a16e466bed46fcf9c0a771ca0e41bc42a1ac13e66717354e4824f61d1695dbb1

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
28-02-2022 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EUA 27034_FS for Vaccination Providers-Full EUA PI_Final_4.6.2021.pdf
Size

1.1MB
MD5

237afde9fad4619889d9cde8e80a5180
SHA1

b0b53f8cae545c2961b662941652390ccad02700
SHA256

8ceea84eccec373701f4ed54703beb6381d05be2bdbb93ae58d78726fdca6807
SHA512

86de2d6c65bfe241d13a06dbdae1727021d93ba11f3e5db8eda9a899ebbb56b646ff041755803caaa5ae4cb10bef1e9d941267a1e0188c32138c45382021b2f8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

AdobeARMHelper.exearmsvc.exe

pid process

1852 AdobeARMHelper.exe
3696 armsvc.exe
Loads dropped DLL 3 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

3528 MsiExec.exe
4832 MsiExec.exe
4832 MsiExec.exe

pid	process
1852	AdobeARMHelper.exe
3696	armsvc.exe

pid	process
3528	MsiExec.exe
4832	MsiExec.exe
4832	MsiExec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 9 IoCs

Processes:

AdobeARMHelper.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_204336287314678463627513344701223395859.msi	AdobeARMHelper.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup\AdobeARM.exe	AdobeARMHelper.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup\AdobeARM.exe	AdobeARMHelper.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\1cf694d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI718B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-0804-1033-1959-001824311644}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\1cf6953.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7313.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73DF.tmp	msiexec.exe
File created	C:\Windows\Installer\1cf694d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D25.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AC76BA86-0804-1033-1959-001824311644}	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-0804-1033-1959-001824311644}\ARPPRODUCTICON.exe	msiexec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe"	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\66EDAE6A408000009195000000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\66EDAE6A408000009195000000000000\68AB67CA408033019195008142136144	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList\PackageName = "Arm_001824311644_204336287314678463627513344701223395859.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\ProductName = "Adobe Refresh Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\PackageCode = "B0A5578B0FA001A4FA7B7DF74D684442"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\ProductIcon = "C:\\Windows\\Installer\\{AC76BA86-0804-1033-1959-001824311644}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Cache\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA408033019195008142136144	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA408033019195008142136144\ARM	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\Version = "17301504"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList\Net\1 = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Cache\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

AcroRd32.exeAdobeARM.exeAdobeARMHelper.exe

pid	process
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
3656	AdobeARM.exe
3656	AdobeARM.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe
1852	AdobeARMHelper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AdobeARMHelper.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1852	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	1852	AdobeARMHelper.exe
Token: SeSecurityPrivilege	3548	msiexec.exe
Token: SeCreateTokenPrivilege	1852	AdobeARMHelper.exe
Token: SeAssignPrimaryTokenPrivilege	1852	AdobeARMHelper.exe
Token: SeLockMemoryPrivilege	1852	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	1852	AdobeARMHelper.exe
Token: SeMachineAccountPrivilege	1852	AdobeARMHelper.exe
Token: SeTcbPrivilege	1852	AdobeARMHelper.exe
Token: SeSecurityPrivilege	1852	AdobeARMHelper.exe
Token: SeTakeOwnershipPrivilege	1852	AdobeARMHelper.exe
Token: SeLoadDriverPrivilege	1852	AdobeARMHelper.exe
Token: SeSystemProfilePrivilege	1852	AdobeARMHelper.exe
Token: SeSystemtimePrivilege	1852	AdobeARMHelper.exe
Token: SeProfSingleProcessPrivilege	1852	AdobeARMHelper.exe
Token: SeIncBasePriorityPrivilege	1852	AdobeARMHelper.exe
Token: SeCreatePagefilePrivilege	1852	AdobeARMHelper.exe
Token: SeCreatePermanentPrivilege	1852	AdobeARMHelper.exe
Token: SeBackupPrivilege	1852	AdobeARMHelper.exe
Token: SeRestorePrivilege	1852	AdobeARMHelper.exe
Token: SeShutdownPrivilege	1852	AdobeARMHelper.exe
Token: SeDebugPrivilege	1852	AdobeARMHelper.exe
Token: SeAuditPrivilege	1852	AdobeARMHelper.exe
Token: SeSystemEnvironmentPrivilege	1852	AdobeARMHelper.exe
Token: SeChangeNotifyPrivilege	1852	AdobeARMHelper.exe
Token: SeRemoteShutdownPrivilege	1852	AdobeARMHelper.exe
Token: SeUndockPrivilege	1852	AdobeARMHelper.exe
Token: SeSyncAgentPrivilege	1852	AdobeARMHelper.exe
Token: SeEnableDelegationPrivilege	1852	AdobeARMHelper.exe
Token: SeManageVolumePrivilege	1852	AdobeARMHelper.exe
Token: SeImpersonatePrivilege	1852	AdobeARMHelper.exe
Token: SeCreateGlobalPrivilege	1852	AdobeARMHelper.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeSecurityPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2924 AcroRd32.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

2924 AcroRd32.exe
2924 AcroRd32.exe
2924 AcroRd32.exe
2924 AcroRd32.exe
2924 AcroRd32.exe
2924 AcroRd32.exe
2924 AcroRd32.exe
3656 AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2924 wrote to memory of 4888	2924	AcroRd32.exe	RdrCEF.exe
PID 2924 wrote to memory of 4888	2924	AcroRd32.exe	RdrCEF.exe
PID 2924 wrote to memory of 4888	2924	AcroRd32.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 3492	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe
PID 4888 wrote to memory of 1292	4888	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\EUA 27034_FS for Vaccination Providers-Full EUA PI_Final_4.6.2021.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2978B4267F6627C27A8E8AF217AABCF7 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3492

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8522744564F1A8049F6A932621E6F2E1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8522744564F1A8049F6A932621E6F2E1 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1292

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4E37571D8D87069E1F484A440D285FF0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4E37571D8D87069E1F484A440D285FF0 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5AF7A300E3C325C59736445BC1C84AFF --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4BE52E23DE670144DB33FAD15D93562A --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4724

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=114CFF2ABE434F36F634E2D5E4CC2E7F --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4800

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A2A82D339E0FDF8E2CCA471AD46BE4E9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A2A82D339E0FDF8E2CCA471AD46BE4E9 --renderer-client-id=10 --mojo-platform-channel-handle=2528 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4528

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:3476

C:\ProgramData\Adobe\ARM\S\2844\AdobeARMHelper.exe
"C:\ProgramData\Adobe\ARM\S\2844\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\2844" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D2FD816042084FF5540DF32B680A6396
2⤵
- Loads dropped DLL
PID:3528

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4CB5F57619D48A890AE71A62466D5CB1 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:4832

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:3696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_204336287314678463627513344701223395859.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
MD5
10a58da77ae2073d1baf4f13630ea516

SHA1
aed9c3190f2a2508a150b2f03568f9aa0b4f00c0

SHA256
cb914e1a70aa98cbaae25192df867d73605aa9ae5db4ef77c274c266c2d0b2d8

SHA512
a83454e609d88111463e620f0ea2f2e066ec87136716ccc5146fab432a5fba8778335d9597cbf7bdf475207962194e0f6cf9c97ad8830c4694a23f5aa0a7766d

Download Submit
C:\ProgramData\Adobe\ARM\S\2844\AdobeARM.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Adobe\ARM\S\2844\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\ProgramData\Adobe\ARM\S\2844\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
f98ae4245822b70445e912db736520f6

SHA1
f33b8fc484a77e4bcc9c5aeda7705a2eb50f20d9

SHA256
907121709c4d79627c9c3901a1823c33ee1446a74d64ea79392283db42eba638

SHA512
0d1c790515079809193bf29b7864364f6ee4498206ed4961268b2f3bd4bb286a82fab550642444c4ed425fd2c84b711c5ffdb5bbae2b665f6a76def017417159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
3ac120d84862f9be8ed63888fd4cb013

SHA1
1f951246f1840038cd7b62143f021a1ce47999df

SHA256
836a843489c1c014044e595abadc347e6e6032ace69160a555486c42b1baa027

SHA512
8fc2dba840d34ad345761ebff9139613a5237e8f9f8d3ca71e7c84b4462830c5979936a0dba8eb1f261ed27b63dbaa60e31cc58279e36d59f7dfbf19c96e6dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
5ed8d1a4f5fc90724503bef27cf53f97

SHA1
5c30ab0052fcc0007c493e03ac3e543a38ce15c9

SHA256
bd08a81ba97eef237f6bfc5cdf420eca8e31ef54542c93731ba996df87d71869

SHA512
e0a8853b9a48a34252a13b49aa2c940427c8b2bb946190fd2cb09afb26afe16c90de461d689ba377d2c8796d1aab63719db42b72a5ec61a85eb6caee74df7d92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
249afdca8e0943145da4efdb50ce5949

SHA1
3b9cb22c1e1e23df99b6d58a9fefe6b729ba8a74

SHA256
66649bb531bd06b2e32e8f21b77f377402c536eac82252abe3076c3e8c36ff7b

SHA512
8bb1c80a7a5028254e52f65e0676022b6cc45682af58ca1853ef39f74b6339a6c56b927a955de2b58471c274819c1154a234bcfd43c430e2152bb8bd67895173

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
MD5
d862dbbccb600789594ab9d71fc793d7

SHA1
40ea6593e3a57a339439d9b1080ddbefa60efa6f

SHA256
e8f649e5f4c20a62c84afc0c1e5cb297de1efc3b40d6dd1bf9baa787571c161f

SHA512
9cfc4ca87990b511c36d16c233ca27c8d633aae3b8e68cb9d91f89b7e21d9058507535c927bd7bb252f8e2c7ee53d118d5fae4dafa8e9f899b8a272c92e6e2ef

Download Submit
C:\Windows\Installer\MSI6D25.tmp
MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI6D25.tmp
MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI7313.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI7313.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI73DF.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI73DF.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit