neshta | c90cfb29c3a12d7e51649f59308c1d59ad948d2ddbf001d0a12d98d7a09f7b46

Resubmissions

22-06-2024 18:45

240622-xefdeszbjd 10

22-06-2024 15:30

240622-sxqvnaxarp 10

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-06-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
Size

98KB
MD5

8d4fc2fab29b53848f56f876cc33b6ed
SHA1

d7aba458e645a315dd4981e9fc080d851fcfaa46
SHA256

c90cfb29c3a12d7e51649f59308c1d59ad948d2ddbf001d0a12d98d7a09f7b46
SHA512

e07492e9bdf8712d4fb3a0d6f8268f809e7f86dd2d8101172ecd1ea4503bb64226f0b9710b888fb3a9af6e0731951389eef3c506b93d2fc4a8d08b01bf512657
SSDEEP

1536:JxqjQ+P04wsmJCKttkryVJLucrHolNeRBl5PT/rx1mzwRMSTdLpJ7M:sr85C0tkrgLucYQRrmzwR5Jo

Score

10^/10

neshta phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>1B9674A1-2686</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div class='bold'>Our online operator is available in the messenger Telegram: <span class='mark'><a href='https://t.me/devos_2686'>@devos_2686</a></span> <div class='bold'>If there is no response from our mail, you can install the Jabber client and write to us in support of <span class='mark'>[email protected]</span> </div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='title'>Jabber client installation instructions:</div> <div class='note info'> <ul> <li>Download the jabber (Pidgin) client from https://pidgin.im/download/windows/</li> <li>After installation, the Pidgin client will prompt you to create a new account.</li> <li>Click "Add"</li><li>In the "Protocol" field, select XMPP</li> <li>In "Username" - come up with any name</li> <li>In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im</li> <li>Create a password</li><li>At the bottom, put a tick "Create account"</li> <li>Click add</li> <li>If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:</li> <ul> <li>User</li> <li>password</li> <li>You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)</li> </ul> <li>If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - <a href = "https://www.youtube.com/results?search_query=pidgin+jabber+install">https://www.youtube.com/results?search_query=pidgin+jabber+install</a></li> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

https://pidgin.im/download/windows/</li>

Signatures

Detect Neshta payload 33 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	family_neshta
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	family_neshta
behavioral1/memory/2936-1517-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	family_neshta
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	family_neshta
behavioral1/memory/2936-8800-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	family_neshta
behavioral1/memory/2936-13891-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

352 bcdedit.exe
928 bcdedit.exe
2056 bcdedit.exe
3060 bcdedit.exe
Renames multiple (212) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1448 wbadmin.exe
1748 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

376 netsh.exe
1200 netsh.exe

pid	process
352	bcdedit.exe
928	bcdedit.exe
2056	bcdedit.exe
3060	bcdedit.exe

pid	process
1448	wbadmin.exe
1748	wbadmin.exe

pid	process
376	netsh.exe
1200	netsh.exe

Drops startup file 3 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Executes dropped EXE 2 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

pid process

2540 2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2704 2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Loads dropped DLL 3 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

pid	process
2936	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2936	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2936	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe"	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe"	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

description	ioc	process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIYQP923\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QE6QYUAB\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L54IQZD2\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6KIMP0IT\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ASWW3GU0\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\334W6EWO\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XHX8DMHP\desktop.ini	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238983.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXT	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00078_.WMF	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\URBAN_01.MID	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLADDR.FAE	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineBusy.ico.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01039_.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00170_.WMF	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\PROCDB.XLAM	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORM98.POC.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\hxdsui.dll	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPLACE.DLL	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182902.WMF	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099195.GIF	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107192.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152894.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_K_COL.HXK	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART12.BDR.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01140_.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Country.css	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090149.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09194_.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART7.BDR.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01166_.WMF.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MsMpLics.dll	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG.id[1B9674A1-2686].[[email protected]].Devos	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00633_.WMF	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

description ioc process

File opened for modification C:\Windows\svchost.com 2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

792 vssadmin.exe
3016 vssadmin.exe

pid	process
792	vssadmin.exe
3016	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

pid	process
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
Token: SeBackupPrivilege	1440	vssvc.exe
Token: SeRestorePrivilege	1440	vssvc.exe
Token: SeAuditPrivilege	1440	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: SeBackupPrivilege	2104	wbengine.exe
Token: SeRestorePrivilege	2104	wbengine.exe
Token: SeSecurityPrivilege	2104	wbengine.exe
Token: SeIncreaseQuotaPrivilege	868	WMIC.exe
Token: SeSecurityPrivilege	868	WMIC.exe
Token: SeTakeOwnershipPrivilege	868	WMIC.exe
Token: SeLoadDriverPrivilege	868	WMIC.exe
Token: SeSystemProfilePrivilege	868	WMIC.exe
Token: SeSystemtimePrivilege	868	WMIC.exe
Token: SeProfSingleProcessPrivilege	868	WMIC.exe
Token: SeIncBasePriorityPrivilege	868	WMIC.exe
Token: SeCreatePagefilePrivilege	868	WMIC.exe
Token: SeBackupPrivilege	868	WMIC.exe
Token: SeRestorePrivilege	868	WMIC.exe
Token: SeShutdownPrivilege	868	WMIC.exe
Token: SeDebugPrivilege	868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	868	WMIC.exe
Token: SeRemoteShutdownPrivilege	868	WMIC.exe
Token: SeUndockPrivilege	868	WMIC.exe
Token: SeManageVolumePrivilege	868	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2936 wrote to memory of 2540	2936	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
PID 2936 wrote to memory of 2540	2936	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
PID 2936 wrote to memory of 2540	2936	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
PID 2936 wrote to memory of 2540	2936	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
PID 2540 wrote to memory of 1572	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1572	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1572	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1572	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1784	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1784	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1784	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1784	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 2344	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 2344	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 2344	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 2344	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 1784 wrote to memory of 376	1784	cmd.exe	netsh.exe
PID 1784 wrote to memory of 376	1784	cmd.exe	netsh.exe
PID 1784 wrote to memory of 376	1784	cmd.exe	netsh.exe
PID 2344 wrote to memory of 792	2344	cmd.exe	vssadmin.exe
PID 2344 wrote to memory of 792	2344	cmd.exe	vssadmin.exe
PID 2344 wrote to memory of 792	2344	cmd.exe	vssadmin.exe
PID 1784 wrote to memory of 1200	1784	cmd.exe	netsh.exe
PID 1784 wrote to memory of 1200	1784	cmd.exe	netsh.exe
PID 1784 wrote to memory of 1200	1784	cmd.exe	netsh.exe
PID 2344 wrote to memory of 1680	2344	cmd.exe	WMIC.exe
PID 2344 wrote to memory of 1680	2344	cmd.exe	WMIC.exe
PID 2344 wrote to memory of 1680	2344	cmd.exe	WMIC.exe
PID 2344 wrote to memory of 352	2344	cmd.exe	bcdedit.exe
PID 2344 wrote to memory of 352	2344	cmd.exe	bcdedit.exe
PID 2344 wrote to memory of 352	2344	cmd.exe	bcdedit.exe
PID 2344 wrote to memory of 928	2344	cmd.exe	bcdedit.exe
PID 2344 wrote to memory of 928	2344	cmd.exe	bcdedit.exe
PID 2344 wrote to memory of 928	2344	cmd.exe	bcdedit.exe
PID 2344 wrote to memory of 1448	2344	cmd.exe	wbadmin.exe
PID 2344 wrote to memory of 1448	2344	cmd.exe	wbadmin.exe
PID 2344 wrote to memory of 1448	2344	cmd.exe	wbadmin.exe
PID 2540 wrote to memory of 236	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 236	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 236	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 236	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 2188	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 2188	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 2188	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 2188	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 776	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 776	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 776	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 776	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 376	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 376	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 376	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 376	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	mshta.exe
PID 2540 wrote to memory of 1944	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1944	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1944	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 2540 wrote to memory of 1944	2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe	cmd.exe
PID 1944 wrote to memory of 3016	1944	cmd.exe	vssadmin.exe
PID 1944 wrote to memory of 3016	1944	cmd.exe	vssadmin.exe
PID 1944 wrote to memory of 3016	1944	cmd.exe	vssadmin.exe
PID 1944 wrote to memory of 868	1944	cmd.exe	WMIC.exe
PID 1944 wrote to memory of 868	1944	cmd.exe	WMIC.exe
PID 1944 wrote to memory of 868	1944	cmd.exe	WMIC.exe
PID 1944 wrote to memory of 2056	1944	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe"
3⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:792

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:352

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:928

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1448

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1572

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:376

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1200

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
3⤵
- Modifies Internet Explorer settings
PID:236

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
3⤵
- Modifies Internet Explorer settings
PID:2188

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
3⤵
- Modifies Internet Explorer settings
PID:776

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
3⤵
- Modifies Internet Explorer settings
PID:376

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3016

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:2056

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:3060

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2736

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
186KB

MD5
dd88cd2e2873a04f1b44b81e2a40ba87

SHA1
ee29ca31f99fa067cde7d35cec7e64cbb9111650

SHA256
83cd4395b42a80615a1267bb2a2e71dd8953f253f3d50b1d2020c3bc975d0678

SHA512
580c8d2ef4a58ef64885455b4d92dea544e7e56181629cd0146433990f7d8e94008c1b7ab8c4f0dae5ed9b6f14208b5c70f48d0c2168b3258a50ade2ec094fe6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id[1B9674A1-2686].[[email protected]].Devos
Filesize
6.3MB

MD5
56076c500c4818c8817548ff2015aa3e

SHA1
92ba632b3b941bab44854fe29d788c104ade7eb2

SHA256
f0b5b5e8af5f796ce7374b2cdf22e1ed1dfd9e7578d900503e4ff5cd7bc27125

SHA512
0321027a6b121c93c95d8fd7a78f632c90d03021291991c600e00028634ba787a7053da479ec830eb93bf683cfbe956533188a1b750a737a508125c047be9c9a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.1MB

MD5
d059b46b8bb34111db0040eec1d29a04

SHA1
ed1d6d999e0c514b93c67171b47c41483ed18166

SHA256
c7b86c8d4e21008b8f24cd003ae7725cda9fbe15d83c9b5d60f01d529adf2588

SHA512
5d599d0c00e80cf92c4fcb9360d889cf4d46e4214ca533e5b4f73e51a23d1ed62467e3e21a04f357a299650d0a56803e3df079f862397430b639f71d95e7a5b2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
Filesize
859KB

MD5
e13383b5b1f1eeadbc837a8c07ca8911

SHA1
3c3dce72323c4262962921dce61d8106f1578570

SHA256
51e4db873d14549cfc617f0a48ecfd06c6ec885917493e1e62476db55f6faed1

SHA512
dca8d18b24c267fdd8a66309ebfcdba0bb54885e7135508c9460bcb61b8dfb24a29cc2b9ad635a76a4d3ec34759869d93060fbda0ed04318106841c9b1c2ec7a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
Filesize
547KB

MD5
40c8e8c5758557477573172e1a41080f

SHA1
25f67b9dd8cb5c73de0e028ac8d8b7b526adb27d

SHA256
a90f989f5f6b4f932feb14477d2a042460a944a0ddc5e2dd5d5d733f20020935

SHA512
1c99a7837cb6fdbede180a7e4646dc1880de85927acf1afd127322faa19a53633888c070eb1d2d7f423d0784fae5ef1e6f447a847518fdb738302d0cc2a04133

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
Filesize
285KB

MD5
f4988d7ec7286976af1ebd5c7443be9b

SHA1
5c9d293127395d240112aca3191f6763e377ea69

SHA256
365151e60b6d5d3faa3b6bda819524b98e96b66913d74cd1911010389583a237

SHA512
9cb87e2c8d83a7f52700626d1b774264a164ce44d920c4a083754cb0105884e51345e422176fafca3f36262d978ddbedd01c9e7d934b66b42235287bddb7586a

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
Filesize
313KB

MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
Filesize
381KB

MD5
c1c197ea35f355dd77226d0c9f97bb4c

SHA1
701421a95883d9ddcd2f57de5e65fde3d3c4a289

SHA256
1696f25ea7574d62ceb2e0d786a7edf9c98e74c1322927c3f32d3e25ef5814f2

SHA512
b414f7efd5d68a5a2640771566572576b7498d0a7c819cbcd4c8b4c982a416de2fae8ef881f88a2a9ede5f2475452c330266dd778f8d0441293f584b27712cb8

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
Filesize
569KB

MD5
eef2f834c8d65585af63916d23b07c36

SHA1
8cb85449d2cdb21bd6def735e1833c8408b8a9c6

SHA256
3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd

SHA512
2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
Filesize
137KB

MD5
fb54e7953d62fa86aea496cffd7e6498

SHA1
b34a52b311a4c9420e244754e5d47d2bbdade2bd

SHA256
e390461689549b8570fb395e5f68c343c09e22619e402481ca5ff3069b884284

SHA512
44616503ef0c1b4359eed861ba87d912c75f006d50a27652e0bb0f4f69c0c44386b2eb419513fe29f0e11f0b223c31850acca348bc359a7daa7f5b901d3dc0b0

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
Filesize
373KB

MD5
9574e987abe9f8a2a545e60e2c4fd458

SHA1
321b59df4983b2be0ef9eb231146d3c03a155460

SHA256
0a22bb73c3f2e43d03b9d453e549b83483d0003561b8dbd2345e8be4610926f1

SHA512
1f17d19a312593829eb70ce1dacd5911b5c9b02b4f7eb38f1d23e1995c680017f6bda6e9401c3c6838219740ab602f4f95a8010c04fc04ce33c9c503d733232f

Download Submit
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
Filesize
100KB

MD5
35863ef4d1f320b6b9e74371f27615a5

SHA1
236f55f4462859528225f6198ddb22b5a1e14cdb

SHA256
bb74b30efa0fcae915d0e09da93c53620e1ff68b07db81d1c6c4ff8ea1581ee8

SHA512
ce2d7c131b9c0fdeae007134139a4159b4bbf0788bab0acaae3d0ee91afbbabce1d5ad5a115ab0c7f376b131eaeff88096ab6e43bbe18fc609f71a43b60a562d

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
Filesize
130KB

MD5
b639c57bbe4c959037646f075ccc8734

SHA1
5495bd2d5edc42590a24768e2086a0763501df65

SHA256
3dacb82dd5e01cf0d80fa98f8370c33d4b08b427ec5f0bbd678e6484d6ed7003

SHA512
3b099a6ef57e8c053a405e2ef28d91c7cc684001640547aaa12a0fd97443f69f16019045ed5348b08b2c9160c34592e2760e2af19f855ecdaea5318bc4af4946

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
Filesize
3.2MB

MD5
7c207706cac247b1f9342af52edf8b28

SHA1
50f70cb6b7728b000ef242cae910543aa8aeb6ce

SHA256
1c727ae9f3c0460324151d7119748e01e25a753e8d5106edd1a39e9d53d8c35b

SHA512
cdf4ca0976720aa8582ef30611f179fb23175d78376acac70df610fa7092ec9588893c06c8bb96b70a29c718e89a974a215a1319cd9528ca855c92210a0c8e08

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Filesize
859KB

MD5
8110c78af76836805c0ec7121d4c2ad0

SHA1
5099967cb35145bbd0bca3c9f723a3675f0e052a

SHA256
04192ff04ccd2943294b50d7e33d9feab11da88748ca073191fc4666fd4ec8c9

SHA512
e4c2d9e002ae6860c06e1d42de395655d7d3eebb6826f7a436ef3824759f8a5fc16d54c07b942aa098fd9b6ac6e9dbd18970be8572f6cb40e2c3d128e81d95e9

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Filesize
547KB

MD5
b70e12a99078046b5137685709b549ab

SHA1
05a8ca2e6bb4769b81f99d197a26d33201c1f726

SHA256
472490b5d497151edb0ce65fec9f236a262a39a17f5340d2f94de49e2d2c4a24

SHA512
76059ab7a263a13d2fb44d1eaaf42c6b5d6cbc6f3617f9d8aa1f304e43a9e8e8e287f7d5c32284165e32ff3c22bae06e7ac25174161490063120ea27628d67c2

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Filesize
571KB

MD5
aabda1120d4cb6cf7df6c74c3ebc7803

SHA1
cc00c59b8d770334eef07bbe4984532a0794483c

SHA256
7abb5ed592746e8bca6b3a0d69fea5560075376d57434648c62c469f2c16d8a0

SHA512
cc46ca780411d8eab2a795d6a4b27c11fbd2f1c7db312bfe34a34d89b9cacc7167e4f9c429a2ad05b3340b37ca199f5d1927a76a221bcd5ed723bb2265f84d8d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
Filesize
229KB

MD5
74566c21f0efe213d438964b3289c89f

SHA1
d604912b106418e03397966a3511f47a4acf36f7

SHA256
7ac4029ec946af909ec5c8b3981ef1e7c77e9e93a095eeb41f755f7962375d96

SHA512
50d73caea309d87ac16e9b7b9053e32f11349952cde483b5cfec76b93d2241742b03dcae9c0bdfce05eb6d27b69653dfb2f27573ed6595aa63d76e10d82d87db

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
Filesize
503KB

MD5
6a9923c8c67b4465b580b943f8b4bda4

SHA1
6e0aea882778d0951d13d7142ee74af5bf399828

SHA256
e81e33c42c06a473d56fb42d47b615fe26cd51df523ae0b4323f0018d6b8a0a9

SHA512
c2af649221b1905f54a0d1cd2abb2190a0fa1a61c3bdf0ef26a81e20e3890def8cf36121e1b361c86d7149243088d0afcf0b34a4f25fbdd90a3850777b475d3f

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
Filesize
153KB

MD5
31f86806bc6b3a572acd3026177423c9

SHA1
04120856da3311bba44f74d8b2ab5d3af61af700

SHA256
17636bb3ad6745beb6fcec16e8f30870a17493a04b0f32fa8be5fd6e4ca55d4e

SHA512
8229dc8c6bab17f7e195ef45f7838c13dd289648ece1ac01dfc09e08dd081af8a0117291d7c4405601ce4948896574ac4233d88e21b5c5a2c81f71161277f07c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
Filesize
205KB

MD5
b546740b0db37565ae9d7a40975a759c

SHA1
8de20279c0f84703c203f85b09ada3729c638de7

SHA256
ec497740ded5f7f7a251fb183eca5253b98c63a0a318ad5d827db3b2b609c244

SHA512
f82f472527c45f786df840c5175ef3753409c98cff8ce04a1d2029c4a5364163f05442ccc25c5593e193e28f97566dcb9c6a8bc559f0cbb2bbdece9ddd1252a1

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
Filesize
539KB

MD5
60f6a975a53a542fd1f6e617f3906d86

SHA1
2be1ae6fffb3045fd67ed028fe6b22e235a3d089

SHA256
be23688697af7b859d62519807414565308e79a6ecac221350cd502d6bf54733

SHA512
360872d256ef91ea3debfb9b3efa22ee80859af9df29e0687c8e1b3c386d88ff1dc5635b86e714fbf1a7d4d6bc3d791efa31a9d9d13e0f79547b631bddb5108d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe
Filesize
1.1MB

MD5
938f9e69d0acb3caa3400e75f4965541

SHA1
47dd55e000f73de19ecfbfb77ca79c7a8c9f2599

SHA256
7a29fc2dafd0456a5fd5fe8a90c3d7054d954868e4f89facdc31ef6d63f38f1d

SHA512
4f63bc1c507500b48f94c1f2b2487301c12bafd4fb62516cfd508a11c6e6d63bff7dea5c4f653395e807378547d76d6c1b94adcf93cfead3405f55a22ce138dd

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
Filesize
1.2MB

MD5
2ca22feab6b7cb9348f890e54c7ab082

SHA1
d8471bcac34ebbf3293aae2084e37660017c7cd1

SHA256
6b3aa3a3e0b0138aeb50ccd3f1061800f5171bf58f174bfdf7a206ab98d6839f

SHA512
3787edff0196fb62e91bc19470dfe8070b2f7ebfbadfc13da719117e13510d922bf9cf3147093f7356b614d49c2cb9bc23d85248e90671370eef957d524dc43b

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
125KB

MD5
726e7d645e2657dd9fe0ccaac4177a0c

SHA1
2405e0d02856b6d133d3c2389d16790d372c73c6

SHA256
d9df21997b3223df407e322cce1044bd705d776da0f38eae6de18c9ff0748a57

SHA512
e5fdbb7d201862bb9f03c6d3bb3bc0bbab06a05de86e4ba1870ffb04485145452ea6c59c2c89254d994ee45b138fb090c20e005fa3607b7916178607ec8c33a9

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
Filesize
342KB

MD5
11b808a636ca2514df18d3b8a4e0e6f9

SHA1
77e101fa15da2fc0032a9fb7c4f3e8aa8d426295

SHA256
eadb833ae0dc8e459473e17769228508d0cd2099c9468ddbd7ea18fb2bbf8360

SHA512
664748827ba087b851861f65e7013910fd56347e3b5018891d633d43e4ccbce954267304ad6c952350ffbfcb3f6bce1aff2f38d7dd95d500efc34fc41d566fb1

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
Filesize
439KB

MD5
d7ec8fa051fd1a84482d8c75fd4874b9

SHA1
5feeb949ea637dc6119075a99395dd1264195140

SHA256
119289acb5bb1aaac9b7de849cb67b8019d36a4b863e34043eae264eb578c558

SHA512
a914cdc117f60d3f663a17338f1701caf76481e46d1ded5752d096aea9534bb2a22086976adadd54773dbd6deaacaaca52ade243a15472c317ad25352d7f4a1a

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
Filesize
207KB

MD5
6c5966ced4c238ddc9d9df81c8c006b3

SHA1
473184992814479ab0729b85837ce7984fb15b71

SHA256
7a6844baaa17ab9f80ee9a6a5a615e4d3e8987ae91c4b4877fddda6bfdee9eff

SHA512
99053cf1fa86743b8dc2298008eaba8495d4b7a7eb85a773f1f5923d2cf85f488f31a62545413679d95c8124e30309353242ab8655897ac76f3274e540a6e029

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
Filesize
230KB

MD5
ea605a6af7d7304d83b21619cb33ee6e

SHA1
5eebc2494214a8a22229630c77469bd9bf8c9157

SHA256
fa1ae4ef51e2ed75f7ad56cc553ece61a84ec415242200d66b1200ef8d40bac2

SHA512
4868ed87dd1cafa808469233bf01d5faf29c3dc94b31f6a46959b5b9eab1158af0137a8a649eaf1c3b855fc7a9b2ae860838209eee4e53a937e01cbb0e8066f1

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
265KB

MD5
25e165d6a9c6c0c77ee1f94c9e58754b

SHA1
9b614c1280c75d058508bba2a468f376444b10c1

SHA256
8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217

SHA512
7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
Filesize
155KB

MD5
1b9cc7e46765f3a07113568a76fa2f1f

SHA1
6c7b7494d4cd17c8f2fa99313a0ddadd45bdd471

SHA256
ae5b8d19cc48f20ba8c466e0122ed37279e9ba335d751e9f7bf6e3f5aab608b8

SHA512
fcb61565b91f3d58a207a7893be8ce808bf6d6f582ee353e74de2d284ce81248904b7f7eabc179666764704c386219786599fae61651c071f063a6bd9b5c9746

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
Filesize
207KB

MD5
6393e803f97c7fca713d899cb9886d18

SHA1
9172e7ae4f35a478cd416ece868cf308d303c3ab

SHA256
e7fe1ff96b2dcb1512bc530e2ac86ded63c495618d18aaf3c3db52e6ea3e2b0b

SHA512
de53203ad785d523124aeea4f5ede064dfa635d13b99db991728976bef4af2fa9afdc17f27a31c2b854a38cd2f37edd2343a2bc14581141217d09495dcac9970

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml
Filesize
964B

MD5
0fb569bd35d44c9ffa7d4728af4e734f

SHA1
b41945703b8efdabbb18c60ccd93d2115ceb78fa

SHA256
788ddb3f7716950d0d204e6cad9fe3cc1dddb6140f615cb1c76bea0541722c20

SHA512
b94c1fd2dd103b19b5fbac6c76d3166be91b01d659e1c912a26ccc48664a153c62cbbbf15ab3869aef08fdc8bb3918e4ce83bb97a1a428f55ce12793d50ee646

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml
Filesize
961B

MD5
5360b12f6a07af7be93437d215f72fca

SHA1
fe12fecaca49a131167d88817c4941514ea408e1

SHA256
a0cffb66ffbe1d4701a3aa75ae66af7ca178b45f5c722de3d9021a543129f80a

SHA512
a0b23b148cd30b1d4a41e81aca63179eda341bac1d1c3bf83924d0bef90a47e11f2de08b4cbb879331d507184ec1df9b59c18951e740b94247ef726b15fcc410

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml
Filesize
962B

MD5
c3c9945cae188df73afd04c6251ba98d

SHA1
4327d33b49b3c7046cdff83bdd31c724bdbf4118

SHA256
a2a40bb99c6a44d49eeb216549045620e8cb9fb90fb165eff71f846f30264096

SHA512
a674c78678624d59cff6386381c0e4e459836484aca4e617fec26729878743d2ffa5dd4a3bab0a0f0f27d60095739cf4ee0a6b0f4a5d79d31b43a7ecdbba02a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml
Filesize
960B

MD5
e2b1e53f26985bc0bc2a99c7d107a1d1

SHA1
b0b9bccd847f973baaed9790a33f3f77d2d1db1c

SHA256
3dc463a76fc170607c07b104c3cb531362ce7d6e10c1a34e0c0f370aeae08ce8

SHA512
0c53d4208a6b0cc0e6959d7eafc24012efd854316ac3830267861fd02f1da0246a268e75a7549b8b5ede05d08798f22f87c7bc305b62dbf76632cdff107ff718

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF
Filesize
185B

MD5
6f6b5e30af6a9e64b7b6a19c39de7e0c

SHA1
f4e37133cd52efd2967e90d645332c44a56b6832

SHA256
babd6f664158d665504571b169a1e81ef75470cdca4fdd7d95be6cdb7826136d

SHA512
4521a9829f60e2f4af33d4f72dbeedac048fcec352554b449ca36bcc32b64b65151bb7fcec78b389c37ed5819acd4c7f61e9ec08591408dd2400cf78ab5d67ed

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF
Filesize
177B

MD5
81e4bf29a6552cb0df60980b937ed4a3

SHA1
ca18e846361c6f84ae934ac108d5df987e977925

SHA256
8d84ef2aa665b1d6e1a15112d9c53eab04b68a09a088de5392ee63d51060db81

SHA512
ff58938f4d4c80baba6b15d20744b9762757cfc6834d8a5023b209f07914793881361ab457eed2fb0d17e28a8c99c541a142809f19715d0350c4487e78846ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF
Filesize
175B

MD5
6790430bcb39e961b83668cbaa1573dc

SHA1
9f01e584f766dfbb5e49d6e32f7dc51fea2d0d91

SHA256
5514e3463923ca8257bc073bf34413d0426a6b45bf569b5a5b74c7c5298c57a7

SHA512
6fe6a31054dc68ee8c59da7de683ce56963f27b6a3e8ed634184c5ac99b6cb4dfdc2ab7980b4acb1f9b2a44ed61cd363ebb388b44cf466c736789d9bda98573e

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF
Filesize
173B

MD5
4df019b7bb2ba1e54ed725a85be04261

SHA1
f40905a7a7dd1623fa8f075715c862f6b944e961

SHA256
33c35642a71ce7d31f92ebe614045d206968f058cb345c7df4ab397a2655f16d

SHA512
654f35be8431fb1e9995a75ea93b9fb04fa12e7ed94923df34ec99bf8052c46effb28ea46417357e1a6ce6f9a8663525d5ad48cd74942968df2a178396024ac1

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF
Filesize
176B

MD5
5dc32f41bef844b95b3a8d79e9633c42

SHA1
50cf558caa78030567cf4e265f7c9cba3a2d904b

SHA256
86d2cf5b090f43ee54d8f7c1dcf746a853951191457ff6dac96269a9d24860b9

SHA512
99e7e8bbb58a6727ddbfa71f9dbb7d02658a11d7e735367ead3cea004ed3edba9cca8997117745fb40733672879b5f466a7e39cd5684729eb413bce49c2019ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_OFF.GIF
Filesize
341B

MD5
c2dc578691371996eab94eb37f6896e4

SHA1
9c09715d6b50b203e161cfb59bbbfaa7837532c4

SHA256
9f3a97071dc41574af5b54e44945fabef8d5da339d179476a78dbd624a60033e

SHA512
a3778926bde4b74eb0dbda8c7857f2f05c6abfc39222f80332bfdcf7fcfd4db9b81ddca44c45a1155244e667f98f07c7211c25a29c68a62d89b8637e8ae05e70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF
Filesize
222B

MD5
3e586cd8128ba5d03ccbc121909e7421

SHA1
140dc52658e2eeee3fdc4d471cce84fec7253fe3

SHA256
1207fbf437a6d60bad608c9c4a7397194c4f3768142a32c7e5f3a1415452a992

SHA512
f1759159e90975a7baf3c666e402f9063909bb11f47371c9472ae40315ba13454f0ff4aa418c7d0079eebc09909268b5d2d39ef871f0e5850544b1442f9d6f1d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif
Filesize
1KB

MD5
79b9e09ca5f8f8ebd840da4c96afeccc

SHA1
efd9e4cb4eb7a896db0cd0de5138eb5be50864db

SHA256
318e9e1df845c4135ab519baf8e2c9e617df90e2b3020741ab5d926bb0d4cc93

SHA512
2df29a7c367151d76b4adab7002e0e90337c1ee07f935545cf30cb729ae91171bceeec0e2611e50d91d097797bc221ff63f949e225629f23a0dc5de3dae851da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK
Filesize
114B

MD5
301657e2669b4c76979a15f801cc2adf

SHA1
f7430efc590e79b847ab97b6e429cd07ef886726

SHA256
802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b

SHA512
e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK
Filesize
113B

MD5
b9205d5c0a413e022f6c36d4bdfa0750

SHA1
f16acd929b52b77b7dad02dbceff25992f4ba95e

SHA256
951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a

SHA512
0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
Filesize
85KB

MD5
685db5d235444f435b5b47a5551e0204

SHA1
99689188f71829cc9c4542761a62ee4946c031ff

SHA256
fde30bfdd34c7187d02eabe49f2386b4661321534b50032a838b179a21737411

SHA512
a06d711574fbe32f07d20e1d82b7664addd664bf4a7ee07a8f98889172afe3653f324b5915968950b18e76bbfc5217a29704057fd0676611629aa9eb888af54a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
Filesize
1.4MB

MD5
5609f1f48a601631146002fc642c5338

SHA1
0a2111f648b62c4673e6a876c492cabb8025c19b

SHA256
151dd4949daf9d7b81d59bbaf2dcc2b8918ac6d9262db88f348fdacc3abec05f

SHA512
55793b21574dd01529f495eba67aad57d6c6ed6aa1012799607bff530a0ac905d84d032d15f5aabf5821029827092c47119e73c16aa95157d32b0b5ade0d6089

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML
Filesize
179B

MD5
bec4473fc43b77e28e60f89da4e29c00

SHA1
d5dbc7c6642a8a23da14f952a0f64fe874e8191b

SHA256
5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96

SHA512
ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
Filesize
129KB

MD5
b1e0da67a985533914394e6b8ac58205

SHA1
5a65e6076f592f9ea03af582d19d2407351ba6b6

SHA256
67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f

SHA512
188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
Filesize
246KB

MD5
6180bfc8a67fd42e977375c0cb644a6e

SHA1
1ca669f62d9f6637783be37bb6b3dfb41d2810aa

SHA256
d29d3d783b82422a1fd426cf891ed386bec1ce6fc8e094c33530d8299bac9029

SHA512
6c3af53faf366d41bc3a7917eb13b6e5767e1bc7581dd3779930bf919b5f5d25db53b9a8c1129a20fd768c50da36ebccdad4cefb717ed05569daa267c63d63f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
Filesize
188KB

MD5
a7aa0336e62c816116e998046085935d

SHA1
d71d0ad204b1a8165d260ff9ed978bcb8eba75f2

SHA256
ee0d2c64243e6ab4c23271dd79c5ebd62de4ba00a3590e1cdb9f5647c9903e9b

SHA512
63c4a2ad43cd16df38eab65a66732d16ea885fa486c91751c3b3f5e216fdf06fe4d6306d79e82eedbaebb88b5bbed376c61025a3d67efa0340436831ef842f87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO
Filesize
1KB

MD5
8722af8683c6dedfa35cf708f04e507a

SHA1
e411318d7904624a56946cec0059e380b0a4bd0f

SHA256
a338f849bbccace695e284ab83c0cecc84876fdb292078f1186b31e9b6a07127

SHA512
1341ce0453aeae411696a7343f2f6a6fa991fbd483433841cfd4b202ad476d77ba62b66ff547baf4e29a5bd38e7c1f2f78ead201ed1bb8ec50b98eb763bb11da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO
Filesize
2KB

MD5
d4a7e4b0851785143ecd98f019ace3c9

SHA1
99d3d7b7167a9ce2fe67a0d296bfdf60ba7a8a8e

SHA256
ea3a2d1ae34d98f545d82a53ff2d1c6e5334ab4a0a4cd902e3fcd0fb697bf32d

SHA512
cfaa3e8c5f61f0b662c6e04296ae67b83d81fe96eed7872bc503c131cdf47576777d1857d0575ca309652f63f5de2a8ad6fe072bd3c3127eda3d353e61260c2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
Filesize
4.9MB

MD5
0331c5bbb62748785b64fdc324be2aeb

SHA1
0d3f7fc0de180279ca5e3a41e0b2419b6df023b5

SHA256
b98e4998f26ddd63dc31d11d3722ad2ab66c2d83752683fc09d32aa3eaf42366

SHA512
70f8acec7517aab035b70adc8f2c78d65c323d6ae0f56891854023b5bc1c69763f56c6d6e33163f327328fb6f02cf30de18379515c5181168cf9f5adb5e78714

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
Filesize
962KB

MD5
a8d6186f02c35cab83ebedaae12b4843

SHA1
76c2504bddf77de324a0f7ce53a1727a7f9c786a

SHA256
2ef43165fe34716221e217319534ce922802e5773202c0e84a34c21be0de23fd

SHA512
f76b1ee2e939269b919d7149b0c2189cc4f4fcc9b6ef73e805a332abbb4d5264bb6e1fce7e0324e849aaaffc8fd23d949bf3a8097001702c06f79595e0eef71a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp
Filesize
2KB

MD5
cc084392f2514a4337b42f4865e2cc83

SHA1
79ff391fe2ea7244cdb5a1e1e5bc68ee0cc1c17a

SHA256
3bff857daf1c246b3ba79bff08805f403b65b0e2a5cffb40b078a383eb861514

SHA512
9c19d048cc3c0b34e8191368b9d243a4a9a25bdf4c55b3d51da4e97a679ca8507dd7368fe3ba22cb32451d433533d215549a276271462f8d1d1c2a9ff37ab68e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_OFF.GIF
Filesize
462B

MD5
9cb5fb90f42219febcadbc6eb57257f6

SHA1
c948b86625804155f9ac9478a07cae11d8021563

SHA256
1093af6901915021573eb2e3bcb49af7f1eb79df351806d325b80f1baedaa185

SHA512
9c9031770c5c67f40b93dc7dac91822f3b5eabe1deb83eceb2a878afc810a810ce0521f966e68fa49aa1973cec342cd3ef6096ebaaa191b885a542e4a178ca5a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF
Filesize
621B

MD5
59bcafcabdd1f16e7b9889ee10dec858

SHA1
116cf3bc4321fa20352d009e1d0cea588a9b61e0

SHA256
006f8885e892963b3d4a0b53141f888ef5d0b36770d43b82296bcbf800a89d13

SHA512
2d0fe70022c2bd7397b94c78b27d6c3d2426a644a1601b6381084941e9b1dca913d0e0787d8e463d69d7730031233f5b85ec76b480b736ced324fbd45727dfad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO
Filesize
318B

MD5
385592b8ece89d5bb6c8ff79b132c562

SHA1
bc14ffc7e1686ee066f445f1ab95714ad631b9e3

SHA256
b57536fb8401facf2e6aed14ed0f15e42a4f38b1e05eebc1a8be1613909c5165

SHA512
62ad043d2e28c8e5eddfb9d46edbacd40ac092b3fcc0e5bca70ac0d07d9d4b80cbf194f99803bbac70f3b963f9a3e7ae2ba29ecf3d71535ea3ab257115862bc1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF
Filesize
496B

MD5
ab58d658c2dfe0393df78f57740dcdb8

SHA1
096427e4fce6a16c49a01f645139172fbf077ba5

SHA256
882993b55cc0c527f0a6059b69b3faf4ef3ccb9cecd3d8847ca0e49a1444debe

SHA512
bfbad9a939371aa29f4ed8c5bcad0d0299766bbe6dc1d9d6233ae0c060a394c0b8bf665b11a28c3713d434340dda690cabb578ecf3e2a4a462d797f0b3f30df2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF
Filesize
1KB

MD5
0ad4cf7b35f62b8ff9c73f481594fbdd

SHA1
08b895c85051d99477cdf56d80c4006c262048ef

SHA256
c55b90509b8cb9bac53fbdddfc93d4e572685c509f1218423c43a5d6013bbd48

SHA512
697f1c0117c89ea0486b5b8e9dded787eafcfd710251cef4cf5cc275b1572a5cf9d499e44fa672aca8a77521a33b2e5040cf69c7cc3947fec2cd75d2296edecf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif
Filesize
233B

MD5
64321e9c7da09049fe84bd0613726226

SHA1
c2bed2099ce617f1cc035701de5186f0d43e3064

SHA256
e43fe96a7f7ec0a38984f78c064638b2daa75e261ab409bbbe2d3e590265ec7b

SHA512
4f56b895d0ab27f71ad4f5e54309538ab3052955c319ca5f718e6b8f8fbed1bd5f51f036eff7cd82d4403ad4b93395ddf75dc8621041ef5c5ca916c1113104c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF
Filesize
364B

MD5
9d1101f2c45ce53f2ead40247bc2629f

SHA1
c7c2770645e7611ae33bd7a0b3ed948d39f17c06

SHA256
47f0149b43961165c5fa224dbd2d1e956cf0a26b86d15ee3e12652c2a6e013ca

SHA512
91ae75b332bb98b6116352147701514db0426f710600bcbd1bdfe31f20ab83c2c21c794244055372e5d11ee177f8dedfd31a1d9a744b84be0f57b580a8464ec1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp
Filesize
1KB

MD5
79f7ca0fba179cb0bc93eb2f178e4ace

SHA1
a529d3822d5bbe18f6c3acfe44b19f0449e76f9f

SHA256
86a618c687c518ca93f7151a26391ef0e19101986d30f7eeefa420b0574fc5ec

SHA512
3924f19e1a9e1b9b9eac515c1d5dffff2aafde9745ad8d20b0d71dfede631875c611b58b2624fef0273830341b497fe7b554710d18bdfedd57c36ac0a764947f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF
Filesize
615B

MD5
9c1b2a47c87f33de47ccfcdc098e1806

SHA1
4ea8f90ce4f6569e41788252674776594ca668f8

SHA256
8d77e83b50a81c442acd64cf5a57ee30906256da88e661e87cba51320f2cdda9

SHA512
b317fc3bea365325bc928e347d081bf019c0dd35e764172ed105212e86ab4ab303b92bd1bb0752cc27c0a7d46548e199df353fb84873e812a744878d9d34bd30

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif
Filesize
369B

MD5
697538917066fbdc54bb7922e0f2eef8

SHA1
21cf57e715733ecaadd17747a6956fea5dfcc3e9

SHA256
1270be94b76ac32534581f51fecec7ce90ed9e0f3693f310058fba0c6ca8aaa7

SHA512
26806e433c67cbcf7bff91a47e214a312929f279739bdf2ca0b5d26f04e40f76f6350161c7aaa44de48fe70aa6bb67293d9736aaac526f1f794e94f135538be1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif
Filesize
580B

MD5
bd38f281632881248ac7f09eef8a6319

SHA1
5a40ad5f3ec39d2ad991e0b94683a0ce987d5066

SHA256
b92428daaf38be6775a2b1ce78f5c8ce213b90c6e6fbd95bae56458ab90f7437

SHA512
1e102e101b9c679ff5bbb874806650bc12a69dbab6fd446617e392c99620c81e35c2233a745934692b2e4f20b46a7cf5e90cf38a97b87ea588d525ce356b6099

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
Filesize
847B

MD5
ccd9d8aa4c9fbad1069e4dd2c4982652

SHA1
58cc653eba0694d39e7615ee7e049c8441fe6600

SHA256
35e1150f8a8236fd8c2be2c6da618b5f5366caabb763b7453201f5c430441aae

SHA512
7530335f5f01da26479349321531093d3da8a1cefd4e916496dd254273076df9ef5eb91ecde1221e37a2525e76a8578a6859ec79a15ddb0a69e2e39578afb8f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineIdle.ico
Filesize
3KB

MD5
175b6d3035eaaf10bcc78b54ab021ecf

SHA1
480f5c00b285f824d6eec209d6937e05c34d1805

SHA256
868d0516a42b8340eba07ffaa00f5928e1d6a7daf2a3c4d96c1b86b80e2e3e81

SHA512
eb0b26da872e4e957415ca60d0114903a3b62dfc6f4b02db745004a32ce55d791baf8d550284be03157a59a433fdc9e39a3129155cc0a73cef87febc51fb2f6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico
Filesize
1KB

MD5
d33c6324366941b3c100293e79426478

SHA1
afd047c1461a2ce36b775cc94392672eb43f1463

SHA256
d2a2840f1282913c2678160f13f3204616a9c302ae3b8f47bf17783ef3323aa7

SHA512
7cffef992a6008d2d5b1cd768ae722d533a7e2a637b421ab67f16175328ffc9f3a4cd72ed5db695796d335371aad94c4bf9003fe685c3833b7687b59bbb6b940

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico
Filesize
2KB

MD5
46b109680d8e37a25b4ca79ff35e270f

SHA1
e1d4ca57aa3114a7931c7a5bbc8be1ecd8bd7882

SHA256
54a918ed71329a2e6af831153825cb69b8cd45938a352d3b0882c92969a353dd

SHA512
7533cfb7af8b272d23734efddd2eba7524a746ac0664621ba3c05f139417f6e68bdf6e38c57ea16e8552d0b491a37f320f8f95d7b9e39e3c171a28f81643197c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
Filesize
605KB

MD5
7edab6d619b457241241ef62ddf90f73

SHA1
6c1ddbe90cdd79759c11a471e2373085440ffbca

SHA256
715f27fadb7a11200fcfc52ddc90197b4ad3e5b3dce31ba63775902894af52ef

SHA512
c0ac06b8052db4811c34edc28b0fda61edeb686d05f1788a4fe212cee32181aa81ad151d7a9829bd5a47f06c29e326a558fd798cfa434036c976cc8953ae3591

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
Filesize
2.4MB

MD5
088158b1d858ec57898f3e2b51e24b83

SHA1
fd2071c218305bfecc8b06f2ee32f72024fa0770

SHA256
c976b6c78b53b0fe8429648ab13b76336d4ebf43de3dab7b2243415c90a71d89

SHA512
6721dfbbe145104a2776dd4fd21334bd895e987b5be70b431081088ef64636700726df52a19ddfde3c5338a03605017cc1e79a67df68ac46fc872dc9dcc7c0a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
Filesize
109KB

MD5
cae066fa2cef1dddf17a314dc4339357

SHA1
6548207f4e6430a7953b3a49fbf43d717bd2e459

SHA256
c0a60957b1c3ff4c0482eb05a16a37325c0ba1454d59474af269f23f2184db5a

SHA512
c5f242a288ee6176e4d2be587d895fe43cc55d880cdecbdec7e97a316e4f7474d45743e44bdb39ddcf7ceb5dff4c6efeddede0c9b6880722e0565dd236471351

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
Filesize
741KB

MD5
5d2fd8de43da81187b030d6357ab75ce

SHA1
327122ef6afaffc61a86193fbe3d1cbabb75407e

SHA256
4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f

SHA512
9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
Filesize
392KB

MD5
6b53560b0d6081aafa69ee8687f3f169

SHA1
e7e7a0fe35e4524c1e97f7c4648e87e7bb0381b4

SHA256
820e94d494329c2b5c4c8abebbf0c413af0c18f2b02693cbc2dba587fffb2cc3

SHA512
11369b380a51575148826d945f14a087e2062a52978b2739140bc2d584aea7a98e683303d59eefc8e8181bb5122023b1d21cf2f45e73e2cd3e3257ae848a381c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
Filesize
694KB

MD5
7a4edc8fb7114d0ea3fdce1ea05b0d81

SHA1
02ecc30dbfab67b623530ec04220f87b312b9f6b

SHA256
ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550

SHA512
39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
Filesize
726KB

MD5
7727ddbded4ba205b69965dd7771efeb

SHA1
b8d2d6cfb58c89e34745d6da921663f6db381d4b

SHA256
5ebcc7be4a23b0017b99136770837e404d0b9bc988b44910d6a24519fe8ba3e9

SHA512
f9e9c1449abbe513a9256c295381a0126804a13cb3afa57a5b788593a9ba69cbf64bcc916f1b9e193802d70348d39bf0b70a269c89b0e0f802693eedf167fd9b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
Filesize
144KB

MD5
d69c90688436599c02adcae443d5066e

SHA1
db630b4b8ea4b1f398f489bf63a24ef718013c00

SHA256
ff2476e26f6fe1ba615d7c3b4f9dd96a1d944c45569be1a22529ee48cfd6a891

SHA512
53e55fcfc0946a172d9d30a8f953c978735e39eb6ded62d4df073d49c958e389054560678a6db0629bc53e41c7aa65646a8c9d8ce146b73b7918033460a662c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
Filesize
127KB

MD5
871d63b651881da72ba1d81b4f1c23bb

SHA1
0792e23e8831aad7bf2524ec3b825fd12beef262

SHA256
e944575e070184af5e9870c1f4984e10b3de361f75683377c74c5022153e7521

SHA512
c40e14c2af28aa9aa3d6db6aa3f45233f53abef6d00d4437c59d29e36955d3237f32ec22e06ee18db04fbc27cb3f79d75df1f646ccb55500fec429509d1f4809

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
Filesize
308KB

MD5
a42dad802d28bb23964c726b6df4a7e3

SHA1
e781e9120dad101caab3c21aa3e236feaf898b2b

SHA256
e48cdc6c411889025c285a3b2d2bb70a6a4e9c9a67c47618970db964ebf058a3

SHA512
d28512cbbb97eacd754f3c30755a008ccb88a47704b2f6d7f7fe69184250bd754af4fbc5839970576a6f8d37724a910ea25111152fe445bd2950fd53b6194d92

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
Filesize
2.4MB

MD5
101bfb38c27bbe9b50fa01ecf0ad5673

SHA1
440b04b7b40934b45d2acc09e81c8861f611195f

SHA256
2e8640a9e59801e7d230af76367cd41d0d3ce730b1a58c48fa6154df74674944

SHA512
10cb5d2284ce20666e655c8688b75770d20d29d44c2c635d48204c2d0ac2b27e3c9b86e65d44d989a1ad77b80962911cbc80c18ec86cf959b6a2660ffb765d87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
Filesize
262KB

MD5
0c567b63dbd294c74b2af44ac55bae60

SHA1
3bb524c6c6c5981a36ea7018c2319e1441462006

SHA256
9749bef3ff4ef9f4c9aa4a4991c3c6e943b2443c0e24efab2f33315c7bbd7b8c

SHA512
1c504d5383a0f50dfaa2852c549b4e4b6196daccd9c625d9cfb098a247d35b33ca5f5536fe3bc34ff6e77e6685b49f5c0abc2c19b579b60e9196333c5a85d87d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML
Filesize
807B

MD5
b024a04198ed894b334178e411856122

SHA1
ca7552399eca0ceec6a3dbf393396fade2f5f550

SHA256
cadbea407cb411d2ed1c47c77536b622eb7d53d4fd3ee3b9897d554298683fe3

SHA512
466ef38a6bd49fc816e208b408e5bcc7d366dc7eb9072600ab21510b6e1417894bffeee5ec96f5a0a535d8e541fd505ae3450f2233e5a128bb073394c530e879

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML
Filesize
806B

MD5
b4052c951a5d5df0482bec08dcd1a1d9

SHA1
99f3e0929eabf972e94c276c6423499860202f65

SHA256
f860ea6cfbfe8ddb3862a09c1b443f3273dac1a4757ce9e7a3b34d46f971ff10

SHA512
c26450d504e58cdbba0ded009158837855dadd8040b0c05845ee25b540567758c650df3d6b28c3571adff47e39d8ef99b30144250477524a19ab172d0870ef82

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.UK.XML
Filesize
810B

MD5
938fcac2676e99d92efee069eacacc37

SHA1
575b35480aab9ada77d22f922bc57cb49a7580a6

SHA256
9b8747ddedfdcb06f34ca5161281e28aafe3bec2e4b21aa731e17bb46dabc6c1

SHA512
515074b8b8c14986ab86913a659ffa007cab07db5c6798ef6a4e12279ad3bf68262ac42ce991ed20a06825a8e5b8d0efc48aca38dad5503178d1dce0ef68c33c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML
Filesize
812B

MD5
dc5794fd7e35debdd2e25f3e22761cce

SHA1
348034e08eaa9434bcf5713e9880f60bfd33ba78

SHA256
15dfcf446deb114d465215cf49907aa5efc5fb8531f97607d50148cb4b680288

SHA512
6a9b27a6702e40ef03367ce611716816cc4debac9086983148ff75c4e8656f10ff5edf73e95e18efe9e0ef7b721350e86a20919061d0ce1266258384ef98b1d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML
Filesize
804B

MD5
0b0d4b77b1494ca873f4311cc88a9fde

SHA1
e88f8c3100290bbcdc224f4db05a77811726fe90

SHA256
60107be66c9efe4d6aa0a3864f71d60b3800c8d6400daa36c05609d099b5f891

SHA512
0a2410540f096ebd0464f16681b7375152fe8844ad2fed5fe86b352a61d6c65695051c82a36b77156a79ac633943463739752163d48b26abedf2db2c49ba794d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
Filesize
2.9MB

MD5
086b46156a85ba0815e579b50f928b90

SHA1
b92833f4ab149ba63a9c1d46b7de709ac9a73295

SHA256
b697eab4fd05cc29aae628c524521c1872fc5fce3d6ea51886c5710c5db03e0d

SHA512
ad8e989c1fe5de536155799fc8888ecf12e21fdba6deda119e2f34ba961fa199bae85c9176d14fa60e584c1d470a9aed46de6aeaddd7e194576873aa4763a388

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE
Filesize
4.4MB

MD5
432b905f73c0ea980f48843ed0661a5e

SHA1
0c7de0aa00de32d267847076559dbd145944a8e5

SHA256
3b18534f5a5ee9bc20dc6819e89bae7589f932e33dfb9a403ee0b9126c0a551c

SHA512
2184190218e0b6ba12c2b85e9c54016eee66c37452c306dfbfdef83e6f3ddd9b669311211c71e00a50b3033054b19680c70b9653dc1f4e90e3599e4a782160cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Currency Rates.iqy
Filesize
205B

MD5
0ec3bbc188caf04134280e5a95f00446

SHA1
bd398b51e76ebec0b43d756e04548a1907e8d2ba

SHA256
97779f7cae716a4243ac78cdd8c051cfbefdd111d26740978dd0f4c962c2aa7d

SHA512
e67b8b8f0a30a663360fbac820bfe536abb5534db6e0475424ad3dfd526793663ba5e7d866ebea85f67c9154d6bbda2d38789255f83567be05848cc0d7c1934c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
Filesize
549KB

MD5
ca97b2675ee3f211d85d8ea1ab401e34

SHA1
b7eda9164d6a9962f4d649f6f2920f3bc62b5536

SHA256
faf84a290ff03a2f598baecaa63de2bf0d369747c04a83d033c28be2c45a630d

SHA512
4822b020cddb445c61aaf4d1ed35f33eec15283810110b47b598abbbc7961f93f105f1c4fc6503366b6a68f2cbefc87d461f33defa19f773227b4c2d7e15fc39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
Filesize
606KB

MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
Filesize
598KB

MD5
02e02577a83a1856dc838f9e2f24e8d2

SHA1
2ab44e2072a3598fc7092b2ccb9aff3a2c5d4ced

SHA256
3b6ca9d9fcbb0c1677fe4caeef03e4db326f70166f030b5f9fa9f2856031d4fc

SHA512
a95d454a4f9e5271bc52e6c245c7840a92b8331b84260b2556432ac66dd07bec1b2c3dcf41282d6d8ae581a152f3147e75dc673ce0c7ecbb653dcc61bc1d1bd8

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn
Filesize
350B

MD5
80bda6f948a1289beefa36d2ba38194d

SHA1
948905d56e776f1efa1e026b309c6669b089a2fa

SHA256
9cb5d05f0db60b9e0d1b76af229fd2a705903d6a1278d4b815faa536a60c118d

SHA512
ebbc2ac06f50c65430f2d3df2dd94434a6bb0e431a48e5929d57b944882f66e488f6abb668535f0bdd5007b92d18d2c4b726ccbc547c60c6adb3c8f5b7f4e586

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn
Filesize
362B

MD5
565aba2aa486212bffe024fefb3a8ba0

SHA1
13f8e2befaf22d391595db2f5bb2efd761cb41ac

SHA256
891c1644d5e29e33e5bb88666853f9531b93a3d6fbbd4a8b01e4e8701f836bea

SHA512
a7a9610937383b8b9feeacacbda08f5d05692cd1550b238caac7a94d17399d689bc95e5afbd7a378e4cb2524d59c3bc3591e975a6aad65bcb6f6cd2e65cbe8ea

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck
Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000
Filesize
240B

MD5
cea67ffae620e6410ed0590dc6ec9b92

SHA1
de0e7c9e496fdd650fd8ab826e84b256eeb85812

SHA256
2dfba633817046c7f559ed4b93076048435f7e1a90f14eb8035c04b9ebae2537

SHA512
ba21e55aa88dc8b12e13ebff9e67570177db6aacfb606658650397e6423937d882b1e1c93ed62d12de0dfd59791d78c6a73d68e55f343cfa1f85235daf3b89ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index
Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT
Filesize
16B

MD5
4ae71336e44bf9bf79d2752e234818a5

SHA1
e129f27c5103bc5cc44bcdf0a15e160d445066ff

SHA256
374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb

SHA512
0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png
Filesize
890B

MD5
251a7e1401487e69a415fde9d5128b27

SHA1
9bb2d9b5d93e8f9dfe5337014008bce57b3cdb18

SHA256
d1db33e3ae5c6779e11ecc0ddf3962bf0559582980b5e5a92fd5caf91cb1bff2

SHA512
b572720338c60d4c27870e563145269d62470bd32cfb6ba4dbecc881632273189946d813fb6c6f4ea0539f9f0a6975c89b1bcf7fe7c297a005a4b15d8a4eccd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000004
Filesize
50B

MD5
871bdd96b159c14d15c8d97d9111e9c8

SHA1
8cd537a621659c289f0707bad94719b5782ddb1f

SHA256
cc2786e1f9910a9d811400edcddaf7075195f7a16b216dcbefba3bc7c4f2ae51

SHA512
e116d2d486bc802e99d5ffe83a666d5e324887a65965c7e0d90b238a4ee1db97e28f59aed23e6f968868902d762df06146833be62064c4a74d7c9384dfb0c7f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
Filesize
106B

MD5
f536fbf78e26387affb82ee89943b870

SHA1
3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7

SHA256
34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15

SHA512
d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QE6QYUAB\desktop.ini
Filesize
67B

MD5
53553242d57214aaa5726a09b05fe7bc

SHA1
931613845dd0e72f1b1a5ba0c89f1c34e5cc089d

SHA256
1be2b3990b410ca4fb38d1f79019c4018cd8820b69618646c81d22dfcbddc802

SHA512
dd0a0b9213182c99444bb7fb2eba5b28f521a768880be2539706730693ed9ea462feb4fd46b1deb5e7d4f31a284f2803b476209b451c9dc4d6ed056d71736d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3D507084-FE51-11EE-BDA8-6EB0E89E4FD1}.dat
Filesize
3KB

MD5
b4202f7fe985b9648b4676e6f70832bd

SHA1
d37c2b3927946ed617455b3c5913fcab0bc1af52

SHA256
6cf1b57d59e7111bc218dfb01dda93ac0f776715599a1c69f89035bd20c16a10

SHA512
447ea3de41bc400836a5a3df01efe61c2b3d5d646e9310f399c4842c5268d96042d8432d85fde19dcc8f43a2243626e9de850c9ce37d46fe0d0dd0fe5b2b6a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm
Filesize
255B

MD5
6df9012b2b7cb3c55963499a26309bba

SHA1
6d7aaa7d2bcca4a8758b398ab7617839203c828a

SHA256
80bd5cb5a9ca35dcdea1d59b5f1778f4114f6215af38004a02a99a1d37383648

SHA512
32aa05aca47a17b6afdbadabe83e929e5a55777c5f5ddb0c854ae78ef403a2baeda46e7f1f1fd7de5237749f43d5f8ce0c95e260ef25e27e20cbdffde41bcaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log
Filesize
2KB

MD5
c3eef41f29629d2c7796d9c3ee638df3

SHA1
65c07cdd1c2108cb27649aad8690f2643d018e41

SHA256
04893027370077030b48fd90535706dedb3b2d31e4f6ce5bfbcd1c8578017383

SHA512
96898187fe2e319b120c3026a300b06109bc1c9720660a30d8a3705d7cf58f37162d61e904f64b798c4368e4716c3adbbbdb8d047dae4822c131f4526d5b331b

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
d2a70550489de356a2cd6bfc40711204

SHA1
02ec1f60b2e76741dd9848ac432057ff9d58d750

SHA256
e80232b4d18d0bb7e794be263ba937626f383f9917d4b8a737ba893a8f752293

SHA512
2a2d76973c1c539839def62ba4f09319efa246ddc6cad4deb48b506a23f0b5ddbc083913d462836a6eff2db752609655f0d444d4478497ab4e66c69d1ef54b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Filesize
174B

MD5
897208d5df122e307ab837d982b2c085

SHA1
cf4ca14a7adcbc197cd84c1997efdd076911d608

SHA256
eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4

SHA512
b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334

Download Submit
C:\Users\Admin\Downloads\desktop.ini
Filesize
282B

MD5
65fe580cf845ed035c4e57ad02a987cf

SHA1
6a7fc08e53675bd325b0e6426eec4ce52db7f2a6

SHA256
4afd6e7f6ef862c727cf5780abfde2094eb56e93383b6e9d4cb7fae81dd17cd1

SHA512
bbc34c4f8892aaae0831e02cdc146ffca22efff5e70601bafa084bb0824e88c87fd20988e602fdcf649ba0322ea1d74cdd5bc7805525987c4115096173e33b76

Download Submit
C:\Users\Admin\Favorites\Links for United States\desktop.ini
Filesize
224B

MD5
59763dea4943fa0a7ec51296d5f2c7b3

SHA1
c3b3795c396c3f64ac68d9304f97b34adfdbf206

SHA256
6eb69e26de2a26eda48af77d4cec893aa0cf4748a64cbefcfe11a22c1e680ad9

SHA512
92c41f07d1aad07acbe943f36731f4739b5bd84822f660459e464262d45f4970203210180655683feb51868735d9deaaf37fb8308d415376bc631ce887b94fdd

Download Submit
C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url
Filesize
133B

MD5
b85026155b964b6f3a883c9a8b62dfe3

SHA1
5c38290813cd155c68773c19b0dd5371b7b1c337

SHA256
57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f

SHA512
c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
Filesize
1KB

MD5
1477fccb6f5105178b8a4959217a35a0

SHA1
c66fa5d6d133a7cb7247edd1b32fc6b82dec3dd9

SHA256
118980fc1bef9a9da8a06e2a864d3f5f5573b37786bac8709746a8ca26a12523

SHA512
1715a141037d97e12c98f91a62bd44e76364af02e8ad5024699e9dc3951d005eb3471de1bde3569a61af8e5127883cc1133b6274928bde3c5ad5840e36ee764a

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk
Filesize
262B

MD5
25a495be8250cc90b02a483e82df99c6

SHA1
0f8ca0d9fa83bb38a8a400a893185e589a968742

SHA256
ba1d859d62b101dc263d6834aaa81378941736dfab33b15243a4bf3b45691735

SHA512
6926347d0da33ecdf2af9d5ef5966f2108da941447c4e33ca90eeebf82a4171a1439bb3b285c31387e08b5fbd964851fd98d4c352975802de74ce02b03b7bd0d

Download Submit
C:\Users\Public\Desktop\info.hta
Filesize
6KB

MD5
3a742589205cfee4a1d4196f4090f017

SHA1
6e20926f4edb7b2f05920bd4d2bfb78bec1e8d99

SHA256
9e500fd27f2d4c286badf411f4bdb609d22e18d90e1cbf888388c1eef8eeb2d4

SHA512
00ecd63f3dda3d8aec08ed9beddea55ee465f5965e0c0a583139a69c79346d468356f4317cdac585b7b7699fb6274dfb399d35a1d95c69530d814a84edf8f049

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
Filesize
58KB

MD5
9b949b041cfe8391d65657156c2cf4d4

SHA1
1a421a968ce61d0d5ab4c968602298979193c006

SHA256
eaf933e9cadc5a4f777a463ee9f73769aad85bef8d72359895a0c773526a6b04

SHA512
2317ff650d9ac22823e68ea6085e7b0c251eb09b30e1c6341765fdccf42e697bf1d6e1eeacae8ba117fce350cbcc581c96033df08eae163db7e5abdc2d78f7f3

Download Submit
memory/2936-13891-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-1517-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-8800-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

pid	process
2540	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe
2704	2024-06-22_8d4fc2fab29b53848f56f876cc33b6ed_neshta_phobos.exe

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads