hxxp://drive[.]google[.]com

Resubmissions

21-08-2024 16:37

240821-t49f1szakc 6

21-08-2024 16:31

240821-t1htwsselm 8

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://drive.google.com

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\MitigationOptions = "256"	MsiExec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
1188	RdrServicesUpdater.exe

Loads dropped DLL 60 IoCs

pid	Process
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
4436	MsiExec.exe
4436	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2060	MsiExec.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe
4436	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
9	drive.google.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib110.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_newfolder-default.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\js\plugins\editpdf-selector.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\core_icons.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_ellipses-hover.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\fullscreen-hover.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\images\themes\dark\s_radio_selected_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\warning.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\root\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\css\main-selector.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\js\nls\uk-ua\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sample-files\js\nls\ca-es\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\SY______.PFB	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\error-icon.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\pt-br\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_sendforcomments_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\new_icons_retina.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\themes\dark\core_icons_fw.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win8-scrollbar\arrow-right.gif	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\s_agreement_filetype.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\fi-fi\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\js\nls\uk-ua\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\js\nls\en-gb\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\js\nls\pt-br\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_gridview-hover.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\css\main.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer-select\js\nls\cs-cz\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\images\s_agreement_filetype.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\ja-jp\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sample-files\js\nls\eu-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\compare-2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\chrome-ext.png	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_duplicate_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\@1x\[email protected]	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\da-dk\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\virgo_mycomputer_folder_icon.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\share.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app-api\dev\app-api.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\css\main.css	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\tr_get.svg	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\back-arrow-disabled.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win-scrollbar\hscroll-thumb.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\js\nls\ca-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sample-files\js\nls\es-es\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\combinepdf\js\nls\zh-tw\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js	RdrServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_newfolder_18.svg	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\images\cloud_secured_lg.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\images\SearchEmail2x.png	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\sl-si\ui-strings.js	RdrServicesUpdater.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js	RdrServicesUpdater.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICF29.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cfc5.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfe0.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cff8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID945.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cfa7.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfa8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfbb.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfc3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfd1.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfd2.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfe5.HDR	msiexec.exe
File created	C:\Windows\Installer\e57d001.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA33.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfaa.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cff3.HDR	msiexec.exe
File created	C:\Windows\Installer\e57d004.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfa7.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfc7.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfd6.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfe6.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d002.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d007.HDR	msiexec.exe
File created	C:\Windows\Installer\e57d00b.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfd0.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cff2.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cff6.HDR	msiexec.exe
File created	C:\Windows\Installer\e57d006.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE93D.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cfb0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfb4.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfbc.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfbd.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfeb.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfeb.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfee.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cff9.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d020.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA74.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cff9.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cffe.HDR	msiexec.exe
File created	C:\Windows\Installer\e57d00d.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID491.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cfcf.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cff3.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d00b.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d025.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfab.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfb8.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfbc.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfce.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE96F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cfac.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cfc0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cfd3.HDR	msiexec.exe
File created	C:\Windows\Installer\e57cff4.HDR	msiexec.exe
File created	C:\Windows\Installer\e57d003.HDR	msiexec.exe
File created	C:\Windows\Installer\e57d00e.HDR	msiexec.exe
File created	C:\Windows\Installer\e57d01d.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE272.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrServicesUpdater.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\"	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2DEA7885-1846-411F-A41E-017A8FD778FF}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithProgids\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\shell\Read	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05BFD3F1-6319-4F30-B752-C7A22889BCC4}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\Shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/vnd.adobe.xfd+xml	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{673E8452-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\MiscStatus\1	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\DefaultIcon\ = "C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\XFDFFile_8.ico,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithList\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\Verb\0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3F77C747-A942-45B2-A812-097A1F5CFE6F}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0C52A2CC-66F1-4B2B-A9E4-9723791F0BBD}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xfd+xml\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll, 102"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3ED-4981-101B-9CA8-9240CE2738AE}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F1E6C7A4-6B15-4C06-B1EF-88A4F2A886CB}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA73301B744CAF070E41400\Redistributables = "ReaderProgramFiles"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3ED-4981-101B-9CA8-9240CE2738AE}\TypeLib\Version = "1.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\NumMethods\ = "6"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\shell\ = "Read"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\ = "AcroExch.XFDFDoc"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ = "PSFactoryBuffer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\TypeLib\Version = "1.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{671B6145-4169-4ADD-9AF3-E6990EB2B325}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdp\ = "AcroExch.XDPDoc"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroPDF.PDF.1\DocObject	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{198F17AE-B921-4308-9543-288D426A5C2B}\ = "IPDomElement"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.fdf	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\ = "PSFactoryBuffer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B813CE7-7C10-4F84-AD06-9DF76D97A9AA}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\acrobat\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BDE0D630-7801-47cd-984E-1F0AFBC5ACBF}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\shell\Printto\command\ = "\"\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\"\" /t \"%1\" \"%2\" \"%3\" \"%4\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AAABB05-F91B-4bce-AB18-D8319DEDABA8}\AppID = "{5AAABB05-F91B-4bce-AB18-D8319DEDABA8}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\BrowseInPlace = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\TypeLib\Version = "1.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0\HELPDIR	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7EA23D88-569E-4EFD-9851-A1528A7745F9}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\shell\Read\ = "Open with Adobe Acrobat Reader DC"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\OpenWithProgids\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\ = "Acrobat Search"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\protocol\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\TypeLib\Version = "3.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.FDFDoc	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdp	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xdp\OpenWithProgids	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CLSID\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2888	msedge.exe
2888	msedge.exe
1432	msedge.exe
1432	msedge.exe
2060	MsiExec.exe
2060	MsiExec.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2284	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2284	msiexec.exe
Token: SeSecurityPrivilege	4820	msiexec.exe
Token: SeCreateTokenPrivilege	2284	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2284	msiexec.exe
Token: SeLockMemoryPrivilege	2284	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2284	msiexec.exe
Token: SeMachineAccountPrivilege	2284	msiexec.exe
Token: SeTcbPrivilege	2284	msiexec.exe
Token: SeSecurityPrivilege	2284	msiexec.exe
Token: SeTakeOwnershipPrivilege	2284	msiexec.exe
Token: SeLoadDriverPrivilege	2284	msiexec.exe
Token: SeSystemProfilePrivilege	2284	msiexec.exe
Token: SeSystemtimePrivilege	2284	msiexec.exe
Token: SeProfSingleProcessPrivilege	2284	msiexec.exe
Token: SeIncBasePriorityPrivilege	2284	msiexec.exe
Token: SeCreatePagefilePrivilege	2284	msiexec.exe
Token: SeCreatePermanentPrivilege	2284	msiexec.exe
Token: SeBackupPrivilege	2284	msiexec.exe
Token: SeRestorePrivilege	2284	msiexec.exe
Token: SeShutdownPrivilege	2284	msiexec.exe
Token: SeDebugPrivilege	2284	msiexec.exe
Token: SeAuditPrivilege	2284	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2284	msiexec.exe
Token: SeChangeNotifyPrivilege	2284	msiexec.exe
Token: SeRemoteShutdownPrivilege	2284	msiexec.exe
Token: SeUndockPrivilege	2284	msiexec.exe
Token: SeSyncAgentPrivilege	2284	msiexec.exe
Token: SeEnableDelegationPrivilege	2284	msiexec.exe
Token: SeManageVolumePrivilege	2284	msiexec.exe
Token: SeImpersonatePrivilege	2284	msiexec.exe
Token: SeCreateGlobalPrivilege	2284	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeDebugPrivilege	4436	MsiExec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe
Token: SeTakeOwnershipPrivilege	4820	msiexec.exe
Token: SeRestorePrivilege	4820	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
2284	msiexec.exe
2284	msiexec.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe
2844	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 3588	1432	msedge.exe	81
PID 1432 wrote to memory of 3588	1432	msedge.exe	81
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2840	1432	msedge.exe	82
PID 1432 wrote to memory of 2888	1432	msedge.exe	83
PID 1432 wrote to memory of 2888	1432	msedge.exe	83
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84
PID 1432 wrote to memory of 2416	1432	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://drive.google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb37df3cb8,0x7ffb37df3cc8,0x7ffb37df3cd8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,6506942402193618698,10710361967365025106,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,6506942402193618698,10710361967365025106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,6506942402193618698,10710361967365025106,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,6506942402193618698,10710361967365025106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,6506942402193618698,10710361967365025106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,6506942402193618698,10710361967365025106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:2624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2844
- C:\Windows\SysWOW64\msiexec.exe
  C:\Windows\system32\msiexec.exe /I {AC76BA86-7AD7-1033-7B44-AC0F074E4100} REINSTALL="ALL" REINSTALLMODE="omus" /qb
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2284
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=201E389DE46BCFE2732A14C357A8D493 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1836
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E3D7C92A82DFCA61180153C62546E834 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E3D7C92A82DFCA61180153C62546E834 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BBD60593E16E9444582CA96DC422CE6C --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3672
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ABF08BBFF87A7270C9134C878BB0A663 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=87648A8B971AD5658744564BD98716F1 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=22B760E46CF8EC18577D7F0F13472C0B --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:736
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2F8FB33EBDD7952F2158A24ECBA789D1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2F8FB33EBDD7952F2158A24ECBA789D1 --renderer-client-id=2 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4323E948EA5AFE419C0B7175E69E5BB8 --mojo-platform-channel-handle=2508 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4AC78540CB7096A02234916A750DB0EA --mojo-platform-channel-handle=2452 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A7CFAB94589C96E84A16F957E858627 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 20553F730458F23482061AC625219406
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B5B008A9851D252F992AA46E94635C9E E Global\MSI0000
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20069 19.010.20069.0
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d027.rbs

Filesize
838KB

MD5
b063c3a3d0265aa0053f4406c730c61d

SHA1
382b678b516182850da14c581e5cdc19163b2f8e

SHA256
d7622081eea2a5fe7fd04233f404b6e560ab53dab3ab507c554dcfc056485150

SHA512
7c2dbdbec34ec743e09451dcf436fb36aae8e400156e52224cbfad7dd86203df7a1d65cabd391323a94517b4d12d6e824aad7e2d418c31c677e8ac4b23f6ab61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll

Filesize
684KB

MD5
fe23dcbe27b6a93614db887be5d2ed66

SHA1
ee115773c0364d5b1c0f3f26e74a5f7895d0b7e7

SHA256
757e72c22ed4a6056e71735d0617ec3ac98b34cb16ad8595f6c23c7f73003442

SHA512
aa256596c4f9e9bf068890e30f0fb66828d803408dc5826341efda5c2d64b3312f56409906b3fd211b9b010be89dbf9db75e6cd24b8037188712d7c2fd2b3870

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_remove_18.svg

Filesize
711B

MD5
8bb62cfad37334a15129a0da2091d472

SHA1
a9f223eb2bd355c8cbf7d17db501db834f39cb6c

SHA256
94f76b160568e3705f1e0d2d6ff3ee6927bd812032498d373bbcc516af2864f7

SHA512
da08c15accffeca9c1ec985899ebf234aa881546dfb80862c72bfe206dfbf92772582ff87c0636ca0a4cdeeb03635de7a24aecacba86e22683a1d689724d6dab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon.png

Filesize
445B

MD5
ed537606a39879a091a8c085cf95ff38

SHA1
86c73d85094efbfdcd80abf119f03b64a71cbd0f

SHA256
42c312aa2a038ca54e9a6fe4bad8c9c044c35b4c5f421496f289c00c957d7591

SHA512
fc331c2e1ec84a6a83b51f365484033b3069d73c5987094cf526c45a92c3297df22fe2a35ec20382ed4d563ee604ecbdbdf17fb735f7e0118ab444b4d5db8e9d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_2x.png

Filesize
611B

MD5
37d179c947c13f64b7b6356f57441032

SHA1
9d1c1bd0c370336c229baeb2cd7f80d7b3cf4d0a

SHA256
71039e6370f68913e67cb8451d3127c22d3e1045ca644e4dc9821e9f6f6899aa

SHA512
3034a8b9694bbde20be0f7fa2596fbca8fd3f1e45810b15a5cb1a2bc6f4ef852afc36639a56f82a4e582d74684724d5c4ee43cbf5e33c94c6cf00b3c059757bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_hover.png

Filesize
388B

MD5
6d8f7e9751f955452a9ceeb815456035

SHA1
e6903b2ec0f2c5632d4288f88d993d4a41f04527

SHA256
8bcf53efcb1b630087d4cfcedf5e48a7abaa9c71dd13745eedfd2c7cfa6827f5

SHA512
c869a94a224bce8ed553f5a86ffdea6d8a279e06a1c060b311cc52e4538b89e07fc0a4a76f85a28e2f62e8629a7c67101e990cc12bef2d0e2d6d7d3c1d4d7d90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png

Filesize
552B

MD5
f364ee8508831e375004ac82b924efd5

SHA1
b04bc510ef53760bdd22ce0dd9d2e2f248c16df7

SHA256
87da831caa04bd303918a32265830ff97648dc8adc18881ba14d1cc1d28cde85

SHA512
399b2da615c0373214e3cf421f502fd0de02bdb9473da644e9f23df9ea7fc792da7d36bde61a456c2451276f74877232c8bedbe55e57098c1ffd13719206bac3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png

Filesize
388B

MD5
39be6b8bd8dce3ff5a1c20ac41ba993f

SHA1
a49d8a0c769601bf922c8aa1673bfd3a92d67855

SHA256
854a09f1f875a3a2e6566c593af465c9c8a3aa9b9112eb755bb09cee76224a63

SHA512
9fd5d4f02aa9d24ce9591ac0542d0abadf2b26208c3043220d2a0f036298199131ad804f9be20c6cc67f39e2921eebec65efb3a1e435ee7318fd8591fcc2fa2a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png

Filesize
552B

MD5
b34c8c3b8117b038839beefa0df5a7ce

SHA1
c8d1e8eb4c71d5aa02e36fe3b7365374a9e4e32b

SHA256
bfef65c62bfc309f698e8e0b999edfc06ad272b87d805f183551c43f08d704a9

SHA512
89fa9f31f62c6e119e6280dbc475c35dd7bb37c27457732a0b1cb04809a35fec44a12ccb6a3a626586d596a0636d754a9ff79ecd9ed739c5c6edea50738a60d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png

Filesize
388B

MD5
2ca9f57d61ed45337ec4e6565480367f

SHA1
fa06ed14d72ad8ced6ad98a4e223bc80cccc5e75

SHA256
a584379ebf9aa0d3c0239edb7e1f114f01a9865f01c68494d5f28d410ba8d873

SHA512
83a172f2f304b2f634c313e248b62c11b7798f416872929ef233134bfc4ad8f44b1b4dfa123e8378a233417e1298a73088258f5671ace96ff677d1f26447de87

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png

Filesize
552B

MD5
74af10749d7f19d15c8dca65a7453415

SHA1
dc96d9dbffe472600548dc64c724055e62620d8d

SHA256
0e0084df79ab98e5df48ed1e01987f7ac3fcf4a038dd5453708d868f73a073a8

SHA512
83d190bf6f9cb77894e7aaf84029c40a2a0335e43d08062ca2275a2cb7a784a29b3b7b8be820c7dfb2f1458ab0528fcdfe45f05491be673b30495e1ed916999e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\icons.png

Filesize
7KB

MD5
d3963e6fe853dbd9d22f794d5ece4c48

SHA1
db35a3e565d0b6dca7ad243443a5560a1247eb33

SHA256
a870c4e9ff6c433b5583a8f09fcdfbe712241c7e7d64cd59a10c2ad592f64fe5

SHA512
fe60a1b2a20d3c11152df2d6fbee05c3d6b80c89486d258dd6d318c3f89deef3e91a116c502c117d79a5020489e394194310f5c7a7ea3d4b7d284ca5a3e43ca7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif

Filesize
7KB

MD5
d4585d0ccf35ae69b1246339cfb46b90

SHA1
1fffc3492684a5db89e949d2d8b612eabb38994b

SHA256
d6707a7a393687bccd92de05cecbd746be791f3a670cb4fc106252f49d2a0a2a

SHA512
a85560cabd3ce3dd21177948884a921385c0325b431dd281edda61d3585a69ceef28cb339c5a88d167597451ce22d54828b03d69823b5737bf3e253bd9bda9f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\icons_retina.png

Filesize
15KB

MD5
7045217d47de04c1d72eea7413b780c4

SHA1
04c73e38fa17d35a1f684577cc79d77615c09e02

SHA256
8c659d0904687a97d9c6b649e4b74e99b286265e92252908824efcd07f956b66

SHA512
abe433cb154598ad2c0de6070d6e75bb70274a58ce92007ce200201f788553517bb579b0df5cbde3b4f2bebdca1243f0e54836d125d72ea206b3ccba1d15a385

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons.png

Filesize
8KB

MD5
0e366a48bdf6a3b140508e56eed0bf0f

SHA1
bcd76a4a537fc00d8c468b9496d3d5b5dd6a2a7e

SHA256
a311b5a78e1b856505337b90e53edb4ba380160234e1b4e8801c231ba8d590a5

SHA512
1830e3e260a50f79553673bec5775c0ba623284d233c25a2da016f273e67e218f5d2f49bed5f9e68842c7dc14b852e979fbfc7ed336f9a34dafd04a48742f827

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png

Filesize
17KB

MD5
28a435033f504be69def6f9d52efd2b8

SHA1
6f50318e05b79851a445f98d4b3ae3d65feb22ad

SHA256
f84c7c93947e86e2a499117d4c55910de9fbaefb6d703a8d0f90f4867c69c182

SHA512
a2b410bb6bb328eb1e3af794259bacce7918f44698c8145fa530af9be6bfc22a064c1f0ee5d7ce289f4a60a50fce9b56a720793d19ec477340b1d7ef158df6b0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\bg_pattern_RHP.png

Filesize
179B

MD5
117ec36a5cc6d82e63e8b3beae4a3099

SHA1
4c692192be53827f8ec8015ceb129f6e0f89e923

SHA256
041917c06c638a1b1accaf0d2f0b2a6dd335dea629de602e104553024d822ea4

SHA512
abb02a02a9161ece12464020676e880f1eed96b43a9dfd4f7ca06dc203fe633b0a712da5f151d36a5644d65aad7b2880c135df0bc42d7c1e61b44006807a8c9d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\illustrations_retina.png

Filesize
19KB

MD5
ff84cb8f89545b86e32abd27a9694e1e

SHA1
3cde537531f8689772bc9eb39a12c687da5d5225

SHA256
8b32854c17056ea617a680cd26ea91015e77d68260f656758984583eb6895a87

SHA512
2690d712ba02fbaa769689d0eae380d0988721c6fcb710e04e1e2aba56496cb58f5d4168fe75540139afce179b1250c2ceb11fc4c3d589a3615ad20dccacc8f1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\bg_patterns_header.png

Filesize
703B

MD5
ccc8d470e94b3441e41521572ba86ccd

SHA1
d294d7e78b596fefcc8084fab7917c54d3043e27

SHA256
a7cdf870b0b1b8459e94ed25a29daa87f5e9050294bf6cdff3bc72f93b928f94

SHA512
f3b2ca4d3160a089f6959b7c8e3e6c213c0facb2733f7948a7222196d3bd8c7350015602569df2cdc7408e38b0ff6700306d7e3439f0892b4d13d9f2d5329e42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\illustrations.png

Filesize
8KB

MD5
f6e318123e7ad5933a49669eb035c737

SHA1
ed8938fa3c13af75978bbd0bcdd3e8bd40a02004

SHA256
19f68990146444907956056019aaee514c522c3c00ae00604da44a1bec2f8f51

SHA512
b2506a283dbdcf40ba0cac63b4fd0249463218cc9511ce52cae5ab8c36706090fc1f1942f1082204dcdad5d80e7b655d9e12326c820ac21f64a508999e130743

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\js\nls\ui-strings.js

Filesize
1KB

MD5
d59d8ff7aaa17ee875adbe48b7a77e78

SHA1
7405acc07f6137b7fd9575f99a2b4354135956ef

SHA256
d74c0782682efde01c1c30e46814256f7d16d7df00a7167d90f2bd55ebaab626

SHA512
63fc8bef9e8ef833e45d99f954a9eb99d6bbcae39b2eca8a7000ac11b976cdd0ce0581e5e5e6b2f1bb2bdc911e31690e503dad945f0a3ea702dfe404896eded8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons.png

Filesize
683B

MD5
a0522ef468697e74b90c444ceb4aa17a

SHA1
31fa5bb9b4ada150c9001b6e9f3213644117187f

SHA256
57804748e775c08ae188b4d860f31e4482ab99b44ed1d8489780daa6756fb11c

SHA512
bbb91f8b3c204c4c04da2ad635eb18e9f224f73395dac509c438c0a645316162b6ff78e03e7af76d5da2d9e84cd0c4b5e9db1d4dc08bc3f524bcc55c1f4dbbd3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons2x.png

Filesize
1KB

MD5
99a1fefa123aa745b30727cc5ad50126

SHA1
c48f74cee78f8ed8463634d80c4112f3e12bd566

SHA256
7a610114be56ff131462bc67f9a23bcd4fde4fdd0158691448ab9e4a3eb2ca3b

SHA512
504800f03a4aa57c1cfa15b28542382728b5f3dd85309fe12ebfd711980d78d15d8241d5f54956ee41da2cd65203b7764ab7b15119457b74ebc07fcf8e55a742

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\ui-strings.js

Filesize
1KB

MD5
3dde11f8594519f004ded2687db9b90e

SHA1
fcf1854df851616a25d7cf1439a9120b16902420

SHA256
196c132938d324c62184ddc85bdb1cd642af830712e0fbf0fb3230978316d510

SHA512
adc2cb3a37dbf5fe2ae79f5752c0d38d2427a95e333e848ffa113046f630eaa967b3cb29c049dcdd9b921d57e23392562d779c24207f770aba6e92392064f17b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js

Filesize
823B

MD5
5e884e2f05ac036b7a6cded3efc2ea2d

SHA1
807c1cf1bf0943404601b6241bf4bcf9fcc29c9e

SHA256
b333de3a4a7be7749b82302085ed26ad868f0f8eccd09d2a8bb8840414e624d6

SHA512
6665aa6fa35e05d01a4a2312a93faf52d6b39409bfaa861c187b0cc2fc51e74aa253ebf56061872d548cb6d3d7bbf1f7c2568de81e5287e0a1d6591c1e780f15

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\css\home-selector.css

Filesize
802B

MD5
bfeb063e064c71e44ce75898e79c61bc

SHA1
c4dcb4b6814cbee53b415a2a5df02fa500510ef3

SHA256
af439ebb0d55750003f7dbec517e7b0b26a6a0506b21e3b74d800cd1c7faa004

SHA512
0835ebe63867fba6d69a25c83dca767ffd9c57907ba76d9c71012be18510e2145a358d37c1cf4e4ad35d1cdd4f67ffd5928e70e18a376db607d8482356f12219

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
2KB

MD5
4c27ad089d04cfefd979d56f2a67b172

SHA1
63289f9198ee4553759b07de7a4229ad370fa976

SHA256
e34bcd5b8436d3bc45f98dd913d41f185c6b06326b66937d6e0d5c6434b16fe7

SHA512
23f9283f769fd310dcac26cac00d2eb033763d73bd45b0d148ea1ec3a3c75b073572c9fa9234699372a7e1caad7fcde7629d004815536df1d39d291f2d2d96a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
2KB

MD5
61bd39ed095fa82ffd334fbd7982616c

SHA1
51af9c2cd42743c5cf81200e0fba3cfaff801885

SHA256
237a70fe0388ce6884f5424692c460625691ef7acb0bf80403ec6b25f348b94a

SHA512
54dd8e1a5c19a9d51892a12e9501b7f6f69e09e0c446ec36f7ddfd9ad0d9cef52604ab2f8071c71ce63989510a703f1cfd5492e1ac20c8b37258ba21f8952400

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png

Filesize
4KB

MD5
543415ad8ba14db1b75a93a551a4abfc

SHA1
3d4737451e899240fe19daa07f3c58ce9a623631

SHA256
03bcfd7fcbd98e48b1954f912ecd66ce0bd5c181da0c2408beed01486ed23804

SHA512
7c4bd1cf6fc8d7aeedb1c666ca45c95615927fe76cad3d3c4f4dafc987f4ac04f527ecaebb3103f593eb080302e768fcd77739ce8344ff2e7ec10efdd1113cd0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
385B

MD5
c789d387908d7b7f21c6474a86e84019

SHA1
1c36fc6954178c43d9249a5ff3c7246057c6aead

SHA256
223f32512aec50c1c00fafc476d8e4ce61e79aa748c67b72fe55514882a31a5a

SHA512
1cab85dff119b591046049b69b6208283ca5e009d95129bb407df2768c82da30fd2af8debf6f1bbd91f37518538f3ba6bcda32b63d1d278b56fdd1f5f93439ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
1003B

MD5
c5aab3d175e0a3753ed2c3bbd7b929c1

SHA1
3ebee0101ad62449a67f506df9c8e7dacc39f877

SHA256
2e187b74e926afe70eafe0648c7125817e99f5586eee3e2e05446e360d4cc1bd

SHA512
e967020462477c3e9465e3383c544cf468dd89f4da084193634f5bcdc001b90f5bad3f4f6dda9e95ebe068108986daf41504e02331f4922ea25e7ffee1f27040

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png

Filesize
1KB

MD5
808971f45b803583d9d1f812803d81b7

SHA1
0f6aaecba7c976ed8c2f53782b3d3148f41b2905

SHA256
c25d9409ddf9645c2731ec785cacbb7568005bfc78fe0aec7df3ae3c4d30e333

SHA512
121e6b01125f9e9d4894f7d498bb4d39ce676ce51e29cbcd148e0c1feed46fbc58267cea7d5f66654be831dc479e4643be8b28b005467309b7df5cc7fbcd0dbe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
2KB

MD5
ad68c0b141ea1dbfcadb540c1817289f

SHA1
548a46167f7f5193c5a1335753bc208bf92aa504

SHA256
537ac64cd204d7ef82cfe41c932deb9cb1ae738b2156eff4dbf73208384c0a13

SHA512
269ae39458a9f30351166f304825b777f3ff143b7914b98e83e01600fa04c7790e6e813466c2a1c5396ce13cd2199792905cf0baba1cd28a420440efce0843e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small.png

Filesize
289B

MD5
36503740756a442b7be294947462be83

SHA1
a1203ae869deb46f59a3273f6d130e7457bf5321

SHA256
d188ab283c552eee50677129f3b0ffd8d97828c4e7007bea258174c9a2200e87

SHA512
6ff98b15c7d757dd351bf50a1c4ac759a73fdafe03d5fad506478550987d0ec016ba9e617c099e6bf7b0263846eddc4eb32cb70fb1fbbc1189791defe556967a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js

Filesize
840B

MD5
32147da1c647161e45a1004eb1b16349

SHA1
a953c222cce91729ebab36bddd43bd5a795a69cc

SHA256
434731fdc6d2f5115c5f7786ac989fedef7d0f60cd2ad4385cc98f6d2160566c

SHA512
8c825f8d38519cdac2a49e4ee8a9564ae72839199562ce9acfe72b4fbb94f8946775054782cf26a9566eaf8cf944a26e42b7b372c4e7349b33a8e17dcd13df94

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll

Filesize
212KB

MD5
1f43a1a4126c353930b871673f1d17cd

SHA1
7ecaa94e8f0741b327b490bca2af022677e17b45

SHA256
c61e91ec0d9dcef748fe0093a8ad129484ac3dc4a8726a98b2b8da2105efdb01

SHA512
f65a54f181e1b9a591e4f149309b870a4321c69cefd3211bcb973d0011550335595a7f4e3f4ec09b5243f5df13f540e02e927a716d25ed7c684ac838af3f7153

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base.dll

Filesize
395KB

MD5
b0b681686373063842ca58b72c0213ac

SHA1
56709a3cfa4823a45f63357a7a4ee9048abed1f5

SHA256
19dfedc0dbfc2cbe9f03a866c65b19449aa1eeee5ff9e3798aece495d16c68e2

SHA512
4d8efa00d68b69e9efd9ec794f13012cbf6c9cc7f425541d6682ffb611e44d8cfdad031f8fdc6c96ead58f2300db393d808227cddd7198e580ce2e4d255498bb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll

Filesize
371KB

MD5
ec30bceb1a53313cfb7e7a8c078a2e18

SHA1
a97898e470452221231e0dc0a9358436acb03744

SHA256
3a850ce90e25b9fd9150347f1185286d9113b5ca3a4b3e2915657c50572186ba

SHA512
8db6aca0148b6e400d8704586a3905dc04a83f133a941f2f8b14f235cb654ff449f4bb0bcb14bbab1e0a0374afe8c0994e59203310908478fafa994a4fdebcf2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll

Filesize
492KB

MD5
2c7bc2de81314578a4e9c8dd0abb7467

SHA1
ea54122c747816255707381d5f2257fc9b89156a

SHA256
3a435d4165c38d65dfaad6495aa5cf0ea8c9bc49ffdbf0e92abb7529031d61e6

SHA512
9f72023b70fd3ca53522f4ed7df9c145979697657c56718eadec3907de24678b07c880c2d315454c3f440251d34ebc699ca52836f276b9f449397bceefd9c217

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll

Filesize
213KB

MD5
60e213a4363114546d55bc94046dc704

SHA1
2e2cda4f9692c711f2cdfb0d79c4756472a94b77

SHA256
366b6728dfb14391986b21bca32fa0e0d2aa7a0c6252cd8fa0545cf10e72b04c

SHA512
262d24fef76223b2f0085f3c747c760bb1234c4d5ac1d8c515435c9a7a1af963b93003cd60be532c6dcd88bf27264c5c9e8ff215c631614be06d509b9b53d1d4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api

Filesize
13.0MB

MD5
7510d2d5c4385fd18eea88f3ad03cc7b

SHA1
09355b458b101f3d5476fa009ae6038c21422da5

SHA256
32a94723d87b069eff918a29b86d725866b2471e86197c8dc3639f7f59e97788

SHA512
ecb9975b02696c49cb540d8def711761d06be9773113b56e50922e147e36bc5e1173280954a2a58bc78374ab43a213e37bbee2c133520f62c17ba79b8b846b83

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api

Filesize
7.0MB

MD5
45dd162913ea060a5e3b9d3e427bb791

SHA1
896ce478b1693d011951dcb0f61717dfc253ddac

SHA256
50a5e55f345379ba2b5d9ee501d926b9a5df301a24671b0b5f2ef8246f85ef64

SHA512
f6a6a460f9c91259497a6e2a59df37b7f5e04ebb7eeb097c67e67841bd89767301f159f1d41a08fce1098d980642f350fc6fc9f46b6d761151e5019d6a2bd299

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api

Filesize
1.3MB

MD5
eb6daa123061cb2667bfee4261798b94

SHA1
84d3548203fdf5071b7366bd776b64f3e7062a49

SHA256
e42cd1d032871f61c0a0eb47b9118877167e337bd31aa4e872dc80af91c8e62f

SHA512
0772ccc40283f4aae98761352c0bb2b2f87c04cbf3428da54163b7a956f317242aea261d394ffd74b4124a206b3c6c65070d6651e3d4e073c3dce4807799df40

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api

Filesize
2.5MB

MD5
a5ed0f5dff17c24bf2569d4f2f333381

SHA1
76be9734de0cfcbdf3bdd99a575a7c3ee9c5a07f

SHA256
da780c414230d163af3063f5202d1ac1769b24bb37da7bfd838282ccfb9e769a

SHA512
5e20f0b85584a1f2cc0b6442417741cb6b4699ce4e74b970f64eb523791b422fbba84732c3a40c94287901cce07e8336639f03fe467750e54e2e48bf08f09cbe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api

Filesize
118KB

MD5
ea22c1dd5696b9ebc2cb8df671bba65c

SHA1
93e7d8482982574e51362351712693ff2208e03b

SHA256
f01a4d33848affdd8151b47c238b29a2a16999bdf31c23efc00184cd58a315fc

SHA512
e74c7306c3127cd09c85ed93d1473537fa2a7b3a1826f3869b74732db8a9610830a159a929fe4867692adec39d1201101e97255bda47bb80a97da0b79315f51d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api

Filesize
6.9MB

MD5
3353de0590edf7f1186b7007efb78d76

SHA1
4b4a910f02a9c1bbabfac2f3c1d3e9234333ae27

SHA256
b751bbbc6a5a14b6e91550f29c7944a9199fa6c044d91776e3a78418e6eb0c75

SHA512
fc5b096a9071bba4eaa758e9bdf5f29f45ae97147007ecbdddebef64f87a6a235f5350bfbc0c5b9e7ddfe5a4453d759adf97735540c79f78a143bb06e42a73e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
a74208ec898bf422511c92f8b419f52e

SHA1
3ab44e08e8a2a03c33dcedb35b2537d295ce80d9

SHA256
982fd6720b98021190d0afa46bcf7fa416656c0113a58afb6473a981ae5fc397

SHA512
9223fd297ef114d82b62248c941a6995ee1400459d9b354b795261ab2ba79c31237325d8b9eff64d470926d9a0ba8f0471c01a1515947c8ef49d4c8e95493859

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Filesize
292B

MD5
e2580db98510305bee800ec75b4469bc

SHA1
145337f482e344dab2e10011d45a16e6749493de

SHA256
d900f587f005ead8b35334976782caf2f7add5566102d79476c55ed5f7abda66

SHA512
25fe4eb1873f24e33b3d9b636e2d41d378f66a5ee77b64b6f96042dc60f6a3245e8208a2cbb614b38abb02d4350166c4a14125c9941d9bfd2e719cb824cccd3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Filesize
128KB

MD5
35324c644417933988ddd9a0b901f2f6

SHA1
875df8b20304c7b6ebaca4341972ba07ea3e9d5c

SHA256
c44fd74b1db07cd339efb596344c6acf385e9322941c161773546e07db705e54

SHA512
8cc396a218bb83b93551840cbc5f5c348fb9147f25deb9a17d57822525f84c6dfdc608bc13f9ee0c0e783358109474b54d06a27e549b9b8031928f742334115b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0522c3cc26ec30f135521a42a311ebdd

SHA1
472ba0ae2320a8662ecc09e0d839410c3cb0f959

SHA256
8f0097e2ffef38e646e71cdc99e5399574be7b2fcb71821f677c3b7ff6ea8591

SHA512
b9dbdfb832d79ce507819dc490434e54c604867800866da4f62285452aaa6e776ce76e4504a959d9c3d3cc2c6bdbb958ca0694a0d5d6b5c47ba4c510b70546ee

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
9f860d28c4128e93379ecd02d7150448

SHA1
1b3a5c6321f04da57ec6078e3b13ef44776e7e86

SHA256
3bd12a01c229173eb7de66747fa696b70a5f446fd4cd9eae4cc90513a9822264

SHA512
60dc731daa5658f6c00552d843cc65b9b59dd32e668bc28ea2d11c1961099c363d8a70effee0e48be1f70376cbd42bf9e48fe51894a2369eb035477f2e0f0cf6

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
23914ba41092e0aefc8e4347a068abf4

SHA1
b74b339e99f89a4f98a5ce8862cb5fb89d05a2ff

SHA256
94783d4a89f1ecdc343565fc6b6c3f5ed85ef44c2f31e6e1a5e35c653808311e

SHA512
e672638912875909f597ba268387c87c5f048964d87592c2f366f8d1d8a88b8e2a9b5a6bf77977308ddda16adc4c6be6bebc906bfad5d9cd25562fc7d689a047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
a43ce802a403e03942705caa8a7b6fc8

SHA1
50076cadeb3e0a48cff616598731e4ee531b3ce8

SHA256
c290789e2b3fa19d25493a024483a1de1fa4b98eba3136473de5f209a827dd9f

SHA512
51efbc25eae80d06afa5610f097b79d7504da5c79f3ab0bd7f430582a164d6c8482e62dd74a6e1de697e459653c95358160e6038536b001998dd3950a87b56a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1014B

MD5
96a63fee45f29cc6baea1033eb2305fb

SHA1
0521dd93327462a76906b109c2cff5f0aaa8e9e7

SHA256
3467b5630a60f81f23880ab1b65e97c0ed73b79a35462c0797444a79d89da1e6

SHA512
d42babc2aee7e9de5efc2df8951db4053f768558c515e9b96293e02a3ee6ed586fdfd1101a6330fb2527b5de9b01989639c1ecd47902e0b669f45e015e9af71b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
54d0eaa3b0bc863797f6600aaea29f48

SHA1
548b44679f8e83d84dcfaedfc58b0c56985a6a5b

SHA256
b55dfd32dd6b2e5406b0f61f1a5a713859ba350220180be67da7537c3a82bdfe

SHA512
e5e0b2bb37ccd9b933ef2730a10af3090ee0983b4a57e7621f0631292c9f04912924c28b6942dc6e9e6e3f0cc0f8cee22dcdbf3a693b762f15bb64bcb664bdcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f52cca95a4f27f5fe1002509f00ac505

SHA1
f59679c78eb0fa063156abf7ad59c01571d2ed7f

SHA256
670d9b4aa4ebe5bc83438fb65fd3edb444e80b2999348fbbe0aec4b019abb364

SHA512
c253fc79272eae8f20352fefa6afab223d18cf2e414896dec86bb7bf974bd2f8a2e3acb6615cf231e27e3954dcf700cef98cb01da731bf5a00f12d8fbe33c712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
51ce1c3da2a1513fd998ddd7b2cec76f

SHA1
c868409bac587b7b0f7f37e2f2df13919cff0048

SHA256
30fb34dfdb0f85e751aebedac5ce631633f4db1557d4ae8af0ec7434eddc967c

SHA512
104fc11d2a35e18b88c2df0631ebfde4478ae042090aeb90c92dbf8ece8f89242e0ff4b3c30967a92b1e8cfe9a230c8649c51956bd93129cc811dc78693a634a

Download Submit
C:\Windows\Installer\MSICE6C.tmp

Filesize
57KB

MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Windows\Installer\MSICEF9.tmp

Filesize
418KB

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSICF59.tmp

Filesize
148KB

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
C:\Windows\Installer\MSICFB9.tmp

Filesize
209KB

MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSIE116.tmp

Filesize
271KB

MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
C:\Windows\Installer\e57cfef.HDR

Filesize
35B

MD5
f0fe0d0a7b4408605d4813bdc5d17c90

SHA1
99b1742d32df55b476a3afb968024d0d87aa7e28

SHA256
8700160de81b068dffcb99c65f89fc3dcd202083afb4c5d650935bcd2641c444

SHA512
24e0ba30a3e2a20281a7371b85f9da6c74f8a37958119d7ec4d6a9162839202aefab322ebf0c9942357c58cc29c1c69b1abbdce1f3a74da87d650f937c4a9863

Download Submit
C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico

Filesize
340KB

MD5
d07cea5fbf17f2ffa4fdcb38e395dbaf

SHA1
c0218a4f53428d71f19f1121b8532b3fe0d178b9

SHA256
c5ba5c23decaa64a9176f20f8b18a8c89b42ed54f55f3285bd400fd74051e37e

SHA512
98ad990280e9db23ee91e23ee5d0ebc8e289eed7923cd07bb31b845af28ebe0a09bc49f9de2c7e81a49a041d9f87f089a4a67402e1182c41e0d41a3e47264d4f

Download Submit