Malware Analysis Report

2025-08-05 13:07

Sample ID 220323-ntlz3sdbf4
Target readme
SHA256 77457f0b7da19036041ca3a0071e141909d889eb7e2d28d6ad0df73bc3c81636
Tags
gozi_ifsb 7627 banker trojan evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

77457f0b7da19036041ca3a0071e141909d889eb7e2d28d6ad0df73bc3c81636

Threat Level: Known bad

The file readme was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 7627 banker trojan evasion persistence

Gozi, Gozi IFSB

Registers COM server for autorun

Executes dropped EXE

Sets file execution options in registry

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 11:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 11:41

Reported

2022-03-23 11:44

Platform

win7-20220310-it

Max time kernel

4294178s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1

Network

N/A

Files

memory/856-54-0x0000000000000000-mapping.dmp

memory/856-55-0x00000000765B1000-0x00000000765B3000-memory.dmp

memory/856-56-0x00000000002A0000-0x000000000031A000-memory.dmp

memory/856-58-0x0000000000200000-0x000000000020E000-memory.dmp

memory/856-57-0x0000000000200000-0x000000000020E000-memory.dmp

memory/856-59-0x0000000000200000-0x000000000020E000-memory.dmp

memory/856-60-0x0000000000200000-0x000000000020E000-memory.dmp

memory/856-61-0x0000000000130000-0x000000000013C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 11:41

Reported

2022-03-23 11:44

Platform

win10v2004-it-20220113

Max time kernel

121s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1

Signatures

Registers COM server for autorun

persistence

Sets file execution options in registry

persistence

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Elevation.tmp C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_download_pdf_18.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\js\nls\hr-hr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_sortedby_18.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\images\dd_arrow_small.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\fil_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\read_EX_Challenger_1_DT.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\ind_prog.gif C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\generic-rhp-app\css\main-selector.css C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\el_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\nls\nb-no\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\delete.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-recent-files\js\nls\pt-br\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\ko-kr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\virgo-new-folder.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\es-es\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win8-scrollbar\arrow-down.gif C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\js\nls\ru-ru\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\new_icons.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\rhp_world_icon.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\css\main-selector.css C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\rename.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\images\icons.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\ko-kr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\share.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\uss-search\js\nls\sk-sk\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\css\main.css C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\edit-pdf.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\desktop-connector-files\js\nls\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\js\plugins\editpdf-selector.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_filterselected-dark-down_32.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\images\example_icons2x.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\themes\dark\logo_retina.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\da_get.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\css\main-selector.css C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\files\dev\nls\fi-fi\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\files\dev\nls\pt-br\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\js\nls\hr-hr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer-select\js\nls\nb-no\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI9A0F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2D7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce45fb.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4624.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4636.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4660.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4660.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce465f.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4633.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4668.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce45f6.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce461d.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4623.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce462b.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce462e.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce464f.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4653.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce465d.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4662.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4672.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce460e.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce461b.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4659.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce465a.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce45eb.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce460a.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4611.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4621.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4610.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce466c.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4626.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4667.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI48AA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7B23.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8343.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4602.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4606.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce462b.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce463a.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFEA7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4674.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI97E9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDDBE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6D6F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce45f7.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce4632.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4666.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4671.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce460c.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4612.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce463e.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4661.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID925.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9941.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFFE3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6B5A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce461a.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce461f.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce463c.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce4656.HDR C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3} C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE}\ = "CAcroPDDoc" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ = "CAcroPDAnnot" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3B813CE7-7C10-4F84-AD06-9DF76D97A9AA}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adobe.AcrobatSearch.1\CLSID\ = "{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}\TypeLib\ = "{47A7A4B0-2723-41BA-865E-EBBB7081A602}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroBroker.Broker\CurVer C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\CurVer\ = "AcroExch.Document.DC" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ToolboxBitmap32\ = "C:\\PROGRA~2\\COMMON~1\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll, 102" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5AAABB05-F91B-4bce-AB18-D8319DEDABA8}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\shell\open\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" /u \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD069A1-50AA-11D1-B8F0-00A0C9259304}\ProgID\ = "AFormAut.App.1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BDE0D630-7801-47cd-984E-1F0AFBC5ACBF}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D3F22039-E3CF-4FC4-9A30-426A46056B8C} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings\CurVer\ = "AcroExch.acrobatsecuritysettings.1" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document\EditFlags = 00000100 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\8\ = "Rich Text Format, 1, 1, 1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\ProxyStubClsid32\ = "{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\protocol\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\shell\Read C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\TypeLib\ = "{47A7A4B0-2723-41BA-865E-EBBB7081A602}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.Plugin\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Plugin\DefaultIcon\ = "C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\APIFile_8.ico,0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings\CLSID\ = "{B801CA65-A1FC-11D0-85AD-444553540000}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{673E8452-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA73301B744CAF070E41400\SearchAndIndex = "Reader_Big_Features" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ = "IPDFPreviewHandler" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\DocObject C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\DefaultIcon\ = "C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\PDFFile_8.ico,0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\AcroExch.XFDFDoc\ShellNew C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xfdf\Extension = ".xfdf" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroAccess.AcrobatAccess C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{41738EEA-442F-477F-92CF-2889BD6CD7E7}\1.0\HELPDIR C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithProgids\AcroExch.acrobatsecuritysettings = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CD069A0-50AA-11D1-B8F0-00A0C9259304}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Accessibility.api" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\7\ = "2, 1, 16, 1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{673E8452-7646-11D1-B90B-00A0C9259304}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\launchreader C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.pdx\Extension = ".pdx" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\AuxUserType\2\ = "Acrobat Document" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0\HELPDIR C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA73301B744CAF070E41400\ReaderAIRIntegration = "ReaderProgramFiles" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{62776AC3-A015-4BA5-A1C7-DCD765881249}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\Version = "17301504" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeMachineAccountPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeSystemProfilePrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeSystemtimePrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeAuditPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeUndockPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeSyncAgentPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeManageVolumePrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1008 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 3044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1216 wrote to memory of 2580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 2580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 2580 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 3720 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 3720 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 3720 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3068 wrote to memory of 208 N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PID 3068 wrote to memory of 208 N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PID 3068 wrote to memory of 208 N/A C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PID 1216 wrote to memory of 3720 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 3720 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 3720 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 4016 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 4016 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 4016 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1216 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9981.tmp
PID 1216 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9981.tmp
PID 1216 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9981.tmp
PID 1216 wrote to memory of 3432 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
PID 1216 wrote to memory of 3432 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
PID 1216 wrote to memory of 3432 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1

C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe

"C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\7729" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B9BF8A9D52CC38AD3789D56DBE7F71A6

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6578CDAA941952C379CF8FC2DFFD8FEF E Global\MSI0000

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\7729" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 90EC29F971E0E77E3759A02027439C85

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2222BCD1214A0DE5188B8DF5648ECB34 E Global\MSI0000

C:\Windows\Installer\MSI9981.tmp

"C:\Windows\Installer\MSI9981.tmp" /b 2 120 0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20098 19.010.20069.0

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp
US 8.8.8.8:53 ardownload.adobe.com udp
NL 104.109.143.25:80 ardownload.adobe.com tcp
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp

Files

memory/3044-133-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_342239762179321502817039085331334157879.msi

MD5 daef9610629678de57c4567339f6e52c
SHA1 3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f
SHA256 9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701
SHA512 9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

memory/2580-137-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI48AA.tmp

MD5 fadffef98d0f28368b843c6e9afd9782
SHA1 578101fadf1034c4a928b978260b120b740cdfb9
SHA256 73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886
SHA512 ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

C:\Windows\Installer\MSI48AA.tmp

MD5 fadffef98d0f28368b843c6e9afd9782
SHA1 578101fadf1034c4a928b978260b120b740cdfb9
SHA256 73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886
SHA512 ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

memory/3720-142-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI4C84.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Windows\Installer\MSI4C84.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

MD5 10a58da77ae2073d1baf4f13630ea516
SHA1 aed9c3190f2a2508a150b2f03568f9aa0b4f00c0
SHA256 cb914e1a70aa98cbaae25192df867d73605aa9ae5db4ef77c274c266c2d0b2d8
SHA512 a83454e609d88111463e620f0ea2f2e066ec87136716ccc5146fab432a5fba8778335d9597cbf7bdf475207962194e0f6cf9c97ad8830c4694a23f5aa0a7766d

C:\Windows\Installer\MSI4D9F.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Windows\Installer\MSI4D9F.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 50b17d217f07d5968b34f42311638f74
SHA1 de0c092e9e157288c661f3471301fc5ee1bddbb5
SHA256 9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c
SHA512 5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

memory/208-151-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 50b17d217f07d5968b34f42311638f74
SHA1 de0c092e9e157288c661f3471301fc5ee1bddbb5
SHA256 9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c
SHA512 5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

MD5 fd59fc6011af0e430fdc63aa15b6de75
SHA1 376a72f8ca10471b391d082e09d357a8a067e432
SHA256 28bafddf4f7f85cca3551a3920012e59a6fc4f9334ba80b9f755b43e605f9899
SHA512 11df7b783292f0d08df57eac67d25e1a2dac77010c2f3794dfc6895b532787a2cd2d57b7f72be04354db12a4082ed6760e322de766d6191c7b77c5e0f739c0b4

C:\ProgramData\Adobe\ARM\ArmReport.ini

MD5 7055918a7fdd63eec68d7305257d321c
SHA1 299d9e87c6fac259f271b1acbef0536ed843f86e
SHA256 7615450c28e6247da5cc4a6b07d2253d7eee1012a9d902de72891f28937822ee
SHA512 9cf0c1939c5010ec13a070b934d1d64a20825a4563cb4df7ccfdc9f7b029dfddf2c4e89bafd855ecedc0e4f18c1b2e34cb4aa950cb5f10391e2c2e94399e01b0

memory/3720-155-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI6A4F.tmp

MD5 c23d4d5a87e08f8a822ad5a8dbd69592
SHA1 317df555bc309dace46ae5c5589bec53ea8f137e
SHA256 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512 fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

C:\Windows\Installer\MSI6A4F.tmp

MD5 c23d4d5a87e08f8a822ad5a8dbd69592
SHA1 317df555bc309dace46ae5c5589bec53ea8f137e
SHA256 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512 fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

C:\Windows\Installer\MSI6B5A.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI6B5A.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI6D30.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI6D30.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI6D6F.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI6D6F.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI6D8F.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI6D8F.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI6E0D.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSI6E0D.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSI711C.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI711C.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI71B9.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI71B9.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI7A94.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI7A94.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI7AE3.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI7AE3.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI7B03.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI7B03.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI7B23.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI7B23.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI7BA1.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI7BA1.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI84DB.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSI84DB.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSI9602.tmp

MD5 f88c6a79abbb5680ae8628fbc7a6915c
SHA1 6e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA256 5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA512 33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

C:\Windows\Installer\MSI9602.tmp

MD5 f88c6a79abbb5680ae8628fbc7a6915c
SHA1 6e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA256 5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA512 33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

C:\Windows\Installer\MSI975B.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI975B.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

memory/4016-190-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI97E9.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI97E9.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9941.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9941.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

memory/1820-197-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI9982.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9981.tmp

MD5 260cc3aeb3c5994f5a07dbeaf1d80d43
SHA1 ed1ff111c77b3422ad282c43cdde06254d1fa8b4
SHA256 65671cf7ac4ae49a411c47592cc337fe0b8ffa3cfb0a1ce5a219cae8c22012b8
SHA512 4aba5ade56ade7b27c93be844d88737ad7b3fa99e1bde484cd97f46b3bf05d82c394310d025167a4702fedba45bcbb14710c94a57b03f8f0e31ca5abba11cadc

C:\Windows\Installer\MSI9982.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9981.tmp

MD5 260cc3aeb3c5994f5a07dbeaf1d80d43
SHA1 ed1ff111c77b3422ad282c43cdde06254d1fa8b4
SHA256 65671cf7ac4ae49a411c47592cc337fe0b8ffa3cfb0a1ce5a219cae8c22012b8
SHA512 4aba5ade56ade7b27c93be844d88737ad7b3fa99e1bde484cd97f46b3bf05d82c394310d025167a4702fedba45bcbb14710c94a57b03f8f0e31ca5abba11cadc

C:\Windows\Installer\MSI9A0F.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9A0F.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI9A6E.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI9A6E.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIC52F.tmp

MD5 f88c6a79abbb5680ae8628fbc7a6915c
SHA1 6e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA256 5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA512 33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

C:\Windows\Installer\MSIC52F.tmp

MD5 f88c6a79abbb5680ae8628fbc7a6915c
SHA1 6e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA256 5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA512 33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\agm.dll

MD5 295f6591c5c26759be449da7c8ab97fe
SHA1 4d00cf9aa0e8fe86657582462e21447b24a1f18c
SHA256 a919132fccf28cb7f5869617e6b427a479644650b526d9110029329866842902
SHA512 e5b571aba70aba393ee961795713ca5e40fcb5406802c2d07eaaa7beeeb09d4fa3a1eb63dbc438ffc24769ef37ff710cca8d8d892d625bf060b1c83b5c914be2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cooltype.dll

MD5 ce82b0cc43ee46dcfc68368376db3fba
SHA1 4a9f9eb4423ebb94ef5cfde4c09e78880645b39d
SHA256 ec52eabc7d3392dcee6aadbba3bbca0bf3c1cae48faad5e9c2ee6115577ac661
SHA512 e91df2c41864e978b746ddede49dc44846e93d1b3c8488f305075e9ec913285cf0ca82e7b1c6701d5f977461344a7507d9cb302b9446fe8c0602ebd06fe1dd1e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\bib.dll

MD5 1dc7a191a1e70fcd220ac8550fec6c06
SHA1 96fdb2fafa0cd151e45cce72f83c7fc6099d4eb1
SHA256 0713fdb60f212b6c7e6f2f1c36fea288608efd354b4640fee25d91b155b229de
SHA512 ce66e2d4974dc371670554759d0d87fdc00bb4e6271ef7954d051cd084ee344d34225a9ca711d04e51c2837d45273d15d91b829a7d8f1d065d25258797d7a6d2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32res.dll

MD5 86df49559091bd6f42e250c2cf30908a
SHA1 b54a8abd361c7755ce5ca01c5701fe3f2507a39a
SHA256 2136a588e9d39d55d2b7066264fc4204c8437f892190547f6198a0677631e0e8
SHA512 7fd20046811cb7126c1d4ff16538730d1490e9981f586837b126dab13fbf635af816f084d5bb59eac2023eee13271a08595dd8aa8e98855360e918d1d6805b13

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.dll

MD5 e64a1303be233669724fd73bac659590
SHA1 92d40bdd915425abc611f9dad162673b24d1ae3d
SHA256 d1a2de3a8e940e0647cbbc2e555d7c5631a83adc21e274fcb89e012433d58d2a
SHA512 abade0f280054fe330b909bb721b67a2f450840c7bc6a487c4b0085b080f48a26f61e262b30e8aac8ff1f9978a904e91a7b4d7cac54e98df15404754f4079df7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.exe

MD5 2f8d93826b8cbf9290bc57535c7a6817
SHA1 b36e4ee6b7c9db78e73bf58d8e69680f8f840a32
SHA256 edf4bd6c6ce4b5a2f7eceb2c10ff3a61934f48d75ae2b8b556b0e4bac7e7a168
SHA512 df342416bd82dd7e6b6444f9c66afddc193cae5b918b0b1f207c518cdebfdf9eb7c4f900d67c10561f8a675dbcf2348747df894db34a5624f81ae8d69f6ecb4d

memory/3432-214-0x0000000000000000-mapping.dmp