Analysis
max time kernel: 104s
max time network: 82s
platform: windows10_x64
resource: win10-en-20210920
submitted: 25-09-2021 05:10

Static task: static1

Behavioral task: behavioral1
Sample: dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
Resource: win10-en-20210920
General
Target: dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
Size: 94KB
MD5: be56a866861c0cc91ff470f769d74d22
SHA1: 87ee58769b0c3eb629434ba0c5f9d3cd65accd4d
SHA256: dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8
SHA512: 5be5f4ae7eb08a5a54bfa5dc0d000b94c69843e88b7e792350b0716390228df67ec2b1bb618b701a58cfe75fbaa5dd800d6c7f40a2cb4ea1d7f0a5b8eaf97d38
Malware Config
Extracted ransom note: C:\Users\Public\Desktop\how_to_back_files.html
Signatures

Detect Neshta Payload (14 IoCs)
YARA rule family_neshta matched on the following resources:
C:\Users\Admin\AppData\Local\DAD353~1.EXE
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Modifies system executable filetype association (2 TTPs, 1 IoC)
Process: dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Neshta
Malware from the Neshta family inserts itself into other executable files in order to spread and cause damage.
Executes dropped EXE (1 IoC)
Process: dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
PID 2088: dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
File renamed: C:\Users\Admin\Pictures\ConvertToWrite.raw => C:\Users\Admin\Pictures\ConvertToWrite.raw.SATANA
File renamed: C:\Users\Admin\Pictures\OpenExpand.raw => C:\Users\Admin\Pictures\OpenExpand.raw.SATANA
File renamed: C:\Users\Admin\Pictures\OptimizeUninstall.raw => C:\Users\Admin\Pictures\OptimizeUninstall.raw.SATANA
File renamed: C:\Users\Admin\Pictures\RevokeMove.raw => C:\Users\Admin\Pictures\RevokeMove.raw.SATANA
File renamed: C:\Users\Admin\Pictures\AddRename.raw => C:\Users\Admin\Pictures\AddRename.raw.SATANA
File renamed: C:\Users\Admin\Pictures\ApproveFormat.raw => C:\Users\Admin\Pictures\ApproveFormat.raw.SATANA
File opened for modification: C:\Users\Admin\Pictures\DenyRequest.tiff
File renamed: C:\Users\Admin\Pictures\DenyRequest.tiff => C:\Users\Admin\Pictures\DenyRequest.tiff.SATANA
File renamed: C:\Users\Admin\Pictures\UnlockReceive.crw => C:\Users\Admin\Pictures\UnlockReceive.crw.SATANA
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops desktop.ini file(s) 25 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory (7 IoCs)
File opened for modification: C:\Windows\Debug\ESE.TXT (MicrosoftEdge.exe)
File created: C:\Windows\rescache\_merged\3720402701\2274612954.pri (MicrosoftEdge.exe)
File created: C:\Windows\rescache\_merged\3720402701\2274612954.pri (MicrosoftEdgeCP.exe)
File opened for modification: C:\Windows\svchost.com (dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe)
File created: C:\Windows\rescache\_merged\3720402701\2274612954.pri (MicrosoftEdge.exe)
File opened for modification: C:\Windows\Debug\ESE.TXT (MicrosoftEdge.exe)
File created: C:\Windows\rescache\_merged\3720402701\2274612954.pri (MicrosoftEdgeCP.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Processes:
Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdge.exe)
Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main (browser_broker.exe)
Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdgeCP.exe)
Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main (browser_broker.exe)
Modifies registry class 64 IoCs
Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 926a44f5cbb1d701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ab1d55f5cbb1d701 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid process
2784 MicrosoftEdgeCP.exe
1884 MicrosoftEdgeCP.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1508 MicrosoftEdge.exe
Token: SeDebugPrivilege 1508 MicrosoftEdge.exe
Token: SeDebugPrivilege 1508 MicrosoftEdge.exe
Token: SeDebugPrivilege 1508 MicrosoftEdge.exe
Token: SeDebugPrivilege 2768 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 2768 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 2768 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 2768 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 1508 MicrosoftEdge.exe
Token: SeDebugPrivilege 4240 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 4240 MicrosoftEdgeCP.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid process
1508 MicrosoftEdge.exe
2784 MicrosoftEdgeCP.exe
2784 MicrosoftEdgeCP.exe
4080 MicrosoftEdge.exe
1884 MicrosoftEdgeCP.exe
1884 MicrosoftEdgeCP.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description pid process target process
PID 3936 wrote to memory of 2088 3936 dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
PID 3936 wrote to memory of 2088 3936 dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
PID 3936 wrote to memory of 2088 3936 dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
PID 2784 wrote to memory of 2768 2784 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768 2784 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768 2784 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768 2784 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768 2784 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 2784 wrote to memory of 2768 2784 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748 1884 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748 1884 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748 1884 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748 1884 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748 1884 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
PID 1884 wrote to memory of 3748 1884 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
Processes
-
"C:\Users\Admin\AppData\Local\Temp\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe" (depth 1)
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3936
-
"C:\Users\Admin\AppData\Local\Temp\3582-490\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe" (depth 2)
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2088
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca (depth 1)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1508
-
C:\Windows\system32\browser_broker.exe -Embedding (depth 1)
- Modifies Internet Explorer settings
PID:3696
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (depth 1)
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (depth 1)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca (depth 1)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4080
-
C:\Windows\system32\browser_broker.exe -Embedding (depth 1)
- Modifies Internet Explorer settings
PID:1748
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (depth 1)
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (depth 1)
- Drops file in Windows directory
- Modifies registry class
PID:3748
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (depth 1)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4240
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (depth 1)
- Modifies registry class
PID:4364
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (depth 1)
- Modifies registry class
PID:4488
-
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (depth 1)
- Modifies registry class
PID:4688
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
MD5 52472cc768bd620a60b0783a4a7dfffb
SHA1 b5fcd14f573f8b7d34d718d8842db544eb49e3de
SHA256 e84318807085452544acea9955af1818b3c6a2818e7be705de895def25a2a167
SHA512 aebf786bf2f2b9d464c11c73878d18be454f799faf04992f6a9a511393592a1a0ba3fb3342e648377e29fcaea870147399453376428ec640309fcc4596e0be70
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
MD5 62aca638924e900d6095eec634f7977c
SHA1 00373ea16fa792b48568fca113cd2bc8fb5d5763
SHA256 6d60dde9623b2a4d86cac1c427b5f5d446452565c58a4996f907de3c1fe0d451
SHA512 38be88f86921300a41eaf080fefd45d5240be10079f2704e467877fa36d8447d6f01e73a8b773aab31c0028f09c4a7308bb9942c1d3ebd0e7c35875f22718291
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
MD5 c08a13d72790de2aa2d06655b68c1999
SHA1 d81ac6618e8160f107c792855a2ebea28d0bb5b7
SHA256 0f1323980a9cb6815bbc34ead54e7f8df5f778140656cce36fff07fd49963aeb
SHA512 f2f8b84f6bdbe54e3663f3bbe6f8d98217344d2313af3ed1b248589a18e3c9d5a166f6edf2ffa7b11384775c49587ea0496ed724638b7ccad29d0aa8ad39f204
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
MD5 54a7c805d9916525cd7fe79596283510
SHA1 0ea046c225eb27ac5186bc2e3aca9008de01ed98
SHA256 2b6290b66d04f6ff53973fbab88ea98ff899b2d2e378800949da4de9f8a9e619
SHA512 46cfad71581c5865305598c6c24c2dc2dafdec9b420bed17b2b36d55f81611de6edfcb965bef3e41532de15d899c95163a634bed1d7772513aaed3cea617a39d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
MD5 7c33e3f2855d637c5d2f56039450e148
SHA1 c0368501d273447ff6835f86d092c612a50c7379
SHA256 4d89fbee42c86972f543cc2798c8726aa58e01b1718f4b764aee317b2b5aea5e
SHA512 a31d766307048aa47a34021b23c65d90f36e71240cbb6ef239f6ff8d045f01686863ba98069c1c0f11b632f6902a330e28556a30ea2dc714e3a1f3912e83d132
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
MD5 ebddd432e09c47684c9c94095051ed9e
SHA1 f06712a7e56154ede73e1aeabe6a1cce6bcdaedb
SHA256 acaeecfcd5c62ea84737bca25cd82c8ba6b8cf5e49d7558628fdafb3d1e9efe9
SHA512 6d1a1318fe570215b8010f142f767a001e6635917380d1b91c732684ef2a5977766854df39c1c9231a15f5bbf920c340dbf67ff5b2f49164c3d1037caa8e5f49
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
MD5 34635d7654c02ae9f39ef7b8c1a1fe7f
SHA1 fcb2073c93431dfbd2aea32507387e50a2a38f0d
SHA256 7e7e52b39b0a4736f87f0a67273708079b4041eb85c7fa8afa27ff77bd30b0bb
SHA512 13906d561acb0b15d1004c782a9c448a661c3cee81de15e6e810d9fb5904b8d7d0b3028eeca16c3449b7f95831d3b29d436c132fee2c13718e186b3568758cd5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
MD5 2569fdf6a4d43a7500d721bf5dfd9123
SHA1 a8994373b68e7806dbef931ac2c0f0f89dbe84a6
SHA256 895a0aefef94601714c3afc99b8b8548014e23835cda5d4597036bd68443e3c8
SHA512 a272cf634f399058262f63ec7f57cb6b2f7dba27ade33599f3174d3f78219949720e75c3feb17396350a511aea8ebe7c7ccdde2f2478a104907bb1cdd4c0e554
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
MD5 bf5ccdeaedf9b93ab1ba69ad86a8de34
SHA1 757c189d7e2eaef7acb228d6608b2932e04801b7
SHA256 dd39d05dbab747041db72eecbc1e73c2883383b228eab35f92c82dc4952b7be8
SHA512 5282ddd75106e6df5cee768754ce94abfb52d82f72b7d11cdb120d9656afad0858c9955287ee561748efc33811ef7b7286215c27b904c75df07a8d426f158b0b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
MD5 151c69641051221c8806f53a5849c0b0
SHA1 4a4802066b8fbd08ea3d203ac4f9c6ed114a23fe
SHA256 6dbf6c0113cdcffb390a66727b0a93a39506533732ae15878b43914306eb5b10
SHA512 d5048af14d64825933af555e40b534670638931845765b8d303223619a250a15f269726f7b21586601247a56873b28973299de0b9f3b9799f6d9695997e5e2c3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
MD5 f190f9c7e0afe8dcc661f77bab834eb4
SHA1 3622f312b0ebc413041380a3a86ad52630e9d63e
SHA256 bd1af772c767c584bb695a6ea9267795c9706cb82c8cff198881b19c534b97a8
SHA512 8c85dd340c923480769a9268855d438ca13a4a046ad2c5c3bc093f01082ac93f0edfddc9123b3f3db4e38a7425db4ef11c3f7f8674d8796c9467d3281821d4c2
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe
MD5 37b1189498006936d083cffb38f8e9c0
SHA1 38c5add429f967d773b83056a8ab7d1eabf32613
SHA256 3a21ab1dd499b46d5a92c97df374da2f4001a6b2875b879862d3ee1c75b7aec8
SHA512 86de43d4c03496b13e4dd3960cfd30b11ceadadd407bceeb4602351d9e33f3aebc5f49d5f74443696bef0c12ea9e99aa667d5ba62d1a66257e1038e616f74db2
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe
MD5 46ff9c6348da4216935b5bd11e0320ab
SHA1 cf789b331c3b2867ce28f133237f740b40769e8c
SHA256 4a6e09b9fb1b2a68e40517ddfb6d8c10448eb31d94c9aa9b2bdca3c63e1b2815
SHA512 7a75e76f796cc3c818ec95aae51f686db5d9caede7f45735b5798431242f0f3038ecdf9f0986935961750b09db379dbbb632e9fa4dedbb902fad774cdd7087ea
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe
MD5 d9e43ed72891a0a801dddded9e8b4399
SHA1 37cfe47385380447be64e3d7fbff96707fcab5fc
SHA256 c2d816e2c87c6af16319423f617b57a460c10f61c833684320659a133d8ff099
SHA512 67cfa3db56dc4e2ad5b9b57b7fe62d1cc5910947b084b6fcb74f9fb1844fdc07b4dc4275b8754a4e54a2b443d2dc5cdf6395c6e2dc2df798f10a1d697701982f
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe
MD5 2088041bd3365e155a60b59026527156
SHA1 209038a7351bf5fb70d81d771d28b989dcf36b2b
SHA256 6961895332ae58821bfded70adb25ffc85b97232ff516ad0efca0fa9dcb33da7
SHA512 2da1e7d53a913473482f52b24ef9812d17a860718c8b4005242eb76cb70c3ad87ccc9b0ce467e4808140761a6c68c7997a6f1e37b364ee403aa0d11a3901acc4
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe
MD5 a14d748e9515d764bbbec3f95dd3ff07
SHA1 96020e432040e447c4f164cd42d6774f01f975c4
SHA256 0cebcd947b30aba95b043f072d5ceac85c5e20063ca7360a31269ae56ed5119b
SHA512 4781283e64199d00ea3c6ea9e0c5b73e82b79363aa4fa71a9adf13e85c5addfd8649eb1b32ab66f43126cf3f898cfd3be413c39063f34842c7f7781f09e403f6
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe
MD5 7b7d862892781596c85780415d93981a
SHA1 90f059fe6d64834bf62910d7456b9c28bd7cf6a4
SHA256 64d4daf7ba2a638712d2837c19d6b4903576d1bd63d1d75ae62734ac05a6d819
SHA512 837adf400427a2509e8f5367487200b2fe1b513aba745e65fa16cd360474ed23e42e96fbaea9ac860c2a64ed37b74bf64c0298f50f3b308ed2fe9dce92e7bc1c
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe
MD5 0e813b949b55fe66ad57567f4687b744
SHA1 29c15240d6663bb7553ad213bb40924513e25a81
SHA256 672307101f89216c9bbc2c111a44e39810dbaab600c137e032bbadcc2908f635
SHA512 554f82674ee6622930b790c32805c2b27a28d903e89ccc9266883e1ff418a4ea6e504f12d0f6b09746e11d0982f0c1b293f9b9dcea5fe93fe24bfad0d2b07a02
-
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
MD5 6ad510e76df4a92e4cacfe2531c3dd43
SHA1 976e9a26a88528ed62be68432442c72b69b788dd
SHA256 bbd6adc695b9601755b8ecc4864891b23715eb49e5a2c76aba2fe95ed4b32386
SHA512 2a9e3eb443b3620ca3c04de19a97c8133c0d25aaa3ff6d2a7b4f3469d35a8c66ea3bb08d4cb937777ca88877c1b32ac48a26c8fcd6500ed0cd276b10da68b096
-
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
MD5 0750aebadffeded2534b0a677bc43847
SHA1 55290b401c60fe9cd039428d804a3ead22a3f322
SHA256 7e6c0e45b6913bdb1b0ef736a274c34357e31284b7c8675afcfa4533c9b223a9
SHA512 64e90ac942b9352bb9f55212f904bd06f40757ed36031ac9cbab820b438270f4903450d8a99ece78b7ed62b8ce359716fa56fef03fa99e426b858367fec22c1b
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
MD5 8b9e64be5d3afbc52abd508d21313181
SHA1 82bfd4a86c7cba2ca7033568783defce275e3547
SHA256 5fc4751273435c23838e12be10bf33a6e8d7213119420de4ce3c267ca2013d64
SHA512 83b30362c1355f8cf47bc94ca4a0387d1f3b28b4b38428bcfdee4e767ee5f5688e522de594666a92de73636f3e03b14a312cf3bfc1fcb101d5504f12a05327e8
-
C:\Users\Admin\AppData\Local\DAD353~1.EXE
MD5 be56a866861c0cc91ff470f769d74d22
SHA1 87ee58769b0c3eb629434ba0c5f9d3cd65accd4d
SHA256 dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8
SHA512 5be5f4ae7eb08a5a54bfa5dc0d000b94c69843e88b7e792350b0716390228df67ec2b1bb618b701a58cfe75fbaa5dd800d6c7f40a2cb4ea1d7f0a5b8eaf97d38
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5 c9b485534ce3a572794beb950deba948
SHA1 dc4274c201f5bd30261ff0c41254bbb1c7ab271f
SHA256 952264b2da12ae03616ce2fd358c5644a27c93cabceef22172e1c1aee4c77e7e
SHA512 1f913c9aff31664d70ecbbb27a37741c4615026449d654c7d0880281d036f26bf2fe7501ed5b4b13280fd4666fc848536afc5ca2a502439a7be46e9d31bfb3cd
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\Microsoft\Windows\3720402701\2274612954.pri
MD5 0db264b38ac3c5f6c140ba120a7fe72f
SHA1 51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74
SHA256 2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d
SHA512 3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
MD5 d023913b02a1d1ae3e2df729b8472893
SHA1 ed35a5bd1f3c682be0500a2becc3d118cb3d8a58
SHA256 20ca23ccca702582ef56fef02540dde3fb32103fd7768242501eca26afbb7745
SHA512 c62ac328f49e3b33d4724d40e9d8b0e169bc385be6084264a1932001fd0d64f9b9774902d318deabe499ac5c2d53d3c92ffef2ad9c679312c3226759ecbb33d3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5 de445f9e37c424d1afb7dea35f28e8ae
SHA1 e2b311d9117ecd57336603ebd45efb682779a274
SHA256 c7164c79f3d0aac32289e8fe967ec1d38a69df5ef11262ffb76bbadfc63c2d6f
SHA512 11642c790131ab41699575bed112a5c30681837fe11eec8a228a836f0ccf33461c95a4d38211ba12aec497407d012df03cda720a5b051ecdbe0bd7db23882820
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
MD5 2ae98ef01e79939ac7193c7308b73f0f
SHA1 054214cda334dac6e5044f6e1d06dd8565590602
SHA256 67e1488fc9b0a6518bbffddfc6c3ae199c722c6a930e45bae437268ae982d893
SHA512 0817924a8bf9999e41ecfe282777b73ed5c41a23b6d9ae30057b1060c134f0869062218812708d44baa5af6cb4b96e6f7a7281ccf5e09f5c122c425734ffc3e0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
MD5 388b86af2abde6543deed0fac8c08d1a
SHA1 c71ddba93897459a27ea41ed99faae788671cac8
SHA256 b80eaf6ceaa6db3f841b4e59a50b75b53a7a172ef7f753e2579c2c8609819471
SHA512 3008fc6e88a1eb127bc57e9b970c43c49e3915c7f6fefee80ac25b9aff58c6ec2065a8ad911867fe9de6e3d09ded1f079297f5807dbe83dd58b3d5390151a29c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{C36DB8D4-EDE8-4058-9F0A-3B4ED4891AD3}.dat
MD5 f2bbf05aae4efb01301e21112afbd7f5
SHA1 2a75293e486d3e66f2a1d8d0e0c54fba78a30015
SHA256 e7f17c382c9265d833dae9e1ad37b486092fea19447975ee399fcbef35dfb526
SHA512 8c22901aee2b1ffb55c2f0a4242b849c47702c1f28597f22208120a95096d125db8ad8d9b54edacb0f5b3b33dc4000d3c17f322566a83cdae23777208ee875f6
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{048983F6-5C58-4B52-B893-9A575ABD0091}.dat
MD5 a04bd23709be45d9c440888396ef8497
SHA1 e07a6652d6cee82aab6a72cc4be810c41f44e209
SHA256 11aa27a4a5a05d46814210bb3d08b10e4642abc21bff0c5e44401a97372757ff
SHA512 baf72677887cb87e36c98d8b55d2af34fb4b1ecd2be68118f28e1cc15b2e3dfc886d6f99924c38ea66bbd779cd52407fbcd3f2f175c90379500e9338e6641af7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2274612954.pri
MD5 0db264b38ac3c5f6c140ba120a7fe72f
SHA1 51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74
SHA256 2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d
SHA512 3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84
-
C:\Users\Admin\AppData\Local\Temp\3582-490\dad35352c33a0357188ac5d9c32934fe0b8dd5c1ee639e5bc9100f85dd9b85a8.exe
MD5 6850d4e316c45e8f7b718227fae08c04
SHA1 80650938e0feb289f38c92b158be451093b8c6ff
SHA256 8c1060b271d9bb1013d94c5fd13b59e60a96226104d002544e997257a03e0989
SHA512 1adce21b394e25999a3b870fdffce74dff66f80257956e603ee524b813497c340b968547af89f5c782ff54cc38a8a2c87e00e0865bb23b86b35246be95157294
-
C:\Users\Public\Desktop\how_to_back_files.html
MD5 edb0f1029b1ab50f449bf8c13d5274c2
SHA1 08869b978c389924afc9d6e00f757494e0a582a9
SHA256 b42400fdebb2f2d2149654d3f3e053b862403c7bf431a9eca747b4499267c8b0
SHA512 9536325457694f3d7d24b0e77284309999b314bc2633943b07caa150eb7f59a8c657db21eb970b41b9d6d73f1c3f7a229b96e3b3d08d7da8843a9a7387cba8c4
-
memory/2088-115-0x0000000000000000-mapping.dmp
-
memory/4080-122-0x0000022112320000-0x0000022112330000-memory.dmp
Filesize 64KB