Analysis
- max time kernel: 151s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 18:11
Behavioral task: behavioral1
- Sample: a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
- Resource: win10v2004-20220812-en
General
- Target: a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
- Size: 261KB
- MD5: 0063bb0a460508738af4af2f11fdf880
- SHA1: 9b3a753a220d631c3333fefcf63ef8ffe8b29edd
- SHA256: a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514
- SHA512: 0c82c75d4f1def4deaa6ff8ef3fc44b217070b4daa616999f06928c2678fb95f04a4a4119148fa4408ad5d25b2d9b8d9df9af85787cac4504b9472a1db6e78e6
- SSDEEP: 6144:k9Lrgq6hbWjq/zbu6OKdCQ3mkxxNc56ud8csg06n21XDalEdi:SrCNvoB2zudA/GWdi
Malware Config
Signatures

Detect Neshta payload (35 IoCs)
Processes:

| resource | yara_rule |
|---|---|
| C:\Windows\svchost.com | family_neshta |
| C:\Windows\svchost.com | family_neshta |
| C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe | family_neshta |
| C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe | family_neshta |
| C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE | family_neshta |
| C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe | family_neshta |
| C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | family_neshta |
| C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | family_neshta |
| \PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | family_neshta |
| C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | family_neshta |
| C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | family_neshta |
| \PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | family_neshta |
| \PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | family_neshta |
| C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | family_neshta |
| C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | family_neshta |
| C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | family_neshta |
| C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | family_neshta |
| C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | family_neshta |
| C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE | family_neshta |
| C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | family_neshta |
| C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE | family_neshta |
| C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE | family_neshta |
| C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE | family_neshta |
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Executes dropped EXE (2 IoCs)
Processes:

| pid | process |
|---|---|
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 564 | svchost.com |
Loads dropped DLL (10 IoCs)
Processes:

| pid | process |
|---|---|
| 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 564 | svchost.com |
| 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1088 | regasm.exe |
| 1088 | regasm.exe |
| 1088 | regasm.exe |
| 1088 | regasm.exe |
| 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules that act as plug-ins for Internet Explorer.
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{40aef60b-a6f8-4389-9003-a683dd75b850} | regasm.exe |
Drops file in Program Files directory (64 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | svchost.com |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | svchost.com |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | svchost.com |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
Drops file in Windows directory (3 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\svchost.com | svchost.com |
| File opened for modification | C:\Windows\svchost.com | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| File opened for modification | C:\Windows\directx.sys | svchost.com |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (23 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\ = "mscoree.dll" | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\Class = "ie2.BHO" | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\Assembly = "ie2, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8e4675c62620fdea" | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319" | regasm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\Implemented Categories | regasm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Internet Helper | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Internet Helper\ = "ie2.BHO" | regasm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32 | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\ThreadingModel = "Both" | regasm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0 | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0\Assembly = "ie2, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8e4675c62620fdea" | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Roaming/Founder Systems/ie2.DLL" | regasm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\ProgId | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\ = "ie2.BHO" | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\ProgId\ = "Internet Helper" | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\RuntimeVersion = "v4.0.30319" | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Roaming/Founder Systems/ie2.DLL" | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0\Class = "ie2.BHO" | regasm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | regasm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Internet Helper\CLSID\ = "{40AEF60B-A6F8-4389-9003-A683DD75B850}" | regasm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850} | regasm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Internet Helper\CLSID | regasm.exe |
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:

| pid | process |
|---|---|
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 2016 wrote to memory of 1296 | 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| PID 2016 wrote to memory of 1296 | 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| PID 2016 wrote to memory of 1296 | 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| PID 2016 wrote to memory of 1296 | 2016 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe |
| PID 1296 wrote to memory of 564 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | svchost.com |
| PID 1296 wrote to memory of 564 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | svchost.com |
| PID 1296 wrote to memory of 564 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | svchost.com |
| PID 1296 wrote to memory of 564 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | svchost.com |
| PID 564 wrote to memory of 1476 | 564 | svchost.com | cacls.exe |
| PID 564 wrote to memory of 1476 | 564 | svchost.com | cacls.exe |
| PID 564 wrote to memory of 1476 | 564 | svchost.com | cacls.exe |
| PID 564 wrote to memory of 1476 | 564 | svchost.com | cacls.exe |
| PID 1296 wrote to memory of 1088 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | regasm.exe |
| PID 1296 wrote to memory of 1088 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | regasm.exe |
| PID 1296 wrote to memory of 1088 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | regasm.exe |
| PID 1296 wrote to memory of 1088 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | regasm.exe |
| PID 1296 wrote to memory of 1088 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | regasm.exe |
| PID 1296 wrote to memory of 1088 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | regasm.exe |
| PID 1296 wrote to memory of 1088 | 1296 | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe | regasm.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /silent /codebase "C:\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class

    - C:\Windows\svchost.com
      Command line: "C:\Windows\svchost.com" "C:\Windows\System32\cacls.exe" C:\Windows\System32\GroupPolicy /t /e /g Everyone:f
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\cacls.exe
        Command line: C:\Windows\System32\cacls.exe C:\Windows\System32\GroupPolicy /t /e /g Everyone:f
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXEFilesize
859KB
MD502ee6a3424782531461fb2f10713d3c1
SHA1b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA5126c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exeFilesize
547KB
MD5cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exeFilesize
186KB
MD558b58875a50a0d8b5e7be7d6ac685164
SHA11e0b89c1b2585c76e758e9141b846ed4477b0662
SHA2562a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exeFilesize
1.1MB
MD5566ed4f62fdc96f175afedd811fa0370
SHA1d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXEFilesize
610KB
MD541b87061bb3a2ffc31e3f74b3d575328
SHA1579039f93ea8dd62986253f0d9f3ed3cc0e6deec
SHA2563a36c66c1aa202ce5d2bdf617d4dae08774faf51ed51020391d06347c9f56b14
SHA51254284e62251317d24cad368425786b0a63dbce8a978c1713ef00e1c0d78eea00d98b3c8a6acb9c868f326e4e331583282e402e5f829a3426f12ce49444e9268a
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exeFilesize
137KB
MD5e1833678885f02b5e3cf1b3953456557
SHA1c197e763500002bc76a8d503933f1f6082a8507a
SHA256bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe
-
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXEFilesize
178KB
MD522913149a9d766c415c21e613e4e1d1b
SHA136b33b1ab48615ebe7bd25472d50ba3de56a21c6
SHA256495ac0a638059cb60b2eebf3ac5e8fd17d5fbc7424195308f19e2ffeac3e0ced
SHA512d9e5396bb24e3ad7ba31b45e8e1bfeb74c32895ab3af6544715c5db04da0442fafd82b06c49a920d964cf0a8fac7a58ccef4a173f1a5879c6733748edc180b14
-
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXEFilesize
292KB
MD5a6e53bba7581f77c0a0624b82caff875
SHA1a53cce0d23e2cae98a15c67791cf573faecb7b94
SHA256c8c9eebf6dadaa6d433bec14a9b9aa521b3b7ecdd74df542aa2cee9cd5f0725b
SHA5128a1b5f6b47186611dcfc3ed8b84a76c4d0a099ae24bfdb906b128f1f288a92cacfaf36610579fe26743c2943615f89954bb23937f88e744c6af53eda74e8f92e
-
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXEFilesize
109KB
MD544623cc33b1bd689381de8fe6bcd90d1
SHA1187d4f8795c6f87dd402802723e4611bf1d8089e
SHA256380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba
SHA51219002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082
-
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXEFilesize
741KB
MD55d2fd8de43da81187b030d6357ab75ce
SHA1327122ef6afaffc61a86193fbe3d1cbabb75407e
SHA2564d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f
SHA5129f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2
-
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXEFilesize
392KB
MD525b9301a6557a958b0a64752342be27d
SHA10887e1a9389a711ef8b82da8e53d9a03901edebc
SHA2565d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303
SHA512985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab
-
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXEFilesize
726KB
MD5c3ee902099b98a299b1a215aba1b27bb
SHA1602b023806464db25f5f8e4ffc157cc7d7e9886b
SHA256e657a9f85af7cb5ded734e162db514e466256a83d51f4454abbf19c54b30686f
SHA5123538548c99f266404395ce9bdcadb542171799865ac5feddce936305ff2b09ecb939bed60d1e7011a39ca8548af39f9b4ee723b15674a1df54404270fc5afc9f
-
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXEFilesize
144KB
MD5a2dddf04b395f8a08f12001318cc72a4
SHA11bd72e6e9230d94f07297c6fcde3d7f752563198
SHA256b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373
SHA5122159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3
-
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXEFilesize
127KB
MD5154b891ad580307b09612e413a0e65ac
SHA1fc900c7853261253b6e9f86335ea8d8ad10c1c60
SHA2568a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483
SHA51239bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6
-
C:\PROGRA~2\MICROS~1\Office14\OIS.EXEFilesize
308KB
MD54545e2b5fa4062259d5ddd56ecbbd386
SHA1c021dc8488a73bd364cb98758559fe7ba1337263
SHA256318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8
SHA512cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1
-
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXEFilesize
1.6MB
MD508ee3d1a6a5ed48057783b0771abbbea
SHA1ebf911c5899f611b490e2792695924df1c69117d
SHA2563f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0
SHA5121711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5
-
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXEFilesize
262KB
MD52d1b4a44f1f9046d9d28e7e70253b31d
SHA16ab152d17c2e8a169956f3a61ea13460d495d55e
SHA256d1d73220342ff51a1514d2354654c6fcaedc9a963cb3e0a7e5b0858cfc5c5c7d
SHA512dd8f5e343417a3e131b3362f1aecaf9ce0f8a55c9f90aa3b7e55b6ddb6c5f4e06b3e76a7f4481fa13e2f325ab2490553f6977178acf7c486c7315755c05fc7c3
-
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXEFilesize
549KB
MD561631e66dbe2694a93e5dc936dd273be
SHA1b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2
SHA2565811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f
SHA512323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf
-
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXEFilesize
606KB
MD59b1c9f74ac985eab6f8e5b27441a757b
SHA19a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5
SHA2562a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24
SHA512d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4
-
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXEFilesize
1.4MB
MD55ae9c0c497949584ffa06f028a6605ab
SHA1eb24dbd3c8952ee20411691326d650f98d24e992
SHA25607dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e
SHA5122e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788
-
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXEFilesize
1.8MB
MD5fc87e701e7aab07cd97897512ab33660
SHA165dcd8e5715f2e4973fb6b271ffcb4af9cefae53
SHA256bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46
SHA512b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec
-
C:\PROGRA~2\MOZILL~1\UNINST~1.EXEFilesize
129KB
MD5e7d2d4bedb99f13e7be8338171e56dbf
SHA18dafd75ae2c13d99e5ef8c0e9362a445536c31b5
SHA256c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24
SHA5122017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc
-
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXEFilesize
536KB
MD5bcb5db16e576464d3d8d93e1907bf946
SHA1b10f3c3dc4baef4655ae2c30543be9d3c40b9781
SHA25624c9b3b4cf5e45a56c90d7fd112b05f07dd89cf96e98729beb2f6081fca758c0
SHA512c36339b06a00938c8a63ba4d54a766dc3ca3d1e34d69e9b4b2bfa9ca79c5c65d07f216f84af2b60be0c9cbdccadc5c271018efed52def8bd778dc01743d61229
-
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXEFilesize
525KB
MD50d9146d70ac6a41ead1ea2d50d729508
SHA1b9e6ff83a26aaf105640f5d5cdab213c989dc370
SHA2560b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab
SHA512c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3
-
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXEFilesize
495KB
MD507e194ce831b1846111eb6c8b176c86e
SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
485KB
MD5
86749cd13537a694795be5d87ef7106d
SHA1
538030845680a8be8219618daee29e368dc1e06c
SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c
-
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
714KB
MD5
3c86c25a76c1413747ae8851bead4bac
SHA1
9342be761a661f51d85fd49fa9b75818aa0c4851
SHA256
b7ff698e4395c9e682027bc710a529139dcc602d97e374fc294bcf5198073493
SHA512
e70376561100d6a4769bc91e4daa3c224ed39f8412391a5ee9b9cae83d08dd2229a25f9099f5336810a757d95b6e81faa30608f35d8761b1c4cc0f41313cb43f
-
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
674KB
MD5
9c10a5ec52c145d340df7eafdb69c478
SHA1
57f3d99e41d123ad5f185fc21454367a7285db42
SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f
-
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
536KB
MD5
bcb5db16e576464d3d8d93e1907bf946
SHA1
b10f3c3dc4baef4655ae2c30543be9d3c40b9781
SHA256
24c9b3b4cf5e45a56c90d7fd112b05f07dd89cf96e98729beb2f6081fca758c0
SHA512
c36339b06a00938c8a63ba4d54a766dc3ca3d1e34d69e9b4b2bfa9ca79c5c65d07f216f84af2b60be0c9cbdccadc5c271018efed52def8bd778dc01743d61229
-
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB
MD5
72f0402b1b4c9d952e3d1163a6e7d9c6
SHA1
948951f556fc1717617aa9b652a10b4d03823f23
SHA256
51b384d4ffbaba25d64e832a8744eca9b1dc633ff05176bda8a506cbc3ede4d1
SHA512
99bba188b9bb431be82200325c0d2d1167b82d360902b279e26d21e47c1c1365ae274439171662fc3532915fb54354c0a0b89a0b303e433dad9d4e7c3f32b2b0
-
C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
Filesize
221KB
MD5
78fd3c836cedce62224ddde7915a8bef
SHA1
f7048bbcb528f1370dd1b492e4f03c0d815b4ef4
SHA256
b0e03deeb9c303b1ec3725db1a8b6a82910cbd1aebab8289287fc9a49d8c2e7b
SHA512
ac95bd2714d62733c8426ad17ceaac796a40c50c657d01ae3e20f13d4cab3c956cd35d82b82c4ecc1ed693f4bc0ffdc902de883a96e50be63a1be37d3302f8d1
-
C:\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll
Filesize
17KB
MD5
08ce6457e0dad32ec2b95b85d8d12768
SHA1
b51ec32c5bbdfbd5b154f2d83a168e41f1691025
SHA256
1441a82b4a990a11d2374b028f91c9ddddc0d43f9359924d0d0cfdc3f7755140
SHA512
f531243975bc1d4f52a4aceff34973b803a9d2e41114d69f131e81f67cc112ea7cc6b8c2b7f107234e66811f67d66b49c59f9c6ab8b708ceda2133702cd12307
-
C:\Windows\svchost.com
Filesize
40KB
MD5
36fd5e09c417c767a952b4609d73a54b
SHA1
299399c5a2403080a5bf67fb46faec210025b36d
SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
Filesize
137KB
MD5
e1833678885f02b5e3cf1b3953456557
SHA1
c197e763500002bc76a8d503933f1f6082a8507a
SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1
ec66cda99f44b62470c6930e5afda061579cde35
SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
Filesize
1.6MB
MD5
08ee3d1a6a5ed48057783b0771abbbea
SHA1
ebf911c5899f611b490e2792695924df1c69117d
SHA256
3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0
SHA512
1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5
-
\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
Filesize
549KB
MD5
61631e66dbe2694a93e5dc936dd273be
SHA1
b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2
SHA256
5811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f
SHA512
323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf
-
\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
Filesize
221KB
MD5
78fd3c836cedce62224ddde7915a8bef
SHA1
f7048bbcb528f1370dd1b492e4f03c0d815b4ef4
SHA256
b0e03deeb9c303b1ec3725db1a8b6a82910cbd1aebab8289287fc9a49d8c2e7b
SHA512
ac95bd2714d62733c8426ad17ceaac796a40c50c657d01ae3e20f13d4cab3c956cd35d82b82c4ecc1ed693f4bc0ffdc902de883a96e50be63a1be37d3302f8d1
-
\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll
Filesize
17KB
MD5
08ce6457e0dad32ec2b95b85d8d12768
SHA1
b51ec32c5bbdfbd5b154f2d83a168e41f1691025
SHA256
1441a82b4a990a11d2374b028f91c9ddddc0d43f9359924d0d0cfdc3f7755140
SHA512
f531243975bc1d4f52a4aceff34973b803a9d2e41114d69f131e81f67cc112ea7cc6b8c2b7f107234e66811f67d66b49c59f9c6ab8b708ceda2133702cd12307
-
memory/564-61-0x0000000000000000-mapping.dmp
-
memory/1088-82-0x0000000000820000-0x000000000082A000-memory.dmp
Filesize
40KB
-
memory/1088-69-0x0000000000000000-mapping.dmp
-
memory/1088-71-0x0000000001220000-0x0000000001232000-memory.dmp
Filesize
72KB
-
memory/1088-85-0x0000000000820000-0x000000000082A000-memory.dmp
Filesize
40KB
-
memory/1296-59-0x000007FEF3BC0000-0x000007FEF45E3000-memory.dmp
Filesize
10.1MB
-
memory/1296-56-0x0000000000000000-mapping.dmp
-
memory/1476-64-0x0000000000000000-mapping.dmp
-
memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
Filesize
8KB
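The dropped-file records above are the usable output of this report: Neshta's loader written as C:\Windows\svchost.com, infected copies of executables that were already on the analysis machine (the redistributable installers under PACKAG~1, the Office and Reader binaries), the clean original of the submitted sample written into the 3582-490 folder under %TEMP%, and ie2.dll under Founder Systems. The following is an added example, not code from this report or from any sandbox tooling, that turns records in the form shown here into IoC dictionaries (accepting both the fused "labelvalue" lines the text extraction produced and the label-on-its-own-line form), collapses the repeated entries by SHA-256, flags any hash whose length is wrong for its algorithm, and checks the size relation a Neshta infection should satisfy: the 261KB submitted sample minus the 221KB backup in 3582-490 should equal the 40KB loader. The sample text is copied from the records above and labelled as constructed; the record layout, the function names and the rounding tolerance are assumptions.

```python
"""Added example, not part of the sandbox report: parse its dropped-file
records into IoC dicts, dedupe them, validate hash lengths and check the
Neshta size relation. Record layout inferred from the report; names assumed."""
import hashlib
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)[ \t]*([0-9a-fA-F]*)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)[ \t]*(B|KB|MB)$", re.I)

# Constructed sample copied from the report: the 3582-490 backup twice in the
# fused "labelvalue" form, then svchost.com in the label-on-its-own-line form.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exeFilesize
221KB
MD578fd3c836cedce62224ddde7915a8bef
SHA1f7048bbcb528f1370dd1b492e4f03c0d815b4ef4
SHA256b0e03deeb9c303b1ec3725db1a8b6a82910cbd1aebab8289287fc9a49d8c2e7b
SHA512ac95bd2714d62733c8426ad17ceaac796a40c50c657d01ae3e20f13d4cab3c956cd35d82b82c4ecc1ed693f4bc0ffdc902de883a96e50be63a1be37d3302f8d1
-
C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exeFilesize
221KB
MD578fd3c836cedce62224ddde7915a8bef
SHA1f7048bbcb528f1370dd1b492e4f03c0d815b4ef4
SHA256b0e03deeb9c303b1ec3725db1a8b6a82910cbd1aebab8289287fc9a49d8c2e7b
SHA512ac95bd2714d62733c8426ad17ceaac796a40c50c657d01ae3e20f13d4cab3c956cd35d82b82c4ecc1ed693f4bc0ffdc902de883a96e50be63a1be37d3302f8d1
-
C:\Windows\svchost.com
Filesize
40KB
MD5
36fd5e09c417c767a952b4609d73a54b
SHA1
299399c5a2403080a5bf67fb46faec210025b36d
SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
"""


def parse_size_kb(text):
    number, unit = SIZE_RE.match(text.strip()).groups()  # AttributeError on junk
    return float(number) * {"B": 1 / 1024, "KB": 1, "MB": 1024}[unit.upper()]


def parse_dropped_files(text):
    """One dict per record. Records are separated by lines holding only '-';
    the first line is the path (possibly fused with 'Filesize'); a hash label
    is either fused with its value or sits on the line before it."""
    records = []
    for chunk in re.split(r"^-[ \t]*$", text, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        path = lines[0]
        if path.endswith("Filesize"):
            path = path[: -len("Filesize")]
        rec = {"path": path, "size_kb": None, "invalid": []}
        i = 1
        while i < len(lines):
            m = HASH_RE.match(lines[i])
            if m:
                label, value = m.group(1), m.group(2)
                if not value and i + 1 < len(lines):  # label alone: value follows
                    i += 1
                    value = lines[i]
                if len(value) != HASH_LEN[label]:  # truncated or garbled hash
                    rec["invalid"].append(label)
                rec[label.lower()] = value.lower()
            elif rec["size_kb"] is None and SIZE_RE.match(lines[i]):
                rec["size_kb"] = parse_size_kb(lines[i])
            i += 1
        records.append(rec)
    return records


def dedupe_by_sha256(records):
    """Collapse files the report lists more than once; keep every path seen."""
    unique = {}
    for rec in records:
        if "sha256" in rec:
            entry = unique.setdefault(
                rec["sha256"], {"paths": set(), "size_kb": rec["size_kb"]})
            entry["paths"].add(rec["path"])
    return unique


def neshta_backup_consistent(infected_kb, backup_kb, loader_kb, tol_kb=1.0):
    """Neshta prepends its own body to a host executable and writes the clean
    host into the 3582-490 folder under %TEMP% before running it, so the
    infected file should exceed its backup by the loader (svchost.com) size.
    The report rounds sizes to whole KB, hence the tolerance."""
    return abs((infected_kb - backup_kb) - loader_kb) <= tol_kb


def match_local_files(paths, iocs):
    """Hash files on a suspect host and return those whose SHA-256 is an IoC;
    unreadable paths are skipped so one locked file does not abort the sweep."""
    hits = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
        except OSError:
            continue
        if digest in iocs:
            hits[p] = digest
    return hits
```

Run `parse_dropped_files` over the whole dropped-file section rather than the sample to get the full IoC set, then feed `dedupe_by_sha256(...)` to `match_local_files` on a host you suspect; the `invalid` list is worth checking first, since a hash that lost a character in extraction will never match anything.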