neshta | 8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd

Analysis

max time kernel
162s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06-02-2022 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Size

1.6MB
MD5

4449cc7ad90f075b4e9446a9d3b39050
SHA1

9710ebc074b53abaf2ed5b4c0794c223ec659c5d
SHA256

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd
SHA512

619e50550a9f405826f609c3c8ab13dd0496820b71546f6823a6e8ed116a7c7f8cde7b9ff2356defbd7e4ecebc4644f018fd43a388dd926eb8ebc530ad11f777

Score

10^/10

neshta evasion persistence spyware trojan

Malware Config

Signatures

Detect Neshta Payload 9 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 5 IoCs

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exesvchost.comsvchost.comADOBEA~1.EXEsvchost.com

pid process

4484 8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
2324 svchost.com
1472 svchost.com
2768 ADOBEA~1.EXE
3860 svchost.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exeADOBEA~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ADOBEA~1.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe

Drops file in Program Files directory 30 IoCs

Processes:

svchost.comsvchost.com8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~3\Adobe\ARM\S\18065\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com

Drops file in Windows directory 12 IoCs

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exesvchost.comsvchost.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exeADOBEA~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	ADOBEA~1.EXE

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exeADOBEA~1.EXE

pid	process
4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE
2768	ADOBEA~1.EXE

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

AdobeARM.exesvchost.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1464	AdobeARM.exe
Token: SeIncreaseQuotaPrivilege	1464	AdobeARM.exe
Token: SeShutdownPrivilege	3348	svchost.exe
Token: SeCreatePagefilePrivilege	3348	svchost.exe
Token: SeShutdownPrivilege	3348	svchost.exe
Token: SeCreatePagefilePrivilege	3348	svchost.exe
Token: SeShutdownPrivilege	3348	svchost.exe
Token: SeCreatePagefilePrivilege	3348	svchost.exe
Token: SeSecurityPrivilege	2576	msiexec.exe
Token: SeCreateTokenPrivilege	1464	AdobeARM.exe
Token: SeAssignPrimaryTokenPrivilege	1464	AdobeARM.exe
Token: SeLockMemoryPrivilege	1464	AdobeARM.exe
Token: SeIncreaseQuotaPrivilege	1464	AdobeARM.exe
Token: SeMachineAccountPrivilege	1464	AdobeARM.exe
Token: SeTcbPrivilege	1464	AdobeARM.exe
Token: SeSecurityPrivilege	1464	AdobeARM.exe
Token: SeTakeOwnershipPrivilege	1464	AdobeARM.exe
Token: SeLoadDriverPrivilege	1464	AdobeARM.exe
Token: SeSystemProfilePrivilege	1464	AdobeARM.exe
Token: SeSystemtimePrivilege	1464	AdobeARM.exe
Token: SeProfSingleProcessPrivilege	1464	AdobeARM.exe
Token: SeIncBasePriorityPrivilege	1464	AdobeARM.exe
Token: SeCreatePagefilePrivilege	1464	AdobeARM.exe
Token: SeCreatePermanentPrivilege	1464	AdobeARM.exe
Token: SeBackupPrivilege	1464	AdobeARM.exe
Token: SeRestorePrivilege	1464	AdobeARM.exe
Token: SeShutdownPrivilege	1464	AdobeARM.exe
Token: SeDebugPrivilege	1464	AdobeARM.exe
Token: SeAuditPrivilege	1464	AdobeARM.exe
Token: SeSystemEnvironmentPrivilege	1464	AdobeARM.exe
Token: SeChangeNotifyPrivilege	1464	AdobeARM.exe
Token: SeRemoteShutdownPrivilege	1464	AdobeARM.exe
Token: SeUndockPrivilege	1464	AdobeARM.exe
Token: SeSyncAgentPrivilege	1464	AdobeARM.exe
Token: SeEnableDelegationPrivilege	1464	AdobeARM.exe
Token: SeManageVolumePrivilege	1464	AdobeARM.exe
Token: SeImpersonatePrivilege	1464	AdobeARM.exe
Token: SeCreateGlobalPrivilege	1464	AdobeARM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

AdobeARM.exe

pid process

1464 AdobeARM.exe
1464 AdobeARM.exe
1464 AdobeARM.exe
1464 AdobeARM.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AdobeARM.exe

pid process

1464 AdobeARM.exe
1464 AdobeARM.exe
1464 AdobeARM.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exeAdobeARM.exe

pid process

4484 8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
1464 AdobeARM.exe
1464 AdobeARM.exe
1464 AdobeARM.exe

pid	process
1464	AdobeARM.exe
1464	AdobeARM.exe
1464	AdobeARM.exe
1464	AdobeARM.exe

pid	process
1464	AdobeARM.exe
1464	AdobeARM.exe
1464	AdobeARM.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exesvchost.comsvchost.comADOBEA~1.EXEsvchost.com

description	pid	process	target process
PID 4928 wrote to memory of 4484	4928	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
PID 4928 wrote to memory of 4484	4928	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
PID 4928 wrote to memory of 4484	4928	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
PID 4484 wrote to memory of 2324	4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	svchost.com
PID 4484 wrote to memory of 2324	4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	svchost.com
PID 4484 wrote to memory of 2324	4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	svchost.com
PID 2324 wrote to memory of 1888	2324	svchost.com	READER~1.EXE
PID 2324 wrote to memory of 1888	2324	svchost.com	READER~1.EXE
PID 2324 wrote to memory of 1888	2324	svchost.com	READER~1.EXE
PID 4484 wrote to memory of 1472	4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	svchost.com
PID 4484 wrote to memory of 1472	4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	svchost.com
PID 4484 wrote to memory of 1472	4484	8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe	svchost.com
PID 1472 wrote to memory of 2768	1472	svchost.com	ADOBEA~1.EXE
PID 1472 wrote to memory of 2768	1472	svchost.com	ADOBEA~1.EXE
PID 1472 wrote to memory of 2768	1472	svchost.com	ADOBEA~1.EXE
PID 2768 wrote to memory of 3860	2768	ADOBEA~1.EXE	svchost.com
PID 2768 wrote to memory of 3860	2768	ADOBEA~1.EXE	svchost.com
PID 2768 wrote to memory of 3860	2768	ADOBEA~1.EXE	svchost.com
PID 3860 wrote to memory of 1464	3860	svchost.com	AdobeARM.exe
PID 3860 wrote to memory of 1464	3860	svchost.com	AdobeARM.exe
PID 3860 wrote to memory of 1464	3860	svchost.com	AdobeARM.exe

C:\Users\Admin\AppData\Local\Temp\8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
"C:\Users\Admin\AppData\Local\Temp\8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\3582-490\8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2324

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
4⤵
PID:1888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~3\Adobe\ARM\S\18065\ADOBEA~1.EXE" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\18065" /MODE:3 /UpdateSelection:1 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1472

C:\PROGRA~3\Adobe\ARM\S\18065\ADOBEA~1.EXE
C:\PROGRA~3\Adobe\ARM\S\18065\ADOBEA~1.EXE /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\18065" /MODE:3 /UpdateSelection:1 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\18065" /MODE:3 /UpdateSelection:1 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3860

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\18065" /MODE:3 /UpdateSelection:1 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~3\Adobe\ARM\S\18065\ADOBEA~1.EXE
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
MD5
4b2192864374f21ee6cb90b81c8b98a9

SHA1
131c29e7354fe6e32153d5dcf4d52c8f9c9d3091

SHA256
b29d2b87e91f82d764ee7ab5947dbf9f3e2b9dc473e571ef1b67622d35cb9b9a

SHA512
2361cfb375b597f6100dd0c84340c34041db4da2ca0bd72e1aba7782e73c43c9ef920c83e367eb16bf213ecb3518e97c6417a5f666a298deefd23f4260b52f2b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe
MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5
3404522672187ad49ad74aec689075c0

SHA1
af6b91326f443b04088cd3718b93334a7247ce1a

SHA256
0ef813051b890501283103fb2999aaa01438227b681dcf711d09c10c5846d72d

SHA512
35d47d228977ae3e77b1510e67fc082da37a39f346a23d4d5f65d91ac46ae51581ccb3c507efe6b33a8ac26af11e58ee2128f98a16ba4b1f2bf9b14e70389f18

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\ProgramData\Adobe\ARM\S\18065\AdobeARM.msi
MD5
5c256b8910abfa6fb390b6b6986fbdc8

SHA1
f106a3257f64ff9be9314f099deae3cef5a75d52

SHA256
f0baf945e8ccda8d7ad3a5f76aa952c5b6ee1a8ce05c5e0eede9384d7b3f1bcc

SHA512
d6bae8fe0b0707a49bc54d62b508024fee0c25c2150483ba5f2608b9c4d9f75c2b3b9eea1d8feb08921cc5ff38488adc97e4d2ab167bdbd26706d562aff775af

Download Submit
C:\ProgramData\Adobe\ARM\S\18065\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
8a21927f1f2dddd3d0e9f766cf260516

SHA1
f130c2e4a313cd1e56f030a713565b80fd501f58

SHA256
44f5f2cf1e19ab46df2059837eff5516e1027db22ea5ce15fcd7280a5a24ab17

SHA512
8eec11691c0e4f273e1a322829bac6daa7b6c88578f68a352ef3284f9ccb182d90803d56f4c5446a1a6547b8353caad9ab6639ddec408c94e708cea5710031ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
MD5
217991f26973322de1d10f6e3515b0a3

SHA1
a48490e9fef67432cbaf722fc6ceac102d427bcc

SHA256
68d9170d1af16274cebfc06130913a8530aa6547a56300c57ca657404c0f17ce

SHA512
a415dda189aa4ea57b277a576b80956514d5d535cfe06623252723a397296b77deab59df9af300c8b8fc543a322190818b1bae9818fab79c3d0778e4713be0a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
5c35411b0b7334d0ad4197b7fbd259d3

SHA1
ef2b68cc738c32e64c68c061f11c3fd3c9a27d06

SHA256
71e070163f34499dafbbcdfcbd8126bfbf570cd153c3e095019cab219b2bb41b

SHA512
5ca7a8869dc1036ce28c727ecad56e014f93d8bf359e406c0405ef8ad7ee57834bbc56b11419a5837b4c24e2fd3aedd699b81b0bf6d586aecd5b4878346066f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
b438c25790e58d475591f3915a2c364f

SHA1
e31ed7253af26b40fc5848c4def8b8b28d8f4628

SHA256
b664e12ec528dbbdfea468f9c872299ba066f6a68633f63cece40c8a52f8a253

SHA512
853f898325aaa2ebfc4df5a6e2c0f11960f3d0ea743c255515a92afdbc3ade4a3724c8b0a320220ef70765721e7475e29b1d48100468badf968e8c8dd35bbaef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
MD5
b05d55000c452180c0c8c281b298036f

SHA1
79e1fb34fea010544d7a0894d102c5d59a441303

SHA256
6fa282827c4dd008f48664752350193bd8b7bf7b3888662b0b5dd38f9885d1f1

SHA512
861d858788f79a65d5688c5c206c1e8d5604df119ecf1b3acad3f0938f78ca6fe6f98b9d39abee2324d59ca85fc2301c97e94a08c5b93bccfe74e327f6f817d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
0dbce7525712ab1e36305a2623a23c57

SHA1
089804fe05e1cfcf3eedafd94eda3df7f714353b

SHA256
88ed4b0aa1baac9e5fdc4ae608dd689f77553a0f080e644976cae133c26e550f

SHA512
3af387d71192583203a77acc86d2073dd73218670c639fc1b90a376e41007ea6166280eeeba52627541afc1b5aa6b74be86f26e80f7945943679436c8238c315

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
MD5
4a60f093981b168277164ef32599916f

SHA1
4aefbc825ee1183ac9d0096341b6fe7246226023

SHA256
dab394e56119f23ee7b217c888bf268045c08a801aaa4cba92beb3190cfcf722

SHA512
fc3b94e23c3a850ca40b792b9634eb83574682f7b71bab1fb82c4a3431bb3a49a066089e7a4f88c52daf1a2349cd957eee29ed6b3a40d00cf6bd9734700bf695

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\8a7a78044fbec282f0666ebc5c6b926e237fa0250577aae11a3c639b3144d4bd.exe
MD5
4a60f093981b168277164ef32599916f

SHA1
4aefbc825ee1183ac9d0096341b6fe7246226023

SHA256
dab394e56119f23ee7b217c888bf268045c08a801aaa4cba92beb3190cfcf722

SHA512
fc3b94e23c3a850ca40b792b9634eb83574682f7b71bab1fb82c4a3431bb3a49a066089e7a4f88c52daf1a2349cd957eee29ed6b3a40d00cf6bd9734700bf695

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
MD5
4cc8773684417e73bbc2b090b3d892f5

SHA1
96f5432292feeabbf27e65975addf8be69764f46

SHA256
55dddd2c1c26b98c8eb501391008ed3fc89950623e5ee46e44e236cc6b753c2f

SHA512
bb17417131355442f84f9bf80a3435ac541f0584364f125f824f30dbd1e4ea52d8177be440c869888ad2ade18878733c877bf3bc8ef20a5d1d5be3716eb94fef

Download Submit
C:\Windows\directx.sys
MD5
d39e1162b4bd4a4368f59c48b22bb991

SHA1
55798bd43c20e38b2abcfcd10def92d2b932cd06

SHA256
a3e1fa73e0da797abae97b90301b311db043e078305cc876cf11197dfe1a7d37

SHA512
bff245fa419b7863f6ea06e9ee388c4f911d3cbf44ce06592a7a19b3e7240544382d51326fb22787d03f820ce2e62ff794546844a4d213f111d9885f42d62a80

Download Submit
C:\Windows\directx.sys
MD5
d39e1162b4bd4a4368f59c48b22bb991

SHA1
55798bd43c20e38b2abcfcd10def92d2b932cd06

SHA256
a3e1fa73e0da797abae97b90301b311db043e078305cc876cf11197dfe1a7d37

SHA512
bff245fa419b7863f6ea06e9ee388c4f911d3cbf44ce06592a7a19b3e7240544382d51326fb22787d03f820ce2e62ff794546844a4d213f111d9885f42d62a80

Download Submit
C:\Windows\svchost.com
MD5
dd0acc6db6b63eb5b58be13f9ce95cb8

SHA1
d83499fd061b8551bef37970e20784fbd036fad4

SHA256
14909d746de948a969b2969a0c16288050e751c611ab96e0eee20a582385a1c2

SHA512
af9704bdf95b49a1af6d77c91550aa939d8eda18faa3dee60a81dd53c2a7f445a113d697e87c7ad03c9504d973ae403f010bbcd5b7336210e31416f081dad08a

Download Submit
C:\Windows\svchost.com
MD5
dd0acc6db6b63eb5b58be13f9ce95cb8

SHA1
d83499fd061b8551bef37970e20784fbd036fad4

SHA256
14909d746de948a969b2969a0c16288050e751c611ab96e0eee20a582385a1c2

SHA512
af9704bdf95b49a1af6d77c91550aa939d8eda18faa3dee60a81dd53c2a7f445a113d697e87c7ad03c9504d973ae403f010bbcd5b7336210e31416f081dad08a

Download Submit
C:\Windows\svchost.com
MD5
dd0acc6db6b63eb5b58be13f9ce95cb8

SHA1
d83499fd061b8551bef37970e20784fbd036fad4

SHA256
14909d746de948a969b2969a0c16288050e751c611ab96e0eee20a582385a1c2

SHA512
af9704bdf95b49a1af6d77c91550aa939d8eda18faa3dee60a81dd53c2a7f445a113d697e87c7ad03c9504d973ae403f010bbcd5b7336210e31416f081dad08a

Download Submit
C:\Windows\svchost.com
MD5
dd0acc6db6b63eb5b58be13f9ce95cb8

SHA1
d83499fd061b8551bef37970e20784fbd036fad4

SHA256
14909d746de948a969b2969a0c16288050e751c611ab96e0eee20a582385a1c2

SHA512
af9704bdf95b49a1af6d77c91550aa939d8eda18faa3dee60a81dd53c2a7f445a113d697e87c7ad03c9504d973ae403f010bbcd5b7336210e31416f081dad08a

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/3348-311-0x000002DA59D70000-0x000002DA59D80000-memory.dmp

Filesize
64KB

Download
memory/3348-312-0x000002DA5A4E0000-0x000002DA5A4F0000-memory.dmp

Filesize
64KB

Download
memory/3348-317-0x000002DA5C9F0000-0x000002DA5C9F4000-memory.dmp

Filesize
16KB

Download