68838bdf78354569e40916d7392

SHA256
4967aca492afad6f4490a4ae5370d620355782338ab9f44dde144ac6a3700f7a

SHA512
9c9cbf43b4eab1fe34abde474229b2ed6af5976b88fda5cae5935d5b51f2a7abd370412d611ab7ff650d61264f7761e3470fbb91524f245c4005679c2ca72fb3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
Filesize
326KB

MD5
b12b084b97415e9cc77d56593556f739

SHA1
5d76b08fc4937f8a9e479f56ca9a17e09efdac2f

SHA256
070593ddb10cbdbf9045eb2beeec3c2ea305518601886ed8dc82b4ec64acff9a

SHA512
3746ab11a897c25ba8b1ae2743f35194bd5aa42ca98e339f3c570f7915fae01c915a461b715362801600a7aa9b3939c00bf7c0ad7670fa3feca865e0b3ffe6c7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
Filesize
404KB

MD5
2de9b2802a5e7a69bb0f790c6bce9730

SHA1
7659dc8a3b87c16587f5ef218f3e89c9dbca4ee6

SHA256
623885c39a4ac992a5ecf56e7c1afa8048787500f5e5a375761368c148f8492b

SHA512
c28b7cb41c1431565ef7a2072aaca7265391ea8ad9e258d6de66fee08e26da8cab1e5c0b7f8cf7653794cde2deec2b4b6af675e90f4e648ab20519f82ecc5b65

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize
191KB

MD5
025d88a713cf487d65f968e4fdc8322e

SHA1
54c914a292b12f95cce372000448f68beda1832f

SHA256
58983bb819f5d6cfc2928e38d08a8b3ab0e3f9e8a8193eaccb6e621828747cc3

SHA512
b841a5015df71751a295655e9026d2fdbffadfe1073a012cc96d5d844b8d911a43820768d0857af0a83ddb635c04de6cc0a07ba0c307cb3f97ef4554c3ac9d58

Download Submit
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
Filesize
85KB

MD5
5c228c0e407c20102a1585c5ddc8f68a

SHA1
cf181c9eac6ab3d7297d75ae06f584c1a6c398ea

SHA256
c6bcc986a1e642dfbcdb58cd376c75921dabb1c18daef04c61d5bb723d0e65e0

SHA512
4b2ec72091c703a9ddad24786cfb4eae2b0763733db764587219005c2aef63fef33ef0f10df80018e2aa27408f64601094fd4d182515524a735774552182ff8f

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
Filesize
1.4MB

MD5
afc922d99042d6ff95e6fe6aa2a27fcb

SHA1
230d811bccf34ba477fc59bf380f9b85851af714

SHA256
2b51a97692eed109d6a06d38b7b6bab3c7937ee652cafffe554f64a46c2882c9

SHA512
5abb4f522004e33512f0167c19d5debacec65f452ff96ca58a02ef5015288be745ef58e16a64c9a478411650dc3ce417d06f7961d3230c33b1b5264f81393335

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
Filesize
129KB

MD5
23e259885366c1f36ce94a3353ad1e36

SHA1
500a92fe2e93cd084b4fcb4bdaaf4913219b7847

SHA256
b838b3af76d48746abd62c7d39128d8cbf86e63c0f30e443a7b998431aa7b20f

SHA512
672a7f013ea4c5325dd51dbfb9f683cf591dea50cf3c7ff582e07bfe9a99d98f5b3b570510a7b2e5e9f9b5725b82107fa3b08d41ca1b9d2111a17945460e9ed4

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
Filesize
246KB

MD5
72798f1025ecb8b6a2431cb42089f8a3

SHA1
fd29f0710b032503a60b62bcc6f9b496cb8b5724

SHA256
a00ccbe382e8316c441bf6d972e2e20579a1d18a8253af8fdfb8521db2a2cd39

SHA512
a7f546b139a5ceaafe8430dc0325c63f17d039151b61d4298e6a8871cb29b888ae9186e6dd549a13916d21fc5f359802c58d6e09ccf33b08531839f3798ac9d3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
Filesize
188KB

MD5
b2850a6e7a0569bc3a143497248240be

SHA1
8615c8b89ceace3f1b2dbcf66d0377148f1abde0

SHA256
140e6a3dd26f354434ae855a2a3650e70b0cdfd73cb2fe78961928355b731051

SHA512
d4ce39a0e2b916e8cb2f73a5f9937cdf4b01e126f13fa902deabe8f25fbc9d1ec595c7987f36196ac4f8ac96fdc9213b5f5a6123b4cdf3af99f4cb2bd900b767

Download Submit
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
Filesize
4.1MB

MD5
0a832b5375b17c992a0becc3a995addd

SHA1
c7fdc4df60126c7b36d420c4a1efa8bb968552fb

SHA256
70b6104619cd138dfc24d8973ba295799c4ab89e8b8bbd40c849b4f4324824f4

SHA512
4ec6bb7d62afaa12ad42864355039229d94c558ac73da9e3a4f0969c36d5cfbea59310b7d598c0e3ccfca79ccd6d098f4110c531be305a9d05dc87ad4082a143

Download Submit
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
Filesize
962KB

MD5
132db56ffbb368392a6c1080914749d0

SHA1
8806937d3d9b1afe5aa102391930d342a55513e1

SHA256
c9692d5c3c36aaaa7a7f7cbbd541aea70786f75551b4751ffa65fd5ce0bb54c2

SHA512
d3780fa9acd0aeb6c631764fbab082bc2f730719c34eb1ada0189c5d15f657b38c6bfd6f2cdd3b55d6b98839fdca37445195405ef69749f8026d1ba65e8db225

Download Submit
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
Filesize
605KB

MD5
48c9aff5be5cf16eefa2cd30aa4ce672

SHA1
797a62900ad1e0c5c9e371f396a82bd80e57af99

SHA256
3000f367c652139ae07ea09f9c8284faa825225024d63cf1bc25020dbeed4fa3

SHA512
d64383dd1f08bd01a664e23d912c0c962df0a16bdc13afa4de31724decec238a30bc31d103a8b5707ced1ec274a388d41a5d768432ecf8fa3c953cec03de7b56

Download Submit
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
Filesize
1.7MB

MD5
e52d58ea4d349d8f0f9b25e377996bea

SHA1
6aa0fb1b72f257410fd8c576bcb07d0bd22488e1

SHA256
0cb4bfa6e7288ac4e819918f74228ac1c2a9318ade490092f6c708f017ea27a6

SHA512
efeb61da39d9510e54a9310bee1403cdb402d3071b5e1dbaca4771248513fa41a10a2cbbcd18a8c86e6125f7808f03d793fc2ba8e5d4ecf64f049d261da1ed32

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
Filesize
109KB

MD5
284ea3fe849ae9a75cd032c9262a48f4

SHA1
e18a164db046ca9c5897ac6ba64cd9d99c244fb7

SHA256
954b57ec8f87157851c657d36a98307217fac93189afbf36bcb0a1c098485295

SHA512
308157f7baf0147876a1312a7a3f1842668bfd5f8ea09412d1a9cf98fd79a40d46627ec5013edeb2a1c2f8cfdb1147b02b32436e7aaa2c587f17791966803f0c

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
Filesize
741KB

MD5
9e9218b109d79d4f943f379cfcf8133b

SHA1
8cf77c60ad2028b6eef401469ff6bfcdaf9f9e46

SHA256
21561cd643413d20759942f4e4fbb963cbeb65aa1df97169a99a404e6c91e1a7

SHA512
ccc375c8ef738678728131fa01f452eeba05917731bcdc5f8562f65e58066923e0917b34ab0f6ac3d64d91cdf55c891e768004a23f51ec3d02812daf9463c84e

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
Filesize
392KB

MD5
88ab72587a515a3658cc3619d073c693

SHA1
77d809e0c3b70eea42867a714de290d8c8878883

SHA256
d387772ef8a68e455da9e8af11504d6239ba0be8fc1e6c6a5337dab6d60d829d

SHA512
88722fc4afc6465bb8af87291efc65ed0cc7a61bebcc86472a81fa41507d884519bee69b8813e23369243d527f943f33bff2a92e6a69e56e0b619245fc4c7252

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
Filesize
694KB

MD5
1b5da53c10407feaf793d4fd037de501

SHA1
76a760d39f48fcac70f62f86ab39ef5045ee1d2d

SHA256
66185f86c7be4dbb0c17183591db2ed2b968e19b8d6ed43e8809e9738692b2bb

SHA512
2b174d9403f3ff2d380fe1c1d3fbf75dcf5f39acfd3d2f6a604ca82da20e698d0ecc996824c5e06b26f411bc3cc91ed6c9ad0ecb63ee642381c4cf342e22588a

Download Submit
C:\PROGRA~2\MICROS~1\Office14\misc.exe
Filesize
598KB

MD5
c0af4601c54671e3b88bb641364396ca

SHA1
cea138d9c716d3cbccb608712d32240c8a3f132e

SHA256
8dabd06c79b3c54427edd98d0b08cbb526b9df9c2ef3cfa63871ae9c443e9bb2

SHA512
d422ddfafc788a5fb22dabca83849e2dc496881276171430b7ac50488c95a19a8b96e66a40cf6294816a01ff663687420887456432adf4a8819deefe4d700337

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
22KB

MD5
75e7d97c280b06597d1eff565a96397c

SHA1
6d9e1c7a1cbc36746fd14ac74c6209c2bc3e450c

SHA256
bd3bbc20168503242e9959baa4cc0b2bb740f5d9c16d5ac9546706be9e4a92dc

SHA512
4fa14cbedd03190cd47ff26c18c34ac98212a9cce28617000b763038c7daaf7745a82063ad9212b51de981df8e50bd3fa0a0df0fc49b1106aabe6b83445b0869

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
Filesize
89KB

MD5
6063b7032ee9b1cf59d2f4a017e488b7

SHA1
ef0c1976efd20369f7a0072acc857cd4fbe555fa

SHA256
aa12af588be3b16d3842d78b0d3893b08f05268007edc357948ed99f2cdfd7cd

SHA512
4ef8393b8d8fccaf186281f02d6c51c329e07cc5ecfac6f6e659e7d978f805e3d105af5c043b3ed6dd215a62dc1b912a9ad36d40c9eb3635cad47ba5237ef5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
Filesize
89KB

MD5
6063b7032ee9b1cf59d2f4a017e488b7

SHA1
ef0c1976efd20369f7a0072acc857cd4fbe555fa

SHA256
aa12af588be3b16d3842d78b0d3893b08f05268007edc357948ed99f2cdfd7cd

SHA512
4ef8393b8d8fccaf186281f02d6c51c329e07cc5ecfac6f6e659e7d978f805e3d105af5c043b3ed6dd215a62dc1b912a9ad36d40c9eb3635cad47ba5237ef5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE~1
Filesize
22KB

MD5
75e7d97c280b06597d1eff565a96397c

SHA1
6d9e1c7a1cbc36746fd14ac74c6209c2bc3e450c

SHA256
bd3bbc20168503242e9959baa4cc0b2bb740f5d9c16d5ac9546706be9e4a92dc

SHA512
4fa14cbedd03190cd47ff26c18c34ac98212a9cce28617000b763038c7daaf7745a82063ad9212b51de981df8e50bd3fa0a0df0fc49b1106aabe6b83445b0869

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
22KB

MD5
75e7d97c280b06597d1eff565a96397c

SHA1
6d9e1c7a1cbc36746fd14ac74c6209c2bc3e450c

SHA256
bd3bbc20168503242e9959baa4cc0b2bb740f5d9c16d5ac9546706be9e4a92dc

SHA512
4fa14cbedd03190cd47ff26c18c34ac98212a9cce28617000b763038c7daaf7745a82063ad9212b51de981df8e50bd3fa0a0df0fc49b1106aabe6b83445b0869

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
22KB

MD5
75e7d97c280b06597d1eff565a96397c

SHA1
6d9e1c7a1cbc36746fd14ac74c6209c2bc3e450c

SHA256
bd3bbc20168503242e9959baa4cc0b2bb740f5d9c16d5ac9546706be9e4a92dc

SHA512
4fa14cbedd03190cd47ff26c18c34ac98212a9cce28617000b763038c7daaf7745a82063ad9212b51de981df8e50bd3fa0a0df0fc49b1106aabe6b83445b0869

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
8748e7e7fdc1fc078cce4beb287292ac

SHA1
3a90bbcd713d422a619879abff5adad6ed680317

SHA256
706fb37988354ab8a2a9e76fc0edf5e71767126144ea777a3f9fc666c42e5a12

SHA512
e6516e9f02f624ac5978b2260d00ea43bdba96c9a29a188c3840fe8451ceb09d316fa60eee6db0c497972766d84c9335d75086b16fdb02521da5dd6fa067b474

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
8748e7e7fdc1fc078cce4beb287292ac

SHA1
3a90bbcd713d422a619879abff5adad6ed680317

SHA256
706fb37988354ab8a2a9e76fc0edf5e71767126144ea777a3f9fc666c42e5a12

SHA512
e6516e9f02f624ac5978b2260d00ea43bdba96c9a29a188c3840fe8451ceb09d316fa60eee6db0c497972766d84c9335d75086b16fdb02521da5dd6fa067b474

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
8748e7e7fdc1fc078cce4beb287292ac

SHA1
3a90bbcd713d422a619879abff5adad6ed680317

SHA256
706fb37988354ab8a2a9e76fc0edf5e71767126144ea777a3f9fc666c42e5a12

SHA512
e6516e9f02f624ac5978b2260d00ea43bdba96c9a29a188c3840fe8451ceb09d316fa60eee6db0c497972766d84c9335d75086b16fdb02521da5dd6fa067b474

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\3a923993e88010cc912d2784a3793855f7c362fe5e06ccb067c3dfce4155bb56.exe
Filesize
89KB

MD5
6063b7032ee9b1cf59d2f4a017e488b7

SHA1
ef0c1976efd20369f7a0072acc857cd4fbe555fa

SHA256
aa12af588be3b16d3842d78b0d3893b08f05268007edc357948ed99f2cdfd7cd

SHA512
4ef8393b8d8fccaf186281f02d6c51c329e07cc5ecfac6f6e659e7d978f805e3d105af5c043b3ed6dd215a62dc1b912a9ad36d40c9eb3635cad47ba5237ef5b1

Download Submit
\Users\Admin\AppData\Local\Temp\EXE~1
Filesize
22KB

MD5
75e7d97c280b06597d1eff565a96397c

SHA1
6d9e1c7a1cbc36746fd14ac74c6209c2bc3e450c

SHA256
bd3bbc20168503242e9959baa4cc0b2bb740f5d9c16d5ac9546706be9e4a92dc

SHA512
4fa14cbedd03190cd47ff26c18c34ac98212a9cce28617000b763038c7daaf7745a82063ad9212b51de981df8e50bd3fa0a0df0fc49b1106aabe6b83445b0869

Download Submit
\Users\Admin\AppData\Local\Temp\EXE~1
Filesize
22KB

MD5
75e7d97c280b06597d1eff565a96397c

SHA1
6d9e1c7a1cbc36746fd14ac74c6209c2bc3e450c

SHA256
bd3bbc20168503242e9959baa4cc0b2bb740f5d9c16d5ac9546706be9e4a92dc

SHA512
4fa14cbedd03190cd47ff26c18c34ac98212a9cce28617000b763038c7daaf7745a82063ad9212b51de981df8e50bd3fa0a0df0fc49b1106aabe6b83445b0869

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
22KB

MD5
75e7d97c280b06597d1eff565a96397c

SHA1
6d9e1c7a1cbc36746fd14ac74c6209c2bc3e450c

SHA256
bd3bbc20168503242e9959baa4cc0b2bb740f5d9c16d5ac9546706be9e4a92dc

SHA512
4fa14cbedd03190cd47ff26c18c34ac98212a9cce28617000b763038c7daaf7745a82063ad9212b51de981df8e50bd3fa0a0df0fc49b1106aabe6b83445b0869

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
22KB

MD5
75e7d97c280b06597d1eff565a96397c

SHA1
6d9e1c7a1cbc36746fd14ac74c6209c2bc3e450c

SHA256
bd3bbc20168503242e9959baa4cc0b2bb740f5d9c16d5ac9546706be9e4a92dc

SHA512
4fa14cbedd03190cd47ff26c18c34ac98212a9cce28617000b763038c7daaf7745a82063ad9212b51de981df8e50bd3fa0a0df0fc49b1106aabe6b83445b0869

Download Submit
memory/240-85-0x0000000000000000-mapping.dmp

Download
memory/240-146-0x0000000070100000-0x00000000706AB000-memory.dmp

Filesize
5.7MB

Download
memory/240-139-0x0000000070100000-0x00000000706AB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-78-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1704-60-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/1704-138-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/1704-55-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1704-54-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download
memory/1764-79-0x0000000000000000-mapping.dmp

Download
memory/1764-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1764-140-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1832-143-0x0000000000000000-mapping.dmp

Download
memory/1996-77-0x0000000070100000-0x00000000706AB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-91-0x0000000070100000-0x00000000706AB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-70-0x0000000000000000-mapping.dmp

Download
memory/2024-142-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2024-74-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2024-64-0x0000000000000000-mapping.dmp

Download
memory/2032-73-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download
memory/2032-141-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download
memory/2032-57-0x0000000000000000-mapping.dmp

Download
memory/2032-61-0x0000000001370000-0x000000000138E000-memory.dmp

Filesize
120KB

Download
memory/2032-72-0x0000000000680000-0x00000000006AB000-memory.dmp

Filesize
172KB

Download