Analysis
max time kernel: 171s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 06-02-2022 08:26
Static task: static1
Behavioral task: behavioral1
  Sample: d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
  Resource: win10v2004-en-20220113
General
Target: d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Size: 1.6MB
MD5: bb398bb273b9b2b20f982893bdf89b27
SHA1: c964fa17f985841cdaaf0b4b8b3377d205b94964
SHA256: d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29
SHA512: bd93727a866a46aa91ff8c3a92b0e66894e5c6a661c91dd3bb28f97c077180904f590fa1ad00916585260167c05aa98b1071e56b605fcc038e62ec185fcbe9d1
Malware Config
Signatures
-
Detect Neshta Payload 21 IoCs
Processes:
resource | yara_rule
C:\Windows\svchost.com | family_neshta
C:\Windows\svchost.com | family_neshta
C:\odt\OFFICE~1.EXE | family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\ELEVAT~1.EXE | family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE | family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE | family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE | family_neshta
C:\Windows\svchost.com | family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | family_neshta
C:\Windows\svchost.com | family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe | family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
-
Neshta
Malware from the Neshta family is a file infector: it injects itself into other executables on the host to spread and cause damage.
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
1876 | svchost.com
1308 | svchost.com
1180 | ADOBEA~1.EXE
4352 | svchost.com
5056 | AdobeARM.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | ADOBEA~1.EXE
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | svchost.com
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{A9F77~1\EDGEMI~1.TMP\setup.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\NOTIFI~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\IDENTI~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\msedge.exe | svchost.com
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~3.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~2.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\NOTIFI~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE | svchost.com
-
Drops file in Windows directory 13 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\svchost.com | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | ADOBEA~1.EXE
-
Modifies system certificate store 8 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob omitted> | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <blob omitted> | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob omitted> | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob omitted> | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob omitted> | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
1180 | ADOBEA~1.EXE
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 456 | svchost.exe
Token: SeCreatePagefilePrivilege | 456 | svchost.exe
Token: SeShutdownPrivilege | 456 | svchost.exe
Token: SeCreatePagefilePrivilege | 456 | svchost.exe
Token: SeShutdownPrivilege | 456 | svchost.exe
Token: SeCreatePagefilePrivilege | 456 | svchost.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
5056 | AdobeARM.exe
5056 | AdobeARM.exe
5056 | AdobeARM.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
5056 | AdobeARM.exe
5056 | AdobeARM.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
5056 | AdobeARM.exe
5056 | AdobeARM.exe
5056 | AdobeARM.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 3652 wrote to memory of 3344 | 3652 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
PID 3652 wrote to memory of 3344 | 3652 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
PID 3652 wrote to memory of 3344 | 3652 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
PID 3344 wrote to memory of 1876 | 3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | svchost.com
PID 3344 wrote to memory of 1876 | 3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | svchost.com
PID 3344 wrote to memory of 1876 | 3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | svchost.com
PID 1876 wrote to memory of 2164 | 1876 | svchost.com | READER~1.EXE
PID 1876 wrote to memory of 2164 | 1876 | svchost.com | READER~1.EXE
PID 1876 wrote to memory of 2164 | 1876 | svchost.com | READER~1.EXE
PID 3344 wrote to memory of 1308 | 3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | svchost.com
PID 3344 wrote to memory of 1308 | 3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | svchost.com
PID 3344 wrote to memory of 1308 | 3344 | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe | svchost.com
PID 1308 wrote to memory of 1180 | 1308 | svchost.com | ADOBEA~1.EXE
PID 1308 wrote to memory of 1180 | 1308 | svchost.com | ADOBEA~1.EXE
PID 1308 wrote to memory of 1180 | 1308 | svchost.com | ADOBEA~1.EXE
PID 1180 wrote to memory of 4352 | 1180 | ADOBEA~1.EXE | svchost.com
PID 1180 wrote to memory of 4352 | 1180 | ADOBEA~1.EXE | svchost.com
PID 1180 wrote to memory of 4352 | 1180 | ADOBEA~1.EXE | svchost.com
PID 4352 wrote to memory of 5056 | 4352 | svchost.com | AdobeARM.exe
PID 4352 wrote to memory of 5056 | 4352 | svchost.com | AdobeARM.exe
PID 4352 wrote to memory of 5056 | 4352 | svchost.com | AdobeARM.exe
Processes
-
Process tree (each child process is indented under its parent):
C:\Users\Admin\AppData\Local\Temp\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe"
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3652
  C:\Users\Admin\AppData\Local\Temp\3582-490\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3344
    C:\Windows\svchost.com
      command line: "C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 1876
      C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
        command line: C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
        PID: 2164
    C:\Windows\svchost.com
      command line: "C:\Windows\svchost.com" "C:\PROGRA~3\Adobe\ARM\S\19712\ADOBEA~1.EXE" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\19712" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 1308
      C:\PROGRA~3\Adobe\ARM\S\19712\ADOBEA~1.EXE
        command line: C:\PROGRA~3\Adobe\ARM\S\19712\ADOBEA~1.EXE /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\19712" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
        - Executes dropped EXE
        - Checks computer location settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1180
        C:\Windows\svchost.com
          command line: "C:\Windows\svchost.com" "C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\19712" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
          PID: 4352
          C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
            command line: C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\19712" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            PID: 5056
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 456
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
MD5 322302633e36360a24252f6291cdfc91
SHA1 238ed62353776c646957efefc0174c545c2afa3d
SHA256 31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c
SHA512 5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
MD5 316cf123fc3021e85e4a3cb3d703e83e
SHA1 0bc76376a2ee11616aacfe6284acb94bcb23c62d
SHA256 9b5ffbf037621537fe7769e01d0faffd042010b2019ce657b2d2419fd0e1db8e
SHA512 ed0b5a4201d8f32e37a67477327996fc45ebd806057d3873012a2683e6f2170e50439f5ef5edcd15d1600d8313b70964d3a39f1151af32391bdac48da875278a
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
MD5 f89440ce4ff5c1295c1799339a530303
SHA1 b3cdd4410c3b3315713a24cd547664a220e7ec0d
SHA256 5fac23766b327e314ff6ccfefa8c5db37aafa58814277a0e16ab1b78dad3beb2
SHA512 8b8c3181b591e40d6e3802a65dd47ffd00e4d59950ec29433db5f484e71ef3a91fd22d5e372b08f4f3ab27a6cc7045e11e181fb112b27d8daa6d260a506d5beb
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
MD5 bcd0f32f28d3c2ba8f53d1052d05252d
SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
MD5 d47ed8961782d9e27f359447fa86c266
SHA1 d37d3f962c8d302b18ec468b4abe94f792f72a3b
SHA256 b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a
SHA512 3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
MD5 bd7ae0affbb3a6fd52d956a5694c8073
SHA1 4abb30acd9c8fc94f72b280856e868612fd476e0
SHA256 03b39c1e40731161ff527db03926e07485c051bb4c0694ab4bf16fcc212cc124
SHA512 6f9e387a6d29729d2836f23e8eaf331945c7472a957cb7b98611a94f0bb31890c9b0c4da46956c1140f7ae411f0ee445008825c666a55617ff77aa43166386cb
-
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
MD5 dd5586c90fad3d0acb402c1aab8f6642
SHA1 3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f
SHA256 fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e
SHA512 e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE
MD5 5fc9e1bb8fe39f312cb74937e99667e6
SHA1 39922c3314cd6fcf1eb0b8eed7165691d181416c
SHA256 6a9a69255ca32099fdf0550e52ce9b434999bc8266cd8eeb2ef5d1ac174222fc
SHA512 3eaa304ed81f1860c10383610ccd76bed04f82255195523ed280227f506db17ff847721a3d33ca5aa26d095c6809f4141d80519bbba449ae142911581a7e04ea
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE
MD5 acfde0b862751276292916c992a9c290
SHA1 f0637571315267be2e87ad914226f1ffc42c7d35
SHA256 f435012f0496602491252ee16f36ca7637b579935fbfc1490f08fe9f95b8ac39
SHA512 3bcaba5fc737875de4ab6095b3a89b3d7fe05eed5ee266a0be5bf632cd46b1a618b14e909ff14304e615c90c04c82bbf2492d7fd0408e97172dd2f2fd31c2515
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
MD5 df815caf3c78a6c7e1518cc6882b01bf
SHA1 6c3cad126a72a4710bfc859c9efe2c8eebbb56f6
SHA256 5625af665b7bbafeb056558d4efd469f9a46a2e8c9709ce78bc8706cf551db91
SHA512 e35348fea48f8d4c7954ad4a5e4e22ab0846979334de4b81759ef1aa92b6ae20751b6a3d079a0d33361df16d3bd8fe4bc7503825a0d8f597abbb4ad8ba8274c7
-
C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\ELEVAT~1.EXE
MD5 e1a9b87dc03d10de64e01399b3305065
SHA1 05a43f57e7db0ae90848aafc7ed00e07d452429b
SHA256 0f5f162eeb0ed987a3d947a89fc281263ebd46bf12c9f1ecfdd28826371bf1ba
SHA512 cfb869aca9cc318a17d6581cff70e95258b95de3b288cb71cca462ae64f4b525c8507f55c6c8abc42c55382a1f30065dde820f535545308401000a2a17b14c6f
-
C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE
MD5 315596301b2dd3d1aacbfba6d86fee6e
SHA1 aef3814996008a2af416350620e5a2119f9ccd68
SHA256 beffd49beb79b2802af3726ab4fcad688cf7c64c5a073517a4279dc5f2191b4c
SHA512 70405f0d447670645a57dd73b10b78189f0c037eda55aaead7dcf38ef1b8225bd3eda342b46b554f0e334d28e69c311cffde4e05f9d9775994e5d39773b6f08a
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
MD5 a5d9eaa7d52bffc494a5f58203c6c1b5
SHA1 97928ba7b61b46a1a77a38445679d040ffca7cc8
SHA256 34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48
SHA512 b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
MD5 11486d1d22eaacf01580e3e650f1da3f
SHA1 a47a721efec08ade8456a6918c3de413a2f8c7a2
SHA256 5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3
SHA512 5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
MD5 5c78384d8eb1f6cb8cb23d515cfe7c98
SHA1 b732ab6c3fbf2ded8a4d6c8962554d119f59082e
SHA256 9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564
SHA512 99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6
-
C:\PROGRA~3\Adobe\ARM\S\19712\ADOBEA~1.EXE
MD5 522026a14d6bc781d2a15c665e454310
SHA1 9451a39108326ba578793b1feb62f23a02bce916
SHA256 fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e
SHA512 4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe
MD5 316cf123fc3021e85e4a3cb3d703e83e
SHA1 0bc76376a2ee11616aacfe6284acb94bcb23c62d
SHA256 9b5ffbf037621537fe7769e01d0faffd042010b2019ce657b2d2419fd0e1db8e
SHA512 ed0b5a4201d8f32e37a67477327996fc45ebd806057d3873012a2683e6f2170e50439f5ef5edcd15d1600d8313b70964d3a39f1151af32391bdac48da875278a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
MD5 92dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1 f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA256 3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512 d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MD5 bd7ae0affbb3a6fd52d956a5694c8073
SHA1 4abb30acd9c8fc94f72b280856e868612fd476e0
SHA256 03b39c1e40731161ff527db03926e07485c051bb4c0694ab4bf16fcc212cc124
SHA512 6f9e387a6d29729d2836f23e8eaf331945c7472a957cb7b98611a94f0bb31890c9b0c4da46956c1140f7ae411f0ee445008825c666a55617ff77aa43166386cb
-
C:\ProgramData\Adobe\ARM\ArmReport.ini
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5 3404522672187ad49ad74aec689075c0
SHA1 af6b91326f443b04088cd3718b93334a7247ce1a
SHA256 0ef813051b890501283103fb2999aaa01438227b681dcf711d09c10c5846d72d
SHA512 35d47d228977ae3e77b1510e67fc082da37a39f346a23d4d5f65d91ac46ae51581ccb3c507efe6b33a8ac26af11e58ee2128f98a16ba4b1f2bf9b14e70389f18
-
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5 6f014505b038aa70695dc6557662df8b
SHA1 25607777270af2b0a38da97d8d98ab9bc7926980
SHA256 52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc
SHA512 25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0
-
C:\ProgramData\Adobe\ARM\S\19712\AdobeARM.msi
MD5 5c256b8910abfa6fb390b6b6986fbdc8
SHA1 f106a3257f64ff9be9314f099deae3cef5a75d52
SHA256 f0baf945e8ccda8d7ad3a5f76aa952c5b6ee1a8ce05c5e0eede9384d7b3f1bcc
SHA512 d6bae8fe0b0707a49bc54d62b508024fee0c25c2150483ba5f2608b9c4d9f75c2b3b9eea1d8feb08921cc5ff38488adc97e4d2ab167bdbd26706d562aff775af
-
C:\ProgramData\Adobe\ARM\S\19712\AdobeARMHelper.exe
MD5 522026a14d6bc781d2a15c665e454310
SHA1 9451a39108326ba578793b1feb62f23a02bce916
SHA256 fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e
SHA512 4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5 8a21927f1f2dddd3d0e9f766cf260516
SHA1 f130c2e4a313cd1e56f030a713565b80fd501f58
SHA256 44f5f2cf1e19ab46df2059837eff5516e1027db22ea5ce15fcd7280a5a24ab17
SHA512 8eec11691c0e4f273e1a322829bac6daa7b6c88578f68a352ef3284f9ccb182d90803d56f4c5446a1a6547b8353caad9ab6639ddec408c94e708cea5710031ba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
MD5 217991f26973322de1d10f6e3515b0a3
SHA1 a48490e9fef67432cbaf722fc6ceac102d427bcc
SHA25668d9170d1af16274cebfc06130913a8530aa6547a56300c57ca657404c0f17ce
SHA512a415dda189aa4ea57b277a576b80956514d5d535cfe06623252723a397296b77deab59df9af300c8b8fc543a322190818b1bae9818fab79c3d0778e4713be0a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEACMD5
5c35411b0b7334d0ad4197b7fbd259d3
SHA1ef2b68cc738c32e64c68c061f11c3fd3c9a27d06
SHA25671e070163f34499dafbbcdfcbd8126bfbf570cd153c3e095019cab219b2bb41b
SHA5125ca7a8869dc1036ce28c727ecad56e014f93d8bf359e406c0405ef8ad7ee57834bbc56b11419a5837b4c24e2fd3aedd699b81b0bf6d586aecd5b4878346066f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44DMD5
fd1413961b5ab3f67d760590d231dc36
SHA1c566dadc4dca6486d28a324f35a14ed88ee566a0
SHA256894ae5474484ed1fe44d8d48a7e7ad71b1b82c1fa52c45ff49a9f6f24a132ee0
SHA512c3cbcbbf8360bfb6c536b87c44d933b07ea6bc99dd0949d63356bad7bf5248faed212bedad0543e6ece52877ba85c451925687c3a5ca6298be4d4a4fcc2672fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190MD5
e5d438c82ebda04cb8a891a100ad1f1d
SHA1dcadb2a18934499c3813b48cfb55b26cb2d03992
SHA2568100caca2cb8dfcc37c2f2f885c1541bbe7e42076dc1f81b6528d57172969e74
SHA51283677a3c5f8ba19597524a4036abf1ef803ddcc6a57fe85565d35728610fc6bbaed62cfe963c32f3fdf42c1f1dc7ecc87ab3c122d65c95326254b4d86fcbf14b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEACMD5
5f16228be52e4e231adf59bfa66965f6
SHA1f0648b401ab156ed1fc3df8a12583919226bd700
SHA2561a3511b684f76c518e56ec9fbcbf34fe3e24448adb5c431932f0d5358d588c84
SHA5125e22096d49199f69a2d5e59a27af3ce2a9dd2a81e55e72ba4cf2588c614a792d77d43ca816d4b0c18c020686045322cb8875b2723c3336a8c14dff409bbd3a24
-
C:\Users\Admin\AppData\Local\Temp\3582-490\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exeMD5
8f9a1733d2a9aea90186f7f2899fb9db
SHA1cf6b567610932fac8a104a2efccebd7bc732d749
SHA2565682fc04d2034c28ad7882a207407022f541e3efe80337a447ca5a3b457002af
SHA512bb8079624a61975b1d540a85f1bf4fa5474dad32b54f9ca916548c9dcbccc7a6fdedcc5ba29f7fc6aeba01c0f41a5386f892c6b767828e016c4eb51b3ca9d69c
-
C:\Users\Admin\AppData\Local\Temp\3582-490\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exeMD5
8f9a1733d2a9aea90186f7f2899fb9db
SHA1cf6b567610932fac8a104a2efccebd7bc732d749
SHA2565682fc04d2034c28ad7882a207407022f541e3efe80337a447ca5a3b457002af
SHA512bb8079624a61975b1d540a85f1bf4fa5474dad32b54f9ca916548c9dcbccc7a6fdedcc5ba29f7fc6aeba01c0f41a5386f892c6b767828e016c4eb51b3ca9d69c
-
C:\Users\Admin\AppData\Local\Temp\AdobeARM.logMD5
4f45f6f637bfdd92b0afdf1d28747f63
SHA160ebaa87c276f784d42f869558dcbe1807ea3d43
SHA256d34524a702b44f44c6f11d68dac48edd4a2045e8f7e217eb3f3009d8a6053969
SHA512cf309dd68dcfc3d96b8b8654abc98abc5b0465aa889f16d2821cc46bb74dc531bec0647e8b96b55c85df491895621cb32c21b7e9fd2f6575e26404f6eee4d687
-
C:\Windows\directx.sysMD5
e211068b57aeb2765ad66810b60bc49c
SHA10a06a57eea1e196fdeb1d94743d9ce768951eca4
SHA256122a2425e59d2c401a7778f06b6c03bcb470fdc5091a9c656050ad6bbcfe5427
SHA5127c49f1aa94c420aa916402688d8c7a3ecd8a40d229ffaf4aff66ebdb3f78285d80a5bc4c5358e8c72d45e8994dc016ef4540672de7adcd02b666805220803a42
-
C:\Windows\directx.sysMD5
e1eedb6310c11628d018a81b2e40685d
SHA14b4ceb6e1ae1b0d0691c3777390ec0bcef914ace
SHA256c072b663b90f8988952108799c4f06bbfe2157f74c7c2e115ca33598ca74aa3b
SHA512b2700190496dee6a82a189c2f692bf47b974a3479171a80a570839d56a14bb0810ef5b2fbe69dd9a59b49579a9831cbe86126bee3742179dbf39d6407d6c7874
-
C:\Windows\svchost.comMD5
d1bb9002f9b41f1dd503b9b2d238e961
SHA112a1b2dca6a63dc395d327b7e4efe72c01869584
SHA256b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520
SHA51240c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860
-
C:\Windows\svchost.comMD5
d1bb9002f9b41f1dd503b9b2d238e961
SHA112a1b2dca6a63dc395d327b7e4efe72c01869584
SHA256b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520
SHA51240c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860
-
C:\Windows\svchost.comMD5
d1bb9002f9b41f1dd503b9b2d238e961
SHA112a1b2dca6a63dc395d327b7e4efe72c01869584
SHA256b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520
SHA51240c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860
-
C:\Windows\svchost.comMD5
d1bb9002f9b41f1dd503b9b2d238e961
SHA112a1b2dca6a63dc395d327b7e4efe72c01869584
SHA256b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520
SHA51240c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860
-
C:\odt\OFFICE~1.EXEMD5
02c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/456-223-0x000001BA8F490000-0x000001BA8F494000-memory.dmp  Filesize 16KB
memory/456-221-0x000001BA8C730000-0x000001BA8C740000-memory.dmp  Filesize 64KB
memory/456-222-0x000001BA8C790000-0x000001BA8C7A0000-memory.dmp  Filesize 64KB
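The dropped-file listing above is a flattened extraction of the sandbox's hash table: each algorithm label is fused onto the end of the preceding line, so a path line ends in "MD5" and the digest stands alone on the line below it. As an added example (not part of the report and not the sandbox's own tooling), the Python script below parses that layout back into records, indexes them by SHA-256, and checks a directory for files matching the IoCs. Two details a hunt script should handle, both visible in the listing: C:\Windows\svchost.com appears once per write, so identical entries are counted rather than kept as duplicates; and C:\ProgramData\Adobe\ARM\ArmReport.ini carries the digests of empty input (MD5 d41d8cd9..., SHA-256 e3b0c442...), so matching on it would flag every zero-length file on a host, and the scanner skips such records unless asked. The embedded sample listing is copied from the entries above; the temporary files the demo scans are constructed stand-ins, not the real dropper.

```python
# Added example (not the report's or the sandbox's code): parse the flattened
# dropped-file hash listing above and hunt a directory for matching files.
from __future__ import annotations

import hashlib
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Entries copied from the report in its flattened layout; svchost.com appears
# twice on purpose, since the report lists one entry per write of the file.
SAMPLE_LISTING = r"""
C:\ProgramData\Adobe\ARM\ArmReport.iniMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\svchost.comMD5
d1bb9002f9b41f1dd503b9b2d238e961
SHA112a1b2dca6a63dc395d327b7e4efe72c01869584
SHA256b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520
SHA51240c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860
-
C:\Windows\svchost.comMD5
d1bb9002f9b41f1dd503b9b2d238e961
SHA112a1b2dca6a63dc395d327b7e4efe72c01869584
SHA256b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520
SHA51240c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860
-
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex lengths
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1)([0-9a-fA-F]+)$")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of zero bytes


@dataclass
class DroppedFile:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)  # algo -> lowercase hex

    @property
    def is_empty(self) -> bool:  # ArmReport.ini in the report is such a record
        return self.hashes.get("SHA256") == EMPTY_SHA256


def parse_listing(text: str) -> list[DroppedFile]:
    """A path line ends in the fused label 'MD5' and the MD5 digest stands alone
    on the next line; later lines read 'SHA1<hex>', 'SHA256<hex>', 'SHA512<hex>';
    a lone '-' closes the record."""
    records, current, expect_md5 = [], None, False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "-":
            if current:
                records.append(current)
            current, expect_md5 = None, False
        elif line.endswith("MD5"):
            current, expect_md5 = DroppedFile(line[:-3]), True
        else:
            current = current or DroppedFile("<unknown>")  # listing cut mid-record
            if expect_md5 and len(line) == DIGEST_LEN["MD5"]:
                current.hashes["MD5"] = line.lower()
            elif (m := HASH_LINE.match(line)) and len(m[2]) == DIGEST_LEN[m[1]]:
                current.hashes[m[1]] = m[2].lower()
            expect_md5 = False
    if current:
        records.append(current)
    return records


def build_index(records: list[DroppedFile]):
    """Key on SHA-256 (MD5 collisions are cheap to make) and count identical
    entries instead of keeping duplicates."""
    index: dict[str, DroppedFile] = {}
    counts: Counter = Counter()
    for r in records:
        if sha := r.hashes.get("SHA256"):
            index.setdefault(sha, r)
            counts[(r.path, sha)] += 1
    return index, counts


def scan(root: Path, index: dict[str, DroppedFile], include_empty: bool = False):
    """(local file, matching record) pairs under root. Empty-file records are
    skipped unless include_empty is set, or every zero-byte file would hit.
    read_bytes() is fine for a demo; chunk the hashing for large trees."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and (rec := index.get(hashlib.sha256(p.read_bytes()).hexdigest())):
            if include_empty or not rec.is_empty:
                hits.append((p, rec))
    return hits


def demo() -> dict[str, int]:
    """Scan a temp directory of constructed stand-ins (not the real dropper)."""
    records = parse_listing(SAMPLE_LISTING)
    index, counts = build_index(records)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ArmReport.ini").write_bytes(b"")  # zero bytes, as in the report
        (root / "svchost.com").write_bytes(b"constructed placeholder, not Neshta")
        strict, loose = scan(root, index), scan(root, index, include_empty=True)
    return {"records": len(records), "unique": len(index),
            "svchost_writes": counts[("C:\\Windows\\svchost.com", records[1].hashes["SHA256"])],
            "hits": len(strict), "hits_with_empty": len(loose)}
```

Running `demo()` returns no hits in strict mode and one hit only when empty-file records are included: the zero-byte ArmReport.ini matches by content, and the placeholder svchost.com does not, which is the behaviour you want from a hunt that keys on digests rather than on file names. Lines above the first path line (the fragment at the top of this page section) are kept under a placeholder path so their hashes are not lost.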