Malware Analysis Report

2024-10-19 07:09

Sample ID 240206-ydhmtseeb7
Target SWIFT TRANSFER.exe
SHA256 0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50
Tags
neshta darkcloud persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50

Threat Level: Known bad

The file SWIFT TRANSFER.exe was found to be: Known bad.

Malicious Activity Summary

neshta darkcloud persistence spyware stealer

Neshta

DarkCloud

Detect Neshta payload

Neshta family

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Checks computer location settings

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 19:40

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
1 match (no description, indicator, process or target recorded)

Neshta family

neshta

Unsigned PE

Description | Indicator | Process | Target
1 match (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 19:40

Reported

2024-02-06 19:42

Platform

win7-20231129-en

Max time kernel

143s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe"

Signatures

DarkCloud

stealer darkcloud

Detect Neshta payload

Description | Indicator | Process | Target
5 matches (no description, indicator, process or target recorded)

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2400 set thread context of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
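The registry value and file writes above are the complete Neshta infection pattern: the infector prepends itself to every .exe it can open for writing (the Program Files list), drops a copy of itself as C:\Windows\svchost.com, records the last infected host in C:\Windows\directx.sys, and rewrites the exefile open command from the stock `"%1" %*` to `C:\Windows\svchost.com "%1" %*`, so svchost.com runs before every executable on the machine; the original host is unpacked to %TEMP%\3582-490\ and run from there, which is the second SWIFT TRANSFER.exe in the Processes list. The following Python is an added triage helper written by the editor, not code from the sandbox or from any of the families named here. It decodes the value as the report renders it (outer quotes, `\\` and `\"` escapes), decides whether the association is hijacked, and sorts the "File opened for modification" rows, in their flattened form, into the three Neshta markers. The sample rows are copied from this report (the last one from behavioral2, where the dropped svchost.com itself keeps infecting); the column order, the assumption that the Process column ends in .exe or .com, and the short-name prefixes for Program Files and ProgramData are the editor's assumptions.

```python
"""Neshta indicator triage over rows copied from a sandbox report.

Editor's added example, not part of the report. Inputs are the rendered
REG_SZ for HKLM\SOFTWARE\Classes\exefile\shell\open\command and the
"File opened for modification" rows in the report's flattened layout
(description, path, process, target). Assumed: paths in the rows contain
no spaces (8.3 names), the Process column ends in .exe or .com, and
Program Files/ProgramData appear as C:\PROGRA~N or their long names.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_EXEFILE_COMMAND = '"%1" %*'          # Windows' stock value
PROGRAM_DIRS = ("c:\\progra~", "c:\\program files", "c:\\programdata")
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe"
NESHTA_COPY = r"C:\Windows\svchost.com"
ROW_RE = re.compile(
    r"^File opened for modification\s+(?P<path>\S+)\s+"
    r"(?P<proc>\S.*?\.(?:exe|com))\s+(?P<target>\S+)$", re.I)

# Constructed from this report: the rendered registry value and a few rows.
REPORT_REG_VALUE = r'"C:\\Windows\\svchost.com \"%1\" %*"'
REPORT_ROWS = [
    r"File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A",
    r"File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A",
    r"File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A",
    r"File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A",
    r"File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A",
    r"File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A",
    r"File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Windows\svchost.com N/A",
]


@dataclass
class NeshtaFindings:
    exefile_hijacked_by: Optional[str] = None          # wrapper in front of "%1"
    dropper_in_windows: List[str] = field(default_factory=list)   # who wrote %WINDIR%\svchost.com
    last_host_marker: List[str] = field(default_factory=list)     # who wrote %WINDIR%\directx.sys
    infected_executables: Dict[str, List[str]] = field(default_factory=dict)  # writer -> .exe paths

    @property
    def is_neshta(self) -> bool:
        # The association hijack plus a Windows-directory svchost.com is the
        # pairing specific to Neshta; rewritten PEs alone could be any infector.
        return self.exefile_hijacked_by is not None and bool(self.dropper_in_windows)


def decode_report_value(rendered: str) -> str:
    """Undo the report's rendering of a REG_SZ: outer quotes, \\ and \" escapes."""
    s = rendered.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def check_exefile_command(value: str) -> Optional[str]:
    """Return the program placed in front of "%1", or None if the value is stock.

    Anything placed before "%1" runs on every .exe launch (ATT&CK T1546.001).
    """
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return None
    m = re.match(r'^"?(.+?)"?\s+"%1"\s*%\*$', v)
    return m.group(1) if m else v


def triage(exefile_value: str, rows: List[str]) -> NeshtaFindings:
    """Sort file-modification rows into the Neshta markers and combine with the registry check."""
    f = NeshtaFindings(exefile_hijacked_by=check_exefile_command(exefile_value))
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue                      # not a file-modification row
        path, proc = m["path"], m["proc"]
        low = path.lower()
        if low == "c:\\windows\\svchost.com":
            f.dropper_in_windows.append(proc)
        elif low == "c:\\windows\\directx.sys":
            f.last_host_marker.append(proc)
        elif low.startswith(PROGRAM_DIRS) and low.endswith(".exe"):
            f.infected_executables.setdefault(proc, []).append(path)
    return f


if __name__ == "__main__":
    result = triage(decode_report_value(REPORT_REG_VALUE), REPORT_ROWS)
    print("Neshta:", result.is_neshta, "| wrapper:", result.exefile_hijacked_by)
    for writer, paths in result.infected_executables.items():
        print(f"{len(paths):>3} executables rewritten by {writer}")
```

On a live host the same three checks apply directly: read the `exefile\shell\open\command` default value, look for `svchost.com` and `directx.sys` under the Windows directory, and treat every .exe the infector opened for modification as infected until its hash is re-verified; restoring only the registry value leaves every rewritten executable carrying the infector.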

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2956 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2956 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2956 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 2400 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 2400 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 2400 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 2400 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 2400 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 2400 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 2400 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 2204 wrote to memory of 1708 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2204 wrote to memory of 1708 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2204 wrote to memory of 1708 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2204 wrote to memory of 1708 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1284 wrote to memory of 2800 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1284 wrote to memory of 2800 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1284 wrote to memory of 2800 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1284 wrote to memory of 2800 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe

"C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GuQWhxmyGNWUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\GuQWhxmyGNWUd /XML C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"
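The Processes listing reads oddly until the hijacked association is taken into account: the unpacked host (3582-490\SWIFT TRANSFER.exe, the DarkCloud stage) launches powershell.exe and schtasks.exe, but because every .exe now routes through C:\Windows\svchost.com, each appears as the child of a svchost.com wrapper carrying the real command line. The powershell child adds a Defender exclusion for C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe, the schtasks child registers the task Updates\GuQWhxmyGNWUd from an XML file in %TEMP%, and the last entry is a second copy of the unpacked host whose thread context its parent set, the process-hollowing pattern. The Python below is an added example written by the editor, not the sandbox's code: it rebuilds the tree from the "wrote to memory of" and "set thread context of" rows in their flattened form (the four-fold repeated rows collapse to one edge, and the split between two space-containing paths is made at the space that precedes a drive letter) and maps each process to the behaviour it shows. The PID-to-command-line table is the editor's reconstruction from the Processes listing and those rows (2204 is the svchost.com that wrapped powershell.exe, 1284 the one that wrapped schtasks.exe); the ATT&CK technique IDs are the editor's mapping.

```python
"""Rebuild this report's behavioral1 process tree and tag each stage.

Editor's added example, not code from the sandbox. Rows are copied from
the report in their flattened form; CMDLINES is the editor's PID mapping
reconstructed from the Processes listing and the parent/child rows.
"""
import re
from typing import Dict, List, Tuple

# A row ends with two Windows paths and the first may contain spaces, so the
# split point is the single space that is followed by a drive letter.
PATHS = r"([A-Z]:\\.+?) ([A-Z]:\\.+)$"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A " + PATHS)
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) N/A " + PATHS)
EXCL_RE = re.compile(r'add-mppreference\s+-exclusionpath\s+"?([^"]+?)"?\s*$', re.I)
TASK_RE = re.compile(r'/create\s+/tn\s+"?([^"\s]+)"?\s+/xml\s+"?([^"]+?)"?\s*$', re.I)

REPORT_ROWS = [  # constructed from the report; one duplicate kept on purpose
    r"PID 2956 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe",
    r"PID 2956 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe",
    r"PID 2400 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com",
    r"PID 2400 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com",
    r"PID 2204 wrote to memory of 1708 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe",
    r"PID 1284 wrote to memory of 2800 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe",
    r"PID 2400 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe",
    r"PID 2400 set thread context of 1868 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe",
]
CMDLINES: Dict[int, str] = {  # editor's reconstruction, see lead-in
    2956: r'"C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe"',
    2400: r'"C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"',
    2204: r'"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe"',
    1708: r'C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe',
    1284: r'"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GuQWhxmyGNWUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp"',
    2800: r'C:\Windows\System32\schtasks.exe /Create /TN Updates\GuQWhxmyGNWUd /XML C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp',
    1868: r'"C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"',
}


def build_tree(rows: List[str]):
    """Return (child->parent, pid->image, [(writer, target) thread-context pairs])."""
    parent: Dict[int, int] = {}
    image: Dict[int, str] = {}
    hollow: List[Tuple[int, int]] = []
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            p, c, pimg, cimg = m.groups()
            parent[int(c)] = int(p)               # repeated rows overwrite the same edge
            image[int(p)], image[int(c)] = pimg, cimg
        elif (m := STC_RE.match(row)):
            hollow.append((int(m.group(1)), int(m.group(2))))
    return parent, image, hollow


def analyze(rows: List[str], cmdlines: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Map each PID to the behaviours its position in the tree and its command line show."""
    parent, image, hollow = build_tree(rows)
    found: List[Tuple[int, str, str]] = []
    for pid in sorted(image):
        img = image[pid]
        name = img.rsplit("\\", 1)[-1].lower()
        if name == "svchost.com" and img.lower().startswith("c:\\windows\\"):
            found.append((pid, "T1036.005", "Neshta copy named svchost.com in the Windows directory"))
            continue          # its command line only repeats the wrapped program's
        ppid = parent.get(pid)
        if ppid is not None and image[ppid].lower().endswith("\\svchost.com"):
            found.append((pid, "T1546.001", f"started through hijacked exefile association (wrapper PID {ppid})"))
        cmd = cmdlines.get(pid, "")
        if (m := EXCL_RE.search(cmd)):
            found.append((pid, "T1562.001", f"Defender exclusion added for {m.group(1)}"))
        if (m := TASK_RE.search(cmd)):
            found.append((pid, "T1053.005", f"scheduled task {m.group(1)} registered from {m.group(2)}"))
    for src, dst in hollow:
        if image.get(src) == image.get(dst) and parent.get(dst) == src:
            found.append((dst, "T1055.012", f"thread context set by parent {src} on a child running the same image"))
    return found


def render(parent: Dict[int, int], image: Dict[int, str]) -> List[str]:
    """Indented one-line-per-process view of the tree, roots first."""
    children: Dict[int, List[int]] = {}
    for c, p in parent.items():
        children.setdefault(p, []).append(c)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        name = image[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{name} ({pid})")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for root in sorted(pid for pid in image if pid not in parent):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    parent, image, _ = build_tree(REPORT_ROWS)
    print("\n".join(render(parent, image)))
    for pid, tech, what in analyze(REPORT_ROWS, CMDLINES):
        print(f"{pid:>5} {tech} {what}")
```

Two findings matter most for response. The Defender exclusion names the path the stealer intends to persist under (GuQWhxmyGNWUd.exe under AppData\Roaming), so that path and the Updates\GuQWhxmyGNWUd task are the DarkCloud artefacts to remove, separately from the Neshta cleanup; and the svchost.com wrapper around powershell.exe and schtasks.exe means that on an infected host every process-creation telemetry line for an .exe will show svchost.com as the parent, which breaks parent-child detection rules written against the normal tree.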

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

MD5 7f5c94b5e120641ba60ccad05710eda4
SHA1 2ccff660a2ef669821c62362efbea99e4e238a28
SHA256 e243f9678f50e9be30a9a65971da27b36470bb27568707edcb87a06fffb3e99a
SHA512 4a6ab0856337cb35fc1df956d8a5dadbc82ecb19bc8214db3b8e48f068f7d6544f52bbc2493670b65b56d8bbae0f73021b5d8097401e3ac251401075d8614304

\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

MD5 f91c04e5badf8e6162aec12a69629efd
SHA1 dfae2766116b6d2082aca13ba7ae4d7b2058aba7
SHA256 17a7e2f443129b0445bf99a0389c770a249a2a10545aa5874a3d25355b0cecbc
SHA512 fb115e7cbe3d8118d83bb8752362b1d94bbcac6245c66d3e9785be12c9dab0f7ff6c71d194ce500b47ea19f4f2ef3974b4ef18d179ded07b46522773932edfab

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 de27615cb6e9fb2cddda904259feeb2c
SHA1 7ad4b275305fdf44d33baef89b5787543bab5870
SHA256 7b30dc0632ac2ef42e7cefbf83c516a9105b2957b643ca2f6ebf642a52848ee9
SHA512 162383c96c18167a4420dc53babb8c2713fc43cef613f6c8971b84e5d0830cc580d3844dc3a6a9e8befe92b1026813f39383a8f22dac940f0eafb5119dceb46d

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

MD5 eb4827d7bb7650224b19ec8d73c2221a
SHA1 7714a77ba400f40c37efcb9c62d19cf696f1f3a4
SHA256 6939ac00b60649fe9508fd34837eec3fb1ba44e8614a1766a052bd3516f28634
SHA512 130a2b3e17ac0a7e90f71f385e6ced70456204c4ab6177f992c0659386a40b95d77b7450641f38f1ce61d7c5f85c7151f1b16214f77fea48b2f878fabe01cd7f

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

MD5 3d8ec9a15844c0e7839e66f881e43b99
SHA1 651a9f5c7be9756ee460b6f779b9dbff3e896863
SHA256 da6ca73dc657690216e1450c91dea065b6b08966405b77a35d202e9c1bc31c48
SHA512 ac1af9df78905d15417ccab51fa277eacf0a1b8e8c72aaecea4e44454ca01413e89f7fd8ffc31ec4d1ecf98ada302159997a0c25a60bdcf381f61d0f17e69c33

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

MD5 2086daaf21d6b6b8f6751ed39f866370
SHA1 a41c1a27a97bc263743a9930d91476fee2af167b
SHA256 175cdfae110aad8de9758322f5c5f35c2a5524d6cf532397f161baf0e947eafd
SHA512 da0a4df18a8f093cbcb346e8cf1425440aaad802cd70d7bf00d2cf71907c0cc78d38475968bcc6f67ae630a0c8fe5e8f19555c5abcf0b7e33c7e4330bb553005

memory/2400-15-0x0000000000A50000-0x0000000000B54000-memory.dmp

memory/2400-16-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2400-17-0x0000000004E00000-0x0000000004E40000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 f560aa94110c2c4ee7f8a0a3a489aaa7
SHA1 730bc5fc26508078a873f78c67a6911895c8d1b8
SHA256 f139ad8b66d19ba1240ff318ba2913ddbdc5df28702e9574a174fa99a57a3e85
SHA512 32dc905e569d2aaf175f2736b4e3d07d74443ca8e2fdd5a76a219d551fcfb5fa1a00935d42adcddc9e1f05f5763219bc5b8ac78c5e309c5e692a91087c9e9a80

memory/2400-51-0x0000000000350000-0x0000000000364000-memory.dmp

memory/2956-92-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2400-93-0x00000000004D0000-0x00000000004DA000-memory.dmp

memory/2400-94-0x00000000004E0000-0x00000000004EE000-memory.dmp

memory/2400-95-0x0000000005D10000-0x0000000005DB8000-memory.dmp

C:\Windows\svchost.com

MD5 b062ed524b6ca8adb3d610e1e9ca6e3d
SHA1 109f4126d0066ffd4f15e7cd0f9fd88b5caac539
SHA256 f2da19edfd2d7adb438eb4042cea781d546a07d2f9c36200202e3f37baa38935
SHA512 e7292bb0ea58a0c815f25bff11257dd20e7bf9a5ab2ee3ec5fbb2eaf6682551ee4afc427edeeb1c7a13d9e447121ee1562c5868644a5ed693664aa67605e0397

C:\Windows\directx.sys

MD5 99168af858799e13faa22f6a2cb87035
SHA1 597982ba26e82791585fec23eeb56e83df7de412
SHA256 cff4281a6e1d2e078e19af68851b756ceb0371538c83ea3f027cd58bb98cc3f4
SHA512 a2670fc578c54446ba019f5b4a60bcfe1576ec877bfadaa9b9040129fe1cbc02f7fff7afdb40bd472dab14f2d1a28761abc13edbe96eb874e35910a28ee99518

memory/2204-110-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

MD5 fcd8f6302a7ac98f5306d71114d51d76
SHA1 4816487c7e5073e659fb400b506edef76a141f00
SHA256 99f0dd3bdf422718adf2e670b954e7cbd23d0d8a260f948bd617e64bf61770e5
SHA512 baf83d64fc62da2d5c63e6d5ca8836063233fc92202498411cc294b48d7e23ad6db5ef34abcc06843e924a3c5f1a90e1001d2b2f3995dd30386fb3a74c9468b0

C:\Windows\directx.sys

MD5 b364923878bcdf692aa56a8676909f49
SHA1 769dcc85e12af7f22f975a253da496f0a26de79d
SHA256 da1f1df88b7c2e8c5634c1d03f8f556a0a5f6f939ed5743b55bc8f41b565130e
SHA512 4dd3572efce76b4ba238f576cb54f505cae24b5efc3f860930ac64456f720823f60e35659822688ecc3d98a3083e5e1c8ecf9d957510476386980f5aa44dff9b

memory/1284-118-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1868-127-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1868-125-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1868-134-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2400-136-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/1868-129-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1868-123-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1868-121-0x0000000000400000-0x000000000045F000-memory.dmp

\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

MD5 9912bc12355f1b65a064f5165b8296ca
SHA1 5b2fe26f535eaad3aedea014ab86d2c6a1d442c5
SHA256 fce9a966c732f6a9f164b4f5b35a39b79915adfaa94ca669105985f2a044bcf8
SHA512 9e81fb610b4bf596e54ab7da4b465601869c01e3251a1d7bf9aa29e020a75ae638ef816bb0ee5f9f820700bb737dbbb57a83bec9eb4e918c1a8ab12460654d9e

memory/1708-142-0x0000000002950000-0x0000000002990000-memory.dmp

memory/1708-141-0x0000000002950000-0x0000000002990000-memory.dmp

memory/1708-140-0x000000006DFF0000-0x000000006E59B000-memory.dmp

memory/1708-139-0x0000000002950000-0x0000000002990000-memory.dmp

memory/1708-138-0x000000006DFF0000-0x000000006E59B000-memory.dmp

memory/1708-143-0x000000006DFF0000-0x000000006E59B000-memory.dmp

memory/1868-144-0x0000000000400000-0x000000000045F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 19:40

Reported

2024-02-06 19:43

Platform

win10v2004-20231222-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe"

Signatures

DarkCloud

stealer darkcloud

Detect Neshta payload

Description | Indicator | Process | Target
62 matches (no description, indicator, process or target recorded)

Neshta

persistence spyware neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1496 set thread context of 4484 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13181~1.5\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 1496 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 1404 wrote to memory of 4976 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Windows\svchost.com
PID 4708 wrote to memory of 4128 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1496 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe
PID 1496 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe

"C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\GuQWhxmyGNWUd /XML C:\Users\Admin\AppData\Local\Temp\tmp92CA.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GuQWhxmyGNWUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92CA.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe"

Network


Files


memory/4976-244-0x00000000073A0000-0x00000000073BA000-memory.dmp

memory/4976-245-0x0000000007380000-0x0000000007388000-memory.dmp

memory/4976-248-0x00000000739A0000-0x0000000074150000-memory.dmp

memory/5036-250-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1404-252-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4484-253-0x0000000000400000-0x000000000045F000-memory.dmp
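The records above are the sandbox's dropped-file list: each entry is a path on the detonation VM followed by four digests. Two caveats before using them as hunt indicators. First, the Adobe Reader executables under `C:\PROGRA~2\Adobe\ACROBA~1\Reader\` were written by the sample, which is consistent with the Neshta family tag (Neshta is a file infector that overwrites executables in Program Files with a copy of itself carrying the original program), so these hashes identify the modified binaries on the VM and will not match Adobe's own signed releases. Second, `PROGRA~2` and `ACROBA~1` are 8.3 short names whose long-name mapping is volume-specific, so a hunt should key on the digests rather than on the literal short path. The following is an added example, not part of the report and not sandbox code: it parses this listing format, rejects digests of the wrong length (truncated copy-pastes are a common IOC-feed defect), and matches file contents against all listed digests at once. The two records embedded in `REPORT_EXCERPT` are copied from the listing above; the byte strings in the usage section are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Two dropped-file records copied verbatim from the report listing above
# (the memory-dump line between them is kept to show it being skipped).
REPORT_EXCERPT = """
C:\\PROGRA~2\\Adobe\\ACROBA~1\\Reader\\Eula.exe

MD5 5791075058b526842f4601c46abd59f5
SHA1 b2748f7542e2eebcd0353c3720d92bbffad8678f
SHA256 5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394
SHA512 83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

memory/4976-239-0x00000000070D0000-0x00000000070DA000-memory.dmp

C:\\PROGRA~2\\Adobe\\ACROBA~1\\Reader\\arh.exe

MD5 cce8964848413b49f18a44da9cb0a79b
SHA1 0b7452100d400acebb1c1887542f322a92cbd7ae
SHA256 fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512 bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d
"""

# Hex length each digest algorithm must have; anything else is a damaged feed.
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

_PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # a drive-letter path starts a record
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)\s*$")
_MEMDUMP_RE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str                                   # path as reported (8.3 short names included)
    digests: Dict[str, str] = field(default_factory=dict)


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Parse 'path / MD5 / SHA1 / SHA256 / SHA512' records from the report listing.

    Memory-dump lines are skipped. A digest whose hex length does not fit its
    algorithm raises ValueError rather than silently producing an IOC that can
    never match.
    """
    records: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _MEMDUMP_RE.match(line):
            continue
        if _PATH_RE.match(line):
            current = DroppedFile(path=line)
            records.append(current)
            continue
        m = _HASH_RE.match(line)
        if m and current is not None:
            algo, hexdigest = m.group(1), m.group(2).lower()
            if len(hexdigest) != DIGEST_LENGTHS[algo]:
                raise ValueError(
                    f"{current.path}: {algo} has {len(hexdigest)} hex chars, "
                    f"expected {DIGEST_LENGTHS[algo]}"
                )
            current.digests[algo] = hexdigest
    # Drop path lines that never received a digest (headings, stray paths).
    return [r for r in records if r.digests]


def digests_of(data: bytes) -> Dict[str, str]:
    """All four digests of a byte string, keyed like the report."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def match_dropped_file(data: bytes, records: Iterable[DroppedFile]) -> Optional[DroppedFile]:
    """Return the record whose every listed digest matches `data`, else None.

    Requiring all listed digests to agree (not MD5 alone) means neither an
    MD5 collision nor a single mistyped hash in the feed yields a false hit.
    """
    have = digests_of(data)
    for rec in records:
        if all(have[algo] == value for algo, value in rec.digests.items()):
            return rec
    return None


def scan_files(paths: Iterable[str], records: List[DroppedFile]) -> Dict[str, str]:
    """Map each on-disk path that matches a record to the reported path (live-host use)."""
    hits: Dict[str, str] = {}
    for p in paths:
        with open(p, "rb") as fh:
            rec = match_dropped_file(fh.read(), records)
        if rec is not None:
            hits[p] = rec.path
    return hits


if __name__ == "__main__":
    iocs = parse_dropped_files(REPORT_EXCERPT)
    print(f"parsed {len(iocs)} dropped-file records")
    # Constructed bytes, not the real dropped file: no match expected.
    print(match_dropped_file(b"constructed bytes, not the dropped file", iocs))
```

To hunt across a host, feed `scan_files` the executables under both Program Files trees (resolving short names is unnecessary since matching is by content), and treat any hit as an infected binary to be replaced from a clean installer rather than cleaned in place.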