Analysis
-
max time kernel
112s -
max time network
105s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
26-05-2024 22:24
Static task
static1
Behavioral task
behavioral1
Sample
crypted.exe
Resource
win10-20240404-en
General
-
Target
crypted.exe
-
Size
519KB
-
MD5
1b1c7e6e96667a6a758b22d444de57a7
-
SHA1
3eafd122d0814ee5aeb35a9bce975805a8cf6744
-
SHA256
e03518acef8a2fecee311fac04e11943e8b219815f02224a4ae30d5ecccf0f90
-
SHA512
2ed665526ec20b8c3d8a6854e25bcf44755e4bfd8f34b3770c3694e4b9cd8b2ad85d130830cb298aa18521f30038ef47e5d93225a5eb14039670f5ef626f91f7
-
SSDEEP
12288:ar9mi27cWO4AEcI9cCHEAJtv9QXmuP16k:6mfemcCflO1
Malware Config
Extracted
lumma
https://employhabragaomlsp.shop/api
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://stalfbaclcalorieeis.shop/api
https://civilianurinedtsraov.shop/api
https://roomabolishsnifftwk.shop/api
Signatures
-
Sets file execution options in registry 2 TTPs 16 IoCs
Processes:
msiexec.exeMsiExec.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\DisableExceptionChainValidation = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\DisableExceptionChainValidation = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\MitigationOptions = "256" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\DisableExceptionChainValidation = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\DisableExceptionChainValidation = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\MitigationOptions = "256" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\MitigationOptions = "256" MsiExec.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
RdrCEF.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation RdrCEF.exe -
Executes dropped EXE 8 IoCs
Processes:
RdrServicesUpdater.exeAcroRd32.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exepid process 5532 RdrServicesUpdater.exe 5104 AcroRd32.exe 3244 RdrCEF.exe 4444 RdrCEF.exe 4944 RdrCEF.exe 4440 RdrCEF.exe 4676 RdrCEF.exe 4228 RdrCEF.exe -
Loads dropped DLL 64 IoCs
Processes:
MsiExec.exeMsiExec.exeAcroRd32.exeRdrCEF.exeRdrCEF.exeRdrCEF.exepid process 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5208 MsiExec.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 3244 RdrCEF.exe 3244 RdrCEF.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 3244 RdrCEF.exe 3244 RdrCEF.exe 4444 RdrCEF.exe 4444 RdrCEF.exe 4444 RdrCEF.exe 4444 RdrCEF.exe 4944 RdrCEF.exe 4944 RdrCEF.exe 4944 RdrCEF.exe 4944 RdrCEF.exe -
Registers COM server for autorun 1 TTPs 6 IoCs
Processes:
MsiExec.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32 MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32 MsiExec.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Drops file in System32 directory 6 IoCs
Processes:
msiexec.exeMsiExec.exedescription ioc process File opened for modification C:\Windows\SysWOW64\msvcr100.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp100.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcr110.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp110.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\vccorlib110.dll msiexec.exe File created C:\Windows\SysWOW64\Elevation.tmp MsiExec.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
crypted.exedescription pid process target process PID 3328 set thread context of 164 3328 crypted.exe RegAsm.exe -
Drops file in Program Files directory 64 IoCs
Processes:
RdrServicesUpdater.exemsiexec.exedescription ioc process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\images\cross.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\home\images\themes\dark\icons_ie8.gif RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\nls\eu-es\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\js\nls\da-dk\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ko_135x40.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\css\main-selector.css RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\ui-strings.js RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_folder-focus_32.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_folder-focus_32.svg RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\themes\dark\download-btn.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\core_icons_retina.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win8-scrollbar\themes\dark\arrow-right.gif RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\ui-strings.js RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\sendforsignature.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N1.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\rhp_world_icon_hover_2x.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sign-services-auth\js\nls\fi-fi\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\ko-kr\ui-strings.js RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H msiexec.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\icons_ie8.gif RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\@1x\[email protected] RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win8-scrollbar\themes\dark\arrow-down.gif RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover_2x.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_filter-hover_32.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\images\core_icons.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58.dll msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_nothumbnail_34.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\S_IlluEmptyStateDCFiles_280x192.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\images\info.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\images\close-2.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\js\nls\pt-br\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fi_135x40.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fr_135x40.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\remove.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\nls\sk-sk\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\fillandsign.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_export_18.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nb_135x40.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\js\nls\da-dk\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\js\nls\nl-nl\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\js\nls\ca-es\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer-select\js\nls\fr-fr\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\js\nls\da-dk\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_auditreport_18.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_sortedby_selected_18.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\js\nls\pl-pl\ui-strings.js RdrServicesUpdater.exe -
Drops file in Windows directory 64 IoCs
Processes:
msiexec.exetaskmgr.exetaskmgr.exetaskmgr.exedescription ioc process File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\MSIED35.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58c0df.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0e4.HDR msiexec.exe File created C:\Windows\Installer\e58c0ec.HDR msiexec.exe File created C:\Windows\Installer\e58c0f4.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0f5.HDR msiexec.exe File created C:\Windows\Installer\e58c0fe.HDR msiexec.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\MSIEB26.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIECC6.tmp msiexec.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\e58c0e5.HDR msiexec.exe File created C:\Windows\Installer\e58c0e8.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0ed.HDR msiexec.exe File created C:\Windows\Installer\e58c0fc.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0fe.HDR msiexec.exe File created C:\Windows\Installer\e58c10b.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSIEB67.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEB78.tmp msiexec.exe File created C:\Windows\Installer\e58c0fb.HDR msiexec.exe File created C:\Windows\Installer\e58c102.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSICA6E.tmp msiexec.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\MSID7A9.tmp msiexec.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe File opened for modification C:\Windows\Installer\MSIC0DF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC598.tmp msiexec.exe File created C:\Windows\Installer\e58c0f0.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0f3.HDR msiexec.exe File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\Installer\e58c0e3.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0f8.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSID788.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEB56.tmp msiexec.exe File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\Installer\e58c0e1.HDR msiexec.exe File created C:\Windows\Installer\e58c0e4.HDR msiexec.exe File created C:\Windows\Installer\e58c105.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c10b.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c10c.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0f6.HDR msiexec.exe File created C:\Windows\Installer\e58c108.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c108.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSID827.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58c103.HDR msiexec.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\e58c0dc.HDR msiexec.exe File created C:\Windows\Installer\e58c0de.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0ec.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0ee.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0fd.HDR msiexec.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico msiexec.exe File opened for modification C:\Windows\Installer\MSID70A.tmp msiexec.exe File created C:\Windows\Installer\e58c107.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c10f.HDR msiexec.exe File created C:\Windows\Installer\e58c0e2.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0e2.HDR msiexec.exe File created C:\Windows\Installer\e58c0e7.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58c0f0.HDR msiexec.exe File created C:\Windows\Installer\e58c0f2.HDR msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exetaskmgr.exetaskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exeAcroRd32.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Processes:
msiexec.exeAcroRd32.exeMsiExec.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578} msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" msiexec.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\ msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4} msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3} msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy MsiExec.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4} MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe" msiexec.exe -
Modifies data under HKEY_USERS 3 IoCs
Processes:
msiexec.exedescription ioc process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b msiexec.exe -
Modifies registry class 64 IoCs
Processes:
msiexec.exeMsiExec.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\5 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3F22039-E3CF-4FC4-9A30-426A46056B8C}\TypeLib\Version = "1.0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.pdfxml\Extension = ".pdfxml" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.pdfxml\CurVer msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus\ = "0" MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.XFDFDoc\DefaultIcon msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\7 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.xfd\ msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\1\ = "14,1,64,1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.xdp msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E9-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DEA7885-1846-411F-A41E-017A8FD778FF}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdfxml\Content Type = "application/vnd.adobe.pdfxml" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\ = "CAcroApp" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AcroBroker.EXE\AppID = "{F2383816-917A-46CC-AD2A-5013BED3800F}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BDE0D630-7801-47cd-984E-1F0AFBC5ACBF}\ProgID msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/vnd.adobe.pdfxml msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Programmable MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithList\ msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E9-4981-101B-9CA8-9240CE2738AE}\TypeLib\Version = "1.1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\VersionIndependentProgID msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\MiscStatus\ = "0" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{62776AC3-A015-4BA5-A1C7-DCD765881249}\NumMethods msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE79C475-D632-4A57-91B3-DA044FA27CDA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D} MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{671B6145-4169-4ADD-9AF3-E6990EB2B325}\InProcServer32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\adoberfp.dll" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\shell\open\ddeexec\ = "[HandleAcroURL(\"%1\")]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID\ = "PDFPrevHndlr.PDFPreviewHandler.1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\PDXFileType\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AAABB05-F91B-4bce-AB18-D8319DEDABA8}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\VersionIndependentProgID\ = "AcroPDF.PDF" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\BrowseInPlace = "1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1E6C7A4-6B15-4C06-B1EF-88A4F2A886CB}\ProxyStubClsid32\ = "{671B6145-4169-4ADD-9AF3-E6990EB2B325}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\AppID\PDFPrevHndlr.DLL msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{566A7BC7-B295-41B7-A818-12F9E5CA46CA}\NumMethods\ = "10" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll, 102" MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\4 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithProgids\AcroExch.pdfxml = "0" MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.acrobatsecuritysettings.1 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\6\ = "3, 1, 32, 1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\NumMethods\ = "6" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\ = "Adobe PDF Preview Handler for Vista" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ThreadingModel = "Both" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\MiscStatus MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgIds\ msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\Insertable\ msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B744CAF070E41400\Patches\Patches = 3600380041004200360037004300410037004400410037003000300030003000350032003000350043004100330031004100300045003400350036003000300000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\HELPDIR msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C52A2CC-66F1-4B2B-A9E4-9723791F0BBD}\ProxyStubClsid32\ = "{671B6145-4169-4ADD-9AF3-E6990EB2B325}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings\BrowseInPlace = "1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\Shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} msiexec.exe -
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes:
taskmgr.exetaskmgr.exeMsiExec.exetaskmgr.exepid process 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 5920 MsiExec.exe 5920 MsiExec.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5920 MsiExec.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe 5784 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskmgr.exetaskmgr.exefirefox.exemsiexec.exeMsiExec.exedescription pid process Token: SeDebugPrivilege 2036 taskmgr.exe Token: SeSystemProfilePrivilege 2036 taskmgr.exe Token: SeCreateGlobalPrivilege 2036 taskmgr.exe Token: 33 2036 taskmgr.exe Token: SeIncBasePriorityPrivilege 2036 taskmgr.exe Token: SeDebugPrivilege 436 taskmgr.exe Token: SeSystemProfilePrivilege 436 taskmgr.exe Token: SeCreateGlobalPrivilege 436 taskmgr.exe Token: 33 436 taskmgr.exe Token: SeIncBasePriorityPrivilege 436 taskmgr.exe Token: SeDebugPrivilege 1480 firefox.exe Token: SeDebugPrivilege 1480 firefox.exe Token: SeSecurityPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeDebugPrivilege 5208 MsiExec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe Token: SeRestorePrivilege 5136 msiexec.exe Token: SeTakeOwnershipPrivilege 5136 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exetaskmgr.exefirefox.exepid process 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exetaskmgr.exefirefox.exepid process 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 2036 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 436 taskmgr.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
firefox.exefirefox.exeAcroRd32.exepid process 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 1480 firefox.exe 3920 firefox.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 5104 AcroRd32.exe 5104 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
crypted.exefirefox.exefirefox.exedescription pid process target process PID 3328 wrote to memory of 524 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 524 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 524 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 3328 wrote to memory of 164 3328 crypted.exe RegAsm.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 2588 wrote to memory of 1480 2588 firefox.exe firefox.exe PID 1480 wrote to memory of 4304 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 4304 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe PID 1480 wrote to memory of 1788 1480 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\crypted.exe"C:\Users\Admin\AppData\Local\Temp\crypted.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:524
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:164
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:436
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.0.963613259\2076520931" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3b25755-eedc-4369-bc16-b82a8e88291f} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 1812 1b24a1f7758 gpu3⤵PID:4304
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.1.1133174133\982348749" -parentBuildID 20221007134813 -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {befb9303-fec8-454b-a4d2-f9aa572009f8} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 2168 1b23e072e58 socket3⤵
- Checks processor information in registry
PID:1788 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.2.368729061\1007970452" -childID 1 -isForBrowser -prefsHandle 2804 -prefMapHandle 2800 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a4e5fcd-f3f5-43b9-b876-7c25484ddb20} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 3012 1b24eea4258 tab3⤵PID:4528
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.3.1405964630\785374239" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3068 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bc785a9-3843-49e1-923a-48c608623513} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 3484 1b23e068458 tab3⤵PID:4920
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.4.1111117808\2127177722" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4080 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {107c898e-5877-4e28-9e0c-85d234ca4589} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 4108 1b250664d58 tab3⤵PID:3704
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.5.1641109609\1148858598" -childID 4 -isForBrowser -prefsHandle 4780 -prefMapHandle 4728 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbe956b7-1adc-440e-840a-c91f618da8c1} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 4884 1b250666558 tab3⤵PID:3700
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.6.670010728\2063994385" -childID 5 -isForBrowser -prefsHandle 5020 -prefMapHandle 5024 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {586ccbb4-e48f-45a9-9d9e-a91b991acf08} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 5012 1b250f11958 tab3⤵PID:1108
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.7.1667589548\1078082603" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {704294aa-1063-46e8-85a8-076cbfc8ab47} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 5212 1b250fe8a58 tab3⤵PID:4068
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Sets file execution options in registry
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5136 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 12597BC28C384D6939C705DBA0CB5C7E2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5208 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1BDEA54149C415AC5AFCD09B52B3F052 E Global\MSI00002⤵
- Sets file execution options in registry
- Loads dropped DLL
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5920 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20069 19.010.20069.02⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5532
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:5784
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:2044
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3920 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3920.0.1668671709\1045158495" -parentBuildID 20221007134813 -prefsHandle 1580 -prefMapHandle 1576 -prefsLen 21012 -prefMapSize 233480 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65a19404-a31c-426c-8130-a2d79d26b4c0} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 1652 1b4430e3558 gpu3⤵PID:424
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3920.1.421997796\1326532073" -parentBuildID 20221007134813 -prefsHandle 1984 -prefMapHandle 1980 -prefsLen 21057 -prefMapSize 233480 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c3f10d7-9806-4c9d-a5a5-f62af02c2636} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 2004 1b4372dc458 socket3⤵PID:656
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3920.2.589321422\794176010" -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 2840 -prefsLen 21453 -prefMapSize 233480 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96022a4e-ea4d-4f6f-a13d-3fdd0ae0170c} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 2856 1b4387ac858 tab3⤵PID:2320
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3920.3.971924174\1716607096" -childID 2 -isForBrowser -prefsHandle 3308 -prefMapHandle 3276 -prefsLen 26696 -prefMapSize 233480 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {410a226a-8acb-4c24-b460-911b5c9e242b} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 3324 1b44698f558 tab3⤵PID:4464
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3920.4.1455931102\802711576" -childID 3 -isForBrowser -prefsHandle 4536 -prefMapHandle 4532 -prefsLen 26755 -prefMapSize 233480 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71e423fc-140c-41a0-bdee-442909451764} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 4468 1b448bef458 tab3⤵PID:4252
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3920.5.2063675400\1289149589" -childID 4 -isForBrowser -prefsHandle 4776 -prefMapHandle 4580 -prefsLen 26755 -prefMapSize 233480 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1be35d25-93f9-4dd8-8ef3-4b3d808b8873} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 4828 1b448bf1858 tab3⤵PID:6140
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3920.6.453041046\148603558" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4972 -prefsLen 26755 -prefMapSize 233480 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbd9d973-b5a5-4959-aa0a-ef3307c0ad1c} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 4956 1b449020958 tab3⤵PID:4144
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3920.7.366682460\1475595851" -childID 6 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26755 -prefMapSize 233480 -jsInitHandle 996 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ef7c8f-e803-4d60-a38d-5856e30bdb04} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 5244 1b449021b58 tab3⤵PID:4620
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5104 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3244 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C98D9BB3313C461580B6D73ACE255186 --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4444 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC91710F7E24E73BC4E0DC22E70A2DFC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC91710F7E24E73BC4E0DC22E70A2DFC --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4944 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=94358DD5CEAC3F31A711E913DDF09769 --mojo-platform-channel-handle=2200 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
PID:4440 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=983AEEF28DA8D4D5E940104CC5662103 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
PID:4676 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7A50A80903FD096CE1C4F77461EBF57B --mojo-platform-channel-handle=2392 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
PID:4228
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
632KB
MD5330c475a41704421b0a1553fd2552413
SHA1fee51a5de4c9c3ecb63e9270defba97cda4b0aa8
SHA2565884cc7e0591e39febc459f6ac754dd6838f13c09c057546dbd02859326cf598
SHA512fd20e58a8c7aeb07b956c0a2d4ddccd55c2f7e9c0f20552f55ffa1eeb2b1eb0c9acdfb5a55c8a765681ef2a3cfb85edd336ae7b8be07404a79e6049e384afe56
-
Filesize
24.8MB
MD51248c72c9c64a59abaa6b7c3d23f90a9
SHA1b4c3778574c39f7e64bcc3b7b0e42c577e937504
SHA256efe7823887f5366e78a53b1992e65afca89f4c0149c54d5e4c0d746c6d4c8ab9
SHA5126e3001c2f282b00430d15d8359be1ee1d3541b49c1fcdc02f0dc433ea0b470b52387772866f08ebad854f28b6ff1123e9015d25916ba91aea014fb96821e6b3e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_remove_18.svg
Filesize711B
MD58bb62cfad37334a15129a0da2091d472
SHA1a9f223eb2bd355c8cbf7d17db501db834f39cb6c
SHA25694f76b160568e3705f1e0d2d6ff3ee6927bd812032498d373bbcc516af2864f7
SHA512da08c15accffeca9c1ec985899ebf234aa881546dfb80862c72bfe206dfbf92772582ff87c0636ca0a4cdeeb03635de7a24aecacba86e22683a1d689724d6dab
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon.png
Filesize445B
MD5ed537606a39879a091a8c085cf95ff38
SHA186c73d85094efbfdcd80abf119f03b64a71cbd0f
SHA25642c312aa2a038ca54e9a6fe4bad8c9c044c35b4c5f421496f289c00c957d7591
SHA512fc331c2e1ec84a6a83b51f365484033b3069d73c5987094cf526c45a92c3297df22fe2a35ec20382ed4d563ee604ecbdbdf17fb735f7e0118ab444b4d5db8e9d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_2x.png
Filesize611B
MD537d179c947c13f64b7b6356f57441032
SHA19d1c1bd0c370336c229baeb2cd7f80d7b3cf4d0a
SHA25671039e6370f68913e67cb8451d3127c22d3e1045ca644e4dc9821e9f6f6899aa
SHA5123034a8b9694bbde20be0f7fa2596fbca8fd3f1e45810b15a5cb1a2bc6f4ef852afc36639a56f82a4e582d74684724d5c4ee43cbf5e33c94c6cf00b3c059757bf
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_hover.png
Filesize388B
MD56d8f7e9751f955452a9ceeb815456035
SHA1e6903b2ec0f2c5632d4288f88d993d4a41f04527
SHA2568bcf53efcb1b630087d4cfcedf5e48a7abaa9c71dd13745eedfd2c7cfa6827f5
SHA512c869a94a224bce8ed553f5a86ffdea6d8a279e06a1c060b311cc52e4538b89e07fc0a4a76f85a28e2f62e8629a7c67101e990cc12bef2d0e2d6d7d3c1d4d7d90
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png
Filesize552B
MD5f364ee8508831e375004ac82b924efd5
SHA1b04bc510ef53760bdd22ce0dd9d2e2f248c16df7
SHA25687da831caa04bd303918a32265830ff97648dc8adc18881ba14d1cc1d28cde85
SHA512399b2da615c0373214e3cf421f502fd0de02bdb9473da644e9f23df9ea7fc792da7d36bde61a456c2451276f74877232c8bedbe55e57098c1ffd13719206bac3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png
Filesize388B
MD539be6b8bd8dce3ff5a1c20ac41ba993f
SHA1a49d8a0c769601bf922c8aa1673bfd3a92d67855
SHA256854a09f1f875a3a2e6566c593af465c9c8a3aa9b9112eb755bb09cee76224a63
SHA5129fd5d4f02aa9d24ce9591ac0542d0abadf2b26208c3043220d2a0f036298199131ad804f9be20c6cc67f39e2921eebec65efb3a1e435ee7318fd8591fcc2fa2a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png
Filesize552B
MD5b34c8c3b8117b038839beefa0df5a7ce
SHA1c8d1e8eb4c71d5aa02e36fe3b7365374a9e4e32b
SHA256bfef65c62bfc309f698e8e0b999edfc06ad272b87d805f183551c43f08d704a9
SHA51289fa9f31f62c6e119e6280dbc475c35dd7bb37c27457732a0b1cb04809a35fec44a12ccb6a3a626586d596a0636d754a9ff79ecd9ed739c5c6edea50738a60d7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png
Filesize388B
MD52ca9f57d61ed45337ec4e6565480367f
SHA1fa06ed14d72ad8ced6ad98a4e223bc80cccc5e75
SHA256a584379ebf9aa0d3c0239edb7e1f114f01a9865f01c68494d5f28d410ba8d873
SHA51283a172f2f304b2f634c313e248b62c11b7798f416872929ef233134bfc4ad8f44b1b4dfa123e8378a233417e1298a73088258f5671ace96ff677d1f26447de87
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png
Filesize552B
MD574af10749d7f19d15c8dca65a7453415
SHA1dc96d9dbffe472600548dc64c724055e62620d8d
SHA2560e0084df79ab98e5df48ed1e01987f7ac3fcf4a038dd5453708d868f73a073a8
SHA51283d190bf6f9cb77894e7aaf84029c40a2a0335e43d08062ca2275a2cb7a784a29b3b7b8be820c7dfb2f1458ab0528fcdfe45f05491be673b30495e1ed916999e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\icons.png
Filesize7KB
MD5d3963e6fe853dbd9d22f794d5ece4c48
SHA1db35a3e565d0b6dca7ad243443a5560a1247eb33
SHA256a870c4e9ff6c433b5583a8f09fcdfbe712241c7e7d64cd59a10c2ad592f64fe5
SHA512fe60a1b2a20d3c11152df2d6fbee05c3d6b80c89486d258dd6d318c3f89deef3e91a116c502c117d79a5020489e394194310f5c7a7ea3d4b7d284ca5a3e43ca7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif
Filesize7KB
MD5d4585d0ccf35ae69b1246339cfb46b90
SHA11fffc3492684a5db89e949d2d8b612eabb38994b
SHA256d6707a7a393687bccd92de05cecbd746be791f3a670cb4fc106252f49d2a0a2a
SHA512a85560cabd3ce3dd21177948884a921385c0325b431dd281edda61d3585a69ceef28cb339c5a88d167597451ce22d54828b03d69823b5737bf3e253bd9bda9f6
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\icons_retina.png
Filesize15KB
MD57045217d47de04c1d72eea7413b780c4
SHA104c73e38fa17d35a1f684577cc79d77615c09e02
SHA2568c659d0904687a97d9c6b649e4b74e99b286265e92252908824efcd07f956b66
SHA512abe433cb154598ad2c0de6070d6e75bb70274a58ce92007ce200201f788553517bb579b0df5cbde3b4f2bebdca1243f0e54836d125d72ea206b3ccba1d15a385
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons.png
Filesize8KB
MD50e366a48bdf6a3b140508e56eed0bf0f
SHA1bcd76a4a537fc00d8c468b9496d3d5b5dd6a2a7e
SHA256a311b5a78e1b856505337b90e53edb4ba380160234e1b4e8801c231ba8d590a5
SHA5121830e3e260a50f79553673bec5775c0ba623284d233c25a2da016f273e67e218f5d2f49bed5f9e68842c7dc14b852e979fbfc7ed336f9a34dafd04a48742f827
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png
Filesize17KB
MD528a435033f504be69def6f9d52efd2b8
SHA16f50318e05b79851a445f98d4b3ae3d65feb22ad
SHA256f84c7c93947e86e2a499117d4c55910de9fbaefb6d703a8d0f90f4867c69c182
SHA512a2b410bb6bb328eb1e3af794259bacce7918f44698c8145fa530af9be6bfc22a064c1f0ee5d7ce289f4a60a50fce9b56a720793d19ec477340b1d7ef158df6b0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\bg_pattern_RHP.png
Filesize179B
MD5117ec36a5cc6d82e63e8b3beae4a3099
SHA14c692192be53827f8ec8015ceb129f6e0f89e923
SHA256041917c06c638a1b1accaf0d2f0b2a6dd335dea629de602e104553024d822ea4
SHA512abb02a02a9161ece12464020676e880f1eed96b43a9dfd4f7ca06dc203fe633b0a712da5f151d36a5644d65aad7b2880c135df0bc42d7c1e61b44006807a8c9d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\illustrations_retina.png
Filesize19KB
MD5ff84cb8f89545b86e32abd27a9694e1e
SHA13cde537531f8689772bc9eb39a12c687da5d5225
SHA2568b32854c17056ea617a680cd26ea91015e77d68260f656758984583eb6895a87
SHA5122690d712ba02fbaa769689d0eae380d0988721c6fcb710e04e1e2aba56496cb58f5d4168fe75540139afce179b1250c2ceb11fc4c3d589a3615ad20dccacc8f1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\bg_patterns_header.png
Filesize703B
MD5ccc8d470e94b3441e41521572ba86ccd
SHA1d294d7e78b596fefcc8084fab7917c54d3043e27
SHA256a7cdf870b0b1b8459e94ed25a29daa87f5e9050294bf6cdff3bc72f93b928f94
SHA512f3b2ca4d3160a089f6959b7c8e3e6c213c0facb2733f7948a7222196d3bd8c7350015602569df2cdc7408e38b0ff6700306d7e3439f0892b4d13d9f2d5329e42
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\illustrations.png
Filesize8KB
MD5f6e318123e7ad5933a49669eb035c737
SHA1ed8938fa3c13af75978bbd0bcdd3e8bd40a02004
SHA25619f68990146444907956056019aaee514c522c3c00ae00604da44a1bec2f8f51
SHA512b2506a283dbdcf40ba0cac63b4fd0249463218cc9511ce52cae5ab8c36706090fc1f1942f1082204dcdad5d80e7b655d9e12326c820ac21f64a508999e130743
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\js\nls\ui-strings.js
Filesize1KB
MD5d59d8ff7aaa17ee875adbe48b7a77e78
SHA17405acc07f6137b7fd9575f99a2b4354135956ef
SHA256d74c0782682efde01c1c30e46814256f7d16d7df00a7167d90f2bd55ebaab626
SHA51263fc8bef9e8ef833e45d99f954a9eb99d6bbcae39b2eca8a7000ac11b976cdd0ce0581e5e5e6b2f1bb2bdc911e31690e503dad945f0a3ea702dfe404896eded8
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons.png
Filesize683B
MD5a0522ef468697e74b90c444ceb4aa17a
SHA131fa5bb9b4ada150c9001b6e9f3213644117187f
SHA25657804748e775c08ae188b4d860f31e4482ab99b44ed1d8489780daa6756fb11c
SHA512bbb91f8b3c204c4c04da2ad635eb18e9f224f73395dac509c438c0a645316162b6ff78e03e7af76d5da2d9e84cd0c4b5e9db1d4dc08bc3f524bcc55c1f4dbbd3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons2x.png
Filesize1KB
MD599a1fefa123aa745b30727cc5ad50126
SHA1c48f74cee78f8ed8463634d80c4112f3e12bd566
SHA2567a610114be56ff131462bc67f9a23bcd4fde4fdd0158691448ab9e4a3eb2ca3b
SHA512504800f03a4aa57c1cfa15b28542382728b5f3dd85309fe12ebfd711980d78d15d8241d5f54956ee41da2cd65203b7764ab7b15119457b74ebc07fcf8e55a742
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\ui-strings.js
Filesize1KB
MD53dde11f8594519f004ded2687db9b90e
SHA1fcf1854df851616a25d7cf1439a9120b16902420
SHA256196c132938d324c62184ddc85bdb1cd642af830712e0fbf0fb3230978316d510
SHA512adc2cb3a37dbf5fe2ae79f5752c0d38d2427a95e333e848ffa113046f630eaa967b3cb29c049dcdd9b921d57e23392562d779c24207f770aba6e92392064f17b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js
Filesize823B
MD55e884e2f05ac036b7a6cded3efc2ea2d
SHA1807c1cf1bf0943404601b6241bf4bcf9fcc29c9e
SHA256b333de3a4a7be7749b82302085ed26ad868f0f8eccd09d2a8bb8840414e624d6
SHA5126665aa6fa35e05d01a4a2312a93faf52d6b39409bfaa861c187b0cc2fc51e74aa253ebf56061872d548cb6d3d7bbf1f7c2568de81e5287e0a1d6591c1e780f15
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\css\home-selector.css
Filesize802B
MD5bfeb063e064c71e44ce75898e79c61bc
SHA1c4dcb4b6814cbee53b415a2a5df02fa500510ef3
SHA256af439ebb0d55750003f7dbec517e7b0b26a6a0506b21e3b74d800cd1c7faa004
SHA5120835ebe63867fba6d69a25c83dca767ffd9c57907ba76d9c71012be18510e2145a358d37c1cf4e4ad35d1cdd4f67ffd5928e70e18a376db607d8482356f12219
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png
Filesize2KB
MD54c27ad089d04cfefd979d56f2a67b172
SHA163289f9198ee4553759b07de7a4229ad370fa976
SHA256e34bcd5b8436d3bc45f98dd913d41f185c6b06326b66937d6e0d5c6434b16fe7
SHA51223f9283f769fd310dcac26cac00d2eb033763d73bd45b0d148ea1ec3a3c75b073572c9fa9234699372a7e1caad7fcde7629d004815536df1d39d291f2d2d96a9
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png
Filesize2KB
MD561bd39ed095fa82ffd334fbd7982616c
SHA151af9c2cd42743c5cf81200e0fba3cfaff801885
SHA256237a70fe0388ce6884f5424692c460625691ef7acb0bf80403ec6b25f348b94a
SHA51254dd8e1a5c19a9d51892a12e9501b7f6f69e09e0c446ec36f7ddfd9ad0d9cef52604ab2f8071c71ce63989510a703f1cfd5492e1ac20c8b37258ba21f8952400
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png
Filesize4KB
MD5543415ad8ba14db1b75a93a551a4abfc
SHA13d4737451e899240fe19daa07f3c58ce9a623631
SHA25603bcfd7fcbd98e48b1954f912ecd66ce0bd5c181da0c2408beed01486ed23804
SHA5127c4bd1cf6fc8d7aeedb1c666ca45c95615927fe76cad3d3c4f4dafc987f4ac04f527ecaebb3103f593eb080302e768fcd77739ce8344ff2e7ec10efdd1113cd0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png
Filesize385B
MD5c789d387908d7b7f21c6474a86e84019
SHA11c36fc6954178c43d9249a5ff3c7246057c6aead
SHA256223f32512aec50c1c00fafc476d8e4ce61e79aa748c67b72fe55514882a31a5a
SHA5121cab85dff119b591046049b69b6208283ca5e009d95129bb407df2768c82da30fd2af8debf6f1bbd91f37518538f3ba6bcda32b63d1d278b56fdd1f5f93439ca
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png
Filesize1003B
MD5c5aab3d175e0a3753ed2c3bbd7b929c1
SHA13ebee0101ad62449a67f506df9c8e7dacc39f877
SHA2562e187b74e926afe70eafe0648c7125817e99f5586eee3e2e05446e360d4cc1bd
SHA512e967020462477c3e9465e3383c544cf468dd89f4da084193634f5bcdc001b90f5bad3f4f6dda9e95ebe068108986daf41504e02331f4922ea25e7ffee1f27040
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png
Filesize1KB
MD5808971f45b803583d9d1f812803d81b7
SHA10f6aaecba7c976ed8c2f53782b3d3148f41b2905
SHA256c25d9409ddf9645c2731ec785cacbb7568005bfc78fe0aec7df3ae3c4d30e333
SHA512121e6b01125f9e9d4894f7d498bb4d39ce676ce51e29cbcd148e0c1feed46fbc58267cea7d5f66654be831dc479e4643be8b28b005467309b7df5cc7fbcd0dbe
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png
Filesize2KB
MD5ad68c0b141ea1dbfcadb540c1817289f
SHA1548a46167f7f5193c5a1335753bc208bf92aa504
SHA256537ac64cd204d7ef82cfe41c932deb9cb1ae738b2156eff4dbf73208384c0a13
SHA512269ae39458a9f30351166f304825b777f3ff143b7914b98e83e01600fa04c7790e6e813466c2a1c5396ce13cd2199792905cf0baba1cd28a420440efce0843e8
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small.png
Filesize289B
MD536503740756a442b7be294947462be83
SHA1a1203ae869deb46f59a3273f6d130e7457bf5321
SHA256d188ab283c552eee50677129f3b0ffd8d97828c4e7007bea258174c9a2200e87
SHA5126ff98b15c7d757dd351bf50a1c4ac759a73fdafe03d5fad506478550987d0ec016ba9e617c099e6bf7b0263846eddc4eb32cb70fb1fbbc1189791defe556967a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js
Filesize840B
MD532147da1c647161e45a1004eb1b16349
SHA1a953c222cce91729ebab36bddd43bd5a795a69cc
SHA256434731fdc6d2f5115c5f7786ac989fedef7d0f60cd2ad4385cc98f6d2160566c
SHA5128c825f8d38519cdac2a49e4ee8a9564ae72839199562ce9acfe72b4fbb94f8946775054782cf26a9566eaf8cf944a26e42b7b372c4e7349b33a8e17dcd13df94
-
Filesize
171KB
MD530ec43ce86e297c1ee42df6209f5b18f
SHA1fe0a5ea6566502081cb23b2f0e91a3ab166aeed6
SHA2568ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4
SHA51219e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae
-
Filesize
2KB
MD5b8da5aac926bbaec818b15f56bb5d7f6
SHA12b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5
SHA2565be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086
SHA512c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD55385b37a68b03ed7a1f8ffc0fc53aeda
SHA1afded2441d2f6bc9b69045b8426550dead118ef3
SHA256b06ac9a7b72ba7f33505afd8ed4da6a9d869e65abf35120f03dc029361336d0c
SHA5129db946c132768f7846d261854c43d4343d126f7ae1e235bd71d030f7be6417bb1e1094abf2aedd49091a50ae3b601ecbd077d622ac69e91d4031c9db6ec545db
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD527c9a88fe68202cb7f0a03a434ffd781
SHA1dd7b2adc07167e06bbfb14485949b6ebef8ab7a0
SHA2568d66268b7b9950e4a71d99d7d5e27d7795c827751d36ec386fa53b5ee9ae2c57
SHA512f3e5e5d39b047d872c279fe9c754cee0ba910888d5757f0c0a8c9860d0ef52d1b60dd993e9bbe482bfc3dc91d9e157d8ce0d44cea70396e1a9b1628be34346af
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\2608c388-3026-4e9d-87ea-e5d7b26e52f4
Filesize9KB
MD54f3904509ed37b570ed6e1d90dbad998
SHA18f4dae2ea012884ea8194ca8e478755781278a4b
SHA2568cec12dc2fa95a64fd2b319bbc20c032b70bced38d7273b4be54c7ea61bff0ec
SHA512ef4c2bd9da141d4650e0938119bda193602bc4e44f031ef9e3275d1a2f7835c4b24f992728b397d1736829dc130f8bed863105c742f93a8e8b27b261793ed302
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\b3c5055e-eea1-4f79-b6ee-1c0b1523997a
Filesize746B
MD5d7531f13dc1ce206a9bb58d319d4df81
SHA1884beafbf30afd03d34bf3c8e9599e6851166f20
SHA256a868f5e8154f00e7d9f25ab4647ce41fbe87c92c4e1f0d7880eb5a4b645248e1
SHA512a7dbd76c07eeb53fc0dc95a58432324932456c26f175cc80b5b86d1f01030a020acd02090f51787db08028f0e49c78277f153e507d1ef1877908d89afbe6eeea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\f52e0eff-0c2d-4dbc-ba5f-fec1c9300372
Filesize657B
MD571739972813a0db09722df6d8e94626c
SHA184785052e98dcda69d1877724354edbd6bd06651
SHA2562443336826cca3b979f6d32e2a4865f9e0e535a5756adf71d2088437f30dff56
SHA51219426d05466c8af9bc3efb02f7908b63b222200a2e16b7888acccfdf22c178ebe89d3e783fc3e0896b77561ead98c939f9ff56eb7e1063005394716483f0a1a3
-
Filesize
6KB
MD5aad5ea54662cd3ae87d343f74d12425e
SHA1628199f37ebb7a7cc9af6745bdc12543fa04e636
SHA256ed5afb78059674dbf99c25cca74fe799994a93bb72853de640f720297d40a30b
SHA512c40008dbfedc50060b35a34970f7215919ab65322369b30f2bff4edfad22a624046be05c59d9f5863a18e0b302e3bf4e7abcc847f35eb662dde91fbce2f201d3
-
Filesize
6KB
MD5be94c58def37325b7e468a6e7ffd0760
SHA1fb81d4560c0dc88d03301f231213d16f16c43473
SHA256f940099e19fc2dfbec6c2aa8a13a95e3bf2165699f1ef5a414bfb0d54fbb651b
SHA51242dcb8b2fbed58e85f7273853f3898bdc04eb1fc0c86fa205ddba0ba43acbc97d4e066265355075ee4cdf74a19ec8fb779218fdf98bd41a08366d62f0f0ee541
-
Filesize
6KB
MD5200a240ac0b4aa9df6da99c01929a496
SHA198faac9198e432c3269d663b26dcdee1916e8fe0
SHA2567e7c0740fed5bd517d8148a80219c9f1cb61315ba89275f141b2953888d4e5cc
SHA5129ce96368c9c7c570be65e27454499fd3eef5c5b51f7add55508b476222cfd5e9f4c890dd64cdee364f7c41c9e66937093fc2fe5001866f324dc94ed2479a9e6f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp
Filesize259B
MD5c8dc58eff0c029d381a67f5dca34a913
SHA13576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA2564c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1005B
MD59005e7aa8f22a57a741eb6f637e72856
SHA142bb385e055d7e5d80b2e67ee102e4f07f76ded9
SHA25669786ce73f15c5a79059605b0ecd4a57eac64774109c49f880177c24c5170f9f
SHA5121d9997441da990b7e58ceea87285ecd9efc1ca07a8e4cb0adac885f0dab27159efd5687d6164fe51f28bc07d5eb3eb372cd5f25a876cff71c046a9465f92ff7d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD59dd81ed538121f8729e9327cdbd1d33c
SHA14458e812fe27bd31d344fbb8bd41fe054eacbdfa
SHA2564ca3320d5f048fbcaf2ac46a9707dcf503c0b7a3d5770e4b52230936847e6109
SHA5120dc5fdab8c4ad68a1159e25c269bf0b2dbb66c77af964fb93b7c95dbfd0928224f0059630fefa3cb723412a4d0af470eeab318ba13f7cbfbc3b0ddbb709b1d9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD5c053c6b98095aae2ffb6481992e6cac0
SHA193bb1fdc82f41318826ed75eb212ea8ef2e3ae74
SHA25614281e0f5f36077612ef1b9274e6620e96dd0af513a2a3f9ce8288cf91a521e9
SHA512e3e363397d096c805b322a943498fdcaeb0e4af7f1ee4d60a0e2537c78189f4fd0627770adbc19a3552722ad744fd0cc981060c6ab4815eba6971bd971d8e179
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4
Filesize4KB
MD5d7e39a0d342eb550e03aca28a460ca29
SHA1c1bd88e2977b4a7e78b75766e7dc2ed13132197d
SHA256b448b657f8ec472199da51679551bf90b9932a6248351ed6d5f6812f5615d2f5
SHA5126ee64dde59919eacb74d77083dad332433c0fd81cb363209567bf1fb84eebea8b1dc0db665f164f4ab73c290db0b22aab3e2d6bb5599e9dcfe90388e9d17369c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD50ed2663971e8051b2bcb574926400fa8
SHA1467756bf41c377bdb07c8be10d5391f1df1d80a7
SHA2560c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c
SHA512e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898
-
Filesize
57KB
MD5c23d4d5a87e08f8a822ad5a8dbd69592
SHA1317df555bc309dace46ae5c5589bec53ea8f137e
SHA2566d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b
-
Filesize
418KB
MD567f23a38c85856e8a20e815c548cd424
SHA116e8959c52f983e83f688f4cce3487364b1ffd10
SHA256f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA51241fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d
-
Filesize
148KB
MD5be0b6bea2e4e12bf5d966c6f74fa79b5
SHA18468ec23f0a30065eee6913bf8eba62dd79651ec
SHA2566bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b
-
Filesize
209KB
MD50e91605ee2395145d077adb643609085
SHA1303263aa6889013ce889bd4ea0324acdf35f29f2
SHA2565472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA5123712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be
-
Filesize
340KB
MD5d07cea5fbf17f2ffa4fdcb38e395dbaf
SHA1c0218a4f53428d71f19f1121b8532b3fe0d178b9
SHA256c5ba5c23decaa64a9176f20f8b18a8c89b42ed54f55f3285bd400fd74051e37e
SHA51298ad990280e9db23ee91e23ee5d0ebc8e289eed7923cd07bb31b845af28ebe0a09bc49f9de2c7e81a49a041d9f87f089a4a67402e1182c41e0d41a3e47264d4f
-
Filesize
271KB
MD5f88c6a79abbb5680ae8628fbc7a6915c
SHA16e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA2565ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA51233e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361