neshta | d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29

Analysis

max time kernel
171s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06-02-2022 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Size

1.6MB
MD5

bb398bb273b9b2b20f982893bdf89b27
SHA1

c964fa17f985841cdaaf0b4b8b3377d205b94964
SHA256

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29
SHA512

bd93727a866a46aa91ff8c3a92b0e66894e5c6a661c91dd3bb28f97c077180904f590fa1ad00916585260167c05aa98b1071e56b605fcc038e62ec185fcbe9d1

Score

10^/10

neshta evasion persistence spyware trojan

Malware Config

Signatures

Detect Neshta Payload 21 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 6 IoCs

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exesvchost.comsvchost.comADOBEA~1.EXEsvchost.comAdobeARM.exe

pid	process
3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
1876	svchost.com
1308	svchost.com
1180	ADOBEA~1.EXE
4352	svchost.com
5056	AdobeARM.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exed70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exeADOBEA~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ADOBEA~1.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe

Drops file in Program Files directory 64 IoCs

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exesvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{A9F77~1\EDGEMI~1.TMP\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\NOTIFI~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\IDENTI~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~3.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\NOTIFI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE	svchost.com

Drops file in Windows directory 13 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.exed70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\svchost.com	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exed70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exeADOBEA~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	ADOBEA~1.EXE

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exeADOBEA~1.EXE

pid	process
3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE
1180	ADOBEA~1.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	456	svchost.exe
Token: SeCreatePagefilePrivilege	456	svchost.exe
Token: SeShutdownPrivilege	456	svchost.exe
Token: SeCreatePagefilePrivilege	456	svchost.exe
Token: SeShutdownPrivilege	456	svchost.exe
Token: SeCreatePagefilePrivilege	456	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AdobeARM.exe

pid process

5056 AdobeARM.exe
5056 AdobeARM.exe
5056 AdobeARM.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AdobeARM.exe

pid process

5056 AdobeARM.exe
5056 AdobeARM.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exeAdobeARM.exe

pid process

3344 d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
5056 AdobeARM.exe
5056 AdobeARM.exe
5056 AdobeARM.exe

pid	process
5056	AdobeARM.exe
5056	AdobeARM.exe
5056	AdobeARM.exe

pid	process
5056	AdobeARM.exe
5056	AdobeARM.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exed70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exesvchost.comsvchost.comADOBEA~1.EXEsvchost.com

description	pid	process	target process
PID 3652 wrote to memory of 3344	3652	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
PID 3652 wrote to memory of 3344	3652	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
PID 3652 wrote to memory of 3344	3652	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
PID 3344 wrote to memory of 1876	3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	svchost.com
PID 3344 wrote to memory of 1876	3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	svchost.com
PID 3344 wrote to memory of 1876	3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	svchost.com
PID 1876 wrote to memory of 2164	1876	svchost.com	READER~1.EXE
PID 1876 wrote to memory of 2164	1876	svchost.com	READER~1.EXE
PID 1876 wrote to memory of 2164	1876	svchost.com	READER~1.EXE
PID 3344 wrote to memory of 1308	3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	svchost.com
PID 3344 wrote to memory of 1308	3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	svchost.com
PID 3344 wrote to memory of 1308	3344	d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe	svchost.com
PID 1308 wrote to memory of 1180	1308	svchost.com	ADOBEA~1.EXE
PID 1308 wrote to memory of 1180	1308	svchost.com	ADOBEA~1.EXE
PID 1308 wrote to memory of 1180	1308	svchost.com	ADOBEA~1.EXE
PID 1180 wrote to memory of 4352	1180	ADOBEA~1.EXE	svchost.com
PID 1180 wrote to memory of 4352	1180	ADOBEA~1.EXE	svchost.com
PID 1180 wrote to memory of 4352	1180	ADOBEA~1.EXE	svchost.com
PID 4352 wrote to memory of 5056	4352	svchost.com	AdobeARM.exe
PID 4352 wrote to memory of 5056	4352	svchost.com	AdobeARM.exe
PID 4352 wrote to memory of 5056	4352	svchost.com	AdobeARM.exe

C:\Users\Admin\AppData\Local\Temp\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
"C:\Users\Admin\AppData\Local\Temp\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\3582-490\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1876

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
4⤵
PID:2164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~3\Adobe\ARM\S\19712\ADOBEA~1.EXE" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\19712" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1308

C:\PROGRA~3\Adobe\ARM\S\19712\ADOBEA~1.EXE
C:\PROGRA~3\Adobe\ARM\S\19712\ADOBEA~1.EXE /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\19712" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\19712" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4352

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\19712" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
MD5
316cf123fc3021e85e4a3cb3d703e83e

SHA1
0bc76376a2ee11616aacfe6284acb94bcb23c62d

SHA256
9b5ffbf037621537fe7769e01d0faffd042010b2019ce657b2d2419fd0e1db8e

SHA512
ed0b5a4201d8f32e37a67477327996fc45ebd806057d3873012a2683e6f2170e50439f5ef5edcd15d1600d8313b70964d3a39f1151af32391bdac48da875278a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
MD5
f89440ce4ff5c1295c1799339a530303

SHA1
b3cdd4410c3b3315713a24cd547664a220e7ec0d

SHA256
5fac23766b327e314ff6ccfefa8c5db37aafa58814277a0e16ab1b78dad3beb2

SHA512
8b8c3181b591e40d6e3802a65dd47ffd00e4d59950ec29433db5f484e71ef3a91fd22d5e372b08f4f3ab27a6cc7045e11e181fb112b27d8daa6d260a506d5beb

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
MD5
d47ed8961782d9e27f359447fa86c266

SHA1
d37d3f962c8d302b18ec468b4abe94f792f72a3b

SHA256
b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a

SHA512
3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
MD5
bd7ae0affbb3a6fd52d956a5694c8073

SHA1
4abb30acd9c8fc94f72b280856e868612fd476e0

SHA256
03b39c1e40731161ff527db03926e07485c051bb4c0694ab4bf16fcc212cc124

SHA512
6f9e387a6d29729d2836f23e8eaf331945c7472a957cb7b98611a94f0bb31890c9b0c4da46956c1140f7ae411f0ee445008825c666a55617ff77aa43166386cb

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
MD5
dd5586c90fad3d0acb402c1aab8f6642

SHA1
3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f

SHA256
fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e

SHA512
e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE
MD5
5fc9e1bb8fe39f312cb74937e99667e6

SHA1
39922c3314cd6fcf1eb0b8eed7165691d181416c

SHA256
6a9a69255ca32099fdf0550e52ce9b434999bc8266cd8eeb2ef5d1ac174222fc

SHA512
3eaa304ed81f1860c10383610ccd76bed04f82255195523ed280227f506db17ff847721a3d33ca5aa26d095c6809f4141d80519bbba449ae142911581a7e04ea

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE
MD5
acfde0b862751276292916c992a9c290

SHA1
f0637571315267be2e87ad914226f1ffc42c7d35

SHA256
f435012f0496602491252ee16f36ca7637b579935fbfc1490f08fe9f95b8ac39

SHA512
3bcaba5fc737875de4ab6095b3a89b3d7fe05eed5ee266a0be5bf632cd46b1a618b14e909ff14304e615c90c04c82bbf2492d7fd0408e97172dd2f2fd31c2515

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
MD5
df815caf3c78a6c7e1518cc6882b01bf

SHA1
6c3cad126a72a4710bfc859c9efe2c8eebbb56f6

SHA256
5625af665b7bbafeb056558d4efd469f9a46a2e8c9709ce78bc8706cf551db91

SHA512
e35348fea48f8d4c7954ad4a5e4e22ab0846979334de4b81759ef1aa92b6ae20751b6a3d079a0d33361df16d3bd8fe4bc7503825a0d8f597abbb4ad8ba8274c7

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\ELEVAT~1.EXE
MD5
e1a9b87dc03d10de64e01399b3305065

SHA1
05a43f57e7db0ae90848aafc7ed00e07d452429b

SHA256
0f5f162eeb0ed987a3d947a89fc281263ebd46bf12c9f1ecfdd28826371bf1ba

SHA512
cfb869aca9cc318a17d6581cff70e95258b95de3b288cb71cca462ae64f4b525c8507f55c6c8abc42c55382a1f30065dde820f535545308401000a2a17b14c6f

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE
MD5
315596301b2dd3d1aacbfba6d86fee6e

SHA1
aef3814996008a2af416350620e5a2119f9ccd68

SHA256
beffd49beb79b2802af3726ab4fcad688cf7c64c5a073517a4279dc5f2191b4c

SHA512
70405f0d447670645a57dd73b10b78189f0c037eda55aaead7dcf38ef1b8225bd3eda342b46b554f0e334d28e69c311cffde4e05f9d9775994e5d39773b6f08a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
MD5
11486d1d22eaacf01580e3e650f1da3f

SHA1
a47a721efec08ade8456a6918c3de413a2f8c7a2

SHA256
5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3

SHA512
5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~3\Adobe\ARM\S\19712\ADOBEA~1.EXE
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe
MD5
316cf123fc3021e85e4a3cb3d703e83e

SHA1
0bc76376a2ee11616aacfe6284acb94bcb23c62d

SHA256
9b5ffbf037621537fe7769e01d0faffd042010b2019ce657b2d2419fd0e1db8e

SHA512
ed0b5a4201d8f32e37a67477327996fc45ebd806057d3873012a2683e6f2170e50439f5ef5edcd15d1600d8313b70964d3a39f1151af32391bdac48da875278a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MD5
bd7ae0affbb3a6fd52d956a5694c8073

SHA1
4abb30acd9c8fc94f72b280856e868612fd476e0

SHA256
03b39c1e40731161ff527db03926e07485c051bb4c0694ab4bf16fcc212cc124

SHA512
6f9e387a6d29729d2836f23e8eaf331945c7472a957cb7b98611a94f0bb31890c9b0c4da46956c1140f7ae411f0ee445008825c666a55617ff77aa43166386cb

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5
3404522672187ad49ad74aec689075c0

SHA1
af6b91326f443b04088cd3718b93334a7247ce1a

SHA256
0ef813051b890501283103fb2999aaa01438227b681dcf711d09c10c5846d72d

SHA512
35d47d228977ae3e77b1510e67fc082da37a39f346a23d4d5f65d91ac46ae51581ccb3c507efe6b33a8ac26af11e58ee2128f98a16ba4b1f2bf9b14e70389f18

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\ProgramData\Adobe\ARM\S\19712\AdobeARM.msi
MD5
5c256b8910abfa6fb390b6b6986fbdc8

SHA1
f106a3257f64ff9be9314f099deae3cef5a75d52

SHA256
f0baf945e8ccda8d7ad3a5f76aa952c5b6ee1a8ce05c5e0eede9384d7b3f1bcc

SHA512
d6bae8fe0b0707a49bc54d62b508024fee0c25c2150483ba5f2608b9c4d9f75c2b3b9eea1d8feb08921cc5ff38488adc97e4d2ab167bdbd26706d562aff775af

Download Submit
C:\ProgramData\Adobe\ARM\S\19712\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
8a21927f1f2dddd3d0e9f766cf260516

SHA1
f130c2e4a313cd1e56f030a713565b80fd501f58

SHA256
44f5f2cf1e19ab46df2059837eff5516e1027db22ea5ce15fcd7280a5a24ab17

SHA512
8eec11691c0e4f273e1a322829bac6daa7b6c88578f68a352ef3284f9ccb182d90803d56f4c5446a1a6547b8353caad9ab6639ddec408c94e708cea5710031ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
MD5
217991f26973322de1d10f6e3515b0a3

SHA1
a48490e9fef67432cbaf722fc6ceac102d427bcc

SHA256
68d9170d1af16274cebfc06130913a8530aa6547a56300c57ca657404c0f17ce

SHA512
a415dda189aa4ea57b277a576b80956514d5d535cfe06623252723a397296b77deab59df9af300c8b8fc543a322190818b1bae9818fab79c3d0778e4713be0a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
5c35411b0b7334d0ad4197b7fbd259d3

SHA1
ef2b68cc738c32e64c68c061f11c3fd3c9a27d06

SHA256
71e070163f34499dafbbcdfcbd8126bfbf570cd153c3e095019cab219b2bb41b

SHA512
5ca7a8869dc1036ce28c727ecad56e014f93d8bf359e406c0405ef8ad7ee57834bbc56b11419a5837b4c24e2fd3aedd699b81b0bf6d586aecd5b4878346066f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
fd1413961b5ab3f67d760590d231dc36

SHA1
c566dadc4dca6486d28a324f35a14ed88ee566a0

SHA256
894ae5474484ed1fe44d8d48a7e7ad71b1b82c1fa52c45ff49a9f6f24a132ee0

SHA512
c3cbcbbf8360bfb6c536b87c44d933b07ea6bc99dd0949d63356bad7bf5248faed212bedad0543e6ece52877ba85c451925687c3a5ca6298be4d4a4fcc2672fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
MD5
e5d438c82ebda04cb8a891a100ad1f1d

SHA1
dcadb2a18934499c3813b48cfb55b26cb2d03992

SHA256
8100caca2cb8dfcc37c2f2f885c1541bbe7e42076dc1f81b6528d57172969e74

SHA512
83677a3c5f8ba19597524a4036abf1ef803ddcc6a57fe85565d35728610fc6bbaed62cfe963c32f3fdf42c1f1dc7ecc87ab3c122d65c95326254b4d86fcbf14b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
5f16228be52e4e231adf59bfa66965f6

SHA1
f0648b401ab156ed1fc3df8a12583919226bd700

SHA256
1a3511b684f76c518e56ec9fbcbf34fe3e24448adb5c431932f0d5358d588c84

SHA512
5e22096d49199f69a2d5e59a27af3ce2a9dd2a81e55e72ba4cf2588c614a792d77d43ca816d4b0c18c020686045322cb8875b2723c3336a8c14dff409bbd3a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
MD5
8f9a1733d2a9aea90186f7f2899fb9db

SHA1
cf6b567610932fac8a104a2efccebd7bc732d749

SHA256
5682fc04d2034c28ad7882a207407022f541e3efe80337a447ca5a3b457002af

SHA512
bb8079624a61975b1d540a85f1bf4fa5474dad32b54f9ca916548c9dcbccc7a6fdedcc5ba29f7fc6aeba01c0f41a5386f892c6b767828e016c4eb51b3ca9d69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d70a884cdb18fb76a38b3f258e831f93d79590e6bf19543ec1443c42b3eeab29.exe
MD5
8f9a1733d2a9aea90186f7f2899fb9db

SHA1
cf6b567610932fac8a104a2efccebd7bc732d749

SHA256
5682fc04d2034c28ad7882a207407022f541e3efe80337a447ca5a3b457002af

SHA512
bb8079624a61975b1d540a85f1bf4fa5474dad32b54f9ca916548c9dcbccc7a6fdedcc5ba29f7fc6aeba01c0f41a5386f892c6b767828e016c4eb51b3ca9d69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
MD5
4f45f6f637bfdd92b0afdf1d28747f63

SHA1
60ebaa87c276f784d42f869558dcbe1807ea3d43

SHA256
d34524a702b44f44c6f11d68dac48edd4a2045e8f7e217eb3f3009d8a6053969

SHA512
cf309dd68dcfc3d96b8b8654abc98abc5b0465aa889f16d2821cc46bb74dc531bec0647e8b96b55c85df491895621cb32c21b7e9fd2f6575e26404f6eee4d687

Download Submit
C:\Windows\directx.sys
MD5
e211068b57aeb2765ad66810b60bc49c

SHA1
0a06a57eea1e196fdeb1d94743d9ce768951eca4

SHA256
122a2425e59d2c401a7778f06b6c03bcb470fdc5091a9c656050ad6bbcfe5427

SHA512
7c49f1aa94c420aa916402688d8c7a3ecd8a40d229ffaf4aff66ebdb3f78285d80a5bc4c5358e8c72d45e8994dc016ef4540672de7adcd02b666805220803a42

Download Submit
C:\Windows\directx.sys
MD5
e1eedb6310c11628d018a81b2e40685d

SHA1
4b4ceb6e1ae1b0d0691c3777390ec0bcef914ace

SHA256
c072b663b90f8988952108799c4f06bbfe2157f74c7c2e115ca33598ca74aa3b

SHA512
b2700190496dee6a82a189c2f692bf47b974a3479171a80a570839d56a14bb0810ef5b2fbe69dd9a59b49579a9831cbe86126bee3742179dbf39d6407d6c7874

Download Submit
C:\Windows\svchost.com
MD5
d1bb9002f9b41f1dd503b9b2d238e961

SHA1
12a1b2dca6a63dc395d327b7e4efe72c01869584

SHA256
b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520

SHA512
40c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860

Download Submit
C:\Windows\svchost.com
MD5
d1bb9002f9b41f1dd503b9b2d238e961

SHA1
12a1b2dca6a63dc395d327b7e4efe72c01869584

SHA256
b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520

SHA512
40c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860

Download Submit
C:\Windows\svchost.com
MD5
d1bb9002f9b41f1dd503b9b2d238e961

SHA1
12a1b2dca6a63dc395d327b7e4efe72c01869584

SHA256
b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520

SHA512
40c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860

Download Submit
C:\Windows\svchost.com
MD5
d1bb9002f9b41f1dd503b9b2d238e961

SHA1
12a1b2dca6a63dc395d327b7e4efe72c01869584

SHA256
b97b7dc1081d71bebacc15c20a2546e9029ec2c68294a78f29f0cce57ce49520

SHA512
40c33e27d80876b0326913f77dc70055f2e1cd89675eb7cec2e9a0c96182fdc16136009176d41be6ed959927bf4aac839586badfcb65622914a5ecce9398d860

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/456-223-0x000001BA8F490000-0x000001BA8F494000-memory.dmp

Filesize
16KB

Download
memory/456-221-0x000001BA8C730000-0x000001BA8C740000-memory.dmp

Filesize
64KB

Download
memory/456-222-0x000001BA8C790000-0x000001BA8C7A0000-memory.dmp

Filesize
64KB

Download