deb90f81a8bd34bc27eb5f1864adfbfb2a5db9e6d59f5f21c6433be00752cfaa

Analysis

max time kernel
1643s
max time network
1429s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
17-03-2022 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deb90f81a8bd34bc27eb5f1864adfbfb2a5db9e6d59f5f21c6433be00752cfaa.pdf
Size

701KB
MD5

d2f132452ae442b554bd3f09722b442c
SHA1

ed24751ac3af2b9db775b5155fced9782b8e05e2
SHA256

deb90f81a8bd34bc27eb5f1864adfbfb2a5db9e6d59f5f21c6433be00752cfaa
SHA512

6bb708d092534fccee67fa47bd554ed654f2d1bcb89f01f2363f98fa1ea7ae75038bfc505a40494ee4b97435a9c44473b34f37a17ab4e6957b30bb3f9f16d5e2

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 6 IoCs

Processes:

AdobeARMHelper.exearmsvc.exeAdobeARM.exeMSIDC13.tmpRdrServicesUpdater.exearmsvc.exe

pid process

5080 AdobeARMHelper.exe
628 armsvc.exe
4872 AdobeARM.exe
4180 MSIDC13.tmp
544 RdrServicesUpdater.exe
1328 armsvc.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
5080	AdobeARMHelper.exe
628	armsvc.exe
4872	AdobeARM.exe
4180	MSIDC13.tmp
544	RdrServicesUpdater.exe
1328	armsvc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AdobeARMHelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	AdobeARMHelper.exe

Loads dropped DLL 52 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exe

pid	process
1100	MsiExec.exe
700	MsiExec.exe
700	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
1760	RdrCEF.exe
224	RdrCEF.exe
3228	RdrCEF.exe
2680	RdrCEF.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe
2452	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

AdobeARMHelper.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AdobeARMHelper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdobeARMHelper.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

MsiExec.exe

description ioc process

File created C:\Windows\SysWOW64\Elevation.tmp MsiExec.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe

Drops file in Program Files directory 64 IoCs

Processes:

RdrServicesUpdater.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\hu-hu\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sample-files\js\nls\en-il\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\js\nls\pl-pl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\nls\zh-cn\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\apple-touch-icon-57x57-precomposed.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\core\dev\nls\zh-cn\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\dd_arrow_small.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\images\s_radio_unselected_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\images\checkmark.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view-2x.png	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\createpdf.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\new_icons.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\cs-cz\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\files\dev\nls\en-gb\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\nls\ar-ae\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-recent-files\js\nls\zh-tw\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win-scrollbar\themes\dark\hscroll-thumb.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\nb-no\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_filterselected-dark-down_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\images\themes\dark\sat_logo_2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\js\nls\pl-pl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\js\nls\eu-es\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\selection-actions2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_hover_2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de.gif	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\js\nls\es-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\s_empty_folder_state.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\themes\dark\sample-thumb.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\js\plugin.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\sl-sl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\it-it\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\fr_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\pl_get.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\illustrations_retina.png	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_invite_24.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\core\dev\nls\nl-nl\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\images\bg_patterns_header.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\rhp_world_icon_hover.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_folder-default_32.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\next-arrow-default.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\js\nls\fi-fi\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\de-de\ui-strings.js	RdrServicesUpdater.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\1cf75da.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75ec.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75f3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75fe.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf7615.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf7591.msi	msiexec.exe
File created	C:\Windows\Installer\1cf75b7.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75d4.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75e0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75b3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75be.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75f5.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf7605.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf760a.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf7613.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7869.tmp	msiexec.exe
File created	C:\Windows\Installer\1cf759e.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75ca.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75de.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75f1.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf7612.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf7619.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75ae.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75c3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75ce.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75df.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75e0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75a7.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75c0.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75cd.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75eb.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75ec.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75f1.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf759a.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75a4.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75a8.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75ba.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75c9.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75e4.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4339.tmp	msiexec.exe
File created	C:\Windows\Installer\1cf75d3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75c2.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75c8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75db.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75ee.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-0804-1033-1959-001824311644}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\1cf75a8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75b6.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75e6.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75e8.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75eb.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75ed.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75ef.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf7606.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44D0.tmp	msiexec.exe
File created	C:\Windows\Installer\1cf75bf.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75c2.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75a7.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75b8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf7609.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf759c.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\1cf75cb.HDR	msiexec.exe
File created	C:\Windows\Installer\1cf75f5.HDR	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exeMsiExec.exeAcroRd32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3"	msiexec.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.SecStore\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AAABB05-F91B-4bce-AB18-D8319DEDABA8}\ = "Adobe Reader Bitmap Factory Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroBroker.exe\""	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroAccess.AcrobatAccess.1\CLSID\ = "{C523F39F-9C83-11D3-9094-00104BD0D535}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroBroker.Broker\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA23D88-569E-4EFD-9851-A1528A7745F9}\ = "ISPOpenDocuments"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA73301B744CAF070E41400\Redistributables = "ReaderProgramFiles"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/vnd.adobe.pdfxml	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E9-4981-101B-9CA8-9240CE2738AE}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Control\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfFile.OpenDocuments\CurVer\ = "AdobeAcrobat.OpenDocuments.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Read\command\command = 3300340054004c006000690060005a00350028004e0033003200260028006a0046007b0029002100520065006100640065007200500072006f006700720061006d00460069006c00650073003e006600570044004b003600510062006e006400390033002600280053005e0046004a006900340030002000220025003100220000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ = "IPDFPreviewHandler"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\TypeLib\ = "{05BFD3F1-6319-4F30-B752-C7A22889BCC4}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\AppID = "{BBAA0E44-3862-490C-8E63-AC2D2D6EF733}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroAccess.AcrobatAccess	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID\ = "PDFPrevHndlr.PDFPreviewHandler"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\ = "Adobe Acrobat DC Browser Control Implementation"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.xdp\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.acrobatsecuritysettings\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\AcroBroker.EXE	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.xfdf\	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF9A1DA0-23C0-101B-B02E-FDFDFDFDFDFD}\AutoTreatAs\ = "{B801CA65-A1FC-11D0-85AD-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DEA7885-1846-411F-A41E-017A8FD778FF}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3F22039-E3CF-4FC4-9A30-426A46056B8C}\TypeLib\ = "{41738EEA-442F-477F-92CF-2889BD6CD7E7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3F0-4981-101B-9CA8-9240CE2738AE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\TypeLib\ = "{41738EEA-442F-477F-92CF-2889BD6CD7E7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdx	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{566A7BC7-B295-41B7-A818-12F9E5CA46CA}\ProxyStubClsid32\ = "{671B6145-4169-4ADD-9AF3-E6990EB2B325}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\HELPDIR	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroPDF.PDF\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3F22039-E3CF-4FC4-9A30-426A46056B8C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InprocServer32	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml\EditFlags = 00000100	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.secstore\AcroExch.SecStore\ShellNew	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.Document	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SOFTWARE\Adobe\Acrobat\Exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\MiscStatus\1\ = "131473"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xdp	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\	msiexec.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

AcroRd32.exeAdobeARM.exeAdobeARMHelper.exemsiexec.exeMsiExec.exemsedge.exemsedge.exe

pid	process
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
3628	AdobeARM.exe
3628	AdobeARM.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
5080	AdobeARMHelper.exe
3512	msiexec.exe
3512	msiexec.exe
3512	msiexec.exe
3512	msiexec.exe
3512	msiexec.exe
3512	msiexec.exe
740	MsiExec.exe
740	MsiExec.exe
3512	msiexec.exe
3512	msiexec.exe
3512	msiexec.exe
3512	msiexec.exe
3512	msiexec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
740	MsiExec.exe
3160	msedge.exe
3160	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1584 msedge.exe
1584 msedge.exe
1584 msedge.exe
1584 msedge.exe

pid	process
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AdobeARMHelper.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	5080	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	5080	AdobeARMHelper.exe
Token: SeSecurityPrivilege	3512	msiexec.exe
Token: SeCreateTokenPrivilege	5080	AdobeARMHelper.exe
Token: SeAssignPrimaryTokenPrivilege	5080	AdobeARMHelper.exe
Token: SeLockMemoryPrivilege	5080	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	5080	AdobeARMHelper.exe
Token: SeMachineAccountPrivilege	5080	AdobeARMHelper.exe
Token: SeTcbPrivilege	5080	AdobeARMHelper.exe
Token: SeSecurityPrivilege	5080	AdobeARMHelper.exe
Token: SeTakeOwnershipPrivilege	5080	AdobeARMHelper.exe
Token: SeLoadDriverPrivilege	5080	AdobeARMHelper.exe
Token: SeSystemProfilePrivilege	5080	AdobeARMHelper.exe
Token: SeSystemtimePrivilege	5080	AdobeARMHelper.exe
Token: SeProfSingleProcessPrivilege	5080	AdobeARMHelper.exe
Token: SeIncBasePriorityPrivilege	5080	AdobeARMHelper.exe
Token: SeCreatePagefilePrivilege	5080	AdobeARMHelper.exe
Token: SeCreatePermanentPrivilege	5080	AdobeARMHelper.exe
Token: SeBackupPrivilege	5080	AdobeARMHelper.exe
Token: SeRestorePrivilege	5080	AdobeARMHelper.exe
Token: SeShutdownPrivilege	5080	AdobeARMHelper.exe
Token: SeDebugPrivilege	5080	AdobeARMHelper.exe
Token: SeAuditPrivilege	5080	AdobeARMHelper.exe
Token: SeSystemEnvironmentPrivilege	5080	AdobeARMHelper.exe
Token: SeChangeNotifyPrivilege	5080	AdobeARMHelper.exe
Token: SeRemoteShutdownPrivilege	5080	AdobeARMHelper.exe
Token: SeUndockPrivilege	5080	AdobeARMHelper.exe
Token: SeSyncAgentPrivilege	5080	AdobeARMHelper.exe
Token: SeEnableDelegationPrivilege	5080	AdobeARMHelper.exe
Token: SeManageVolumePrivilege	5080	AdobeARMHelper.exe
Token: SeImpersonatePrivilege	5080	AdobeARMHelper.exe
Token: SeCreateGlobalPrivilege	5080	AdobeARMHelper.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeSecurityPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

AcroRd32.exeAdobeARM.exemsedge.exe

pid process

572 AcroRd32.exe
4872 AdobeARM.exe
4872 AdobeARM.exe
4872 AdobeARM.exe
4872 AdobeARM.exe
1584 msedge.exe
1584 msedge.exe
1584 msedge.exe
1584 msedge.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

AdobeARM.exe

pid process

4872 AdobeARM.exe
4872 AdobeARM.exe
4872 AdobeARM.exe
4872 AdobeARM.exe

pid	process
4872	AdobeARM.exe
4872	AdobeARM.exe
4872	AdobeARM.exe
4872	AdobeARM.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

AcroRd32.exeAdobeARM.exeAdobeARM.exe

pid	process
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
572	AcroRd32.exe
3628	AdobeARM.exe
4872	AdobeARM.exe
4872	AdobeARM.exe
4872	AdobeARM.exe
572	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 572 wrote to memory of 4844	572	AcroRd32.exe	RdrCEF.exe
PID 572 wrote to memory of 4844	572	AcroRd32.exe	RdrCEF.exe
PID 572 wrote to memory of 4844	572	AcroRd32.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 1920	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe
PID 4844 wrote to memory of 4892	4844	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\deb90f81a8bd34bc27eb5f1864adfbfb2a5db9e6d59f5f21c6433be00752cfaa.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=38F22F8BC5DE651FFA0C77E54DFB21D4 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1920

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E809BDCCDD401F9714599E8B4C020160 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E809BDCCDD401F9714599E8B4C020160 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4892

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BCC2C9ED35B7BD2B5DC1B0E26975B002 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2472

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AAE1067AFD5631646AC0058BA252AA33 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AAE1067AFD5631646AC0058BA252AA33 --renderer-client-id=5 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=50D750C8980E46933BAA761ADF714DD5 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FE5294902EB13551A81BFB1E91E357F5 --mojo-platform-channel-handle=2704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3592

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AF20358170D4281FE300F5F430AB222D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AF20358170D4281FE300F5F430AB222D --renderer-client-id=10 --mojo-platform-channel-handle=2808 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4528

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:768

C:\ProgramData\Adobe\ARM\S\2850\AdobeARMHelper.exe
"C:\ProgramData\Adobe\ARM\S\2850\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\2850" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
3⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\2850" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:4740

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E31E46A1FC554E0EBB3C1D45943E1AC4 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- Loads dropped DLL
PID:1760

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AA9302A977BD0CE159DC5FAA3EA7D8F2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AA9302A977BD0CE159DC5FAA3EA7D8F2 --renderer-client-id=2 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4288

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B8049146888171E1F2363B5E4DBFB075 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B8049146888171E1F2363B5E4DBFB075 --renderer-client-id=4 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4404

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=426F5FC7E9DBF83A685A7A0555E22BBD --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- Loads dropped DLL
PID:224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF59E3FCA2508251326892D69318CABE --mojo-platform-channel-handle=2868 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- Loads dropped DLL
PID:3228

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B07F3844870F0DAFEF0A845F28602E0A --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- Loads dropped DLL
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://quotation/
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd4,0xfc,0x100,0xd8,0x104,0x7ffcdfd946f8,0x7ffcdfd94708,0x7ffcdfd94718
3⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4789625185006785067,3905682378782941224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4789625185006785067,3905682378782941224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4789625185006785067,3905682378782941224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
3⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4789625185006785067,3905682378782941224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
3⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4789625185006785067,3905682378782941224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
3⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,4789625185006785067,3905682378782941224,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5244 /prefetch:8
3⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4789625185006785067,3905682378782941224,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
3⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4789625185006785067,3905682378782941224,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
3⤵
PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CBCD40BCF68A62493D1C4428FE80DF24
2⤵
- Loads dropped DLL
PID:1100

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 15AA76B8FBADA027E357D06E03D2BCB8 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:700

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 784E92B798EB7E8DDC88F806422D0783
2⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2452

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DA5D018EEEAFF853F79045498668EFE6 E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Windows\Installer\MSIDC13.tmp
"C:\Windows\Installer\MSIDC13.tmp" /b 2 120 0
2⤵
- Executes dropped EXE
PID:4180

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20098 19.010.20069.0
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:544

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:628

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MD5
50b17d217f07d5968b34f42311638f74

SHA1
de0c092e9e157288c661f3471301fc5ee1bddbb5

SHA256
9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c

SHA512
5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MD5
50b17d217f07d5968b34f42311638f74

SHA1
de0c092e9e157288c661f3471301fc5ee1bddbb5

SHA256
9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c

SHA512
5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
MD5
fd59fc6011af0e430fdc63aa15b6de75

SHA1
376a72f8ca10471b391d082e09d357a8a067e432

SHA256
28bafddf4f7f85cca3551a3920012e59a6fc4f9334ba80b9f755b43e605f9899

SHA512
11df7b783292f0d08df57eac67d25e1a2dac77010c2f3794dfc6895b532787a2cd2d57b7f72be04354db12a4082ed6760e322de766d6191c7b77c5e0f739c0b4

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_18215768422033014461643109678232906026.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
MD5
10a58da77ae2073d1baf4f13630ea516

SHA1
aed9c3190f2a2508a150b2f03568f9aa0b4f00c0

SHA256
cb914e1a70aa98cbaae25192df867d73605aa9ae5db4ef77c274c266c2d0b2d8

SHA512
a83454e609d88111463e620f0ea2f2e066ec87136716ccc5146fab432a5fba8778335d9597cbf7bdf475207962194e0f6cf9c97ad8830c4694a23f5aa0a7766d

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini
MD5
add8ceed4c365a2830ebf46690734b52

SHA1
ced3d4047b0446abda20838ff016254a03cc0336

SHA256
df37cc34b0cc8971942fd3de04d6d852d8ff865684cf43a4796a862c06b96bbc

SHA512
c11907d37e3acf50ab959a6fb1c73a43997458ca6d18aa26c74a79826f44b18bee7d5f4b9b63573364f6f2922a4dd743378deae95ec067d51161660a98059f03

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini
MD5
add8ceed4c365a2830ebf46690734b52

SHA1
ced3d4047b0446abda20838ff016254a03cc0336

SHA256
df37cc34b0cc8971942fd3de04d6d852d8ff865684cf43a4796a862c06b96bbc

SHA512
c11907d37e3acf50ab959a6fb1c73a43997458ca6d18aa26c74a79826f44b18bee7d5f4b9b63573364f6f2922a4dd743378deae95ec067d51161660a98059f03

Download Submit
C:\ProgramData\Adobe\ARM\S\2850\AdobeARM.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Adobe\ARM\S\2850\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\ProgramData\Adobe\ARM\S\2850\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
7d0545359019f53ebf7f3ec7b447e5c4

SHA1
2b61f3adf4d577d4b42d40d56393c14319733aba

SHA256
bf978dbbb2c545c43998c8ae575c167fdc609342c24b7263d14cace4c4bf5107

SHA512
9dda549f23192fe3520efa1b90809951c8e945b23583fea200a604e8b8bccf8ade9663786d3a84540c2fdd50254c4a4bb348628bd221b18782b7335d838c7af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
1ad2c15d87054765573fc29ee2642881

SHA1
87a97ff75ee04825c4e06d9e899fdc6ea72fb6ed

SHA256
ff059219fa0b8db8378c83502c7d4311ab3f9214c120fd19426249a99dc9a488

SHA512
18df5d75a4f8b70b0d4da18aafdf51e50b5ba25fd90d402d23aa0530d3164a83c0651846bfb622aeb568a44352d4a97c6bfa1ebe7498b37d4f7de61a5d190ba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
fa599500b7348e4863c2442ba119210d

SHA1
296498571bf1347bd53d877ff8145c77962f837e

SHA256
af5854dc85e000881b58beff28f2b2761cd4ff5cc2d5541f38baaaf89468e0e1

SHA512
121bc4da83843993c26b4f16bd56b169134a64001dddd317e0aca78b7570e8009e60e8d5eab45e08cad769a447e72597f3f823645174455cf0bcb59a04616cde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
1c54ec32c274029419ce71a7dff3506d

SHA1
26eaa9bd2d8e2e68b1bf64c6e151a6fcd245220a

SHA256
5f90bb727981bcdb85c2b488f15f9f2405ae6e369fd2b0f51d622a755e68ed6b

SHA512
87ce373f1892d7fa4d169a6be4febacc5d73cd5b89e2290a1fc0085645a9c10165e0e13a75dbfe1d2ad7949ec892c872ba5eee058b47b9b930fe50c320b376d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
MD5
97f93d239d511d770b829339bdec3c52

SHA1
72b4c21f5f40766d53d5610f74618cc73d94381a

SHA256
0063c085285eb45b632384d0bfad24f50f0054c1c5c002a324efd36b3512bcfa

SHA512
d9ef27ad7fd31170bc09078767576aff3cf853c2d1675b9859c4a194880afd08325584687fe050a141cdf542b5098fc2f83cfb1a14ba3dc77048c241020dade5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
MD5
62c03971542876d81fc67ceb9c800328

SHA1
ff79b9cb0a7a63928b57e2f41d7c62609ff6fe44

SHA256
1076c315c5da325c049ac087cc643f568b9d5e71a921c1c5dffe0e6430210352

SHA512
e0a335a97b2d11d72561eb084d40a4023d38b0a60f194c626d4bcc8249b76c3d660af2f6273df530c4eac2588d69c2c495a856949ce2b57d3c27e26e6a336940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini
MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Windows\Installer\MSI78BE.tmp
MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI78BE.tmp
MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI7D92.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI7D92.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI7E6E.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSI7E6E.tmp
MD5
4184a5369d3bd6592b1db5cd2ac465ef

SHA1
be848190344933e38e0d40f0d56854594f113c42

SHA256
5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5

SHA512
49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

Download Submit
C:\Windows\Installer\MSIA35C.tmp
MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Windows\Installer\MSIA35C.tmp
MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Windows\Installer\MSIA561.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIA561.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIA5EE.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIA5EE.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIA64D.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIA64D.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIA67D.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIA67D.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIA70A.tmp
MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIA70A.tmp
MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIA99C.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIA99C.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIAA0A.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIAA0A.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB8F0.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB8F0.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB94E.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIB94E.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIB98E.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIB98E.tmp
MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSIB9AE.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIB9AE.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIBA4B.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIBA4B.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIC8C4.tmp
MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIC8C4.tmp
MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSID856.tmp
MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\MSID856.tmp
MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\MSID9AF.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSID9AF.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDA6B.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDA6B.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDBB4.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDBB4.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDC13.tmp
MD5
260cc3aeb3c5994f5a07dbeaf1d80d43

SHA1
ed1ff111c77b3422ad282c43cdde06254d1fa8b4

SHA256
65671cf7ac4ae49a411c47592cc337fe0b8ffa3cfb0a1ce5a219cae8c22012b8

SHA512
4aba5ade56ade7b27c93be844d88737ad7b3fa99e1bde484cd97f46b3bf05d82c394310d025167a4702fedba45bcbb14710c94a57b03f8f0e31ca5abba11cadc

Download Submit
C:\Windows\Installer\MSIDC13.tmp
MD5
260cc3aeb3c5994f5a07dbeaf1d80d43

SHA1
ed1ff111c77b3422ad282c43cdde06254d1fa8b4

SHA256
65671cf7ac4ae49a411c47592cc337fe0b8ffa3cfb0a1ce5a219cae8c22012b8

SHA512
4aba5ade56ade7b27c93be844d88737ad7b3fa99e1bde484cd97f46b3bf05d82c394310d025167a4702fedba45bcbb14710c94a57b03f8f0e31ca5abba11cadc

Download Submit
C:\Windows\Installer\MSIDC14.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDC14.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSIDCC1.tmp
MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
memory/2200-231-0x00007FFCFCD80000-0x00007FFCFCD81000-memory.dmp

Filesize
4KB

Download