neshta | f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Size

473KB
MD5

a2e4cfc601699cefb26f67410286dcde
SHA1

c9a0b105c932796c7d2c3259eadf58c4d06be514
SHA256

f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86
SHA512

4ee517b0ffe411a51eeedaf22026bb38cbe5a4e4c19c8efda3bc706d105630333e42e4fe9a10ac80c8365895f7b98e22f531590b45f2f35ee0e20841116148b0
SSDEEP

12288:LLZ/P5ccF9lF0w6yfx+UjtOZGEn+FpNncUrOuF:vZ/R79/DTRdFrcU5

Score

10^/10

neshta defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\Program Files\#HowToRecover.txt

Ransom Note

<?> What happend? All your files are encrypted and stolen. We recover your files in exchange for money. <?> What guarantees? You can contact us and send us an unimportant file less than 1 MG, We decrypt it as guarantee. If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise. <?> How we can contact you? [1] Email: You can write to us by email. Write your unique id in the subject. - [email protected] - [email protected] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>> Your ID: D96B9344BB800A9735F23CACB380621A <<<<<<<<<< >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> <!> Warnings: - Do not go to recovery companies. They secretly negotiate with us to decrypt a test file and use it to gain your trust and after you pay, they take the money and scam you. - Do not use third-party tools. They might damage your files and cause permanent data loss.

Emails

[email protected]

Signatures

Detect Neshta payload 52 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-12.dat	family_neshta
behavioral1/files/0x00070000000192f0-13.dat	family_neshta
behavioral1/memory/2928-29-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2612-45-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2844-37-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010312-20.dat	family_neshta
behavioral1/files/0x0013000000010321-19.dat	family_neshta
behavioral1/files/0x005e000000010323-18.dat	family_neshta
behavioral1/memory/1924-55-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7d7-78.dat	family_neshta
behavioral1/memory/1192-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2512-65-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2416-96-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7e5-86.dat	family_neshta
behavioral1/files/0x000100000000f82c-102.dat	family_neshta
behavioral1/files/0x000100000000f871-115.dat	family_neshta
behavioral1/memory/1640-113-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010f30-136.dat	family_neshta
behavioral1/files/0x0001000000010c12-132.dat	family_neshta
behavioral1/memory/1752-130-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00010000000118e3-141.dat	family_neshta
behavioral1/files/0x000100000000f702-99.dat	family_neshta
behavioral1/memory/2900-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3060-160-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/468-163-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00010000000108f6-179.dat	family_neshta
behavioral1/memory/2656-204-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0003000000012144-187.dat	family_neshta
behavioral1/files/0x0003000000012180-203.dat	family_neshta
behavioral1/files/0x0003000000012143-182.dat	family_neshta
behavioral1/memory/2852-214-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2040-224-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010692-226.dat	family_neshta
behavioral1/files/0x000200000001180f-229.dat	family_neshta
behavioral1/memory/764-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010b0d-244.dat	family_neshta
behavioral1/files/0x0002000000010c93-247.dat	family_neshta
behavioral1/files/0x0001000000011448-246.dat	family_neshta
behavioral1/memory/2824-260-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00010000000115f9-251.dat	family_neshta
behavioral1/memory/2904-273-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2772-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2440-318-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/976-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/292-10537-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2828-11768-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1192-16077-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/292-16078-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2828-16080-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/292-16084-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2828-16083-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4872-16101-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D96B9344BB800A9735F23CACB380621A.exe	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D96B9344BB800A9735F23CACB380621A.exe	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Executes dropped EXE 25 IoCs

pid	Process
2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
2828	svchost.com
2928	svchost.com
2844	svchost.com
2612	svchost.com
1924	svchost.com
2512	svchost.com
1192	svchost.com
2416	svchost.com
1640	svchost.com
1752	svchost.com
468	svchost.com
3060	svchost.com
2900	svchost.com
2656	svchost.com
2852	svchost.com
2040	svchost.com
764	svchost.com
2824	svchost.com
2904	svchost.com
976	svchost.com
2772	svchost.com
2440	svchost.com
1192	svchost.com
4872	svchost.com

Loads dropped DLL 7 IoCs

pid	Process
292	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
2828	svchost.com
292	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
2828	svchost.com
2828	svchost.com
292	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
2828	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 36 IoCs

description	ioc	Process
File opened for modification	C:\users\admin\saved games\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\searches\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\videos\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\pictures\sample pictures\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\videos\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\microsoft games\purble place\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\microsoft games\solitaire\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\favorites\links\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\videos\sample videos\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\microsoft games\mahjong\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\downloads\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\music\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\recorded tv\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\microsoft games\hearts\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\documents\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\documents\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\recorded tv\sample media\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\microsoft games\chess\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\desktop\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\libraries\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\favorites\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\links\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\desktop\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\downloads\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\microsoft games\freecell\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\contacts\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\music\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\pictures\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\music\sample music\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\public\pictures\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\microsoft games\spidersolitaire\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\dataservices\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\users\admin\favorites\links for united states\desktop.ini	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\E:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\R:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\U:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\P:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\A:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\S:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\H:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\Z:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\Q:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\T:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\G:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\K:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\B:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\F:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\Y:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\O:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\J:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\V:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\N:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\W:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\I:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\X:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened (read-only)	\??\M:	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\D96B9344BB800A9735F23CACB380621A.bmp"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000019273-2.dat	upx
behavioral1/memory/292-4-0x0000000002D60000-0x0000000002E88000-memory.dmp	upx
behavioral1/memory/2000-10-0x0000000000D60000-0x0000000000E88000-memory.dmp	upx
behavioral1/memory/2000-9229-0x0000000000D60000-0x0000000000E88000-memory.dmp	upx
behavioral1/memory/2000-10538-0x0000000000D60000-0x0000000000E88000-memory.dmp	upx
behavioral1/memory/2000-16079-0x0000000000D60000-0x0000000000E88000-memory.dmp	upx
behavioral1/memory/2000-16085-0x0000000000D60000-0x0000000000E88000-memory.dmp	upx
behavioral1/memory/2000-16100-0x0000000000D60000-0x0000000000E88000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\program files (x86)\windows sidebar\gadgets\currency.gadget\de-de\css\#HowToRecover.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_black_moon-first-quarter.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\config\modules\org-netbeans-modules-profiler-selector-ui.xml	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\config\modules\com-sun-tools-visualvm-host-remote.xml	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jre7\lib\zi\est5edt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\videolan\vlc\locale\ps\lc_messages\vlc.mo	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\autoshap\bd18219_.wmf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\currency.gadget\es-es\js\library.js	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jre7\lib\zi\pacific\guadalcanal	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\media\cagcat10\j0222019.wmf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\settings_right_disabled.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\cpu.gadget\images\back_lrg.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\fd01193_.wmf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\templates\1033\blog.dotx	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\tn00687_.wmf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir36b.gif	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\weather.gadget\ja-jp\css\settings.css	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\7-zip\lang\ga.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\shatter\navigationup_selectionsubpicture.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\windows sidebar\gadgets\clock.gadget\es-es\js\settings.js	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\windows sidebar\gadgets\weather.gadget\images\46.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\na00238_.wmf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\thule	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File created	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\#HowToRecover.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File created	C:\program files\java\jre7\lib\images\cursors\#HowToRecover.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\publisher\backgrounds\j0143746.gif	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\7-zip\lang\de.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\windows sidebar\gadgets\slideshow.gadget\ja-jp\js\slideshow.js	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\windows sidebar\gadgets\weather.gadget\images\docked_black_windy.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\j0160590.wmf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\dgrepfrm.dpv	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\media\office14\autoshap\bd18247_.wmf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubspapr\zpdir29f.gif	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\rtf_choosecolor.gif	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\argentina\san_juan	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\indiana\petersburg	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\windows sidebar\gadgets\clock.gadget\en-us\settings.html	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\outlbar.inf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File created	C:\program files (x86)\windows sidebar\gadgets\rssfeeds.gadget\it-it\#HowToRecover.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File created	C:\program files\dvd maker\shared\dvdstyles\babygirl\#HowToRecover.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\europe\zurich	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File created	C:\program files (x86)\microsoft office\document themes 14\theme fonts\#HowToRecover.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\pubwiz\news.dpv	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\glow.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File created	C:\program files (x86)\windows sidebar\gadgets\rssfeeds.gadget\es-es\css\#HowToRecover.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jre7\lib\currency.data	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\windows sidebar\gadgets\mediacenter.gadget\images\button_play.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\reader\vdk150.dll	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\clipart\pub60cor\na02066_.wmf	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\document themes 14\theme colors\foundry.xml	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\desert\header.gif	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\currency.gadget\it-it\js\localizedstrings.js	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\ext\localedata.jar	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\miquelon	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\jakarta	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File created	C:\program files\microsoft games\multiplayer\backgammon\es-es\#HowToRecover.txt	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubftscm\scheme44.css	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files (x86)\microsoft office\office14\1033\pubspapr\pdir35f.gif	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\babyboy\babyboymaintonotesbackground_pal.wmv	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\sports\scenebuttonsubpicture.png	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Drops file in Windows directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4484	cmd.exe
3840	PING.EXE
4872	svchost.com

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2248	vssadmin.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallpaperStyle = "2"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\TileWallpaper = "0"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vx2\DefaultIcon	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vx2	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vx2\DefaultIcon\ = "C:\\ProgramData\\D96B9344BB800A9735F23CACB380621A.ico"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3840	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Token: SeTakeOwnershipPrivilege	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Token: SeBackupPrivilege	1416	vssvc.exe
Token: SeRestorePrivilege	1416	vssvc.exe
Token: SeAuditPrivilege	1416	vssvc.exe
Token: SeIncreaseQuotaPrivilege	800	WMIC.exe
Token: SeSecurityPrivilege	800	WMIC.exe
Token: SeTakeOwnershipPrivilege	800	WMIC.exe
Token: SeLoadDriverPrivilege	800	WMIC.exe
Token: SeSystemProfilePrivilege	800	WMIC.exe
Token: SeSystemtimePrivilege	800	WMIC.exe
Token: SeProfSingleProcessPrivilege	800	WMIC.exe
Token: SeIncBasePriorityPrivilege	800	WMIC.exe
Token: SeCreatePagefilePrivilege	800	WMIC.exe
Token: SeBackupPrivilege	800	WMIC.exe
Token: SeRestorePrivilege	800	WMIC.exe
Token: SeShutdownPrivilege	800	WMIC.exe
Token: SeDebugPrivilege	800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	800	WMIC.exe
Token: SeRemoteShutdownPrivilege	800	WMIC.exe
Token: SeUndockPrivilege	800	WMIC.exe
Token: SeManageVolumePrivilege	800	WMIC.exe
Token: 33	800	WMIC.exe
Token: 34	800	WMIC.exe
Token: 35	800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1248	WMIC.exe
Token: SeSecurityPrivilege	1248	WMIC.exe
Token: SeTakeOwnershipPrivilege	1248	WMIC.exe
Token: SeLoadDriverPrivilege	1248	WMIC.exe
Token: SeSystemProfilePrivilege	1248	WMIC.exe
Token: SeSystemtimePrivilege	1248	WMIC.exe
Token: SeProfSingleProcessPrivilege	1248	WMIC.exe
Token: SeIncBasePriorityPrivilege	1248	WMIC.exe
Token: SeCreatePagefilePrivilege	1248	WMIC.exe
Token: SeBackupPrivilege	1248	WMIC.exe
Token: SeRestorePrivilege	1248	WMIC.exe
Token: SeShutdownPrivilege	1248	WMIC.exe
Token: SeDebugPrivilege	1248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1248	WMIC.exe
Token: SeRemoteShutdownPrivilege	1248	WMIC.exe
Token: SeUndockPrivilege	1248	WMIC.exe
Token: SeManageVolumePrivilege	1248	WMIC.exe
Token: 33	1248	WMIC.exe
Token: 34	1248	WMIC.exe
Token: 35	1248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 2000	292	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	30
PID 292 wrote to memory of 2000	292	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	30
PID 292 wrote to memory of 2000	292	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	30
PID 292 wrote to memory of 2000	292	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	30
PID 2000 wrote to memory of 2828	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	32
PID 2000 wrote to memory of 2828	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	32
PID 2000 wrote to memory of 2828	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	32
PID 2000 wrote to memory of 2828	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	32
PID 2828 wrote to memory of 2768	2828	svchost.com	86
PID 2828 wrote to memory of 2768	2828	svchost.com	86
PID 2828 wrote to memory of 2768	2828	svchost.com	86
PID 2828 wrote to memory of 2768	2828	svchost.com	86
PID 2000 wrote to memory of 2928	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	34
PID 2000 wrote to memory of 2928	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	34
PID 2000 wrote to memory of 2928	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	34
PID 2000 wrote to memory of 2928	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	34
PID 2928 wrote to memory of 2224	2928	svchost.com	81
PID 2928 wrote to memory of 2224	2928	svchost.com	81
PID 2928 wrote to memory of 2224	2928	svchost.com	81
PID 2928 wrote to memory of 2224	2928	svchost.com	81
PID 2000 wrote to memory of 2844	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	37
PID 2000 wrote to memory of 2844	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	37
PID 2000 wrote to memory of 2844	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	37
PID 2000 wrote to memory of 2844	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	37
PID 2844 wrote to memory of 2780	2844	svchost.com	39
PID 2844 wrote to memory of 2780	2844	svchost.com	39
PID 2844 wrote to memory of 2780	2844	svchost.com	39
PID 2844 wrote to memory of 2780	2844	svchost.com	39
PID 2000 wrote to memory of 2612	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	41
PID 2000 wrote to memory of 2612	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	41
PID 2000 wrote to memory of 2612	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	41
PID 2000 wrote to memory of 2612	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	41
PID 2612 wrote to memory of 2228	2612	svchost.com	42
PID 2612 wrote to memory of 2228	2612	svchost.com	42
PID 2612 wrote to memory of 2228	2612	svchost.com	42
PID 2612 wrote to memory of 2228	2612	svchost.com	42
PID 2768 wrote to memory of 2248	2768	cmd.exe	43
PID 2768 wrote to memory of 2248	2768	cmd.exe	43
PID 2768 wrote to memory of 2248	2768	cmd.exe	43
PID 2768 wrote to memory of 2248	2768	cmd.exe	43
PID 2228 wrote to memory of 800	2228	cmd.exe	46
PID 2228 wrote to memory of 800	2228	cmd.exe	46
PID 2228 wrote to memory of 800	2228	cmd.exe	46
PID 2228 wrote to memory of 800	2228	cmd.exe	46
PID 2000 wrote to memory of 1924	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	49
PID 2000 wrote to memory of 1924	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	49
PID 2000 wrote to memory of 1924	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	49
PID 2000 wrote to memory of 1924	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	49
PID 1924 wrote to memory of 1128	1924	svchost.com	50
PID 1924 wrote to memory of 1128	1924	svchost.com	50
PID 1924 wrote to memory of 1128	1924	svchost.com	50
PID 1924 wrote to memory of 1128	1924	svchost.com	50
PID 2000 wrote to memory of 2512	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	52
PID 2000 wrote to memory of 2512	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	52
PID 2000 wrote to memory of 2512	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	52
PID 2000 wrote to memory of 2512	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	52
PID 1128 wrote to memory of 1248	1128	cmd.exe	53
PID 1128 wrote to memory of 1248	1128	cmd.exe	53
PID 1128 wrote to memory of 1248	1128	cmd.exe	53
PID 1128 wrote to memory of 1248	1128	cmd.exe	53
PID 2000 wrote to memory of 1192	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	54
PID 2000 wrote to memory of 1192	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	54
PID 2000 wrote to memory of 1192	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	54
PID 2000 wrote to memory of 1192	2000	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe	54

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Your computer is encrypted"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "We encrypted and stolen all of your files.\r\r\nOpen #HowToRecover.txt and follow the instructions to recover your files.\r\r\nYour ID: D96B9344BB800A9735F23CACB380621A"	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
"C:\Users\Admin\AppData\Local\Temp\f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:292
- C:\Users\Admin\AppData\Local\Temp\3582-490\f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2000
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin Delete Shadows /All /Quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:2248
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
      4⤵
      System Location Discovery: System Language Discovery
      PID:2224
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractive
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c wmic SHADOWCOPY /nointeractive
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic SHADOWCOPY /nointeractive
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9800B8D-983B-4491-83EB-BC22ED1D7E93}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{A9800B8D-983B-4491-83EB-BC22ED1D7E93}' delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{A9800B8D-983B-4491-83EB-BC22ED1D7E93}' delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0258A7D5-130D-4CEA-8D31-0A38600E987E}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{0258A7D5-130D-4CEA-8D31-0A38600E987E}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{0258A7D5-130D-4CEA-8D31-0A38600E987E}' delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CBD34A1A-FA88-4E7E-A5A0-7415768215FC}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{CBD34A1A-FA88-4E7E-A5A0-7415768215FC}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{CBD34A1A-FA88-4E7E-A5A0-7415768215FC}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F032DFF2-FB08-49DC-99C2-BA1882C8466B}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{F032DFF2-FB08-49DC-99C2-BA1882C8466B}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{F032DFF2-FB08-49DC-99C2-BA1882C8466B}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4F647B4F-234F-4F59-8149-D5612EB25E04}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{4F647B4F-234F-4F59-8149-D5612EB25E04}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:1968
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{4F647B4F-234F-4F59-8149-D5612EB25E04}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{814F300D-1DFB-4141-A4B1-F0C7DC24F64C}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{814F300D-1DFB-4141-A4B1-F0C7DC24F64C}' delete
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{814F300D-1DFB-4141-A4B1-F0C7DC24F64C}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{71352CEE-A1E7-4E76-A2EE-AB294FC63308}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{71352CEE-A1E7-4E76-A2EE-AB294FC63308}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{71352CEE-A1E7-4E76-A2EE-AB294FC63308}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2C78D0B4-0EE8-4DC4-A696-41D961370EDB}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{2C78D0B4-0EE8-4DC4-A696-41D961370EDB}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2736
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{2C78D0B4-0EE8-4DC4-A696-41D961370EDB}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96473345-74F0-447B-9986-43110DAB7ED6}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{96473345-74F0-447B-9986-43110DAB7ED6}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2224
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{96473345-74F0-447B-9986-43110DAB7ED6}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9837082-6FCE-4E80-AA8D-ECE00C540F2D}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{C9837082-6FCE-4E80-AA8D-ECE00C540F2D}' delete
      4⤵
      PID:636
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{C9837082-6FCE-4E80-AA8D-ECE00C540F2D}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{615D6C20-911B-43F1-8086-28A4E25F3116}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{615D6C20-911B-43F1-8086-28A4E25F3116}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2104
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{615D6C20-911B-43F1-8086-28A4E25F3116}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2ACD8735-6BFA-491F-B9B3-523827A0A950}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{2ACD8735-6BFA-491F-B9B3-523827A0A950}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:3032
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{2ACD8735-6BFA-491F-B9B3-523827A0A950}' delete
        5⤵
        
        PID:2088
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9D827368-593F-47D0-A898-A10D320A44F2}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{9D827368-593F-47D0-A898-A10D320A44F2}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:1028
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{9D827368-593F-47D0-A898-A10D320A44F2}' delete
        5⤵
        
        PID:2344
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63BA5C73-453B-455D-9F8B-30A376C62F07}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{63BA5C73-453B-455D-9F8B-30A376C62F07}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{63BA5C73-453B-455D-9F8B-30A376C62F07}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B19070AF-F105-4C66-8407-2799A5DA875D}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{B19070AF-F105-4C66-8407-2799A5DA875D}' delete
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{B19070AF-F105-4C66-8407-2799A5DA875D}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B76C57CE-8743-4023-8A0B-EDC2BA9DC6F6}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{B76C57CE-8743-4023-8A0B-EDC2BA9DC6F6}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:988
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{B76C57CE-8743-4023-8A0B-EDC2BA9DC6F6}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4F0CB2E9-6400-4596-B4A3-2778D67044BA}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{4F0CB2E9-6400-4596-B4A3-2778D67044BA}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:1152
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{4F0CB2E9-6400-4596-B4A3-2778D67044BA}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40113DEC-5436-4294-A9B9-58D2A3592CC4}'" delete
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{40113DEC-5436-4294-A9B9-58D2A3592CC4}' delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:1376
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID='{40113DEC-5436-4294-A9B9-58D2A3592CC4}' delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c for /F tokens = * %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1688
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" (/c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\3582-490\f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe (/c ping 127.0.0.1 -n 5 > nul & del C:\Users\Admin\AppData\Local\Temp\3582-490\f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4484
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
354KB

MD5
c7021f05bd12860e1d3350f0a444f99a

SHA1
747241c3429076691338dceb1672080829b662e7

SHA256
db106d65f64f3cff8d79fba4b7aff6436ed8d4972bae7a7be19d4b6fbc5db92a

SHA512
de937f0c8e8ad97aa3528314f0cc1406808a5b3ef9f0b32cb7554adb1e0a15ca1e6ec7cd40bfeea9772cb87bb9716b4cc8d9cdf94a0dd696dcc3648f5795afa0

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
414KB

MD5
6e0d99426707169ce01f273709a1e912

SHA1
414bc3073049cbb7677897b99059e6c5e42a2331

SHA256
fe778f8c1f6f8e044a89dd7da498c8dfec51deb520eb9c187f40c0e3be5c9bab

SHA512
5866e1eccc9dde7d8c55949b6b18682ec4b0266c3ac70620e76cb102fd0effbb7bef475b9ef3e2d0a504362116887bd069ed5cede9489685df5619dc9b25d890

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
171KB

MD5
74b2a0f7b9638b356fd6d016f1d26e9d

SHA1
e7de80ef91c4072e68ec6560b84da68809b440e8

SHA256
05ddd7ecdde93e8d5f067a85e99b622f3c0431e367b3761a83f988a59871f0fb

SHA512
e6c07f15ee29250948c2b6767cf1e91416f1d3ee87e6e169b9f6d5b9303314aefd1857ab07f934d75ea2674ab674c32d247de5c5b38cfb792d26432734f3f8e1

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
543KB

MD5
62f45c5ec18ac85b8a015d5cd597a587

SHA1
7e8436990e9b2b39f7c39849b65e29e375cf9b1c

SHA256
bb10f9800ccd5cdade599f7bc36f4addadb2bbb01509be3167fe3074fc01bfe7

SHA512
a37225931ed6c243fbb0e92deede53ae0856b9589c23c2d9492dff894e490b466779cc604a5519bd5f71ee818033f02e1611e17507f81aa81874f69dd76b1066

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
205KB

MD5
da31170e6de3cf8bd6cf7346d9ef5235

SHA1
e2c9602f5c7778f9614672884638efd5dd2aee92

SHA256
7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858

SHA512
2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
125KB

MD5
46e43f94482a27df61e1df44d764826b

SHA1
8b4eab017e85f8103c60932c5efe8dff12dc5429

SHA256
dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd

SHA512
ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
271KB

MD5
eadb2e7c90f5deabad2e2757622ddadd

SHA1
947a77f92ae3fcbdac42229f69ac5c4dcc3cf74e

SHA256
437dbdb218902cbf3bd4f1d5cfad46e2b0435ba7ae7d9de21d14bdd9206acbd2

SHA512
eecf366b56eb4c9d18cabed5ecf70c7541469537a96540fccc8277c44d94294a9195ced436c51faf70f6c2f51e81367a29032282beab55d2c55db030c92dcc43

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE

Filesize
85KB

MD5
685db5d235444f435b5b47a5551e0204

SHA1
99689188f71829cc9c4542761a62ee4946c031ff

SHA256
fde30bfdd34c7187d02eabe49f2386b4661321534b50032a838b179a21737411

SHA512
a06d711574fbe32f07d20e1d82b7664addd664bf4a7ee07a8f98889172afe3653f324b5915968950b18e76bbfc5217a29704057fd0676611629aa9eb888af54a

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe

Filesize
129KB

MD5
b1e0da67a985533914394e6b8ac58205

SHA1
5a65e6076f592f9ea03af582d19d2407351ba6b6

SHA256
67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f

SHA512
188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE

Filesize
188KB

MD5
92ee5c55aca684cd07ed37b62348cd4e

SHA1
6534d1bc8552659f19bcc0faaa273af54a7ae54b

SHA256
bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531

SHA512
fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

Download Submit
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE

Filesize
4.1MB

MD5
56f047ff489e52768039ce7017bdc06e

SHA1
3f249d6a9e79c2706ed2e0e12f7e76ebd5e568fc

SHA256
62d6c979d708efe21c9618a18232fd2c74e85bb9560daa298025ab9af784202d

SHA512
a2eae7eae6548d325480560dcca83283a022f00f7d9bd19c0ae801a7acec133a33c5c5eb79432d47c8258d153cadea988217845d58eb4e8aa8070a068befe5e8

Download Submit
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE

Filesize
605KB

MD5
8acc19705a625e2d4fa8b65214d7070a

SHA1
ad16e49369c76c6826a18d136bf9618e8e99ec12

SHA256
3fb179a3ae88a3d14db48de29d4b9d43243b80b2118b578b8117ad776ce47f12

SHA512
92e22275194b5a73d825e1e7ad5a5cb5649d3679f545f88328aa72e39c161c4d797b7b3462e590edf546ddbd53c1508a49056f50fa63b113134e1bdc7d977dec

Download Submit
C:\Program Files\#HowToRecover.txt

Filesize
1KB

MD5
142aa958f730f4fa280af0111cffedc0

SHA1
787b1b11f06a7234aa044e65274b44af2904c787

SHA256
ef35186d475600575391a888153c9047651fb264d7366452512f2bd257a276f4

SHA512
03ac8445bb70b3a62ecdb7c873337598bcebc646ee41403c4d4f90dc3cfabc0f0c3ac7f3d888787250ff5c1342a5d8662b6049a1ab6bf4e94098f1f7bec827d2

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
db5326a537675f807e3a58256572ddd1

SHA1
a528c84b7e3743e1b744e3ebd79383d4d0a5804e

SHA256
9baa6311e0e7f2b502057471e1454de591d5bbaf017c47d046967f257544f32c

SHA512
c283e9ab9d975f15be6ac0d6301923010431e18d8b10288aa202b7cba3dda49f071d86e14dd53e1cb502e99345cb58fd4f3366fe8b5a848a69e5eeda4369b17f

Download Submit
C:\Windows\directx.sys

Filesize
142B

MD5
a2e5afd9e13cf25f67cb83d2ab3a976d

SHA1
5a09fe3f097dfcec24018505c3d2e4a9cc9f4a2a

SHA256
70ec8215d1ce38b9ab1bf983be85570b68f9b1ecc27b3cdb2eb60e73afd19295

SHA512
869e88927cea833b042603ed5b3f7861f7c9579cf13447b2028354fbbcf63579cf8297e254ec66f86a14a21a991e50b2e961c6b6a7a2b443046303b3efe35ef5

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
8e966011732995cd7680a1caa974fd57

SHA1
2b22d69074bfa790179858cc700a7cbfd01ca557

SHA256
97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b

SHA512
892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

Download Submit
C:\Windows\directx.sys

Filesize
64B

MD5
813266423b3dbe8c6a95cdfd2e764c8e

SHA1
bd955a71797768c5c926df1aec147ac98144d724

SHA256
1c2aa4dc038e22dd4285602698ed3288d6dcd3a13fc0be07dea75f97edf0ab78

SHA512
48fed117a8092c83898dc233dbf4b10662992ab5c636ea37cf17c92f161ced505b10280b95de6edd3837ce84eaf182d9c97b1e8f387a8772a5297111b3360287

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE

Filesize
246KB

MD5
4f8fc8dc93d8171d0980edc8ad833b12

SHA1
dc2493a4d3a7cb460baed69edec4a89365dc401f

SHA256
1505f3721dd3d7062dadde1633d17e4ee80caf29fd5b6aa6e6a0c481324ffd4e

SHA512
bdc3f83d7428418516daf23a9c2d00571cbaa3755391dfd8c500b6df7f621a67ad8e27775bcdaa20b159cd77d08bcdaf81a0cb7fffdd812978888d43512113a6

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\f6a9d3e7add82c21ad66f2a0fbe8ce31330e2a284fabb69700ae5afd7188ac86.exe

Filesize
433KB

MD5
1d14c901f4c5189c227162bb9c7179d6

SHA1
45f2fed081dbbfc23423cd5f0782716490a61337

SHA256
b7c4af67691e52145984af71e0f39d6fb592a9701733c839032c5213fa0d1b89

SHA512
52ba89bf1bb7a51a9851d4347dc78b43f33c6688006d63b9246823f006d2f42539527ed745691e4a914681b7c6504c521ca7ae7b22bc1b3949353648e544d8fb

Download Submit
memory/292-334-0x0000000002D60000-0x0000000002E88000-memory.dmp

Filesize
1.2MB

Download
memory/292-4-0x0000000002D60000-0x0000000002E88000-memory.dmp

Filesize
1.2MB

Download
memory/292-16084-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/292-16078-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/292-12241-0x0000000002D60000-0x0000000002E88000-memory.dmp

Filesize
1.2MB

Download
memory/292-10537-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/468-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/764-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/976-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1192-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1192-16077-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1640-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-130-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-16079-0x0000000000D60000-0x0000000000E88000-memory.dmp

Filesize
1.2MB

Download
memory/2000-16085-0x0000000000D60000-0x0000000000E88000-memory.dmp

Filesize
1.2MB

Download
memory/2000-10-0x0000000000D60000-0x0000000000E88000-memory.dmp

Filesize
1.2MB

Download
memory/2000-10538-0x0000000000D60000-0x0000000000E88000-memory.dmp

Filesize
1.2MB

Download
memory/2000-16100-0x0000000000D60000-0x0000000000E88000-memory.dmp

Filesize
1.2MB

Download
memory/2000-9229-0x0000000000D60000-0x0000000000E88000-memory.dmp

Filesize
1.2MB

Download
memory/2040-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2416-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2440-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2612-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2656-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2824-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-12242-0x0000000002050000-0x0000000002178000-memory.dmp

Filesize
1.2MB

Download
memory/2828-11768-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-335-0x0000000002050000-0x0000000002178000-memory.dmp

Filesize
1.2MB

Download
memory/2828-16080-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-16083-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2852-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2904-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2928-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-160-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4872-16101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download