Analysis Overview
SHA256
7ad27c7e62ff08d9c6398c7471e61f77bf84d42ac29c8a74283ca84dec2d66be
Threat Level: Known bad
The file 240426-w39rhahe53_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Phobos
Neshta family
Detect Neshta payload
Neshta
Modifies boot configuration data using bcdedit
Deletes shadow copies
Renames multiple (310) files with added filename extension
Deletes backup catalog
Modifies Windows Firewall
Reads user/profile data of web browsers
Modifies system executable filetype association
Loads dropped DLL
Executes dropped EXE
Drops startup file
Enumerates connected drives
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Interacts with shadow copies
Uses Volume Shadow Copy service COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-26 22:49
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Neshta family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 22:49
Reported
2024-04-26 22:51
Platform
win7-20240221-en
Max time kernel
129s
Max time network
130s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Neshta
Phobos
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (310) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
Drops desktop.ini file(s)
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffilt.dll | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\StartRevoke.mid | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Apex.eftx | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\Notebook03.onepkg | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15274_.GIF.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL096.XML | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\plugin-container.exe.sig.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.Infopath.dll.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_K_COL.HXK.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.REST.IDX_DLL.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\gadget.xml | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107750.WMF.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238983.WMF | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WCOMP98.POC.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Palau | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_K_COL.HXK.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00256_.WMF | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18214_.WMF | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14578_.GIF | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\security\US_export_policy.jar.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00395_.WMF | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736G.GIF | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\ir.idl.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0283209.GIF.id[F1FE1791-3455].[[email protected]].Carver | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Installer\MSI6134.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI66B3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Installer\f765f8e.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI67BE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI685B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\Installer\MSI6339.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6183.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f765f91.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5FFB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6750.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6F2F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f765f91.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f765f8e.mst | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Carver_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb open \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.Carver | C:\Windows\system32\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler\ = "{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Carver_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\ShellEx\IconHandler | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb edit \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.Carver\ = "Carver_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Carver_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Carver_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "\"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Carver_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Carver_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx | C:\Windows\system32\msiexec.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ReadReset.sql.id[F1FE1791-3455].[[email protected]].Carver
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9624FCDC12F4A022A34346990EE9C2DC
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 89A82086B6811A03F51C0559BB279ED0
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\system32\taskmgr.exe /4
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MountConnect.odt.id[F1FE1791-3455].[[email protected]].Carver
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files