neshta | d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760

Analysis

max time kernel
181s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
06-02-2022 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Size

1.6MB
MD5

a7a8f0c74a61b2de071ed987a2903396
SHA1

1c8e5219542de15213a2c11f3333a09dce3ef4c8
SHA256

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760
SHA512

f77188ff058e2e7513236eb081ea079c76aaf2df882829d362a1b40c6e5a6999cc75707587b81aba67906b5a38e194f8896b10c3d168c9d2230fe37f6e29279e

Score

10^/10

neshta evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 5 IoCs

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exesvchost.comsvchost.comADOBEA~1.EXEsvchost.com

pid process

2508 d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
2320 svchost.com
2464 svchost.com
1964 ADOBEA~1.EXE
424 svchost.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exed97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exeADOBEA~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	ADOBEA~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comd97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe

Drops file in Windows directory 11 IoCs

Processes:

svchost.comsvchost.commsiexec.exesvchost.comsvchost.exed97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\Installer\1d0b295.msp	msiexec.exe
File opened for modification	C:\Windows\Installer\1d0b295.msp	msiexec.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\svchost.com	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887856448408523"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.384234"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3964"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116"	svchost.exe

Modifies registry class 3 IoCs

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exed97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exeADOBEA~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	ADOBEA~1.EXE

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exeADOBEA~1.EXE

pid	process
2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
1964	ADOBEA~1.EXE
1964	ADOBEA~1.EXE
1964	ADOBEA~1.EXE
1964	ADOBEA~1.EXE
1964	ADOBEA~1.EXE
1964	ADOBEA~1.EXE
1964	ADOBEA~1.EXE
1964	ADOBEA~1.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

AdobeARM.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1316	AdobeARM.exe
Token: SeIncreaseQuotaPrivilege	1316	AdobeARM.exe
Token: SeSecurityPrivilege	4016	msiexec.exe
Token: SeCreateTokenPrivilege	1316	AdobeARM.exe
Token: SeAssignPrimaryTokenPrivilege	1316	AdobeARM.exe
Token: SeLockMemoryPrivilege	1316	AdobeARM.exe
Token: SeIncreaseQuotaPrivilege	1316	AdobeARM.exe
Token: SeMachineAccountPrivilege	1316	AdobeARM.exe
Token: SeTcbPrivilege	1316	AdobeARM.exe
Token: SeSecurityPrivilege	1316	AdobeARM.exe
Token: SeTakeOwnershipPrivilege	1316	AdobeARM.exe
Token: SeLoadDriverPrivilege	1316	AdobeARM.exe
Token: SeSystemProfilePrivilege	1316	AdobeARM.exe
Token: SeSystemtimePrivilege	1316	AdobeARM.exe
Token: SeProfSingleProcessPrivilege	1316	AdobeARM.exe
Token: SeIncBasePriorityPrivilege	1316	AdobeARM.exe
Token: SeCreatePagefilePrivilege	1316	AdobeARM.exe
Token: SeCreatePermanentPrivilege	1316	AdobeARM.exe
Token: SeBackupPrivilege	1316	AdobeARM.exe
Token: SeRestorePrivilege	1316	AdobeARM.exe
Token: SeShutdownPrivilege	1316	AdobeARM.exe
Token: SeDebugPrivilege	1316	AdobeARM.exe
Token: SeAuditPrivilege	1316	AdobeARM.exe
Token: SeSystemEnvironmentPrivilege	1316	AdobeARM.exe
Token: SeChangeNotifyPrivilege	1316	AdobeARM.exe
Token: SeRemoteShutdownPrivilege	1316	AdobeARM.exe
Token: SeUndockPrivilege	1316	AdobeARM.exe
Token: SeSyncAgentPrivilege	1316	AdobeARM.exe
Token: SeEnableDelegationPrivilege	1316	AdobeARM.exe
Token: SeManageVolumePrivilege	1316	AdobeARM.exe
Token: SeImpersonatePrivilege	1316	AdobeARM.exe
Token: SeCreateGlobalPrivilege	1316	AdobeARM.exe
Token: SeRestorePrivilege	4016	msiexec.exe
Token: SeTakeOwnershipPrivilege	4016	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

AdobeARM.exe

pid process

1316 AdobeARM.exe
1316 AdobeARM.exe
1316 AdobeARM.exe
1316 AdobeARM.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AdobeARM.exe

pid process

1316 AdobeARM.exe
1316 AdobeARM.exe
1316 AdobeARM.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exeAdobeARM.exe

pid process

2508 d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
1316 AdobeARM.exe
1316 AdobeARM.exe
1316 AdobeARM.exe

pid	process
1316	AdobeARM.exe
1316	AdobeARM.exe
1316	AdobeARM.exe
1316	AdobeARM.exe

pid	process
1316	AdobeARM.exe
1316	AdobeARM.exe
1316	AdobeARM.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exed97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exesvchost.comsvchost.comADOBEA~1.EXEsvchost.com

description	pid	process	target process
PID 336 wrote to memory of 2508	336	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
PID 336 wrote to memory of 2508	336	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
PID 336 wrote to memory of 2508	336	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
PID 2508 wrote to memory of 2320	2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	svchost.com
PID 2508 wrote to memory of 2320	2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	svchost.com
PID 2508 wrote to memory of 2320	2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	svchost.com
PID 2320 wrote to memory of 2488	2320	svchost.com	READER~1.EXE
PID 2320 wrote to memory of 2488	2320	svchost.com	READER~1.EXE
PID 2320 wrote to memory of 2488	2320	svchost.com	READER~1.EXE
PID 2508 wrote to memory of 2464	2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	svchost.com
PID 2508 wrote to memory of 2464	2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	svchost.com
PID 2508 wrote to memory of 2464	2508	d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe	svchost.com
PID 2464 wrote to memory of 1964	2464	svchost.com	ADOBEA~1.EXE
PID 2464 wrote to memory of 1964	2464	svchost.com	ADOBEA~1.EXE
PID 2464 wrote to memory of 1964	2464	svchost.com	ADOBEA~1.EXE
PID 1964 wrote to memory of 424	1964	ADOBEA~1.EXE	svchost.com
PID 1964 wrote to memory of 424	1964	ADOBEA~1.EXE	svchost.com
PID 1964 wrote to memory of 424	1964	ADOBEA~1.EXE	svchost.com
PID 424 wrote to memory of 1316	424	svchost.com	AdobeARM.exe
PID 424 wrote to memory of 1316	424	svchost.com	AdobeARM.exe
PID 424 wrote to memory of 1316	424	svchost.com	AdobeARM.exe

C:\Users\Admin\AppData\Local\Temp\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
"C:\Users\Admin\AppData\Local\Temp\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\3582-490\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2320

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
4⤵
PID:2488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30292" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2464

C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE
C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30292" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30292" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:424

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\30292" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1300

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
MD5
4ab023aa6def7b300dec4fc7ef55dbe7

SHA1
aa30491eb799fa5bdf79691f8fe5e087467463f1

SHA256
8ca27077312716f79f39309156c905719a908e8ded4bf88c2ba6fa821e574673

SHA512
000e33cc2399efa9dc56c06a42f91eb64b94f30b78cf260469f45f3b876f518d2d2b62e33d8f697660ae560d595e5bd5b7a5f847c316d5f97adeb3d8f9248ab5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
MD5
66a77a65eea771304e524dd844c9846a

SHA1
f7e3b403439b5f63927e8681a64f62caafe9a360

SHA256
9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6

SHA512
3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
MD5
1b0841fe3786ef37affe9115404637a0

SHA1
c3209520ae779f2fd2babe293e4b4fedb394aef9

SHA256
e1a35f201df61ddcc4aa8ed88ecf5c46f376e39bfdee40a728083ae7f3431dcc

SHA512
421e0ba5a08428ef2f1efd804b1c57de544a6f9128ed0f8fdbccb6c03fe08cb3128d2b0d99da22c38114183d7b538d560a889d6e4bfe9158e4e3678cc23dc569

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
MD5
49e0f06c7b16d18fe5eb88415a5ef0e5

SHA1
92ba910d3690ac408383b8c6a72dd8e10eda258e

SHA256
1e1bfc2bc77e13a88587a50a1bbbf7fd1ffbcab5e138da680ac0810c5c599171

SHA512
feddde39c84a9716cf050aa0f1bbb870a8beb9d70323df7243660901c722d7bd4c6896fe04b52f1bcabea003d9de2ec497e7584ae28f188d1d4cfb5bb1b518e3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
MD5
d48d024c7bd52ae2efba247ef60fd47c

SHA1
697f522ed8f76941b6cf3b6180adc98948588d78

SHA256
9bb5cf4ecd864a988899aaa11f8dfaf98c7e8e8ab8d7ac912091fa1ed3ec1996

SHA512
b5ae8b39f8ef3dfe151c01f82ea7a33a3722ae1661eb206e3a53ef2178c8582c8c9fbafc44d2b21107c8450700464164b6b87ba2549e38fc1251461f3fa3d851

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
MD5
80d6e1a3e9a6b411caff8f067722b24a

SHA1
074ef39d7415d5dd511048ac7522cd3bee23b4b1

SHA256
3b6463ab5680735f5d09e399c3f3fa5f3abb773c0e3b5317142ee47e75d9e683

SHA512
54242c17790b814d4b91282056fd1f228a092812ab632d7b64e664ca1fe81ef61bbe8efb08852d538249b8f33ebcd05ca4da3c0dd37a51556dfedcb7ac1613e4

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE
MD5
1fc3ca495a9f6aa7ab5ea0889970108e

SHA1
2b2f7204772ab8e09fce40d0c50e2298e516924a

SHA256
d222485a43b5470e284d92bada83821703b64c28e2dc01a5f189b8062110f6ed

SHA512
bd10b31396eb9f40baedd3afddcd76440b8d453da14f6ea7a8aca8f58129de76bb03081b62d27e5804eaa13fe7a4905095ecdac5304c5c9fd5e47c1ee2676625

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE
MD5
955715af5d82d7a4406a37ef87f2a4ff

SHA1
c8ad9197e2bc0cf9b3d507c5e956d039db3c8a0e

SHA256
81c23be6a5e3db2afb0b2e8b7d23288fb3db2f14d334aacd7085b92e890e0cae

SHA512
a270e7a8b997f2f74eb80639ddd4aea93d7244f40fa2f31e97d17c8f2ba035ca52472922928c254eca894957dcb7ba6e09d5ddde7b7992baaa08d05c6ef1908f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\PROGRA~3\Adobe\ARM\S\30292\ADOBEA~1.EXE
MD5
1b0841fe3786ef37affe9115404637a0

SHA1
c3209520ae779f2fd2babe293e4b4fedb394aef9

SHA256
e1a35f201df61ddcc4aa8ed88ecf5c46f376e39bfdee40a728083ae7f3431dcc

SHA512
421e0ba5a08428ef2f1efd804b1c57de544a6f9128ed0f8fdbccb6c03fe08cb3128d2b0d99da22c38114183d7b538d560a889d6e4bfe9158e4e3678cc23dc569

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
MD5
290bc201ea5ff9f21fe19d6379592fda

SHA1
6ee8169ebe3c918f433e03bfabb563c281e8eb1a

SHA256
a9f1f27e87c4e8b6548697be4bd6112c7bbac9481a74ac0a6f5a91856734451b

SHA512
452910ab15e934598282de4e2a199d94f9708b6292128ac879595e436c6c44fd35789220d0199d16a5b14bb05a67e2197ff5c2db4958651efa1add4c5e4e15ab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe
MD5
6e596f12807d021e12b7c34f58e7d892

SHA1
822efb0692579428ca44bb02e92da8c751dd2a7f

SHA256
e0d385610db542df37631eff4b225db45e1854de8b7a7b4df46612b061d96300

SHA512
58dbe74f24cc5881a96c177018112ddc06b7ead7b3b1061de84696fcc3b119c71fff5f494df0f6bceb4708195c7a5b514f5d7bf09671ed16c715547eaa889bf9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
MD5
3ccfc6967bcfea597926999974eb0cf9

SHA1
6736e7886e848d41de098cd00b8279c9bc94d501

SHA256
a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9

SHA512
f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini
MD5
be5de913ebd0da179b690dd9e573d5d9

SHA1
c54599eb4c461db802963bd30b3beb7d597e6ff6

SHA256
4e6d915450eaaa7386d90f6db8d642ae51690a6727b533752c50faa85c534a0d

SHA512
5337897f1f20d8cd35d90bb598cdc4416f4c3ca4e1c92bf704eeb4b0fc91f5f5b7ac8e469e816bfcb525c0156262912be5cc1abdb0081208b8a831af949e2654

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5
3404522672187ad49ad74aec689075c0

SHA1
af6b91326f443b04088cd3718b93334a7247ce1a

SHA256
0ef813051b890501283103fb2999aaa01438227b681dcf711d09c10c5846d72d

SHA512
35d47d228977ae3e77b1510e67fc082da37a39f346a23d4d5f65d91ac46ae51581ccb3c507efe6b33a8ac26af11e58ee2128f98a16ba4b1f2bf9b14e70389f18

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\ProgramData\Adobe\ARM\S\30292\AdobeARM.msi
MD5
5c256b8910abfa6fb390b6b6986fbdc8

SHA1
f106a3257f64ff9be9314f099deae3cef5a75d52

SHA256
f0baf945e8ccda8d7ad3a5f76aa952c5b6ee1a8ce05c5e0eede9384d7b3f1bcc

SHA512
d6bae8fe0b0707a49bc54d62b508024fee0c25c2150483ba5f2608b9c4d9f75c2b3b9eea1d8feb08921cc5ff38488adc97e4d2ab167bdbd26706d562aff775af

Download Submit
C:\ProgramData\Adobe\ARM\S\30292\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
8a21927f1f2dddd3d0e9f766cf260516

SHA1
f130c2e4a313cd1e56f030a713565b80fd501f58

SHA256
44f5f2cf1e19ab46df2059837eff5516e1027db22ea5ce15fcd7280a5a24ab17

SHA512
8eec11691c0e4f273e1a322829bac6daa7b6c88578f68a352ef3284f9ccb182d90803d56f4c5446a1a6547b8353caad9ab6639ddec408c94e708cea5710031ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
MD5
217991f26973322de1d10f6e3515b0a3

SHA1
a48490e9fef67432cbaf722fc6ceac102d427bcc

SHA256
68d9170d1af16274cebfc06130913a8530aa6547a56300c57ca657404c0f17ce

SHA512
a415dda189aa4ea57b277a576b80956514d5d535cfe06623252723a397296b77deab59df9af300c8b8fc543a322190818b1bae9818fab79c3d0778e4713be0a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
5c35411b0b7334d0ad4197b7fbd259d3

SHA1
ef2b68cc738c32e64c68c061f11c3fd3c9a27d06

SHA256
71e070163f34499dafbbcdfcbd8126bfbf570cd153c3e095019cab219b2bb41b

SHA512
5ca7a8869dc1036ce28c727ecad56e014f93d8bf359e406c0405ef8ad7ee57834bbc56b11419a5837b4c24e2fd3aedd699b81b0bf6d586aecd5b4878346066f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
cfa7c385eb125c61aa612fe2891b8e2a

SHA1
ded4be59976c00d76fb78bc2ab268cf9c2c253c9

SHA256
2bc80e908a7539e174848741a33786ceffc29294556b491d7e6d7e9dbd3f99fe

SHA512
4bbcfe77d11977fc3c18ddfb7ed698fd0aa6b1731934aa7def658b52a43ae57ff344e1a2df915f42d4241a2fb0eb6a3300f40ea317e6380c70921284f0b886b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
MD5
abfbc309873659864ece5cd8b60f081c

SHA1
9ca147ca982088bc6f81ddad013d8600f7a934ca

SHA256
e7fcd9822070b4f99ccb4ee9207e47e511588b54e8edff06ac5229fc680b49ea

SHA512
8bd59b0f5c6b964a39256751a6236f5efcce7e5e14bcac82c681f5921911024ac93137f7b1c8ecfcc280db2d412159a91b6be2893c791bc50505ce80c9e8291d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
bc860036d06de698efcc896c036ac223

SHA1
e10b5e877b3f07afcb761b3d45446e017484447c

SHA256
113e6dcddb9c4399fb2bc2b1a2fe56b5992844ee7773af6762e90c40c88684e2

SHA512
a5aa68fa3db792c1c3195114406de7be799482275fcdacb3e01947ac887f8599fbde7190a224f73666e2f5c69c7fadbe57ab2831ee4268e07f0212a0a7285608

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
MD5
be185db3d2d448396fcce062b1048dbe

SHA1
072a8872cf5240a7f96e899dce0c215a6df67dc6

SHA256
51f3d2110604755ad75b646a46f79b759389e4dba17498d83de9bbf4d3100b1b

SHA512
a07ba5873cb9e57885f81ab683d06a13caef06572dfcc3310d4f9daefc94ee36f0116d31f784ce043008e4bcbcb9075a809a6c9e152447782eb1bf3d8d6a159f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d97d82d15bca1f31193596a1f32ae16563b50d14e7f73b18c909c9086bd37760.exe
MD5
be185db3d2d448396fcce062b1048dbe

SHA1
072a8872cf5240a7f96e899dce0c215a6df67dc6

SHA256
51f3d2110604755ad75b646a46f79b759389e4dba17498d83de9bbf4d3100b1b

SHA512
a07ba5873cb9e57885f81ab683d06a13caef06572dfcc3310d4f9daefc94ee36f0116d31f784ce043008e4bcbcb9075a809a6c9e152447782eb1bf3d8d6a159f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
MD5
ac850c3469eb70d92bfb81aae04613e6

SHA1
a8ad9b9d4b666596ad07e83a123551bce444059e

SHA256
23ecb1127d724d519c524ba208010c1ba2b52ce7ff1f3172525513ac7e5b721a

SHA512
a46e4d8052d31646b236f5082e1332ddcc389653e9ad5b8f74ac6f82fff0fa4cf8729e1f4a8e29923522a9d98c1d50d19e4ac213ddb3a8c67a79ad2477175cc6

Download Submit
C:\Windows\directx.sys
MD5
d42665fe4c19ecbfc88da79cdcbc26c4

SHA1
b59f1eb45d90e17ba2307b590c7ed3eb8c935058

SHA256
bef09518776e758ceb41a25894cf38c6c21d4884e2f7be75bfe17572fa58e584

SHA512
2c14951146123bd5cc020132625fea08ca67ddfdfc6060e44ff46cf9609469a8040988215b6e734e3c4319a630736d0e8770a2f7da59d92ed4447ff279d8998e

Download Submit
C:\Windows\directx.sys
MD5
96fab7f269baad08fb0ff5707c608f04

SHA1
721925e246dade64896caae2a38fc8fdeee01d3b

SHA256
779a6133896fab628b9dcff2be7e1eb52e7deb202ba369d7ab33138f9ad1489c

SHA512
1276e3a27ba74c6617cb16f342487b1c125b1a3e91956e1affb2cc6e10e8ada4abb6d548df1d6f4782cde700dac559f92ed9ea3806cc3e5ef5fd4f0a312d3890

Download Submit
C:\Windows\svchost.com
MD5
371c1e8a04fc1255cd38141e8d1c4e9d

SHA1
a08212115f726e91f5f82ecb0711fe68d392f1c7

SHA256
3109e6a23edb277172fab39ade7be67a2a1ffef6ae37a31e69cc4c5fc2ca62e3

SHA512
f969b3ab18d1bb4ac04e8136cdf89945335907fa6426c5190ea21d79817448592828652d5d32181c060f6562cae85688313a49e20f50f6e1120aa8a72da48966

Download Submit
C:\Windows\svchost.com
MD5
371c1e8a04fc1255cd38141e8d1c4e9d

SHA1
a08212115f726e91f5f82ecb0711fe68d392f1c7

SHA256
3109e6a23edb277172fab39ade7be67a2a1ffef6ae37a31e69cc4c5fc2ca62e3

SHA512
f969b3ab18d1bb4ac04e8136cdf89945335907fa6426c5190ea21d79817448592828652d5d32181c060f6562cae85688313a49e20f50f6e1120aa8a72da48966

Download Submit
C:\Windows\svchost.com
MD5
371c1e8a04fc1255cd38141e8d1c4e9d

SHA1
a08212115f726e91f5f82ecb0711fe68d392f1c7

SHA256
3109e6a23edb277172fab39ade7be67a2a1ffef6ae37a31e69cc4c5fc2ca62e3

SHA512
f969b3ab18d1bb4ac04e8136cdf89945335907fa6426c5190ea21d79817448592828652d5d32181c060f6562cae85688313a49e20f50f6e1120aa8a72da48966

Download Submit
C:\Windows\svchost.com
MD5
371c1e8a04fc1255cd38141e8d1c4e9d

SHA1
a08212115f726e91f5f82ecb0711fe68d392f1c7

SHA256
3109e6a23edb277172fab39ade7be67a2a1ffef6ae37a31e69cc4c5fc2ca62e3

SHA512
f969b3ab18d1bb4ac04e8136cdf89945335907fa6426c5190ea21d79817448592828652d5d32181c060f6562cae85688313a49e20f50f6e1120aa8a72da48966

Download Submit
C:\odt\OFFICE~1.EXE
MD5
2e47c96f947db7a8be51985ccc0de0ab

SHA1
174897a0254dc90c23c8636cfdf0d49515c4b627

SHA256
93a0e5763816fa35707b8c651178e93fd235f13ab517be76a0c91f0f81335a59

SHA512
3fdce195c9d9223ad90c089ace36d1a2a6775761f2fb30ad0f813ac6c107031bc793b742048de5975564061f487def41f1fedd7718ba3dade7739ba223d8cbbb

Download Submit