Analysis

max time kernel: 213s
max time network: 216s
platform: windows10-2004_x64
resource: win10v2004-20220331-en
submitted: 06-04-2022 17:56

Static task: static1
Behavioral task: behavioral1
Sample: B9B8BC0D8669C6E55F651DCA76E9A1A9.exe
Resource: win7-20220331-en
General

Target: B9B8BC0D8669C6E55F651DCA76E9A1A9.exe
Size: 15.7MB
MD5: b9b8bc0d8669c6e55f651dca76e9a1a9
SHA1: 1f59d1d5501b5d5a9417b56a09b9d34cc6375a6d
SHA256: ccc6a5077b55f9c96e1bb37bd963ffa1586764f74ae0431bb13e97aab099e0fe
SHA512: 0f88efdd16ffb7faf4ca415179dd78ddcb0e2974eda7f3748f76291826c189e53587019c365a7b157e9c4a283cf6f3536666822d55f9ff20f521036a9ff7a15f
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes:
pid | process
1104 | is-73S33.tmp
4980 | unins000.exe
1944 | _iu14D2N.tmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation | is-73S33.tmp
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File created | C:\Windows\Installer\e576179.msi | msiexec.exe
HTTP links in PDF interactive object (2 IoCs)
Detects HTTP links in interactive objects within PDF files.
Processes:
resource | yara_rule
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.pdf | pdf_with_link_action
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y envio de Archivo xml formato 2517v4.pdf | pdf_with_link_action
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Checks processor information in registry (2 TTPs, 21 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies Internet Explorer settings (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies data under HKEY_USERS (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Local Settings | is-73S33.tmp
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes:
pid | process
1372 | WINWORD.EXE
1372 | WINWORD.EXE
4884 | WINWORD.EXE
2764 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
pid | process
3160 | msiexec.exe
3160 | msiexec.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
4548 | AdobeARM.exe
4548 | AdobeARM.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 608 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 608 | msiexec.exe
Token: SeSecurityPrivilege | 3160 | msiexec.exe
Token: SeCreateTokenPrivilege | 608 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 608 | msiexec.exe
Token: SeLockMemoryPrivilege | 608 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 608 | msiexec.exe
Token: SeMachineAccountPrivilege | 608 | msiexec.exe
Token: SeTcbPrivilege | 608 | msiexec.exe
Token: SeSecurityPrivilege | 608 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 608 | msiexec.exe
Token: SeLoadDriverPrivilege | 608 | msiexec.exe
Token: SeSystemProfilePrivilege | 608 | msiexec.exe
Token: SeSystemtimePrivilege | 608 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 608 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 608 | msiexec.exe
Token: SeCreatePagefilePrivilege | 608 | msiexec.exe
Token: SeCreatePermanentPrivilege | 608 | msiexec.exe
Token: SeBackupPrivilege | 608 | msiexec.exe
Token: SeRestorePrivilege | 608 | msiexec.exe
Token: SeShutdownPrivilege | 608 | msiexec.exe
Token: SeDebugPrivilege | 608 | msiexec.exe
Token: SeAuditPrivilege | 608 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 608 | msiexec.exe
Token: SeChangeNotifyPrivilege | 608 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 608 | msiexec.exe
Token: SeUndockPrivilege | 608 | msiexec.exe
Token: SeSyncAgentPrivilege | 608 | msiexec.exe
Token: SeEnableDelegationPrivilege | 608 | msiexec.exe
Token: SeManageVolumePrivilege | 608 | msiexec.exe
Token: SeImpersonatePrivilege | 608 | msiexec.exe
Token: SeCreateGlobalPrivilege | 608 | msiexec.exe
Token: SeBackupPrivilege | 780 | vssvc.exe
Token: SeRestorePrivilege | 780 | vssvc.exe
Token: SeAuditPrivilege | 780 | vssvc.exe
Token: SeBackupPrivilege | 3160 | msiexec.exe
Token: SeRestorePrivilege | 3160 | msiexec.exe
Token: SeBackupPrivilege | 4980 | srtasks.exe
Token: SeRestorePrivilege | 4980 | srtasks.exe
Token: SeSecurityPrivilege | 4980 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4980 | srtasks.exe
Token: SeBackupPrivilege | 4980 | srtasks.exe
Token: SeRestorePrivilege | 4980 | srtasks.exe
Token: SeSecurityPrivilege | 4980 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4980 | srtasks.exe
Token: SeBackupPrivilege | 4980 | srtasks.exe
Token: SeRestorePrivilege | 4980 | srtasks.exe
Token: SeSecurityPrivilege | 4980 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4980 | srtasks.exe
Token: SeShutdownPrivilege | 3656 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3656 | msiexec.exe
Token: SeCreateTokenPrivilege | 3656 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3656 | msiexec.exe
Token: SeLockMemoryPrivilege | 3656 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3656 | msiexec.exe
Token: SeMachineAccountPrivilege | 3656 | msiexec.exe
Token: SeTcbPrivilege | 3656 | msiexec.exe
Token: SeSecurityPrivilege | 3656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3656 | msiexec.exe
Token: SeLoadDriverPrivilege | 3656 | msiexec.exe
Token: SeSystemProfilePrivilege | 3656 | msiexec.exe
Token: SeSystemtimePrivilege | 3656 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3656 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3656 | msiexec.exe
Suspicious use of FindShellTrayWindow (11 IoCs)
Processes:
pid | process
608 | msiexec.exe
608 | msiexec.exe
3648 | AcroRd32.exe
1372 | WINWORD.EXE
2764 | WINWORD.EXE
4884 | WINWORD.EXE
2764 | WINWORD.EXE
1372 | WINWORD.EXE
4884 | WINWORD.EXE
3656 | msiexec.exe
3656 | msiexec.exe
Suspicious use of SetWindowsHookEx (60 IoCs)
Processes:
pid | process
3648 | AcroRd32.exe
3504 | AcroRd32.exe
4384 | AcroRd32.exe
3864 | AcroRd32.exe
4732 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
1372 | WINWORD.EXE
4884 | WINWORD.EXE
2764 | WINWORD.EXE
1372 | WINWORD.EXE
4884 | WINWORD.EXE
2764 | WINWORD.EXE
1372 | WINWORD.EXE
4884 | WINWORD.EXE
2764 | WINWORD.EXE
1372 | WINWORD.EXE
1372 | WINWORD.EXE
1372 | WINWORD.EXE
1372 | WINWORD.EXE
2764 | WINWORD.EXE
2764 | WINWORD.EXE
2764 | WINWORD.EXE
2764 | WINWORD.EXE
1372 | WINWORD.EXE
1372 | WINWORD.EXE
2764 | WINWORD.EXE
2764 | WINWORD.EXE
1372 | WINWORD.EXE
4884 | WINWORD.EXE
2764 | WINWORD.EXE
3648 | AcroRd32.exe
1372 | WINWORD.EXE
2764 | WINWORD.EXE
4884 | WINWORD.EXE
1372 | WINWORD.EXE
1372 | WINWORD.EXE
2764 | WINWORD.EXE
2764 | WINWORD.EXE
4884 | WINWORD.EXE
4884 | WINWORD.EXE
3648 | AcroRd32.exe
3648 | AcroRd32.exe
1372 | WINWORD.EXE
1372 | WINWORD.EXE
4884 | WINWORD.EXE
1372 | WINWORD.EXE
2764 | WINWORD.EXE
4884 | WINWORD.EXE
2764 | WINWORD.EXE
3648 | AcroRd32.exe
3648 | AcroRd32.exe
3648 | AcroRd32.exe
4548 | AdobeARM.exe
4980 | unins000.exe
1944 | _iu14D2N.tmp
3644 | AcroRd32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 2292 wrote to memory of 1104 | 2292 | B9B8BC0D8669C6E55F651DCA76E9A1A9.exe | is-73S33.tmp
PID 2292 wrote to memory of 1104 | 2292 | B9B8BC0D8669C6E55F651DCA76E9A1A9.exe | is-73S33.tmp
PID 2292 wrote to memory of 1104 | 2292 | B9B8BC0D8669C6E55F651DCA76E9A1A9.exe | is-73S33.tmp
PID 1104 wrote to memory of 608 | 1104 | is-73S33.tmp | msiexec.exe
PID 1104 wrote to memory of 608 | 1104 | is-73S33.tmp | msiexec.exe
PID 1104 wrote to memory of 608 | 1104 | is-73S33.tmp | msiexec.exe
PID 3160 wrote to memory of 4980 | 3160 | msiexec.exe | srtasks.exe
PID 3160 wrote to memory of 4980 | 3160 | msiexec.exe | srtasks.exe
PID 1104 wrote to memory of 4384 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 4384 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 4384 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 4884 | 1104 | is-73S33.tmp | WINWORD.EXE
PID 1104 wrote to memory of 4884 | 1104 | is-73S33.tmp | WINWORD.EXE
PID 1104 wrote to memory of 1372 | 1104 | is-73S33.tmp | WINWORD.EXE
PID 1104 wrote to memory of 1372 | 1104 | is-73S33.tmp | WINWORD.EXE
PID 1104 wrote to memory of 2764 | 1104 | is-73S33.tmp | WINWORD.EXE
PID 1104 wrote to memory of 2764 | 1104 | is-73S33.tmp | WINWORD.EXE
PID 1104 wrote to memory of 3504 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 3504 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 3504 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 3864 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 3864 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 3864 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 3648 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 3648 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 3648 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 4732 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 4732 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 1104 wrote to memory of 4732 | 1104 | is-73S33.tmp | AcroRd32.exe
PID 3648 wrote to memory of 800 | 3648 | AcroRd32.exe | RdrCEF.exe
PID 3648 wrote to memory of 800 | 3648 | AcroRd32.exe | RdrCEF.exe
PID 3648 wrote to memory of 800 | 3648 | AcroRd32.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
PID 800 wrote to memory of 3560 | 800 | RdrCEF.exe | RdrCEF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B9B8BC0D8669C6E55F651DCA76E9A1A9.exe"C:\Users\Admin\AppData\Local\Temp\B9B8BC0D8669C6E55F651DCA76E9A1A9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Users\Admin\AppData\Local\Temp\is-UUC41.tmp\is-73S33.tmp"C:\Users\Admin\AppData\Local\Temp\is-UUC41.tmp\is-73S33.tmp" /SL4 $140054 "C:\Users\Admin\AppData\Local\Temp\B9B8BC0D8669C6E55F651DCA76E9A1A9.exe" 16185951 522242⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\msxmlspa.msi"3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:608 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\VerAyuda.pdf"3⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4384 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Preguntas frecuentes Reporte de Conciliacion Fiscal Anexo Formulario 210 - Formato 2517V4.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4884 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y enviio de Archivo xml formato 2517v4.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1372 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (process tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Preguntas frecuentes Reporte de Conciliacion Fiscal Anexo Formulario 210 - Formato 2517V4.pdf"
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3504 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (process tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y envio de Archivo xml formato 2517v4.pdf"
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3864 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (process tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 4)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=021F4C4DADE58078056D88440BECD91F --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID:3560
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=359DDBC5CD698CA4E17AC48BB2A306B1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=359DDBC5CD698CA4E17AC48BB2A306B1 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
PID:1644
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=06EBBA2AE9AFAE53866B6E44480267BD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=06EBBA2AE9AFAE53866B6E44480267BD --renderer-client-id=4 --mojo-platform-channel-handle=2280 --allow-no-sandbox-job /prefetch:1
PID:4680
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=96DA5761B5FDE4E020D27AE8CE5834E6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=96DA5761B5FDE4E020D27AE8CE5834E6 --renderer-client-id=5 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job /prefetch:1
PID:868
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F5667FE096B0E8EC6AB75EC5D2674026 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F5667FE096B0E8EC6AB75EC5D2674026 --renderer-client-id=6 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job /prefetch:1
PID:1308
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=235982A33BDA077588F458F155CA1888 --mojo-platform-channel-handle=3040 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID:3364
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F4004BCDDD8C5B303782C3C63355A6F3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F4004BCDDD8C5B303782C3C63355A6F3 --renderer-client-id=8 --mojo-platform-channel-handle=3280 --allow-no-sandbox-job /prefetch:1
PID:4880
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=804C2D9196CFDCEA8BF472729A3ED313 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=804C2D9196CFDCEA8BF472729A3ED313 --renderer-client-id=9 --mojo-platform-channel-handle=3428 --allow-no-sandbox-job /prefetch:1
PID:608
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FE10E59A786711D93FF67A2691871759 --mojo-platform-channel-handle=3872 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID:1332
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=225469FE1C57868EA2EC05E264FA219C --mojo-platform-channel-handle=3896 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID:3920
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (process tree level 4)
Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4548 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe (process tree level 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
PID:8
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (process tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Anexo_4_Guia de diligenciamiento del formato 2517 V3.pdf"
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4732
-
C:\Windows\system32\msiexec.exe (process tree level 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\system32\srtasks.exe (process tree level 2)
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
C:\Windows\system32\vssvc.exe (process tree level 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:780
-
C:\Windows\system32\svchost.exe (process tree level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4168
-
C:\Windows\System32\CompPkgSrv.exe (process tree level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4468
-
C:\Windows\SysWOW64\DllHost.exe (process tree level 1)
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{5AAABB05-F91B-4BCE-AB18-D8319DEDABA8}
PID:368
-
C:\Windows\System32\rundll32.exe (process tree level 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4252
-
C:\Windows\System32\msiexec.exe (process tree level 1)
Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\msxmlspa.msi"
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3656
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe (process tree level 1)
Command line: "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp (process tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe" /FIRSTPHASEWND=$4037A
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (process tree level 1)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\VerAyuda.pdf"
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3644
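The process list above is a flattened export: each entry glues the image path onto its quoted command line, the tree level is the single digit in front of the arrow, and the PID is either fused onto the same line or given on a following PID: line. The Python below is an added example, not part of the sandbox report or of any tooling the page describes; it rebuilds parent/child links from a constructed excerpt of the report's own lines (copied verbatim) and picks out the dropped executable that runs from the user's Temp directory. The Temp-directory heuristic and the function names are the example's own. One caveat worth reading off the tree: the is-XXXXX.tmp /SL4 loader stub and the unins000.exe launching _iu14D2N.tmp /SECONDPHASE= are the standard Inno Setup installer and uninstaller pattern, so the "Executes dropped EXE" tags here are what that installer framework always does, not evidence of anything beyond it.

```python
"""Reconstruct a sandbox process tree from the flattened text export.

Each process is one line: the image path runs straight into the quoted
command line, the tree depth is the digit before the arrow ('3⤵'), and the
PID is either fused onto that line or given on a following 'PID:nnnn' line.
Behaviour tags are '- ' bullets under the process line.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt: four process entries copied verbatim from the report.
REPORT_EXCERPT = r"""
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3160 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe"C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp"C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe" /FIRSTPHASEWND=$4037A2⤵
- Executes dropped EXE
PID:1944
"""

# 'rest' is everything before the depth digit; a PID may be fused after the arrow.
HEADER_RE = re.compile(r"^(?P<rest>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")


@dataclass
class ProcNode:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    behaviors: List[str] = field(default_factory=list)
    parent: Optional["ProcNode"] = None


def split_image_cmdline(rest: str):
    """The export glues image path and command line together; the command line
    starts at the first '"' or at the second 'C:\\', whichever comes first."""
    cuts = [i for i in (rest.find('"'), rest.find("C:\\", 1)) if i > 0]
    if not cuts:
        return rest, ""
    cut = min(cuts)
    return rest[:cut], rest[cut:]


def parse_process_tree(text: str) -> List[ProcNode]:
    nodes: List[ProcNode] = []
    last_at_depth: Dict[int, ProcNode] = {}   # most recent node seen at each level
    current: Optional[ProcNode] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HEADER_RE.match(line)
        if m:
            image, cmdline = split_image_cmdline(m.group("rest"))
            depth = int(m.group("depth"))
            node = ProcNode(depth, image, cmdline.strip(),
                            int(m.group("pid")) if m.group("pid") else None)
            # Parent is the latest node one level up; forget stale deeper levels.
            node.parent = last_at_depth.get(depth - 1)
            for d in [d for d in last_at_depth if d >= depth]:
                del last_at_depth[d]
            last_at_depth[depth] = node
            nodes.append(node)
            current = node
            continue
        m = PID_RE.match(line)
        if m and current is not None:
            current.pid = int(m.group("pid"))
        elif line.startswith("- ") and current is not None:
            current.behaviors.append(line[2:])
    return nodes


def temp_executables(nodes: List[ProcNode]) -> List[ProcNode]:
    """Processes whose image lives under the user's Temp directory and that the
    sandbox tagged as a dropped executable (heuristic chosen for this example)."""
    return [n for n in nodes
            if "\\AppData\\Local\\Temp\\" in n.image and "Executes dropped EXE" in n.behaviors]


def render(nodes: List[ProcNode]) -> List[str]:
    """Indented one-line-per-process view with the parent PID, for EDR pivots."""
    out = []
    for n in nodes:
        parent = n.parent.pid if n.parent else None
        name = n.image.rsplit("\\", 1)[-1]
        out.append(f"{'  ' * (n.depth - 1)}{name} pid={n.pid} ppid={parent}")
    return out


if __name__ == "__main__":
    tree = parse_process_tree(REPORT_EXCERPT)
    print("\n".join(render(tree)))
    for n in temp_executables(tree):
        print("dropped second stage:", n.cmdline)
```

Run against the full report text the same parser also copes with the fused `/prefetch:25⤵PID:3560` form, because the depth is always the single digit immediately before the arrow and the PID, when present, immediately after it.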
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Anexo_4_Guia de diligenciamiento del formato 2517 V3.pdf
Filesize 808KB
MD5 ecf271a2e80a019dc0d5d370cf0462cf
SHA1 e1537793a67a57ca743a8d2f12998d290af22dc9
SHA256 2b44db50d29627134bef4d778484a4477f2305b59d609aa94d5d486dccc8ca62
SHA512 30fd2646a494c6b8eb69e8ac62fce22d0e437dd2da8e21da776e3e897c32ccd2112a9162c5fd57f876b72e90caee140d432f1c68edc885f26c1a7a63061b8335
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.docx
Filesize 2.6MB
MD5 fcd5db248499c842077c4d6fb6732fc4
SHA1 a62f20999344e68f1590c8485600454d18d7f278
SHA256 ede8d37bd7128698d0146297df66e6fcb6b25567bdc7b524ce7c694480867498
SHA512 cc944c190a0614585cc42f7e9b2d7513bce3a1cce5f8b8ca11ea9135d3223bfdc0a8707d13e6592b92c4b63a6dacfd4ed3d0d1de54db3e10e55646a9ec359847
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.pdf
Filesize 2.4MB
MD5 9ddccc7b834872af7e1e759f44b20e64
SHA1 e40f131640c693ec77aaa21f4dc9c05dba0a170e
SHA256 59b71445836292c8ad4e8f1ffc6813b449d5231acf2602c98ec1d9dc54093201
SHA512 6d92fbc95f8b4591706b345b613e2f55461cfc3e687dd6ca8895b5fe07e6346aa81c1b3f0469c199bdf236525d621272b81c257038e84e96f6009b27f95b32c4
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y enviio de Archivo xml formato 2517v4.docx
Filesize 2.3MB
MD5 b41a72df7d7895c1edf0f2df7884737e
SHA1 4b360b28912a56732616394f2c3e13555eed7432
SHA256 b939c0aa433e4d01c55b5d1fcf48b001156c9e774b153f2099aaf62f01dc1458
SHA512 8a8773bb5141ade5a803081463f3cefe54502d4dbdbd0c93f84eb5d544fb3f7a65b3d6a4c08c26360532c6f7d9c53d04b75368b5d483557f88d6dbb87280a024
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y envio de Archivo xml formato 2517v4.pdf
Filesize 1.8MB
MD5 5cd56659be9ff30cc7dda3ecdf4475a8
SHA1 0e57a43952031bddc528449dfb25effe0a1a9396
SHA256 e51218cfb5b3e30422cca7935c02287a118b128403bffccc34ca453d8c7ad98f
SHA512 5fcfb65efeb2480f069fd1887c4813c36d8fa888685fc3364cda89dad2fb8b73f474aca735e8d42e0d3f96b7d180526e1b00393a354c3f709890c7350550abf2
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Preguntas frecuentes Reporte de Conciliacion Fiscal Anexo Formulario 210 - Formato 2517V4.docx
Filesize 179KB
MD5 1c1431f92005213acd8d937df2bb097d
SHA1 c51b039b73850202a1d63aa2a320dcac9a75cca0
SHA256 318909f3e8e43c1f7e5d4b5deeb0bb172a77ac35d3789d063013452490a80cdf
SHA512 c0c2858ead45c296964d5053c9917030b53742e8a224f5ecd56df1f7305f1ed9d7dfef7e57befe9fd0bac64aee210ac2dca25038a506ae2ca12fd611ac9c907b
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Preguntas frecuentes Reporte de Conciliacion Fiscal Anexo Formulario 210 - Formato 2517V4.pdf
Filesize 456KB
MD5 2925f7829727157e4605b29f27dc70d2
SHA1 ff5d3a9daa38d168c97352c508aa270bd7fdc007
SHA256 da85df5f1cc39ac907284c7523da5dc3282144735a84f943d4040b519854f561
SHA512 145024d337b2c7ce84755803989a87507fad7f605c48512aa8ef9db4d57824ac1fc3a5d03824d7ae5181bcc61b17609962f23a4f80e9b8fe31245644b32ae34a
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022.xlsm
Filesize 2.8MB
MD5 ff2431f2316442f03aaa5be9d8685c45
SHA1 7e1ba375d4d40bc624aef37e35e45de0ee591a54
SHA256 c7c94f90ef3d0d6184790dc86d5c69afc14e2a625e55b773e966e9f0c4b10f7b
SHA512 6b5319888b76389d8c17896d612265246705c6b5c36a7a361575d58ffcbc2eb6264f4b3b9e8dc1e027948b1c7642a8ccf3d2dbf8ac4a261ad9a124d66916c651
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\VerAyuda.pdf
Filesize 808KB
MD5 ecf271a2e80a019dc0d5d370cf0462cf
SHA1 e1537793a67a57ca743a8d2f12998d290af22dc9
SHA256 2b44db50d29627134bef4d778484a4477f2305b59d609aa94d5d486dccc8ca62
SHA512 30fd2646a494c6b8eb69e8ac62fce22d0e437dd2da8e21da776e3e897c32ccd2112a9162c5fd57f876b72e90caee140d432f1c68edc885f26c1a7a63061b8335
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\msxmlspa.msi
Filesize 5.0MB
MD5 f7697ac65e6d75f5e964d642c9d2ca94
SHA1 7249c988032b56ba92d0208bb229b9979eb90364
SHA256 f2ecfbbb3afb50e93a690a51eb6adee1091a81173990b2ae991aa57216f19e7a
SHA512 e6bf24e4535cb0913b39f663206597dbac11378f41370311e3c0031677680c98fab2d4812e34803288559efb152e65e92e0d2472727232b15bbd400a96fb599e
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.dat
Filesize 7KB
MD5 4943968b3b11aaa7b3d773e225ad25e0
SHA1 71fefd2c408c531cad7721a179b805bbf6d8b545
SHA256 663ce172bee3c5afcf25689bc7c0a6a2dec71d3feab2c7b1bc6f83b59f1be4e5
SHA512 4bb58f8d2d1f10e884e1a50571b389f6590321bc2ed21b3423ad40e1245e19deddfc1e3993ecb39c44d9ef81fc333856d2a1750e46dca8a0ca271cc2ce9f44ce
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe
Filesize 667KB
MD5 80c134e287795665f14ffa476f3fe769
SHA1 6a390801f191c6e8cb980588dba7e12b2b8cd4da
SHA256 85fd4c73c137101ccbe9f576a5c9622c49203f604bf36be36a6ba9738da84ac3
SHA512 b22984f917503510345039ae9027386ab66bcf0ef9c537b595e3ed85a810e01ab5013d35e62e6d86ad2c58246c74260572996062ad04c2598221b9a56b67cd85
-
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\xsd\2517.xsd
Filesize 18KB
MD5 10b50c95fd4f4ae3e4c92f4fe39d082e
SHA1 f26cad5d9b2d95db57e7503189ec438716b49155
SHA256 8f3157f15904dcf62417c632f88f05959fac030b09e9169f23721dc4a3e3568b
SHA512 45fb98b4f8ff2e3562401023afc16cd2a817d063bd1a89bde4cdb1460ce8a1cd0a25a82563ff7bcea89a7b5a1a7aaa252010f0c91ab9603a0149bca3f0141a41
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195744Z-256.bmp
Filesize 69KB
MD5 c6092d886f3ca2455086e65ce055e2ef
SHA1 5ee63ec7a622ccc5e067a38c6e7aa117a501e39b
SHA256 260528ebff4e41b14eb79bd9d97286a5ca70f4f402924c4094aae9af65e97a00
SHA512 fc6770bb28e28d6f2e91d7cb143ec6ec09e5bc11cde3cb4c19121c048b73da333e40165a18b3ab0bb004752609c16d8f9321c9842277df5c0b77bc9b8d365a8a
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195745Z-264.bmp
Filesize 69KB
MD5 4c9df47496d54c6b05f22a64e6c213bc
SHA1 e28947bc8f767701d4a60ec7674de63c3b251aa5
SHA256 f6bce446e06dfd3b25fea22729d14932790f6d4570fc241679027eaecd532a29
SHA512 7092954d6309c663641eb5331da196aba152a2795b10bc4689431e6fa5813bbae9531dc8f02dd1793f3597627cca6be2bcbdd130f59b9e03f72ef420461c9e06
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195745Z-266.bmp
Filesize 69KB
MD5 4c9df47496d54c6b05f22a64e6c213bc
SHA1 e28947bc8f767701d4a60ec7674de63c3b251aa5
SHA256 f6bce446e06dfd3b25fea22729d14932790f6d4570fc241679027eaecd532a29
SHA512 7092954d6309c663641eb5331da196aba152a2795b10bc4689431e6fa5813bbae9531dc8f02dd1793f3597627cca6be2bcbdd130f59b9e03f72ef420461c9e06
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195746Z-319.bmp
Filesize 69KB
MD5 56df8cbc8d43c2f5554ef1c489b2a41e
SHA1 fd36e207e81db49b3cfdbe14056bc4c94e8afd0e
SHA256 947cc5c0b38b4eef492d559be4f8580109c3205c94b219f91477dc5733e707b4
SHA512 8bbea96bdc9d3d393530365aa7ad20c869ff8c1208b332fb69aa9567699987429d69f54fc249879f84e0bcd63052dcf0b8f5895e3b1da30cf790885fdc6e6883
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195747Z-344.bmp
Filesize 69KB
MD5 45a37f50ebe528c1dd0e5965b1ea837b
SHA1 4c61396c71c1d1f7eba79011d04a6904c803480e
SHA256 e98261c40a923dc776b3089a03a6c40e567ec4f547f724736f6fca26827d7633
SHA512 e4420014e33d492e7d1a9b0156a4671b7c2ecfe5a33b2e12eb0c4d5aadd39bc033043333a6f225e2838a8147dc02bf9e9724549a6072d215f9be6802c041a8fd
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8C4B3EC2-2E95-4D3B-AD79-AE1F337F7F7B
Filesize 142KB
MD5 afb67dd2efa9fab3534d5b1f027dc542
SHA1 8634fe562a176945405d3a39eafead29ed3ac439
SHA256 1eebc88eac2b7c4340b03370a23e2f390c62f1fd4c8ee1dc0c9591258db74541
SHA512 dbb657edd7a43b5b9752402e78d7b8faca642b324c7fd850456c458a2af8d2e99caf5117876a45c126f9a94e0024d44ae989594d11a2139b6a33ff79125364a2
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize 306KB
MD5 299cf5ea41d183f6963a6c552c663fd9
SHA1 feffbb799532a9ee58e26a2943740ebaef610639
SHA256 019bd59bd49dcff430ab72c68525bd43b3c9eb286e20737220b1ac884937c2dd
SHA512 1b882bcb4151b5c9cbbfdbd55374b998b41a3e8911b9cb8ad861608d3f7c5956dcfb866858b9b11af84e0698e2b2ba442687ad76a5f435a15d83c190b636f23b
-
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize 76B
MD5 0f8eb2423d2bf6cb5b8bdb44cb170ca3
SHA1 242755226012b4449a49b45491c0b1538ebf6410
SHA256 385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944
SHA512 a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize 8KB
MD5 3331e5522d348254cd9d6a616b69ea9b
SHA1 532f0b081524a90ffdbc601c6de0329aa41abe4a
SHA256 1377bbc17b5cb47860dae43f67dd9f6ca532d08b2a93f81fea7c74433a9262c2
SHA512 d31cbb52ab6bfe4efaedb14a411ee83170a8aa6593fa10e5fc8c3ac5778d6ef9d7fbf185dedf574cb4f2badd65d83dc317766ae6d114c75bea0df60498ddc69b
-
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
Filesize 667KB
MD5 80c134e287795665f14ffa476f3fe769
SHA1 6a390801f191c6e8cb980588dba7e12b2b8cd4da
SHA256 85fd4c73c137101ccbe9f576a5c9622c49203f604bf36be36a6ba9738da84ac3
SHA512 b22984f917503510345039ae9027386ab66bcf0ef9c537b595e3ed85a810e01ab5013d35e62e6d86ad2c58246c74260572996062ad04c2598221b9a56b67cd85
-
C:\Users\Admin\AppData\Local\Temp\is-UUC41.tmp\is-73S33.tmp
Filesize 656KB
MD5 4fa180886ff7c0fd86a65f760ede6318
SHA1 2c89c271c71531362e84ddab5d3028f0756a9281
SHA256 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c
SHA512 a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize 664B
MD5 d0d7a7b71f59d72224dc3e1180d8f54a
SHA1 9eb5e6c1702a44641088d2d1b93c6336d7b1f9d3
SHA256 2bb14fb2cd064f4b32a63b822198b4249b5a9009af658dbfe3f6bde6e06bdbfc
SHA512 f47818aa43a03d5b0b9dee3aafe2d86ea601230f9f511caa80cc0ca18b763077a1d3cec6aaab4a3d7afa9a51cef79ba0538d54577f54670c6a70247c3f16a24f
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryES240a.lex
Filesize 2B
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 b648832a144c9650ade25006e8192fc1
SHA1 49cf4dc8a7191d04686565c0573cc9352e43de39
SHA256 9d1cac82f8824e241acbd60aa04d109f8bf4ba95e3bd560b2e9065f366b0a16f
SHA512 653fa94d853993ad42979311b2ced49c0c11a59dd421ba50b27e37e8deeadb589b0606f210b887fe93368b678f04808a57be1d8cb9c516c7b863e15873f2d987
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 30242978b212a0f8f2c473959c530dc1
SHA1 933a92e7f27e0dff0a8630a2c548324d92196489
SHA256 5b59413980e0ed0d0b73294bc4f3732ccbdc6587a7da8a2fcd719eae053431a8
SHA512 85e3fa41f7cc3b01ce1d3f35e78ef45ae11a0d8640366a0ff98ed5ffc6bc2aba32a40a7a5401b394e683c3493ed1602986fcc94f05c1324a12fbe1bf3c5210f2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 4KB
MD5 03be57265d15b0d6121017dca1144efd
SHA1 283ffdf59ce5d1b3fd8efdc1dee74b8ba157fa7d
SHA256 74d6db8bae34fedc9343915c0663e744178d9eb086ced38fcf484f8b0472b41d
SHA512 65bcbf6d83b1175985238a679187520188a77045e475d8c7b5bd64b52d3f5aca5b47bc929d990bb223701afda4b14703f20f37f2e545810e62afc7dc0faad257
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 4KB
MD5 15fd147e2a5855241b386a46847d7ec5
SHA1 fc03bcbd7e075751673a0cf7d2db3c49ce14a960
SHA256 c4506a63c1dcbe8188816d06cb70215825e43d951fe76c90f4b81a29d41ead2f
SHA512 11fbf0e3c6ddb7cf5ec05fd91f54cd295d3616b6ff781e27ede909aec7be741130d244f38f597d1de5f78f0d1067decd73fe35cf4c7af11395c5c7f60008bdfc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 4KB
MD5 9f48925c98077231b325051cdd32e76a
SHA1 0a30628ac4201c7a4b73c5017ef784883b32626e
SHA256 f33aabf69d29dbb05e4fb267f452d944235249410aa8d0757087626e0dc3f3b6
SHA512 8daf2aad9cabffc285a1eded617e0c9396828af5088648dcb81135d5c83a0c90b1ffb7769f241dd016669696a2ee0ff4af1f298656cfd3fcc8841dea325d0080
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prevalidador DIAN Prevalidador Reporte Conciliacón Fiscal v2.1.0-19\Carpeta de Salida.lnk
Filesize 860B
MD5 d9b5597583cb1690905ebbbe63e92ad8
SHA1 95ef3b1a21da2a3b797c341f8e004e12ef721672
SHA256 b537e06b4c9e048a18fde0829a055d50b44e1cbe1fb2730d75bf7c0c1dc8a02a
SHA512 156528b24d9034af84d4de2fda4375c192c83e0afb4e8fba6152c3aed203dce4e690278c43765e6c88fffebe0652bc010f1fb01c4ba8c19c4d110870dd8466c3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prevalidador DIAN Prevalidador Reporte Conciliacón Fiscal v2.1.0-19\Desinstalar.lnk
Filesize 896B
MD5 ebc32a37c78da86d5f6ff2d2952ca22a
SHA1 a14ad5e0e946b40a4c4e2a9ecccf74b72fae33c4
SHA256 bb20d074a4e2c24eb4bd3afcc8f49fb5649c9155161a1f664b47d54dc3df1238
SHA512 ebe57c16e09eb9c39acf97b72a62bac5b079912d03286febd58f3c5be2095b04203e0a7a8ff175c14f20ec459798a255a729efe659aa8cd6692b2e738e397e29
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prevalidador DIAN Prevalidador Reporte Conciliacón Fiscal v2.1.0-19\Manual.lnk
Filesize 1KB
MD5 f5df818869b2239831b0938536530fbe
SHA1 9db715f7ab87afb4e5ad4dd878019117f337d2a4
SHA256 5cc8e5504f49d7d60fcf8ae9f9d3a6e8f426365e95484f8b8adb90bc07c39dd7
SHA512 5abf1bb58bcc662bb360ce0d7bdc166fcaaf64787fa9a288adb8a89253165106b375dbc08a34cdbf76cff091d3112cc65fb1e1bafe3550fcfb56a8d2e8e18b22
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prevalidador DIAN Prevalidador Reporte Conciliacón Fiscal v2.1.0-19\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022.lnk
Filesize 1KB
MD5 119ced64ce0f5c416735534316845188
SHA1 512d595ad0161674e65ce87db88ba81209113ec2
SHA256 600560b3c6eb79aa60b68dca573968667aa660b92417c39b317a35512cd331c9
SHA512 7a4780696e257584939a3137b4782b052eec80cd481a858d2d71b37be0d486b7205fcad8f6384afb79e15eeef94e9bcf69d4e569b6269ab72fcd97049943cf0f
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize 21.4MB
MD5 6162dc0d922b3ffcdbcce0d98d0d958d
SHA1 14402a85d3d8ef7a3cf569d21307fe50e3ba3ba3
SHA256 9fd2c794f277895ddcf00c549af68124701ec98ec691d6682a658d0fe5712666
SHA512 3d0a878c349dee774a22994357f9b72c3d0841349d7769ca508153ba0e57f69c9d65d0cbd3b0e3fea89f8f075edd7ecfa5463689d9b68785ca7fb75758d34b73
-
\??\Volume{a02f78f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5ce9bc0c-fdf4-484f-ac30-a01ff1652a9a}_OnDiskSnapshotProp
Filesize 5KB
MD5 a2bf1be8d1651d8f39d655317260f264
SHA1 8611980bcd6b24763c97f6b20c1172c47dd5f173
SHA256 ef93dba2a5e4bd5f683ddce97cf14f491dee549be2ca07ca43485f1fbced7f94
SHA512 b3f04423da0cacd306478dc8fc47498c022e92f26bd284519b01ae1262b8989b8dba72cac874ababd50316b2ef7d4d24ba94806b4361da88da5ba1881c4b8143
-
memory/8-226-0x0000000000000000-mapping.dmp
-
memory/608-200-0x0000000000000000-mapping.dmp
-
memory/608-129-0x0000000000000000-mapping.dmp
-
memory/800-162-0x0000000000000000-mapping.dmp
-
memory/868-179-0x0000000000000000-mapping.dmp
-
memory/1104-125-0x0000000000000000-mapping.dmp
-
memory/1308-184-0x0000000000000000-mapping.dmp
-
memory/1332-207-0x0000000000000000-mapping.dmp
-
memory/1372-155-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp
Filesize 64KB
-
memory/1372-136-0x0000000000000000-mapping.dmp
-
memory/1372-143-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp
Filesize 64KB
-
memory/1644-170-0x0000000000000000-mapping.dmp
-
memory/1944-230-0x0000000000000000-mapping.dmp
-
memory/2292-127-0x0000000000400000-0x0000000000413000-memory.dmp
Filesize 76KB
-
memory/2292-124-0x0000000000400000-0x0000000000413000-memory.dmp
Filesize 76KB
-
memory/2764-146-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp
Filesize 64KB
-
memory/2764-149-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp
Filesize 64KB
-
memory/2764-137-0x0000000000000000-mapping.dmp
-
memory/3364-191-0x0000000000000000-mapping.dmp
-
memory/3504-138-0x0000000000000000-mapping.dmp
-
memory/3560-167-0x0000000000000000-mapping.dmp
-
memory/3648-140-0x0000000000000000-mapping.dmp
-
memory/3864-139-0x0000000000000000-mapping.dmp
-
memory/3920-210-0x0000000000000000-mapping.dmp
-
memory/4384-134-0x0000000000000000-mapping.dmp
-
memory/4548-225-0x0000000000000000-mapping.dmp
-
memory/4680-176-0x0000000000000000-mapping.dmp
-
memory/4732-141-0x0000000000000000-mapping.dmp
-
memory/4880-197-0x0000000000000000-mapping.dmp
-
memory/4884-152-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp
Filesize 64KB
-
memory/4884-135-0x0000000000000000-mapping.dmp
-
memory/4980-131-0x0000000000000000-mapping.dmp
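The two listings above are the report's dropped-files table and its memory-dump list as extracted from the page: the Filesize label sits on the end of each path, each hash label is fused onto its digest, and a file is listed once per write, so the same path and the same digests can recur. Two things a practitioner should keep in mind when using the list. First, %TEMP%\is-UUC41.tmp\is-73S33.tmp and %TEMP%\_iu14D2N.tmp are the names under which an Inno Setup installer drops its extracted setup loader and the working copy of its uninstaller, which fits the unins000.exe in the process list; the Office DLP, OTele, Recent, UProof and System Volume Information\SPP entries are written by Office and Windows themselves during the run and say nothing about the sample. Second, the sizes are rounded (667KB, 21.4MB), so a file on a host should be matched on its digests, never on its size.

The Python below is an added example written for this page; it is not part of the report and not the sandbox vendor's code. It parses either the fused form or a "label value" form into records, collapses verbatim repeats while keeping different digests under one path as separate versions (the five fb3b0dbfee58fac8.customDestinations-ms records carry five different digests), decodes memory/PID-INDEX-0xSTART-0xEND-memory.dmp names into a process id and an address range (the -mapping.dmp entries carry a start of 0 and no range), and checks a byte string's MD5, SHA1, SHA256 and SHA512 against the records. SAMPLE is copied from the listing above; DroppedFile, MemoryDump, parse_report, dedupe, hash_bytes and match are this script's own names.

```python
"""Parse a flattened sandbox dropped-files/memory-dump listing and check a
file's digests against it. Added example, not the sandbox vendor's code;
SAMPLE copies records from the listing above; every other name is this
script's own."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")  # label fused or spaced
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?"
                     r"-(mapping|memory)\.dmp(Filesize)?$")

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmpFilesize
667KB
MD580c134e287795665f14ffa476f3fe769
SHA16a390801f191c6e8cb980588dba7e12b2b8cd4da
SHA25685fd4c73c137101ccbe9f576a5c9622c49203f604bf36be36a6ba9738da84ac3
SHA512b22984f917503510345039ae9027386ab66bcf0ef9c537b595e3ed85a810e01ab5013d35e62e6d86ad2c58246c74260572996062ad04c2598221b9a56b67cd85
-
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmpFilesize
667KB
MD580c134e287795665f14ffa476f3fe769
SHA16a390801f191c6e8cb980588dba7e12b2b8cd4da
SHA25685fd4c73c137101ccbe9f576a5c9622c49203f604bf36be36a6ba9738da84ac3
SHA512b22984f917503510345039ae9027386ab66bcf0ef9c537b595e3ed85a810e01ab5013d35e62e6d86ad2c58246c74260572996062ad04c2598221b9a56b67cd85
-
memory/1372-155-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmpFilesize
64KB
-
memory/8-226-0x0000000000000000-mapping.dmp
-
"""

@dataclass
class DroppedFile:
    path: str
    size: str = ""                         # as printed, rounded ("667KB")
    hashes: Dict[str, str] = field(default_factory=dict)

@dataclass
class MemoryDump:
    pid: int
    index: int
    start: int
    end: Optional[int]                     # None for the "-mapping.dmp" entries
    kind: str                              # "mapping" or "memory"
    size: str = ""

def parse_report(text: str) -> Tuple[List[DroppedFile], List[MemoryDump]]:
    """Path line opens a record, size follows on it or the next line, hash lines attach, '-' closes."""
    files, dumps, cur, want_size = [], [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if want_size:                      # bare size value after a fused "Filesize"
            cur.size, want_size = line, False
            continue
        d, h = DUMP_RE.match(line), HASH_RE.match(line)
        if d:
            pid, idx, start, end, kind, fused = d.groups()
            cur = MemoryDump(int(pid), int(idx), int(start, 16),
                             int(end, 16) if end else None, kind)
            dumps.append(cur)
            want_size = fused is not None
        elif line == "-":
            cur = None
        elif line.startswith("Filesize"):  # spaced form: "Filesize 64KB"
            if cur is not None:
                cur.size = line[len("Filesize"):].strip()
        elif h:
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # truncated or mis-split digest
                raise ValueError(f"{algo} of length {len(digest)} in {cur}")
            if isinstance(cur, DroppedFile):
                cur.hashes[algo] = digest
        else:                              # a path, maybe with the label fused on
            fused = line.endswith("Filesize")
            cur = DroppedFile(line[:-len("Filesize")] if fused else line)
            files.append(cur)
            want_size = fused
    return files, dumps

def dedupe(files: List[DroppedFile]) -> List[DroppedFile]:
    """Drop verbatim repeats (same path, same SHA256); other digests under a path are other versions."""
    seen, out = set(), []
    for f in files:
        key = (f.path, f.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out

def hash_bytes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in HASH_LEN}

def match(data: bytes, files: List[DroppedFile]) -> List[DroppedFile]:
    got = hash_bytes(data)                 # size is ignored: the listing rounds it
    return [f for f in files if f.hashes and all(got[a] == v for a, v in f.hashes.items())]
```

To use it against the whole page, pass the text of the two listings to parse_report; to check a suspect file from a host, read it as bytes and call match against dedupe(files). Raising on a digest of the wrong length is deliberate: a truncated or mis-split hash would otherwise silently never match anything.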