neshta | dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8

Analysis

max time kernel
104s
max time network
82s
platform
windows10_x64
resource
win10-en-20210920
submitted
25-09-2021 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
Size

94KB
MD5

be56a866861c0cc91ff470f769d74d22
SHA1

87ee58769b0c3eb629434ba0c5f9d3cd65accd4d
SHA256

dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8
SHA512

5be5f4ae7eb08a5a54bfa5dc0d000b94c69843e88b7e792350b0716390228df67ec2b1bb618b701a58cfe75fbaa5dd800d6c7f40a2cb4ea1d7f0a5b8eaf97d38

Score

10^/10

neshta persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\how_to_back_files.html

Ransom Note

Your personal ID ☠ Your files are encrypted! ☠ All your important data has been encrypted. To recover data you need decryptor. To get the decryptor you should: Send 1 test image or text file [email protected] or [email protected] . In the letter include your personal ID (look at the beginning of this document). We will give you the decrypted file and assign the price for decryption all files After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder. Only [email protected] and [email protected] can decrypt your files Do not trust anyone [email protected] and [email protected] Do not attempt to remove the program or run the anti-virus tools Attempts to self-decrypting files will result in the loss of your data Decoders other users are not compatible with your data, because each user's unique encryption key ��

Emails

[email protected]

Signatures

Detect Neshta Payload 14 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\DAD353~1.EXE	family_neshta
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	family_neshta
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	family_neshta
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

pid process

2088 dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

pid	process
2088	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertToWrite.raw => C:\Users\Admin\Pictures\ConvertToWrite.raw.SATANA	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File renamed	C:\Users\Admin\Pictures\OpenExpand.raw => C:\Users\Admin\Pictures\OpenExpand.raw.SATANA	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File renamed	C:\Users\Admin\Pictures\OptimizeUninstall.raw => C:\Users\Admin\Pictures\OptimizeUninstall.raw.SATANA	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File renamed	C:\Users\Admin\Pictures\RevokeMove.raw => C:\Users\Admin\Pictures\RevokeMove.raw.SATANA	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File renamed	C:\Users\Admin\Pictures\AddRename.raw => C:\Users\Admin\Pictures\AddRename.raw.SATANA	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File renamed	C:\Users\Admin\Pictures\ApproveFormat.raw => C:\Users\Admin\Pictures\ApproveFormat.raw.SATANA	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Pictures\DenyRequest.tiff	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File renamed	C:\Users\Admin\Pictures\DenyRequest.tiff => C:\Users\Admin\Pictures\DenyRequest.tiff.SATANA	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File renamed	C:\Users\Admin\Pictures\UnlockReceive.crw => C:\Users\Admin\Pictures\UnlockReceive.crw.SATANA	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 25 IoCs

Processes:

dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

Drops file in Program Files directory 64 IoCs

Processes:

dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exedad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme-2x.png	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RDCNotificationClient.appx	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\bun.png	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\main-selector.css	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main.css	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_filter_18.svg	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\de_get.svg	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\media_poster.jpg	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ml.dll	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_thumbnailview_18.svg	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\core_icons.png	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured.png	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover_2x.png	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_fillsign_logo.svg	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\how_to_back_files.html	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe

Drops file in Windows directory 7 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exedad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\svchost.com	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{C36DB8D4-EDE8-4058-9F0A-3B4ED4891AD3} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E3EB1287-C224-4A2A-A891-7141BFC1AC34} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000003b10aaf0131a298b0919ce971cc9e8406bb32b6e74009a6b60f5d9a6ee82e9d09896cc1b2c26dd8846148c192175a059a4ce9916ba4e9a2efe29226a45856a9abcae80dc447f21ec1c291c0bead6f31592ca4b90b7fa259e004738dc72cd4f0c71f7fd146f45cae404f76a57f40c5e3ee7475bdf0e23d68899ed19f4f879b312db103c87329879912d1e588d3c389c140fe6e57196e8dd1568bdbef2a7abebd0829b422a749836056e3e9039b278319e0445eb375b6b1a735a55a750cc8245cd1c37258a6f652122caf6a378aaed2f411e059ccde0caea58fc56a33b611ec27fe283773b081fe740a7e884df51b8beb1c6c6e3b82e279f56396143a8189fcf207b21465d52e62aa9cdb32ba328f7f02ddf2813af8ca0cef68e1423ec9724ffce0db09b2c33da05dcd2f7de9fc7cb5109bacb42f54d57e2ad681105f0cbcf0a02f4cf6fa75f1b26a9ee541e118d54778c9c4f01c5926a429903f633ed03bfaf5455209e3a25c9c719c86a1ed94fb3e41c4255fecb2bfb0213ab641bba4a143a926842428c07040d270ed948540106a5bd4d7b64b0c628a711338ee5e225dc246ea791f0161dc96623	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000f61198c7e0c005443820f4fd63be323f9eaf49f8f477bcb8e54aad4d134eafff7fd01b7c4ba5ae60e612dd3144362668f149cd1dbc6668f81ff8	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 926a44f5cbb1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ab1d55f5cbb1d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

2784 MicrosoftEdgeCP.exe
1884 MicrosoftEdgeCP.exe

pid	process
2784	MicrosoftEdgeCP.exe
1884	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	1508	MicrosoftEdge.exe
Token: SeDebugPrivilege	1508	MicrosoftEdge.exe
Token: SeDebugPrivilege	1508	MicrosoftEdge.exe
Token: SeDebugPrivilege	1508	MicrosoftEdge.exe
Token: SeDebugPrivilege	2768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1508	MicrosoftEdge.exe
Token: SeDebugPrivilege	4240	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4240	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1508 MicrosoftEdge.exe
2784 MicrosoftEdgeCP.exe
2784 MicrosoftEdgeCP.exe
4080 MicrosoftEdge.exe
1884 MicrosoftEdgeCP.exe
1884 MicrosoftEdgeCP.exe

pid	process
1508	MicrosoftEdge.exe
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
4080	MicrosoftEdge.exe
1884	MicrosoftEdgeCP.exe
1884	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 3936 wrote to memory of 2088	3936	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
PID 3936 wrote to memory of 2088	3936	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
PID 3936 wrote to memory of 2088	3936	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe	dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
PID 2784 wrote to memory of 2768	2784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768	2784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768	2784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768	2784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768	2784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768	2784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748	1884	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748	1884	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748	1884	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748	1884	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748	1884	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748	1884	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
"C:\Users\Admin\AppData\Local\Temp\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\3582-490\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4488

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4688

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
MD5
52472cc768bd620a60b0783a4a7dfffb

SHA1
b5fcd14f573f8b7d34d718d8842db544eb49e3de

SHA256
e84318807085452544acea9955af1818b3c6a2818e7be705de895def25a2a167

SHA512
aebf786bf2f2b9d464c11c73878d18be454f799faf04992f6a9a511393592a1a0ba3fb3342e648377e29fcaea870147399453376428ec640309fcc4596e0be70

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
MD5
62aca638924e900d6095eec634f7977c

SHA1
00373ea16fa792b48568fca113cd2bc8fb5d5763

SHA256
6d60dde9623b2a4d86cac1c427b5f5d446452565c58a4996f907de3c1fe0d451

SHA512
38be88f86921300a41eaf080fefd45d5240be10079f2704e467877fa36d8447d6f01e73a8b773aab31c0028f09c4a7308bb9942c1d3ebd0e7c35875f22718291

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
MD5
c08a13d72790de2aa2d06655b68c1999

SHA1
d81ac6618e8160f107c792855a2ebea28d0bb5b7

SHA256
0f1323980a9cb6815bbc34ead54e7f8df5f778140656cce36fff07fd49963aeb

SHA512
f2f8b84f6bdbe54e3663f3bbe6f8d98217344d2313af3ed1b248589a18e3c9d5a166f6edf2ffa7b11384775c49587ea0496ed724638b7ccad29d0aa8ad39f204

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
MD5
54a7c805d9916525cd7fe79596283510

SHA1
0ea046c225eb27ac5186bc2e3aca9008de01ed98

SHA256
2b6290b66d04f6ff53973fbab88ea98ff899b2d2e378800949da4de9f8a9e619

SHA512
46cfad71581c5865305598c6c24c2dc2dafdec9b420bed17b2b36d55f81611de6edfcb965bef3e41532de15d899c95163a634bed1d7772513aaed3cea617a39d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
MD5
7c33e3f2855d637c5d2f56039450e148

SHA1
c0368501d273447ff6835f86d092c612a50c7379

SHA256
4d89fbee42c86972f543cc2798c8726aa58e01b1718f4b764aee317b2b5aea5e

SHA512
a31d766307048aa47a34021b23c65d90f36e71240cbb6ef239f6ff8d045f01686863ba98069c1c0f11b632f6902a330e28556a30ea2dc714e3a1f3912e83d132

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
MD5
ebddd432e09c47684c9c94095051ed9e

SHA1
f06712a7e56154ede73e1aeabe6a1cce6bcdaedb

SHA256
acaeecfcd5c62ea84737bca25cd82c8ba6b8cf5e49d7558628fdafb3d1e9efe9

SHA512
6d1a1318fe570215b8010f142f767a001e6635917380d1b91c732684ef2a5977766854df39c1c9231a15f5bbf920c340dbf67ff5b2f49164c3d1037caa8e5f49

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
MD5
34635d7654c02ae9f39ef7b8c1a1fe7f

SHA1
fcb2073c93431dfbd2aea32507387e50a2a38f0d

SHA256
7e7e52b39b0a4736f87f0a67273708079b4041eb85c7fa8afa27ff77bd30b0bb

SHA512
13906d561acb0b15d1004c782a9c448a661c3cee81de15e6e810d9fb5904b8d7d0b3028eeca16c3449b7f95831d3b29d436c132fee2c13718e186b3568758cd5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
MD5
2569fdf6a4d43a7500d721bf5dfd9123

SHA1
a8994373b68e7806dbef931ac2c0f0f89dbe84a6

SHA256
895a0aefef94601714c3afc99b8b8548014e23835cda5d4597036bd68443e3c8

SHA512
a272cf634f399058262f63ec7f57cb6b2f7dba27ade33599f3174d3f78219949720e75c3feb17396350a511aea8ebe7c7ccdde2f2478a104907bb1cdd4c0e554

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
MD5
bf5ccdeaedf9b93ab1ba69ad86a8de34

SHA1
757c189d7e2eaef7acb228d6608b2932e04801b7

SHA256
dd39d05dbab747041db72eecbc1e73c2883383b228eab35f92c82dc4952b7be8

SHA512
5282ddd75106e6df5cee768754ce94abfb52d82f72b7d11cdb120d9656afad0858c9955287ee561748efc33811ef7b7286215c27b904c75df07a8d426f158b0b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
MD5
151c69641051221c8806f53a5849c0b0

SHA1
4a4802066b8fbd08ea3d203ac4f9c6ed114a23fe

SHA256
6dbf6c0113cdcffb390a66727b0a93a39506533732ae15878b43914306eb5b10

SHA512
d5048af14d64825933af555e40b534670638931845765b8d303223619a250a15f269726f7b21586601247a56873b28973299de0b9f3b9799f6d9695997e5e2c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
MD5
f190f9c7e0afe8dcc661f77bab834eb4

SHA1
3622f312b0ebc413041380a3a86ad52630e9d63e

SHA256
bd1af772c767c584bb695a6ea9267795c9706cb82c8cff198881b19c534b97a8

SHA512
8c85dd340c923480769a9268855d438ca13a4a046ad2c5c3bc093f01082ac93f0edfddc9123b3f3db4e38a7425db4ef11c3f7f8674d8796c9467d3281821d4c2

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe
MD5
37b1189498006936d083cffb38f8e9c0

SHA1
38c5add429f967d773b83056a8ab7d1eabf32613

SHA256
3a21ab1dd499b46d5a92c97df374da2f4001a6b2875b879862d3ee1c75b7aec8

SHA512
86de43d4c03496b13e4dd3960cfd30b11ceadadd407bceeb4602351d9e33f3aebc5f49d5f74443696bef0c12ea9e99aa667d5ba62d1a66257e1038e616f74db2

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe
MD5
46ff9c6348da4216935b5bd11e0320ab

SHA1
cf789b331c3b2867ce28f133237f740b40769e8c

SHA256
4a6e09b9fb1b2a68e40517ddfb6d8c10448eb31d94c9aa9b2bdca3c63e1b2815

SHA512
7a75e76f796cc3c818ec95aae51f686db5d9caede7f45735b5798431242f0f3038ecdf9f0986935961750b09db379dbbb632e9fa4dedbb902fad774cdd7087ea

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe
MD5
d9e43ed72891a0a801dddded9e8b4399

SHA1
37cfe47385380447be64e3d7fbff96707fcab5fc

SHA256
c2d816e2c87c6af16319423f617b57a460c10f61c833684320659a133d8ff099

SHA512
67cfa3db56dc4e2ad5b9b57b7fe62d1cc5910947b084b6fcb74f9fb1844fdc07b4dc4275b8754a4e54a2b443d2dc5cdf6395c6e2dc2df798f10a1d697701982f

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe
MD5
2088041bd3365e155a60b59026527156

SHA1
209038a7351bf5fb70d81d771d28b989dcf36b2b

SHA256
6961895332ae58821bfded70adb25ffc85b97232ff516ad0efca0fa9dcb33da7

SHA512
2da1e7d53a913473482f52b24ef9812d17a860718c8b4005242eb76cb70c3ad87ccc9b0ce467e4808140761a6c68c7997a6f1e37b364ee403aa0d11a3901acc4

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe
MD5
a14d748e9515d764bbbec3f95dd3ff07

SHA1
96020e432040e447c4f164cd42d6774f01f975c4

SHA256
0cebcd947b30aba95b043f072d5ceac85c5e20063ca7360a31269ae56ed5119b

SHA512
4781283e64199d00ea3c6ea9e0c5b73e82b79363aa4fa71a9adf13e85c5addfd8649eb1b32ab66f43126cf3f898cfd3be413c39063f34842c7f7781f09e403f6

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe
MD5
7b7d862892781596c85780415d93981a

SHA1
90f059fe6d64834bf62910d7456b9c28bd7cf6a4

SHA256
64d4daf7ba2a638712d2837c19d6b4903576d1bd63d1d75ae62734ac05a6d819

SHA512
837adf400427a2509e8f5367487200b2fe1b513aba745e65fa16cd360474ed23e42e96fbaea9ac860c2a64ed37b74bf64c0298f50f3b308ed2fe9dce92e7bc1c

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe
MD5
0e813b949b55fe66ad57567f4687b744

SHA1
29c15240d6663bb7553ad213bb40924513e25a81

SHA256
672307101f89216c9bbc2c111a44e39810dbaab600c137e032bbadcc2908f635

SHA512
554f82674ee6622930b790c32805c2b27a28d903e89ccc9266883e1ff418a4ea6e504f12d0f6b09746e11d0982f0c1b293f9b9dcea5fe93fe24bfad0d2b07a02

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
MD5
6ad510e76df4a92e4cacfe2531c3dd43

SHA1
976e9a26a88528ed62be68432442c72b69b788dd

SHA256
bbd6adc695b9601755b8ecc4864891b23715eb49e5a2c76aba2fe95ed4b32386

SHA512
2a9e3eb443b3620ca3c04de19a97c8133c0d25aaa3ff6d2a7b4f3469d35a8c66ea3bb08d4cb937777ca88877c1b32ac48a26c8fcd6500ed0cd276b10da68b096

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
MD5
0750aebadffeded2534b0a677bc43847

SHA1
55290b401c60fe9cd039428d804a3ead22a3f322

SHA256
7e6c0e45b6913bdb1b0ef736a274c34357e31284b7c8675afcfa4533c9b223a9

SHA512
64e90ac942b9352bb9f55212f904bd06f40757ed36031ac9cbab820b438270f4903450d8a99ece78b7ed62b8ce359716fa56fef03fa99e426b858367fec22c1b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
MD5
8b9e64be5d3afbc52abd508d21313181

SHA1
82bfd4a86c7cba2ca7033568783defce275e3547

SHA256
5fc4751273435c23838e12be10bf33a6e8d7213119420de4ce3c267ca2013d64

SHA512
83b30362c1355f8cf47bc94ca4a0387d1f3b28b4b38428bcfdee4e767ee5f5688e522de594666a92de73636f3e03b14a312cf3bfc1fcb101d5504f12a05327e8

Download Submit
C:\Users\Admin\AppData\Local\DAD353~1.EXE
MD5
be56a866861c0cc91ff470f769d74d22

SHA1
87ee58769b0c3eb629434ba0c5f9d3cd65accd4d

SHA256
dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8

SHA512
5be5f4ae7eb08a5a54bfa5dc0d000b94c69843e88b7e792350b0716390228df67ec2b1bb618b701a58cfe75fbaa5dd800d6c7f40a2cb4ea1d7f0a5b8eaf97d38

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5
c9b485534ce3a572794beb950deba948

SHA1
dc4274c201f5bd30261ff0c41254bbb1c7ab271f

SHA256
952264b2da12ae03616ce2fd358c5644a27c93cabceef22172e1c1aee4c77e7e

SHA512
1f913c9aff31664d70ecbbb27a37741c4615026449d654c7d0880281d036f26bf2fe7501ed5b4b13280fd4666fc848536afc5ca2a502439a7be46e9d31bfb3cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
MD5
d023913b02a1d1ae3e2df729b8472893

SHA1
ed35a5bd1f3c682be0500a2becc3d118cb3d8a58

SHA256
20ca23ccca702582ef56fef02540dde3fb32103fd7768242501eca26afbb7745

SHA512
c62ac328f49e3b33d4724d40e9d8b0e169bc385be6084264a1932001fd0d64f9b9774902d318deabe499ac5c2d53d3c92ffef2ad9c679312c3226759ecbb33d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5
de445f9e37c424d1afb7dea35f28e8ae

SHA1
e2b311d9117ecd57336603ebd45efb682779a274

SHA256
c7164c79f3d0aac32289e8fe967ec1d38a69df5ef11262ffb76bbadfc63c2d6f

SHA512
11642c790131ab41699575bed112a5c30681837fe11eec8a228a836f0ccf33461c95a4d38211ba12aec497407d012df03cda720a5b051ecdbe0bd7db23882820

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
MD5
2ae98ef01e79939ac7193c7308b73f0f

SHA1
054214cda334dac6e5044f6e1d06dd8565590602

SHA256
67e1488fc9b0a6518bbffddfc6c3ae199c722c6a930e45bae437268ae982d893

SHA512
0817924a8bf9999e41ecfe282777b73ed5c41a23b6d9ae30057b1060c134f0869062218812708d44baa5af6cb4b96e6f7a7281ccf5e09f5c122c425734ffc3e0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
MD5
388b86af2abde6543deed0fac8c08d1a

SHA1
c71ddba93897459a27ea41ed99faae788671cac8

SHA256
b80eaf6ceaa6db3f841b4e59a50b75b53a7a172ef7f753e2579c2c8609819471

SHA512
3008fc6e88a1eb127bc57e9b970c43c49e3915c7f6fefee80ac25b9aff58c6ec2065a8ad911867fe9de6e3d09ded1f079297f5807dbe83dd58b3d5390151a29c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{C36DB8D4-EDE8-4058-9F0A-3B4ED4891AD3}.dat
MD5
f2bbf05aae4efb01301e21112afbd7f5

SHA1
2a75293e486d3e66f2a1d8d0e0c54fba78a30015

SHA256
e7f17c382c9265d833dae9e1ad37b486092fea19447975ee399fcbef35dfb526

SHA512
8c22901aee2b1ffb55c2f0a4242b849c47702c1f28597f22208120a95096d125db8ad8d9b54edacb0f5b3b33dc4000d3c17f322566a83cdae23777208ee875f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{048983F6-5C58-4B52-B893-9A575ABD0091}.dat
MD5
a04bd23709be45d9c440888396ef8497

SHA1
e07a6652d6cee82aab6a72cc4be810c41f44e209

SHA256
11aa27a4a5a05d46814210bb3d08b10e4642abc21bff0c5e44401a97372757ff

SHA512
baf72677887cb87e36c98d8b55d2af34fb4b1ecd2be68118f28e1cc15b2e3dfc886d6f99924c38ea66bbd779cd52407fbcd3f2f175c90379500e9338e6641af7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
MD5
6850d4e316c45e8f7b718227fae08c04

SHA1
80650938e0feb289f38c92b158be451093b8c6ff

SHA256
8c1060b271d9bb1013d94c5fd13b59e60a96226104d002544e997257a03e0989

SHA512
1adce21b394e25999a3b870fdffce74dff66f80257956e603ee524b813497c340b968547af89f5c782ff54cc38a8a2c87e00e0865bb23b86b35246be95157294

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
MD5
6850d4e316c45e8f7b718227fae08c04

SHA1
80650938e0feb289f38c92b158be451093b8c6ff

SHA256
8c1060b271d9bb1013d94c5fd13b59e60a96226104d002544e997257a03e0989

SHA512
1adce21b394e25999a3b870fdffce74dff66f80257956e603ee524b813497c340b968547af89f5c782ff54cc38a8a2c87e00e0865bb23b86b35246be95157294

Download Submit
C:\Users\Public\Desktop\how_to_back_files.html
MD5
edb0f1029b1ab50f449bf8c13d5274c2

SHA1
08869b978c389924afc9d6e00f757494e0a582a9

SHA256
b42400fdebb2f2d2149654d3f3e053b862403c7bf431a9eca747b4499267c8b0

SHA512
9536325457694f3d7d24b0e77284309999b314bc2633943b07caa150eb7f59a8c657db21eb970b41b9d6d73f1c3f7a229b96e3b3d08d7da8843a9a7387cba8c4

Download Submit
memory/2088-115-0x0000000000000000-mapping.dmp

Download
memory/4080-122-0x0000022112320000-0x0000022112330000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads