Malware Analysis Report

2024-10-19 07:09

Sample ID 240208-bngf7abg42
Target 397cd818297d991cdd6497572d261a25.bin
SHA256 4a930ad4164e05378212a38bfc00145abe6519bb4edced481a2d93e8f82d0261
Tags neshta darkcloud persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

4a930ad4164e05378212a38bfc00145abe6519bb4edced481a2d93e8f82d0261

Threat Level: Known bad

The file 397cd818297d991cdd6497572d261a25.bin was found to be: Known bad.

Malicious Activity Summary

neshta darkcloud persistence spyware stealer

Detect Neshta payload

Neshta family

Neshta

DarkCloud

Reads user/profile data of web browsers

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-08 01:17

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-08 01:17

Reported

2024-02-08 01:19

Platform

win7-20231215-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe"

Signatures

DarkCloud

stealer darkcloud

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 2372 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 2372 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 2372 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 1504 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 1504 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 1504 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 1504 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 1504 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 1504 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 1504 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 2552 wrote to memory of 1980 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2552 wrote to memory of 1980 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2552 wrote to memory of 1980 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 2552 wrote to memory of 1980 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
PID 1960 wrote to memory of 1620 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1620 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1620 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1620 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 1504 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

"C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe"

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe

C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GuQWhxmyGNWUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A4E.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\GuQWhxmyGNWUd /XML C:\Users\Admin\AppData\Local\Temp\tmp7A4E.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe"

Network

N/A

Files


C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 a3ee5d4ad936946ce714acdfe7cb7e73
SHA1 5d928f794b708150b11830abbfc16b5cd5aa97b4
SHA256 ab7691d3350fbbab8b78ff9dbc2d26c8f0ed98ae5bcc6f22f52ebd120f9755ae
SHA512 87f695b2d3e727e6a7f15a17409bdf9801f926e3771c7698dcde33ffd3ea032cbc0f43a2ca935b58394ac8b511d459a7b503a6ea847bda45366445d272f37519

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

MD5 955b7c0945c2a8ff67a9282798662d5e
SHA1 e756505aead76d84e165d318a9f9131e4e828543
SHA256 2b10045700abe894b6f497f59121de8988b95272cd99a133e789eb201a1fb064
SHA512 a8336dfc199a86d8bb16cd95268485a98447983914618706ffa3809ec339ee88f009ae11af6d12a7bf39385d11f877658eacfd9f252a6e15c994bb1923b738e1

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 46e43f94482a27df61e1df44d764826b
SHA1 8b4eab017e85f8103c60932c5efe8dff12dc5429
SHA256 dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd
SHA512 ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe

MD5 08404a8e7ce9a203eca464c860768c2a
SHA1 01409e6b332173e2dc8161d3202e37611390cc99
SHA256 f870e34a63fd23ec066f9b8c9e8c7b23ba0da1fb5642a45cb0ddd482f3c77183
SHA512 b01a7bf6c84f0be7907fd67982377133b62cbcb01968683af665d918ea48f0a10a90354190eda2c0932846183ffc39334731205a1916c07f5879d2dac3ea7075

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

MD5 f67473d5c7494187e2218ef2318fe0fc
SHA1 9df0338ceea6886a620f0104c94bd09d2bdc73ed
SHA256 7a98f8b80a827691b254d3cdd832a98c2f7a416e532e8f665e98031bb9fce7d4
SHA512 ac3079098e52477cfc26a03cf38a326a9e1389b167eed2efc7c2b3b541d1197cb9f1c250c53dfb8f62bf5bdbd507a1ab08c6129ea1d724186ecfa9c6a79cf4ac

memory/2928-173-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2372-171-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

MD5 60f6a975a53a542fd1f6e617f3906d86
SHA1 2be1ae6fffb3045fd67ed028fe6b22e235a3d089
SHA256 be23688697af7b859d62519807414565308e79a6ecac221350cd502d6bf54733
SHA512 360872d256ef91ea3debfb9b3efa22ee80859af9df29e0687c8e1b3c386d88ff1dc5635b86e714fbf1a7d4d6bc3d791efa31a9d9d13e0f79547b631bddb5108d

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

MD5 da31170e6de3cf8bd6cf7346d9ef5235
SHA1 e2c9602f5c7778f9614672884638efd5dd2aee92
SHA256 7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858
SHA512 2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

MD5 12a5d7cade13ae01baddf73609f8fbe9
SHA1 34e425f4a21db8d7902a78107d29aec1bde41e06
SHA256 94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5
SHA512 a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

MD5 3f67da7e800cd5b4af2283a9d74d2808
SHA1 f9288d052b20a9f4527e5a0f87f4249f5e4440f7
SHA256 31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711
SHA512 6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

MD5 28f7305b74e1d71409fec722d940d17a
SHA1 4c64e1ceb723f90da09e1a11e677d01fc8118677
SHA256 706db4d832abdf4907a1386b917e553315660a59bfb4c180e38215b4a606d896
SHA512 117de88d0bc437023ca2f1f54b1f2cf03b00c8cb52e4b728cabcb3140659c67cdb6d2c203d3ca13767312831c6308622dfa65d6c5361ec28aaf4ec0870f9ba6e

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

MD5 a24fbb149eddf7a0fe981bd06a4c5051
SHA1 fce5bb381a0c449efad3d01bbd02c78743c45093
SHA256 5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d
SHA512 1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

MD5 d4fdbb8de6a219f981ffda11aa2b2cc4
SHA1 cca2cffd4cf39277cc56ebd050f313de15aabbf6
SHA256 ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b
SHA512 7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

MD5 6a091285d13370abb4536604b5f2a043
SHA1 8bb4aad8cadbd3894c889de85e7d186369cf6ff1
SHA256 909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb
SHA512 9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

MD5 593fa33d816ee54eb9a923d4853ac23e
SHA1 994cc751b1eda4c8d8a34714987a3c578df9d685
SHA256 7df74c5f04d08dbfbf51ff9523f8c4f9a64628ade81e87a86838d80e02bb1733
SHA512 bbc48b18f9f37d422a06616ccd81e0d3cfa483a02b503e4c33477cd53f4795b33b39a4579e675545162ea62c90c61a31678c7aa8d52a97cc0637471077828b00

C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

MD5 7ce8bcabb035b3de517229dbe7c5e67d
SHA1 8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9
SHA256 81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c
SHA512 be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

MD5 2f6f7891de512f6269c8e8276aa3ea3e
SHA1 53f648c482e2341b4718a60f9277198711605c80
SHA256 d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86
SHA512 c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

MD5 e1833678885f02b5e3cf1b3953456557
SHA1 c197e763500002bc76a8d503933f1f6082a8507a
SHA256 bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512 fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

MD5 eef2f834c8d65585af63916d23b07c36
SHA1 8cb85449d2cdb21bd6def735e1833c8408b8a9c6
SHA256 3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
SHA512 2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

MD5 3ec4922dbca2d07815cf28144193ded9
SHA1 75cda36469743fbc292da2684e76a26473f04a6d
SHA256 0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
SHA512 956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

MD5 8c4f4eb73490ca2445d8577cf4bb3c81
SHA1 0f7d1914b7aeabdb1f1e4caedd344878f48be075
SHA256 85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5
SHA512 65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

MD5 831270ac3db358cdbef5535b0b3a44e6
SHA1 c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256 a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512 f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

memory/2928-177-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2928-181-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2928-183-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2928-185-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1504-186-0x0000000074060000-0x000000007474E000-memory.dmp

memory/1980-189-0x0000000073210000-0x00000000737BB000-memory.dmp

memory/1980-190-0x0000000073210000-0x00000000737BB000-memory.dmp

memory/1980-191-0x0000000002760000-0x00000000027A0000-memory.dmp

memory/1980-192-0x0000000002760000-0x00000000027A0000-memory.dmp

memory/1980-193-0x0000000073210000-0x00000000737BB000-memory.dmp

memory/2372-194-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2552-195-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2552-199-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2372-197-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2928-200-0x0000000000400000-0x000000000045F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-08 01:17

Reported

2024-02-08 01:19

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe"

Signatures

DarkCloud

stealer darkcloud

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13181~1.5\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe
PID 940 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 3356 wrote to memory of 1268 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 940 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Windows\svchost.com
PID 2044 wrote to memory of 2004 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\schtasks.exe
PID 940 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

"C:\Users\Admin\AppData\Local\Temp\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GuQWhxmyGNWUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAF1.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe /Create /TN Updates\GuQWhxmyGNWUd /XML C:\Users\Admin\AppData\Local\Temp\tmpCAF1.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

C:\Windows\svchost.com

C:\Windows\directx.sys

C:\odt\OFFICE~1.EXE

C:\Windows\directx.sys

C:\Users\Admin\AppData\Local\Temp\3582-490\0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13181~1.5\MICROS~1.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI9C33~1.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~2.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~3.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI391D~1.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

C:\PROGRA~2\Google\Update\DISABL~1.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgz0uwi1.fxg.ps1

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
