Analysis
Max time kernel: 181s
Max time network: 159s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 06-02-2022 08:19
Static task: static1
Behavioral task: behavioral1
Sample: d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Resource: win7-en-20211208
General
Target: d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Size: 1.6MB
MD5: a7a8f0c74a61b2de071ed987a2903396
SHA1: 1c8e5219542de15213a2c11f3333a09dce3ef4c8
SHA256: d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760
SHA512: f77188ff058e2e7513236eb081ea079c76aaf2df882829d362a1b40c6e5a6999cc75707587b81aba67906b5a38e194f8896b10c3d168c9d2230fe37f6e29279e
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Neshta
Malware from the Neshta family injects itself into other files in order to spread and cause damage.
Executes dropped EXE (5 IoCs)
Processes:
pid | process
2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
2320 | svchost.com
2464 | svchost.com
1964 | ADOBEA~1.EXE
424 | svchost.com
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | ADOBEA~1.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | svchost.com
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | svchost.com
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | svchost.com
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | svchost.com
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Drops file in Windows directory (11 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File created | C:\Windows\Installer\1d0b295.msp | msiexec.exe
File opened for modification | C:\Windows\Installer\1d0b295.msp | msiexec.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\svchost.com | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS (47 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887856448408523" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.384234" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3964" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116" | svchost.exe
Modifies registry class (3 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | ADOBEA~1.EXE
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data not present in this copy of the report] | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data not present in this copy of the report] | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data not present in this copy of the report] | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data not present in this copy of the report] | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data not present in this copy of the report] | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid | process
2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
1964 | ADOBEA~1.EXE
1964 | ADOBEA~1.EXE
1964 | ADOBEA~1.EXE
1964 | ADOBEA~1.EXE
1964 | ADOBEA~1.EXE
1964 | ADOBEA~1.EXE
1964 | ADOBEA~1.EXE
1964 | ADOBEA~1.EXE
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1316 | AdobeARM.exe
Token: SeIncreaseQuotaPrivilege | 1316 | AdobeARM.exe
Token: SeSecurityPrivilege | 4016 | msiexec.exe
Token: SeCreateTokenPrivilege | 1316 | AdobeARM.exe
Token: SeAssignPrimaryTokenPrivilege | 1316 | AdobeARM.exe
Token: SeLockMemoryPrivilege | 1316 | AdobeARM.exe
Token: SeIncreaseQuotaPrivilege | 1316 | AdobeARM.exe
Token: SeMachineAccountPrivilege | 1316 | AdobeARM.exe
Token: SeTcbPrivilege | 1316 | AdobeARM.exe
Token: SeSecurityPrivilege | 1316 | AdobeARM.exe
Token: SeTakeOwnershipPrivilege | 1316 | AdobeARM.exe
Token: SeLoadDriverPrivilege | 1316 | AdobeARM.exe
Token: SeSystemProfilePrivilege | 1316 | AdobeARM.exe
Token: SeSystemtimePrivilege | 1316 | AdobeARM.exe
Token: SeProfSingleProcessPrivilege | 1316 | AdobeARM.exe
Token: SeIncBasePriorityPrivilege | 1316 | AdobeARM.exe
Token: SeCreatePagefilePrivilege | 1316 | AdobeARM.exe
Token: SeCreatePermanentPrivilege | 1316 | AdobeARM.exe
Token: SeBackupPrivilege | 1316 | AdobeARM.exe
Token: SeRestorePrivilege | 1316 | AdobeARM.exe
Token: SeShutdownPrivilege | 1316 | AdobeARM.exe
Token: SeDebugPrivilege | 1316 | AdobeARM.exe
Token: SeAuditPrivilege | 1316 | AdobeARM.exe
Token: SeSystemEnvironmentPrivilege | 1316 | AdobeARM.exe
Token: SeChangeNotifyPrivilege | 1316 | AdobeARM.exe
Token: SeRemoteShutdownPrivilege | 1316 | AdobeARM.exe
Token: SeUndockPrivilege | 1316 | AdobeARM.exe
Token: SeSyncAgentPrivilege | 1316 | AdobeARM.exe
Token: SeEnableDelegationPrivilege | 1316 | AdobeARM.exe
Token: SeManageVolumePrivilege | 1316 | AdobeARM.exe
Token: SeImpersonatePrivilege | 1316 | AdobeARM.exe
Token: SeCreateGlobalPrivilege | 1316 | AdobeARM.exe
Token: SeRestorePrivilege | 4016 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4016 | msiexec.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
pid | process
1316 | AdobeARM.exe
1316 | AdobeARM.exe
1316 | AdobeARM.exe
1316 | AdobeARM.exe
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
pid | process
1316 | AdobeARM.exe
1316 | AdobeARM.exe
1316 | AdobeARM.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
1316 | AdobeARM.exe
1316 | AdobeARM.exe
1316 | AdobeARM.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description | pid | process | target process
PID 336 wrote to memory of 2508 | 336 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
PID 336 wrote to memory of 2508 | 336 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
PID 336 wrote to memory of 2508 | 336 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
PID 2508 wrote to memory of 2320 | 2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | svchost.com
PID 2508 wrote to memory of 2320 | 2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | svchost.com
PID 2508 wrote to memory of 2320 | 2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | svchost.com
PID 2320 wrote to memory of 2488 | 2320 | svchost.com | READER~1.EXE
PID 2320 wrote to memory of 2488 | 2320 | svchost.com | READER~1.EXE
PID 2320 wrote to memory of 2488 | 2320 | svchost.com | READER~1.EXE
PID 2508 wrote to memory of 2464 | 2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | svchost.com
PID 2508 wrote to memory of 2464 | 2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | svchost.com
PID 2508 wrote to memory of 2464 | 2508 | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe | svchost.com
PID 2464 wrote to memory of 1964 | 2464 | svchost.com | ADOBEA~1.EXE
PID 2464 wrote to memory of 1964 | 2464 | svchost.com | ADOBEA~1.EXE
PID 2464 wrote to memory of 1964 | 2464 | svchost.com | ADOBEA~1.EXE
PID 1964 wrote to memory of 424 | 1964 | ADOBEA~1.EXE | svchost.com
PID 1964 wrote to memory of 424 | 1964 | ADOBEA~1.EXE | svchost.com
PID 1964 wrote to memory of 424 | 1964 | ADOBEA~1.EXE | svchost.com
PID 424 wrote to memory of 1316 | 424 | svchost.com | AdobeARM.exe
PID 424 wrote to memory of 1316 | 424 | svchost.com | AdobeARM.exe
PID 424 wrote to memory of 1316 | 424 | svchost.com | AdobeARM.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe"
  PID: 336
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\3582-490\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe"
    PID: 2508
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\svchost.com
      Command line: "C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE"
      PID: 2320
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
        Command line: C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
        PID: 2488
    (depth 3) C:\Windows\svchost.com
      Command line: "C:\Windows\svchost.com" "C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30292" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
      PID: 2464
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE
        Command line: C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30292" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
        PID: 1964
        - Executes dropped EXE
        - Checks computer location settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\svchost.com
          Command line: "C:\Windows\svchost.com" "C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30292" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
          PID: 424
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
          (depth 6) C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
            Command line: C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30292" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
            PID: 1316
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
(depth 1) C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 1212
  - Checks processor information in registry
(depth 1) C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 1300
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
(depth 1) C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4016
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads