Malware Analysis Report

2024-10-19 06:17

Sample ID 220320-3n8dfsggdk
Target http://167.89.118.52.80
Tags
prometheus persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://167.89.118.52.80 was found to be: Known bad.

Malicious Activity Summary

prometheus persistence ransomware

Registers COM server for autorun

Prometheus Ransomware

Sets file execution options in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

0001-01-01 00:00

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-20 23:40

Reported

2022-03-21 00:11

Platform

win10-20220310-es

Max time kernel

1801s

Max time network

1593s

Command Line

cmd /c start microsoft-edge:http://167.89.118.52.80

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e6df1580bc3cd801 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 136a1f80bc3cd801 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 082d21d5c634d801 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = e08d80de934cd801 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c start microsoft-edge:http://167.89.118.52.80

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.bing.com udp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.200:443 www.bing.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-03-20 23:40

Reported

2022-03-21 00:12

Platform

win10v2004-es-20220113

Max time kernel

1759s

Max time network

1794s

Command Line

cmd /c start microsoft-edge:http://167.89.118.52.80

Signatures

Prometheus Ransomware

ransomware prometheus

Registers COM server for autorun

persistence

Sets file execution options in registry

persistence

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Elevation.tmp C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\ca-es\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\images\s_close.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\faf-main.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_invite_24.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win-scrollbar\themes\dark\arrow-down.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\js\nls\nb-no\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\fullscreen-hover.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\hi_contrast\core_icons_hiContrast_wob.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\progress_spinner_dark.gif C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\circle.cur C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\illustrations.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\images\Close.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_filter-dark-focus_32.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\app-center\js\nls\zh-cn\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\app-center\js\nls\it-it\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\zh-tw\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\home\images\icons.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\id_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win-scrollbar\arrow-up.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\eu-es\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\az_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fr_135x40.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\images\illustrations.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\line.cur C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_filter-dark-disabled_32.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\images\themeless\action_poster.jpg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\sv_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sign-services-auth\js\nls\zh-tw\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\nls\sl-si\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\core\dev\nls\en-il\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\da-dk\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\core_icons_fw.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\chrome-ext.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_checkbox_selected_18.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\nb-no\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\pt-br\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\AppStore_icon.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\lv_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\selector.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\js\nls\it-it\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\themes\dark\file_info2x.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_organize_18.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\css\main.css C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\images\new_icons.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-recent-files\js\plugin.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\cs_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI250C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6a93.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6a9e.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6aa0.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6ac0.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6ae2.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6ae9.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2686.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9350.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6aae.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6ad9.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI24DB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6aa2.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6aed.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6aff.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6b0e.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6a8f.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6aaa.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6ad1.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E20.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6a9b.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6b07.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6a99.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6a9e.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6abe.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB0A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29D3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6aa7.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6ab4.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6ab7.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6acd.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI24B9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6a8c.msp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6ade.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6af7.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEE0F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI244B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6aec.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6af2.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6af3.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6b0b.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBC24.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AC76BA86-0804-1033-1959-001824311644} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAD5D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI252C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6aa1.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6aa3.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6ac7.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6ad0.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6ad8.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6af9.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6af8.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6CB8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA1F1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6a9f.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6aad.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6ab2.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6af5.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6a85.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1cf6aaf.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1cf6ab0.HDR C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\ C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroBroker.Broker\CurVer C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\ = "IPDomNode" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.pdfxml.1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\ = "Adobe Acrobat XML Data Package File" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\PDFPrevHndlr.PDFPreviewHandler.1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\ProgID\ = "AcroBroker.Broker.1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA73301B744CAF070E41400 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD069A1-50AA-11D1-B8F0-00A0C9259304}\VersionIndependentProgID\ = "AFormAut.App" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\launchreader\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\68AB67CA7DA700005205CA31A0E42800\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.acrobatsecuritysettings.1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32\ = "{12BA069D-0FC6-4577-97C6-5DF634CE6E84}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDE0D630-7801-47cd-984E-1F0AFBC5ACBF}\ = "Adobe Reader HTML Preview Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5AAABB05-F91B-4bce-AB18-D8319DEDABA8}\ProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\68AB67CA7DA700005205CA31A0E42800\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3F0-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3B813CE7-7C10-4F84-AD06-9DF76D97A9AA}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType\shell\Read C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\ = "Adobe Acrobat Document" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\Read C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xdp+xml C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\acrobat2018\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.api\OpenWithProgids C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\8 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA73301B744CAF070E41400\SearchAndIndex = "Reader_Big_Features" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3F0-4981-101B-9CA8-9240CE2738AE}\ = "CAcroHiliteList" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ProgID\ = "AcroPDF.PDF.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.pdfxml\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings\EditFlags = 00000100 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\5\ = "NoteshNote, 1, 1, 1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41738EEA-442F-477F-92CF-2889BD6CD7E7}\1.0\0\win32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroBroker.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\CurVer\ = "AcroExch.Document.DC" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B744CAF070E41400\ProductName = "Adobe Acrobat Reader DC" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Control\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\ = "AcrobatAccess Class" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\shell\Print\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml\CLSID\ = "{B801CA65-A1FC-11D0-85AD-444553540000}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{62776AC3-A015-4BA5-A1C7-DCD765881249}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\Programmable\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3F0-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF\CLSID\ = "{CA8A9780-280D-11CF-A24D-444553540000}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdfxml\OpenWithList\Acrobat.exe C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{BE79C475-D632-4A57-91B3-DA044FA27CDA}\1.0\HELPDIR C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}\1.0\ = "AFormAut 1.0 Type Library" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C} C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeMachineAccountPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeSystemProfilePrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeSystemtimePrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeAuditPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeUndockPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeSyncAgentPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeManageVolumePrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1356 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c start microsoft-edge:http://167.89.118.52.80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://167.89.118.52.80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffdb57046f8,0x7ffdb5704708,0x7ffdb5704718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=3192 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff6aa9a5460,0x7ff6aa9a5470,0x7ff6aa9a5480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe

"C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe" -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3312 /prefetch:2

C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe

"C:\ProgramData\Adobe\ARM\S\23528\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\23528" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B6933F1ECDBD7DDF20BB1244E54A10E9

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 806FC68666FEF58A1ACB4CB9D77CB33C E Global\MSI0000

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\23528" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=5968 /prefetch:8

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 15523AEF77E54928480BAFC60A6709F9

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E3769DB3060C47D057ED16ADE0469738 E Global\MSI0000

C:\Windows\Installer\MSIBDFC.tmp

"C:\Windows\Installer\MSIBDFC.tmp" /b 2 120 0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20098 19.010.20069.0

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=1616 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=3344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=64 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14963867564542929039,14748077940052294130,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
NL 20.73.130.64:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 smartscreen-prod.microsoft.com udp
NL 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
NL 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
NL 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
NL 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
NL 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
NL 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
NL 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
US 8.8.8.8:53 www.bing.com udp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
NL 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 204.79.197.219:443 edge.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 13.107.21.200:443 www.bing.com tcp
US 8.8.4.4:443 dns.google udp
US 204.79.197.203:443 tcp
N/A 224.0.0.251:5353 udp
NL 2.19.195.233:443 tcp
NL 2.19.195.233:443 tcp
NL 2.19.195.233:443 tcp
US 204.79.197.203:443 tcp
US 204.79.197.200:443 www.bing.com tcp
DE 13.226.145.35:443 tcp
US 8.8.8.8:53 dns.google udp
NL 104.110.240.193:443 tcp
KR 52.231.207.240:443 tcp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google udp
US 204.79.197.219:443 edge.microsoft.com tcp
US 8.8.4.4:443 dns.google tcp
NL 92.123.77.50:443 tcp
US 204.79.197.203:443 tcp
NL 2.19.195.233:443 tcp
NL 104.110.240.193:443 tcp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.203:443 tcp
NL 2.19.195.233:443 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
NL 104.110.191.133:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 dns.google udp
NL 2.19.195.233:443 tcp
US 8.8.8.8:53 dns.google udp
FR 2.22.22.129:80 ardownload.adobe.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 dns.google udp
US 204.79.197.219:443 edge.microsoft.com tcp
NL 92.123.77.50:443 tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
NL 178.79.208.1:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.4.4:443 dns.google tcp
US 204.79.197.219:443 edge.microsoft.com tcp
NL 178.79.208.1:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 204.79.197.219:443 edge.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
US 204.79.197.219:443 edge.microsoft.com tcp
US 204.79.197.219:443 edge.microsoft.com tcp
US 204.79.197.219:443 edge.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 dns.google udp
US 204.79.197.219:443 edge.microsoft.com tcp
US 8.8.8.8:443 dns.google tcp
NL 178.79.208.1:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:443 dns.google tcp
US 204.79.197.219:443 edge.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 204.79.197.219:443 edge.microsoft.com tcp

Files

memory/1252-135-0x00007FFDD44B0000-0x00007FFDD44B1000-memory.dmp

\??\pipe\LOCAL\crashpad_2404_YXKFXBHKJHYOHOTO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4128-193-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-192-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-194-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-195-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-196-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-199-0x00007FFDD4650000-0x00007FFDD4845000-memory.dmp

memory/4128-200-0x00007FFDD4650000-0x00007FFDD4845000-memory.dmp

memory/4128-202-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-203-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-204-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-205-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

memory/4128-206-0x00007FFDD4650000-0x00007FFDD4845000-memory.dmp

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_19452541556115566911172315525259386028.msi

MD5 daef9610629678de57c4567339f6e52c
SHA1 3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f
SHA256 9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701
SHA512 9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

C:\Windows\Installer\MSI6CB8.tmp

MD5 fadffef98d0f28368b843c6e9afd9782
SHA1 578101fadf1034c4a928b978260b120b740cdfb9
SHA256 73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886
SHA512 ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

C:\Windows\Installer\MSI6CB8.tmp

MD5 fadffef98d0f28368b843c6e9afd9782
SHA1 578101fadf1034c4a928b978260b120b740cdfb9
SHA256 73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886
SHA512 ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

C:\Windows\Installer\MSI6F59.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Windows\Installer\MSI6F59.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

MD5 10a58da77ae2073d1baf4f13630ea516
SHA1 aed9c3190f2a2508a150b2f03568f9aa0b4f00c0
SHA256 cb914e1a70aa98cbaae25192df867d73605aa9ae5db4ef77c274c266c2d0b2d8
SHA512 a83454e609d88111463e620f0ea2f2e066ec87136716ccc5146fab432a5fba8778335d9597cbf7bdf475207962194e0f6cf9c97ad8830c4694a23f5aa0a7766d

C:\Windows\Installer\MSI6FF7.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Windows\Installer\MSI6FF7.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 50b17d217f07d5968b34f42311638f74
SHA1 de0c092e9e157288c661f3471301fc5ee1bddbb5
SHA256 9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c
SHA512 5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 50b17d217f07d5968b34f42311638f74
SHA1 de0c092e9e157288c661f3471301fc5ee1bddbb5
SHA256 9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c
SHA512 5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

C:\ProgramData\Adobe\ARM\ArmReport.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

MD5 fd59fc6011af0e430fdc63aa15b6de75
SHA1 376a72f8ca10471b391d082e09d357a8a067e432
SHA256 28bafddf4f7f85cca3551a3920012e59a6fc4f9334ba80b9f755b43e605f9899
SHA512 11df7b783292f0d08df57eac67d25e1a2dac77010c2f3794dfc6895b532787a2cd2d57b7f72be04354db12a4082ed6760e322de766d6191c7b77c5e0f739c0b4

C:\Windows\Installer\MSI9051.tmp

MD5 c23d4d5a87e08f8a822ad5a8dbd69592
SHA1 317df555bc309dace46ae5c5589bec53ea8f137e
SHA256 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512 fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

C:\Windows\Installer\MSI9051.tmp

MD5 c23d4d5a87e08f8a822ad5a8dbd69592
SHA1 317df555bc309dace46ae5c5589bec53ea8f137e
SHA256 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512 fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

C:\Windows\Installer\MSI9350.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9350.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI93AE.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI93AE.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI93FD.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI93FD.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI941E.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI941E.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI94AB.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSI94AB.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSI97E8.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI97E8.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9857.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9857.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIA0D4.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIA0D4.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIA113.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIA113.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIA133.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIA133.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIA154.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIA154.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIA1F1.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIA1F1.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIAD5D.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSIAD5D.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSIBB0A.tmp

MD5 f88c6a79abbb5680ae8628fbc7a6915c
SHA1 6e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA256 5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA512 33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

C:\Windows\Installer\MSIBB0A.tmp

MD5 f88c6a79abbb5680ae8628fbc7a6915c
SHA1 6e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA256 5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA512 33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

C:\Windows\Installer\MSIBC24.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIBC24.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIBCB2.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIBCB2.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIBDAD.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIBDAD.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-20 23:40

Reported

2022-03-21 00:11

Platform

win7-20220310-es

Max time kernel

533s

Max time network

1445s

Command Line

cmd /c start microsoft-edge:http://167.89.118.52.80

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c start microsoft-edge:http://167.89.118.52.80

C:\Windows\system32\taskeng.exe

taskeng.exe {DF2DF427-95B1-4277-9A67-67A9B3455DA2} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\taskeng.exe

taskeng.exe {9F63D49A-2903-4A89-A303-EA04EAA90ABE} S-1-5-21-2932610838-281738825-1127631353-1000:NXLKCZKF\Admin:Interactive:[1]

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task

Network

N/A

Files

memory/904-54-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

memory/904-69-0x0000000001E80000-0x0000000001E81000-memory.dmp