formbook | 382db49b891a9d2df05ce4ca1335868fa3cff3896ca905d56c84baa5b28371b0

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220310-es
submitted
16-03-2022 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lista de orden?.0927272829229.PDF.exe
Size

683KB
MD5

5879dcb6632d8c3d53f39a29e86cdcce
SHA1

97c358a006711c52a4647c3db520a9fdb575e952
SHA256

a84bdf209b862ffbdf3d963611eec3c1c2d70024e24041727a49bc618d6ff4cd
SHA512

80778f7cfdea1f20b8a44a4633558dfc22475cadeb54b9477cb739d59f85c70a26b8b9dab84c62347d719438849cb91ef0da8de174af022c09b87d2a06c6d4eb

Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3640 created 2928 3640 svchost.exe OneDriveSetup.exe
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

description	pid	process	target process
PID 3640 created 2928	3640	svchost.exe	OneDriveSetup.exe

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1964-151-0x0000000072480000-0x00000000724AE000-memory.dmp	formbook
behavioral2/memory/2188-158-0x0000000000FD0000-0x0000000000FFE000-memory.dmp	formbook

Executes dropped EXE 5 IoCs

Processes:

armsvc.exeAdobeARM.exeMSIF53.tmpRdrServicesUpdater.exearmsvc.exe

pid process

4712 armsvc.exe
4780 AdobeARM.exe
2692 MSIF53.tmp
5012 RdrServicesUpdater.exe
2816 armsvc.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
4712	armsvc.exe
4780	AdobeARM.exe
2692	MSIF53.tmp
5012	RdrServicesUpdater.exe
2816	armsvc.exe

Loads dropped DLL 44 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid	process
4616	MsiExec.exe
4668	MsiExec.exe
4668	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
1288	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe
4472	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Lista de orden_.0927272829229.PDF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pgkotdp = "C:\\Users\\Public\\pdtokgP.url"	Lista de orden_.0927272829229.PDF.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

MsiExec.exe

description ioc process

File created C:\Windows\SysWOW64\Elevation.tmp MsiExec.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.exehelp.exe

description	pid	process	target process
PID 1964 set thread context of 3124	1964	logagent.exe	Explorer.EXE
PID 2188 set thread context of 3124	2188	help.exe	Explorer.EXE

Drops file in Program Files directory 64 IoCs

Processes:

RdrServicesUpdater.exemsiexec.exeAdobeARMHelper.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_da_135x40.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\themes\dark\selection-actions.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\next-arrow-disabled.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win8-scrollbar\themes\dark\arrow-up.gif	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\images\icons.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\bg_pattern_RHP.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\nls\de-de\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_removeme-default_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_folder-focus_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\files\dev\nls\nb-no\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_folder-hover_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\text.cur	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\css\main.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\js\nls\sv-se\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\over-arrow-navigation.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_sortedby_selected_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_delete_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\hi_contrast\core_icons_hiContrast_bow.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\desktop.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_gridview_selected-hover.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\es-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\fr_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\rhp_world_icon_2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\close.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\sendforcomments.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\js\nls\nl-nl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\themes\dark\faf_icons_retina.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\cs-cz\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\selector.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_152539051349955165413993922351359178853.msi	AdobeARMHelper.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\email\adobe_logo.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\nb-no\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\flags@2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\en-il\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\nls\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\icons_retina.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\app-center\js\nls\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_sortedby_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js	RdrServicesUpdater.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\1d072fb.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d0729b.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072bd.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072d0.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072d8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072b1.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072b8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d07305.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico	msiexec.exe
File created	C:\Windows\Installer\1d072a8.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072cf.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072d0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072d2.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB133.tmp	msiexec.exe
File created	C:\Windows\Installer\1d0729a.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072e8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d0730b.HDR	msiexec.exe
File created	C:\Windows\Installer\1d07312.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072ab.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072ca.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072e8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072f3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072eb.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072f1.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072fc.HDR	msiexec.exe
File created	C:\Windows\Installer\1d07310.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072b8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072bf.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072c2.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072dc.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d07315.HDR	msiexec.exe
File created	C:\Windows\Installer\1d07298.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072a0.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072ab.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072cf.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072d7.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072e1.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072e4.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072f0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d0729c.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072b9.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072cc.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072d1.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BCB.tmp	msiexec.exe
File created	C:\Windows\Installer\1d072ee.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d0730d.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7527.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\1d0728f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID725.tmp	msiexec.exe
File created	C:\Windows\Installer\1d0729c.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072ce.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB23E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5AA.tmp	msiexec.exe
File created	C:\Windows\Installer\1d0729f.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072fe.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1d072be.HDR	msiexec.exe
File created	C:\Windows\Installer\1d072d6.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCB.tmp	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4B2.tmp	msiexec.exe
File created	C:\Windows\Installer\1d072bc.HDR	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3"	msiexec.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\.pdfxml\OpenWithList\AcroRd32.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05BFD3F1-6319-4F30-B752-C7A22889BCC4}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\acrobat\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\OpenWithProgids\AcroExch.Plugin = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/vnd.adobe.xfd+xml	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF.1\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2DEA7885-1846-411F-A41E-017A8FD778FF}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\TypeLib\ = "{05BFD3F1-6319-4F30-B752-C7A22889BCC4}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.secstore\OpenWithProgids\AcroExch.SecStore = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DF9A1DA0-23C0-101B-B02E-FDFDFDFDFDFD}\AutoTreatAs	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{566A7BC7-B295-41B7-A818-12F9E5CA46CA}\NumMethods\ = "10"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\MiscStatus\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AcroBroker.EXE\AppID = "{F2383816-917A-46CC-AD2A-5013BED3800F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroBroker.Broker.1\CLSID\ = "{BD57A9B2-4E7D-4892-9107-9F4106472DA4}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\CLSID\ = "{B801CA65-A1FC-11D0-85AD-444553540000}"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Read\command\command = 3300340054004c006000690060005a00350028004e0033003200260028006a0046007b0029002100520065006100640065007200500072006f006700720061006d00460069006c00650073003e006600570044004b003600510062006e006400390033002600280053005e0046004a006900340030002000220025003100220000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\4\ = "NotesDocInfo, 1, 1, 2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{198F17AE-B921-4308-9543-288D426A5C2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\OpenWithProgids	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E790E1D1-9DE8-4853-8AC6-933D4FD9C927}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AdobeAcrobat.OpenDocuments.3	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\AcroExch.XFDFDoc\ShellNew	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE}\TypeLib\Version = "1.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\DefaultIcon\ = "C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\PDFFile_8.ico,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA23D88-569E-4EFD-9851-A1528A7745F9}\TypeLib\ = "{05BFD3F1-6319-4F30-B752-C7A22889BCC4}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0\HELPDIR	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroAccess.AcrobatAccess\CurVer\ = "AcroAccess.AcrobatAccess.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\1\ = "14,1,64,1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.pdx\Extension = ".pdx"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}\ = "ISelectText"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B744CAF070E41400\Patches\Patches = 3600380041004200360037004300410037004400410037003000300030003000350032003000350043004100330031004100300045003400320038003000300000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.xfd	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\AcroPDF.DLL	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{566A7BC7-B295-41B7-A818-12F9E5CA46CA}\ = "IAdobePreviewHandler"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{671B6145-4169-4ADD-9AF3-E6990EB2B325}\ProxyStubClsid32\ = "{671B6145-4169-4ADD-9AF3-E6990EB2B325}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}\1.0\0\win32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\AcroForm.api"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\ProgID\ = "AcroBroker.Broker.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.fdf\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3ED-4981-101B-9CA8-9240CE2738AE}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\TypeLib\Version = "1.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Version\ = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID\ = "PDFPrevHndlr.PDFPreviewHandler.1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\Read\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\Programmable\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\VersionIndependentProgID\ = "Adobe.AcrobatSearch"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3E8-4981-101B-9CA8-9240CE2738AE}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EA-4981-101B-9CA8-9240CE2738AE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\Content Type = "application/vnd.adobe.acrobat-security-settings"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

logagent.exehelp.exeAdobeARMHelper.exeMsiExec.exe

pid	process
1964	logagent.exe
1964	logagent.exe
1964	logagent.exe
1964	logagent.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
4488	AdobeARMHelper.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
4472	MsiExec.exe
4472	MsiExec.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe
2188	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3124 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

logagent.exehelp.exe

pid process

1964 logagent.exe
1964 logagent.exe
1964 logagent.exe
2188 help.exe
2188 help.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

logagent.exeExplorer.EXEhelp.exesvchost.exeAdobeARMHelper.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1964	logagent.exe
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeDebugPrivilege	2188	help.exe
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeTcbPrivilege	3640	svchost.exe
Token: SeTcbPrivilege	3640	svchost.exe
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	4488	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	4488	AdobeARMHelper.exe
Token: SeSecurityPrivilege	4544	msiexec.exe
Token: SeCreateTokenPrivilege	4488	AdobeARMHelper.exe
Token: SeAssignPrimaryTokenPrivilege	4488	AdobeARMHelper.exe
Token: SeLockMemoryPrivilege	4488	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	4488	AdobeARMHelper.exe
Token: SeMachineAccountPrivilege	4488	AdobeARMHelper.exe
Token: SeTcbPrivilege	4488	AdobeARMHelper.exe
Token: SeSecurityPrivilege	4488	AdobeARMHelper.exe
Token: SeTakeOwnershipPrivilege	4488	AdobeARMHelper.exe
Token: SeLoadDriverPrivilege	4488	AdobeARMHelper.exe
Token: SeSystemProfilePrivilege	4488	AdobeARMHelper.exe
Token: SeSystemtimePrivilege	4488	AdobeARMHelper.exe
Token: SeProfSingleProcessPrivilege	4488	AdobeARMHelper.exe
Token: SeIncBasePriorityPrivilege	4488	AdobeARMHelper.exe
Token: SeCreatePagefilePrivilege	4488	AdobeARMHelper.exe
Token: SeCreatePermanentPrivilege	4488	AdobeARMHelper.exe
Token: SeBackupPrivilege	4488	AdobeARMHelper.exe
Token: SeRestorePrivilege	4488	AdobeARMHelper.exe
Token: SeShutdownPrivilege	4488	AdobeARMHelper.exe
Token: SeDebugPrivilege	4488	AdobeARMHelper.exe
Token: SeAuditPrivilege	4488	AdobeARMHelper.exe
Token: SeSystemEnvironmentPrivilege	4488	AdobeARMHelper.exe
Token: SeChangeNotifyPrivilege	4488	AdobeARMHelper.exe
Token: SeRemoteShutdownPrivilege	4488	AdobeARMHelper.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Explorer.EXEAdobeARM.exe

pid	process
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
4780	AdobeARM.exe
3124	Explorer.EXE
3124	Explorer.EXE
4780	AdobeARM.exe
4780	AdobeARM.exe
4780	AdobeARM.exe
3124	Explorer.EXE
3124	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXEAdobeARM.exe

pid process

3124 Explorer.EXE
4780 AdobeARM.exe
4780 AdobeARM.exe
4780 AdobeARM.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SDXHelper.exeAdobeARM.exe

pid process

3800 SDXHelper.exe
4780 AdobeARM.exe
4780 AdobeARM.exe
4780 AdobeARM.exe

pid	process
3800	SDXHelper.exe
4780	AdobeARM.exe
4780	AdobeARM.exe
4780	AdobeARM.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Lista de orden_.0927272829229.PDF.exeExplorer.EXEhelp.exesvchost.exemsiexec.exeAdobeARMHelper.exe

description	pid	process	target process
PID 3364 wrote to memory of 1964	3364	Lista de orden_.0927272829229.PDF.exe	logagent.exe
PID 3364 wrote to memory of 1964	3364	Lista de orden_.0927272829229.PDF.exe	logagent.exe
PID 3364 wrote to memory of 1964	3364	Lista de orden_.0927272829229.PDF.exe	logagent.exe
PID 3364 wrote to memory of 1964	3364	Lista de orden_.0927272829229.PDF.exe	logagent.exe
PID 3364 wrote to memory of 1964	3364	Lista de orden_.0927272829229.PDF.exe	logagent.exe
PID 3364 wrote to memory of 1964	3364	Lista de orden_.0927272829229.PDF.exe	logagent.exe
PID 3124 wrote to memory of 2188	3124	Explorer.EXE	help.exe
PID 3124 wrote to memory of 2188	3124	Explorer.EXE	help.exe
PID 3124 wrote to memory of 2188	3124	Explorer.EXE	help.exe
PID 2188 wrote to memory of 2756	2188	help.exe	cmd.exe
PID 2188 wrote to memory of 2756	2188	help.exe	cmd.exe
PID 2188 wrote to memory of 2756	2188	help.exe	cmd.exe
PID 3640 wrote to memory of 3928	3640	svchost.exe	OneDriveSetup.exe
PID 3640 wrote to memory of 3928	3640	svchost.exe	OneDriveSetup.exe
PID 3640 wrote to memory of 3928	3640	svchost.exe	OneDriveSetup.exe
PID 4544 wrote to memory of 4616	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 4616	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 4616	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 4668	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 4668	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 4668	4544	msiexec.exe	MsiExec.exe
PID 4488 wrote to memory of 4780	4488	AdobeARMHelper.exe	AdobeARM.exe
PID 4488 wrote to memory of 4780	4488	AdobeARMHelper.exe	AdobeARM.exe
PID 4488 wrote to memory of 4780	4488	AdobeARMHelper.exe	AdobeARM.exe
PID 4544 wrote to memory of 1288	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 1288	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 1288	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 4472	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 4472	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 4472	4544	msiexec.exe	MsiExec.exe
PID 4544 wrote to memory of 2692	4544	msiexec.exe	MSIF53.tmp
PID 4544 wrote to memory of 2692	4544	msiexec.exe	MSIF53.tmp
PID 4544 wrote to memory of 2692	4544	msiexec.exe	MSIF53.tmp
PID 4544 wrote to memory of 5012	4544	msiexec.exe	RdrServicesUpdater.exe
PID 4544 wrote to memory of 5012	4544	msiexec.exe	RdrServicesUpdater.exe
PID 4544 wrote to memory of 5012	4544	msiexec.exe	RdrServicesUpdater.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\Lista de orden_.0927272829229.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Lista de orden_.0927272829229.PDF.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:2756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1588

C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe
"C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:2928

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
2⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640

C:\ProgramData\Adobe\ARM\S\12879\AdobeARMHelper.exe
"C:\ProgramData\Adobe\ARM\S\12879\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\12879" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\12879" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 51A5E01A36CAD371B6BBDE1015643AA8
2⤵
- Loads dropped DLL
PID:4616

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9A849BAF38A0B0C2610B2C4C2DF0EDEE E Global\MSI0000
2⤵
- Loads dropped DLL
PID:4668

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F3EA2AB85F75263292894C6E128F406E
2⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1288

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D69E0467633360232927FAF5B26AC903 E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4472

C:\Windows\Installer\MSIF53.tmp
"C:\Windows\Installer\MSIF53.tmp" /b 2 120 0
2⤵
- Executes dropped EXE
PID:2692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20098 19.010.20069.0
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5012

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:4712

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe
MD5
2f8d93826b8cbf9290bc57535c7a6817

SHA1
b36e4ee6b7c9db78e73bf58d8e69680f8f840a32

SHA256
edf4bd6c6ce4b5a2f7eceb2c10ff3a61934f48d75ae2b8b556b0e4bac7e7a168

SHA512
df342416bd82dd7e6b6444f9c66afddc193cae5b918b0b1f207c518cdebfdf9eb7c4f900d67c10561f8a675dbcf2348747df894db34a5624f81ae8d69f6ecb4d

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MD5
50b17d217f07d5968b34f42311638f74

SHA1
de0c092e9e157288c661f3471301fc5ee1bddbb5

SHA256
9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c

SHA512
5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MD5
50b17d217f07d5968b34f42311638f74

SHA1
de0c092e9e157288c661f3471301fc5ee1bddbb5

SHA256
9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c

SHA512
5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
MD5
fd59fc6011af0e430fdc63aa15b6de75

SHA1
376a72f8ca10471b391d082e09d357a8a067e432

SHA256
28bafddf4f7f85cca3551a3920012e59a6fc4f9334ba80b9f755b43e605f9899

SHA512
11df7b783292f0d08df57eac67d25e1a2dac77010c2f3794dfc6895b532787a2cd2d57b7f72be04354db12a4082ed6760e322de766d6191c7b77c5e0f739c0b4

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_152539051349955165413993922351359178853.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
MD5
10a58da77ae2073d1baf4f13630ea516

SHA1
aed9c3190f2a2508a150b2f03568f9aa0b4f00c0

SHA256
cb914e1a70aa98cbaae25192df867d73605aa9ae5db4ef77c274c266c2d0b2d8

SHA512
a83454e609d88111463e620f0ea2f2e066ec87136716ccc5146fab432a5fba8778335d9597cbf7bdf475207962194e0f6cf9c97ad8830c4694a23f5aa0a7766d

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini
MD5
2a4b971264db5c0340bc6b540c0f3fad

SHA1
51f64f6ae865643aa302cf1aaa45300d22495885

SHA256
a05012d2322ff082dd30f78638a39b861bfbe021df7e2deb3d9060fa18723d37

SHA512
178ea6b6c50638041463024759a69de10484f0957fd4586df05297d3e759d1e797415b37ad6ba0ac130aadceed46751b31e4be9a1768581cd87678187c820f9a

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5
3404522672187ad49ad74aec689075c0

SHA1
af6b91326f443b04088cd3718b93334a7247ce1a

SHA256
0ef813051b890501283103fb2999aaa01438227b681dcf711d09c10c5846d72d

SHA512
35d47d228977ae3e77b1510e67fc082da37a39f346a23d4d5f65d91ac46ae51581ccb3c507efe6b33a8ac26af11e58ee2128f98a16ba4b1f2bf9b14e70389f18

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\ProgramData\Adobe\ARM\S\ARM.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
MD5
ea10ff29d493b539c968793838918c55

SHA1
6a460ef0a77723aa30cbf901f50a9ffc541c1ca5

SHA256
0251219a4562903ccb87b756815c55e5c50f2883c01e6af32608bcadbf0a61ce

SHA512
824db27530eec234de63b69c925802e396fe1e7ce2bcbec261be5b835dbd94832e30b042079bc37f18293cf8f8d364af6edc28e6c8b9f6858b9ad604891737fc

Download Submit
C:\Windows\Installer\MSI1021.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSI1021.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSI3F09.tmp
MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\MSI3F09.tmp
MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\MSI7609.tmp
MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI7609.tmp
MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI7986.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI7986.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI7A52.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI7A52.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSIAD2B.tmp
MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Windows\Installer\MSIAD2B.tmp
MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Windows\Installer\MSIB133.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB133.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB23E.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB23E.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB2EB.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIB2EB.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIB33A.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB33A.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB4B2.tmp
MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIB4B2.tmp
MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIBA6.tmp
MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\MSIBA6.tmp
MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\MSIC1A3.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIC1A3.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIC32B.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIC32B.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID1E.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID1E.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID5AA.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID5AA.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID5F9.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSID5F9.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSID629.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSID629.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSID659.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID659.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID725.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID725.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDCB.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDCB.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIEAAF.tmp
MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIEAAF.tmp
MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIF04.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIF04.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIF53.tmp
MD5
260cc3aeb3c5994f5a07dbeaf1d80d43

SHA1
ed1ff111c77b3422ad282c43cdde06254d1fa8b4

SHA256
65671cf7ac4ae49a411c47592cc337fe0b8ffa3cfb0a1ce5a219cae8c22012b8

SHA512
4aba5ade56ade7b27c93be844d88737ad7b3fa99e1bde484cd97f46b3bf05d82c394310d025167a4702fedba45bcbb14710c94a57b03f8f0e31ca5abba11cadc

Download Submit
C:\Windows\Installer\MSIF53.tmp
MD5
260cc3aeb3c5994f5a07dbeaf1d80d43

SHA1
ed1ff111c77b3422ad282c43cdde06254d1fa8b4

SHA256
65671cf7ac4ae49a411c47592cc337fe0b8ffa3cfb0a1ce5a219cae8c22012b8

SHA512
4aba5ade56ade7b27c93be844d88737ad7b3fa99e1bde484cd97f46b3bf05d82c394310d025167a4702fedba45bcbb14710c94a57b03f8f0e31ca5abba11cadc

Download Submit
C:\Windows\Installer\MSIF54.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIF54.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIFC3.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIFC3.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
memory/1588-136-0x0000020EFCF60000-0x0000020EFCF70000-memory.dmp

Filesize
64KB

Download
memory/1588-137-0x0000020EFCFC0000-0x0000020EFCFD0000-memory.dmp

Filesize
64KB

Download
memory/1588-138-0x0000020EFD380000-0x0000020EFD384000-memory.dmp

Filesize
16KB

Download
memory/1964-154-0x000000007249E000-0x000000007249F000-memory.dmp

Filesize
4KB

Download
memory/1964-150-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1964-153-0x00000000026A0000-0x00000000029EA000-memory.dmp

Filesize
3.3MB

Download
memory/1964-151-0x0000000072480000-0x00000000724AE000-memory.dmp

Filesize
184KB

Download
memory/1964-155-0x0000000000A40000-0x0000000000A54000-memory.dmp

Filesize
80KB

Download
memory/2188-165-0x0000000001720000-0x00000000017B3000-memory.dmp

Filesize
588KB

Download
memory/2188-159-0x00000000018D0000-0x0000000001C1A000-memory.dmp

Filesize
3.3MB

Download
memory/2188-157-0x0000000000D00000-0x0000000000D07000-memory.dmp

Filesize
28KB

Download
memory/2188-158-0x0000000000FD0000-0x0000000000FFE000-memory.dmp

Filesize
184KB

Download
memory/3124-156-0x00000000082B0000-0x0000000008454000-memory.dmp

Filesize
1.6MB

Download
memory/3124-166-0x0000000002CA0000-0x0000000002D8C000-memory.dmp

Filesize
944KB

Download
memory/3364-134-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3364-141-0x0000000003AD6000-0x0000000003AD7000-memory.dmp

Filesize
4KB

Download
memory/3800-149-0x00007FF857310000-0x00007FF857505000-memory.dmp

Filesize
2.0MB

Download
memory/3800-164-0x00007FF857310000-0x00007FF857505000-memory.dmp

Filesize
2.0MB

Download
memory/3800-163-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-143-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-144-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-145-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-146-0x00007FF857310000-0x00007FF857505000-memory.dmp

Filesize
2.0MB

Download
memory/3800-162-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-142-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-161-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-140-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-160-0x00007FF817390000-0x00007FF8173A0000-memory.dmp

Filesize
64KB

Download
memory/3800-147-0x00007FF857310000-0x00007FF857505000-memory.dmp

Filesize
2.0MB

Download
memory/3800-148-0x00007FF857310000-0x00007FF857505000-memory.dmp

Filesize
2.0MB

Download