Malware Analysis Report

2025-08-10 20:05

Sample ID 250704-n8a65ahj31
Target 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader
SHA256 7bae64350701e2655b9e5b854d016704755550ae40d5040463bcb26aaefda3e0
Tags discovery persistence spyware stealer
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

NTFS ADS

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:03

Reported

2025-07-04 12:06

Platform

win10v2004-20250502-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Windows\SysWOW64\:\autorun.inf C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\:\autorun.inf C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe$ C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe$ C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpconfig.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoasb.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe$ C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE$ C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\notification_helper.exe$ C:\905c0769f9a06c95a24ddf945\patcher.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\905c0769f9a06c95a24ddf945\patcher.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3340 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\905c0769f9a06c95a24ddf945\patcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe

C:\905c0769f9a06c95a24ddf945\patcher.exe

C:\905c0769f9a06c95a24ddf945\patcher.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/3968-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\905c0769f9a06c95a24ddf945\patcher.exe

MD5 8bb50c13f25fb5dc1e9db00d794e7b31
SHA1 1608ddbe1fa02c45b7b0f8d4a6eb87b8d4f5f5a3
SHA256 7bae64350701e2655b9e5b854d016704755550ae40d5040463bcb26aaefda3e0
SHA512 28f0a6a81207bb46a460a54d0fb9c6d262c4d6ef59fb6c1485b7b9e2dcbae1aa2d1c49fe52041277984b387e34b8e8bc3033036edf6c5c10fd561eb6be5f6009

memory/2920-8-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Program Files\7-Zip\7z.exe

C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE

C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe$

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$

memory/3968-1609-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2920-1610-0x0000000000400000-0x000000000040D000-memory.dmp

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe$
