neshta | 5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
Size

1.0MB
MD5

5a5af0498cf5b99be8c91a1b5d854fb1
SHA1

6fcb0512aa212fd1bb5072acd2a77138604fd180
SHA256

5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842
SHA512

e6a627a663ec4188ec0e173b56a89ed8f4bea2505148cd85cc0e33b92508877323e618c7a78d7819c39d3089a9e1c78ea71aecd15ffdc2efa448a394f86bb64d
SSDEEP

24576:bS50o34eo3D55Qf/Ka5wjU+TUP2aWJIog8AdbTyvZFszh:k3gfQfj5a4K+DGBU

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

pid process

1660 5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

pid	process
1660	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3496 regsvr32.exe
3496 regsvr32.exe
4556 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3496	regsvr32.exe
3496	regsvr32.exe
4556	regsvr32.exe

Drops file in System32 directory 14 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\LOGO.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\PDF417Manager.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\readme.txt	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\setup.bat	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\PDF417Manager.dll	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\rar.bmp	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\readme.txt	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\setup.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\uninstall.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\LOGO.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\rar.bmp	cmd.exe
File created	C:\Windows\SysWOW64\ecologyplugin\iWebOffice\uninstall.bat	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

Drops file in Windows directory 1 IoCs

Processes:

5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

description ioc process

File opened for modification C:\Windows\svchost.com 5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\TypeLib\ = "{D3C98026-41F8-40CA-BCAB-5A7B10328926}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\ = "IOfficeAddins"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\AppID = "{869D767C-835B-4521-AB59-906D0AF6A74C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\TypeLib\ = "{D3C98026-41F8-40CA-BCAB-5A7B10328926}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\ProgID\ = "iWebOffice2003.OfficeAddins"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib\ = "{D3C98026-41F8-40CA-BCAB-5A7B10328926}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager\CurVer\ = "BarCodeManager.PDF417Manager.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBCDD82F-1447-4721-9313-934B9E5CB416}\InprocServer32\ = "C:\\Windows\\SysWow64\\ecologyplugin\\iWebOffice\\iWebOffice2003.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\TypeLib\ = "{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BarCodeManager.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\ = "IPDF417Manager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.iWebOffice\Insertable\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{869D767C-835B-4521-AB59-906D0AF6A74C}\ = "BarCodeManager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\ecologyplugin\\iWebOffice\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\TypeLib\ = "{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C01A9E2E-66D1-4B2E-95E2-68A529EE0B07}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\Verb\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.OfficeAddins\Clsid\ = "{CBCDD82F-1447-4721-9313-934B9E5CB416}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AA64ECD-DFCB-4B88-A2B0-6A5C465D3F15}\InprocServer32\ = "C:\\Windows\\SysWow64\\ecologyplugin\\iWebOffice\\PDF417Manager.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ecologyplugin\\iWebOffice\\PDF417Manager.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{343DED4C-FCD6-4018-A468-7135435F4D48}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarCodeManager.PDF417Manager	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2F5BF1DC-C7D9-4EE6-9792-AE9FCCC32565}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\ = "IPDF417Manager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98C68055-BF65-49FF-9BF1-3971CBDCD3E4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F7FA98B-AAA1-4D45-83B8-98E95ECADCF4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWebOffice2003.iWebOffice\ = "iWebOffice Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23739A7E-5741-4D1C-88D5-D50B18F7C347}\Insertable\	regsvr32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3592 NOTEPAD.EXE

pid	process
3592	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.execmd.exe

description	pid	process	target process
PID 2804 wrote to memory of 1660	2804	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
PID 2804 wrote to memory of 1660	2804	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
PID 2804 wrote to memory of 1660	2804	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
PID 1660 wrote to memory of 976	1660	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe	cmd.exe
PID 1660 wrote to memory of 976	1660	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe	cmd.exe
PID 1660 wrote to memory of 976	1660	5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe	cmd.exe
PID 976 wrote to memory of 3496	976	cmd.exe	regsvr32.exe
PID 976 wrote to memory of 3496	976	cmd.exe	regsvr32.exe
PID 976 wrote to memory of 3496	976	cmd.exe	regsvr32.exe
PID 976 wrote to memory of 4556	976	cmd.exe	regsvr32.exe
PID 976 wrote to memory of 4556	976	cmd.exe	regsvr32.exe
PID 976 wrote to memory of 4556	976	cmd.exe	regsvr32.exe
PID 976 wrote to memory of 3592	976	cmd.exe	NOTEPAD.EXE
PID 976 wrote to memory of 3592	976	cmd.exe	NOTEPAD.EXE
PID 976 wrote to memory of 3592	976	cmd.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
"C:\Users\Admin\AppData\Local\Temp\5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\3582-490\5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
3⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\Windows\System32\ecologyplugin\iWebOffice\iWebOffice2003.ocx /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:3496

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\Windows\System32\ecologyplugin\iWebOffice\PDF417Manager.dll /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:4556

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\ecologyplugin\iWebOffice\readme.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
Filesize
1000KB

MD5
f014f844aebe32c68879103d3ae0446b

SHA1
e435a599f65226ac27e85e821c5683f903ccb90f

SHA256
4c97e5548aeb492de5fa6a81469dfa5a2fd071e1856803ef9d9a78d6c11a6c81

SHA512
4fb47e0abedb9f7fb6ff49d887c8adf559b5ff8da9a850e0be6f00b36ca0adceb2d13eb9e2511f0e66f077ba5c15d8eaf2bcad46f25f6ead007963b30e5659c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\5c332a1b85edf4695901dd73c42a94fe5262b0a64e392fd7af41f4e7dedc1842.exe
Filesize
1000KB

MD5
f014f844aebe32c68879103d3ae0446b

SHA1
e435a599f65226ac27e85e821c5683f903ccb90f

SHA256
4c97e5548aeb492de5fa6a81469dfa5a2fd071e1856803ef9d9a78d6c11a6c81

SHA512
4fb47e0abedb9f7fb6ff49d887c8adf559b5ff8da9a850e0be6f00b36ca0adceb2d13eb9e2511f0e66f077ba5c15d8eaf2bcad46f25f6ead007963b30e5659c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOGO.ico
Filesize
2KB

MD5
41eca7a9245394106a09b2534d8030df

SHA1
b38e19173aea521d2fb00ef706abb0df7d076b0c

SHA256
f1a9670d5b4ee0fed36b7370193e4aa052f916ee038d91b6fd041cbc4dbb3683

SHA512
cd2fdc7b063e986278e463af34d040d5bd6851bfa1893841df6fadf428e740cf3555950186e98e533038d3588b97a66933c3f1564d9afec14750bd442c2dfdfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PDF417Manager.dll
Filesize
325KB

MD5
57025bb5e54588020b62dc2245bb286c

SHA1
a1da892174ffc7441be22531a939b82a69083ee9

SHA256
15214e339a330d0b0779bb700a099a84d5b6179a9280b776fd198fbc1450e093

SHA512
4ed75c96cb0d56fe50e7f8a8ee1a011b907f39605a9f9f6af733c29a75ace0820a52dc1ccdea5978de3500ff5fc7b3ec249c195b73b47dc2d435c50ccb2729ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iWebOffice2003.ocx
Filesize
2.3MB

MD5
c3ba68931b30479daee76ea188672add

SHA1
99b84c189750c1b905cfd2c2ab538d23176b0030

SHA256
1c641055ab854a611e3be7d52c65b5693c6c12734559037c2fe94971bc6b2eb7

SHA512
cb07d34a08f06ef98fd1eeb9b991188d724ff7ffd66fd3a54cad4e949cba8a0fa5a928cd79eb8f3c799bd91f2e48f4c1305641c2e3f227568eb5666ae1515e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.bmp
Filesize
2KB

MD5
a9fabad349a7121db3c799ede8f74d6e

SHA1
d13448fc14fa6a1e0ab7c995f319faa84750dff4

SHA256
6647c05a05cf81458ab13bbfaf98a78ea30171d8497d0b79b6dbcece8af6d993

SHA512
269b95c2ed60f65998e7a2aa0b18e3ffb08dbdb05f2bdce2070a5731bdf23b911f9a812c06879c999fee25d0dd72cac04b5026165b34fe3093414fffac641e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\readme.txt
Filesize
323B

MD5
260b7a22773cf57e575996c603238b16

SHA1
fcfbf3be4256d0d8e7161fce9569579c972425c1

SHA256
1d1fe2dc1a901872dc5e12b18b0d55348aa4f7aeb5b2bd9c2db076662b767681

SHA512
2b5ea67bc0bff51f7f2632f779b2e88302c1f8650cd970f8daf0bdd073304b052c1f82ca6b25bde946ec70c3134f00475e25b9cf33847b2736b0d60960de8d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat
Filesize
697B

MD5
ea0c220e652231b8358711aa464eb986

SHA1
4d9033a8d17d49ced68aa8800680d4e41cb1d985

SHA256
407412548feec64977267035fcf6556d5633937060aa27bc1137381cecde74ac

SHA512
c7d5364f6bcb79e9062e63ee24763311c30a23c47dc665bba91fc25d123acad46fc7827d27883e926e57971c0b06f88ba65ee95e03a00789b6e690acc6d1b858

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uninstall.bat
Filesize
431B

MD5
415feabca35ebef1a5c3f3863b1d3e39

SHA1
8116cc1f0733012da9da940bff842d44ae52b725

SHA256
d6bfa605d38b20fdf5ce042956afdd4e8fc3822897f99140a60f6b5581b3224d

SHA512
1910e6b3f6928cde188cfcc59e791f725b70bda0c731d322f53581d41f1afc267a5630dfdbbf67f34cbff2ba35d0f75fd2d9bf126f36d0b0ab5624db798cef2b

Download Submit
C:\Windows\SysWOW64\ecologyplugin\iWebOffice\PDF417Manager.dll
Filesize
325KB

MD5
57025bb5e54588020b62dc2245bb286c

SHA1
a1da892174ffc7441be22531a939b82a69083ee9

SHA256
15214e339a330d0b0779bb700a099a84d5b6179a9280b776fd198fbc1450e093

SHA512
4ed75c96cb0d56fe50e7f8a8ee1a011b907f39605a9f9f6af733c29a75ace0820a52dc1ccdea5978de3500ff5fc7b3ec249c195b73b47dc2d435c50ccb2729ad

Download Submit
C:\Windows\SysWOW64\ecologyplugin\iWebOffice\PDF417Manager.dll
Filesize
325KB

MD5
57025bb5e54588020b62dc2245bb286c

SHA1
a1da892174ffc7441be22531a939b82a69083ee9

SHA256
15214e339a330d0b0779bb700a099a84d5b6179a9280b776fd198fbc1450e093

SHA512
4ed75c96cb0d56fe50e7f8a8ee1a011b907f39605a9f9f6af733c29a75ace0820a52dc1ccdea5978de3500ff5fc7b3ec249c195b73b47dc2d435c50ccb2729ad

Download Submit
C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx
Filesize
2.3MB

MD5
c3ba68931b30479daee76ea188672add

SHA1
99b84c189750c1b905cfd2c2ab538d23176b0030

SHA256
1c641055ab854a611e3be7d52c65b5693c6c12734559037c2fe94971bc6b2eb7

SHA512
cb07d34a08f06ef98fd1eeb9b991188d724ff7ffd66fd3a54cad4e949cba8a0fa5a928cd79eb8f3c799bd91f2e48f4c1305641c2e3f227568eb5666ae1515e22

Download Submit
C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx
Filesize
2.3MB

MD5
c3ba68931b30479daee76ea188672add

SHA1
99b84c189750c1b905cfd2c2ab538d23176b0030

SHA256
1c641055ab854a611e3be7d52c65b5693c6c12734559037c2fe94971bc6b2eb7

SHA512
cb07d34a08f06ef98fd1eeb9b991188d724ff7ffd66fd3a54cad4e949cba8a0fa5a928cd79eb8f3c799bd91f2e48f4c1305641c2e3f227568eb5666ae1515e22

Download Submit
C:\Windows\SysWOW64\ecologyplugin\iWebOffice\iWebOffice2003.ocx
Filesize
2.3MB

MD5
c3ba68931b30479daee76ea188672add

SHA1
99b84c189750c1b905cfd2c2ab538d23176b0030

SHA256
1c641055ab854a611e3be7d52c65b5693c6c12734559037c2fe94971bc6b2eb7

SHA512
cb07d34a08f06ef98fd1eeb9b991188d724ff7ffd66fd3a54cad4e949cba8a0fa5a928cd79eb8f3c799bd91f2e48f4c1305641c2e3f227568eb5666ae1515e22

Download Submit
C:\Windows\SysWOW64\ecologyplugin\iWebOffice\readme.txt
Filesize
323B

MD5
260b7a22773cf57e575996c603238b16

SHA1
fcfbf3be4256d0d8e7161fce9569579c972425c1

SHA256
1d1fe2dc1a901872dc5e12b18b0d55348aa4f7aeb5b2bd9c2db076662b767681

SHA512
2b5ea67bc0bff51f7f2632f779b2e88302c1f8650cd970f8daf0bdd073304b052c1f82ca6b25bde946ec70c3134f00475e25b9cf33847b2736b0d60960de8d17

Download Submit
memory/976-135-0x0000000000000000-mapping.dmp

Download
memory/1660-132-0x0000000000000000-mapping.dmp

Download
memory/3496-143-0x0000000000000000-mapping.dmp

Download
memory/3496-147-0x00000000020D0000-0x000000000231F000-memory.dmp

Filesize
2.3MB

Download
memory/3592-151-0x0000000000000000-mapping.dmp

Download
memory/4556-148-0x0000000000000000-mapping.dmp

Download