hxxp://drive[.]google[.]com

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://drive.google.com

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Loads dropped DLL 30 IoCs

pid	Process
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
888	msiexec.exe
888	msiexec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2224	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
2632	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS\Installed = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI\NoChange = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI\Installed = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL\Installed = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
8	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvSOFT.x3d	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.LIC	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	msiexec.exe

Drops file in Windows directory 58 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RMFFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID25F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID640.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SecStoreFile.ico	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIC42D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SecStoreFile.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3A8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\FDFFile_8.ico	MsiExec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFile_8.ico	MsiExec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\ul_catalog.63E949F6_03BC_5C40_FF1F_C8B3B9A1E18E	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC53A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC598.tmp	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\XDPFile_8.ico	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SecStoreFile.ico	msiexec.exe
File created	C:\Windows\Installer\f76c17d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDXFile_8.ico	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSID4B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c17d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4BB.tmp	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\FDFFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\XDPFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID437.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6B2.tmp	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID24E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\XDPFile_8.ico	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIC9E2.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\ul_catalog.63E949F6_03BC_5C40_FF1F_C8B3B9A1E18E	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID23D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\APIFile_8.ico	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIC4BC.tmp	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\APIFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6C3.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\ul_manifest.63E949F6_03BC_5C40_FF1F_C8B3B9A1E18E	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDXFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID630.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\ul_manifest.63E949F6_03BC_5C40_FF1F_C8B3B9A1E18E	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDXFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSID4C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC14D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC992.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\FDFFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\APIFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RMFFile_8.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID29E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC17D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1FB.tmp	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BC8F2E01-5FDA-11EF-84B3-46A49AEEEEC8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}\AppPath = "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}\AppName = "AcroRd32Info.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08E8D305-8D6D-49fe-8603-03A926E46AE0}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\Updater6"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08E8D305-8D6D-49fe-8603-03A926E46AE0}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08E8D305-8D6D-49fe-8603-03A926E46AE0}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08E8D305-8D6D-49fe-8603-03A926E46AE0}\AppName = "Adobe_Updater.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E790E1D1-9DE8-4853-8AC6-933D4FD9C927}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\PersistentHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroIEHelperShim.AcroIEHelperShimObj\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.7\protocol\StdFileEditing\server\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Acrobat\\Acrobat.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.pdfxml.1\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\IA3DServer.A3DMemoryManager\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\Printable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FDA6EEC2-325B-4E8A-A8C7-1C75DFBE72D5}\ = "PSFactoryBuffer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithList\AcroRd32.exe\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E64169B3-3592-47d2-816E-602C5C13F328}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.xfd	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9B4CD3E8-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\ = "IPDDomDocument"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.pdx\Extension = ".pdx"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{673E8452-7646-11D1-B90B-00A0C9259304}\ = "IFields"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\ = "IAcroFDFHandler"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\ = "PSFactoryBuffer"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFShellServer.PDFShellInfo.1\CLSID\ = "{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB2200E-5672-4A32-902A-5A98DB1C58DC}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus\1\ = "131473"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\VersionIndependentProgID\ = "AcroExch.Document"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/vnd.adobe.pdfxml	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.RMFFile\shell\Read	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.acrobatsecuritysettings\CurVer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\ = "AcroExch.acrobatsecuritysettings"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F6D3808-7974-4B1A-94C2-3200767EACE8}\1.0\ = "PDFPrevHndlr 1.0 Type Library"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.7\protocol\StdFileEditing\RequestDataFormats\ = "NoteshNote"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/vnd.adobe.xdp+xml	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B4CD3E9-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32\ = "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\plug_ins\\Accessibility.api"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B813CE7-7C10-4F84-AD06-9DF76D97A9AA}\ = "IAcroAXDocShim"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDA6EEC2-325B-4E8A-A8C7-1C75DFBE72D5}\NumMethods\ = "7"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67E94227-7662-4050-9C72-746983CF37A2}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.acrobatsecuritysettings.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5BB2200E-5672-4A32-902A-5A98DB1C58DC}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroIEHelper.AcroIEHlprObj\CurVer\ = "AcroIEHelper.AcroIEHlprObj.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\CLSID\ = "{B801CA65-A1FC-11D0-85AD-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ = "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\pdfprevhndlr.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\ = "IAcroAXDoc"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\AppID = "{A5090E95-F1E2-41C8-BDA1-5AEB6C321FDE}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xfdf\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF\CurVer\ = "AcroPDF.PDF.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.FDFDoc\AcrobatVersion	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DEA7885-1846-411F-A41E-017A8FD778FF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Read	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\6\ = "3, 1, 32, 1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
440	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeSecurityPrivilege	888	msiexec.exe
Token: SeCreateTokenPrivilege	2200	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2200	msiexec.exe
Token: SeLockMemoryPrivilege	2200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2200	msiexec.exe
Token: SeMachineAccountPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	2200	msiexec.exe
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeLoadDriverPrivilege	2200	msiexec.exe
Token: SeSystemProfilePrivilege	2200	msiexec.exe
Token: SeSystemtimePrivilege	2200	msiexec.exe
Token: SeProfSingleProcessPrivilege	2200	msiexec.exe
Token: SeIncBasePriorityPrivilege	2200	msiexec.exe
Token: SeCreatePagefilePrivilege	2200	msiexec.exe
Token: SeCreatePermanentPrivilege	2200	msiexec.exe
Token: SeBackupPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeShutdownPrivilege	2200	msiexec.exe
Token: SeDebugPrivilege	2200	msiexec.exe
Token: SeAuditPrivilege	2200	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2200	msiexec.exe
Token: SeChangeNotifyPrivilege	2200	msiexec.exe
Token: SeRemoteShutdownPrivilege	2200	msiexec.exe
Token: SeUndockPrivilege	2200	msiexec.exe
Token: SeSyncAgentPrivilege	2200	msiexec.exe
Token: SeEnableDelegationPrivilege	2200	msiexec.exe
Token: SeManageVolumePrivilege	2200	msiexec.exe
Token: SeImpersonatePrivilege	2200	msiexec.exe
Token: SeCreateGlobalPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe
Token: SeRestorePrivilege	888	msiexec.exe
Token: SeTakeOwnershipPrivilege	888	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1968	iexplore.exe
2200	msiexec.exe
2200	msiexec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1968	iexplore.exe
1968	iexplore.exe
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
440	AcroRd32.exe
440	AcroRd32.exe
440	AcroRd32.exe
440	AcroRd32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2824	1968	iexplore.exe	30
PID 1968 wrote to memory of 2824	1968	iexplore.exe	30
PID 1968 wrote to memory of 2824	1968	iexplore.exe	30
PID 1968 wrote to memory of 2824	1968	iexplore.exe	30
PID 440 wrote to memory of 2200	440	AcroRd32.exe	33
PID 440 wrote to memory of 2200	440	AcroRd32.exe	33
PID 440 wrote to memory of 2200	440	AcroRd32.exe	33
PID 440 wrote to memory of 2200	440	AcroRd32.exe	33
PID 440 wrote to memory of 2200	440	AcroRd32.exe	33
PID 440 wrote to memory of 2200	440	AcroRd32.exe	33
PID 440 wrote to memory of 2200	440	AcroRd32.exe	33
PID 888 wrote to memory of 1944	888	msiexec.exe	35
PID 888 wrote to memory of 1944	888	msiexec.exe	35
PID 888 wrote to memory of 1944	888	msiexec.exe	35
PID 888 wrote to memory of 1944	888	msiexec.exe	35
PID 888 wrote to memory of 1944	888	msiexec.exe	35
PID 888 wrote to memory of 1944	888	msiexec.exe	35
PID 888 wrote to memory of 1944	888	msiexec.exe	35
PID 888 wrote to memory of 2632	888	msiexec.exe	36
PID 888 wrote to memory of 2632	888	msiexec.exe	36
PID 888 wrote to memory of 2632	888	msiexec.exe	36
PID 888 wrote to memory of 2632	888	msiexec.exe	36
PID 888 wrote to memory of 2632	888	msiexec.exe	36
PID 888 wrote to memory of 2632	888	msiexec.exe	36
PID 888 wrote to memory of 2632	888	msiexec.exe	36
PID 888 wrote to memory of 2224	888	msiexec.exe	37
PID 888 wrote to memory of 2224	888	msiexec.exe	37
PID 888 wrote to memory of 2224	888	msiexec.exe	37
PID 888 wrote to memory of 2224	888	msiexec.exe	37
PID 888 wrote to memory of 2224	888	msiexec.exe	37
PID 888 wrote to memory of 2224	888	msiexec.exe	37
PID 888 wrote to memory of 2224	888	msiexec.exe	37

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://drive.google.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2824

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /I {AC76BA86-7AD7-1033-7B44-A90000000001} REINSTALL="ALL" REINSTALLMODE="omus" /qb
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33DFC4F117F3ADB2D089A37D42964E51
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CCF32A127DF8681DC0E24A8DB24D0B6 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c17e.rbs

Filesize
476KB

MD5
4cac73997551f961ca0588915ee59c1a

SHA1
46ebd2bf2df38c82d49c1fbe5c7353698f6cbc7d

SHA256
e22bfef4322f06bb59651c6b6f074075a440ffaeb2fda78bb657d62d5631a181

SHA512
c7be5663a8e979d0b267b0e054b827a87388c3fc7dba813980caa677f5de9109242e1e56a1f245151205e343469f71f082fe9d8b18330e9dbd05f28e67d8e89f

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H

Filesize
6KB

MD5
6c641ae185949c2bc460339da24e7fad

SHA1
27e52a90f80c1ab5e80853c05d0e2b40f9742d8f

SHA256
e266347319d97af4effe213d404a4a6584f546e06788f3e36222f47016aa472a

SHA512
868361106295feeeb15de52001e0140e34f24dd34b1f12580685373316290a32126d308a3097eb8a8539eb37d5b5c966e65b9c8059bdae5b6a9aa46ec90f402d

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V

Filesize
1KB

MD5
6e8235b12b8fd8440d821d5d10503bac

SHA1
5a7b7531a69c048cb70c2fb04bd6eda0fa191f57

SHA256
23cddb13c0d7da90751a7f1746e2a59a310f4a64e35ca2875f492673cf60625b

SHA512
fd3dbc0bccdad732d2f72f73e68f681b52074cb78d7953493216f498f6278f4a513d9e5ad4b45cc788ac6da6aa5422f4e3ee068cade1f0a00d93a4b97c0ba033

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico

Filesize
288KB

MD5
7db5afdff5369aff13559810ce3cb3ff

SHA1
0241c6a9c1efc3b8776c762b94a77bb166f47903

SHA256
fd2f0d47e3d7024496f4c84d770dcf76b47154d9e195c6fc6424cdb265e91c5d

SHA512
f99b07d031a2dd168fe322792d033790c4977c32dc9845fe0a23d6f1cc2cf7e63178066c1804870cf54b8d09511b573d37010015099b1929aa1620339a51b426

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico

Filesize
288KB

MD5
978ee8389c1db28afc725eb2bae4934c

SHA1
1857419efe7dbcd200c2431a9b066dccb414409e

SHA256
738a47a0a877ec50fe42b9ea4f350674f54f799789f685176acc8b15bb23f89e

SHA512
ad1075b47145c8be735cea8badb8d3e5e2c18849d07de4e91d5eb41ce2e6f030a9a6f7df43d122212a9c87af699fa391badc3b5f6c1e76aeca0a7672d7ff0861

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico

Filesize
288KB

MD5
bfdd2c458a143f4d2209c78d8c9b8871

SHA1
59fdd2a4a6613d6582502cfe127de74890da7fec

SHA256
d5741e41b534670435fb6908a687f622abd8616b9057cf104730da2ba7fc53ce

SHA512
17bf4da5c2c85db84be896201d3cbdcc64be29bd9b8f5851169501634f4cab2b23624bcc3b4101b868dfccbacdded35b31fe35b61e51f6ce875159f9c62adfef

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico

Filesize
288KB

MD5
e9dac60a98b0ec9845e85c3bab47dc9e

SHA1
fc3de7f919c3d252200c076f39fc5f1c50ef100f

SHA256
67effe324cd9cfd6305f133f73132f395db80610d021ec49c034be8787427865

SHA512
5eb58d770342885417e8c2369118f9a8bd97a0a6791ce80fe41dcbbee2e6ea1b18b7b28bc3b0f8281e7a9cb1eba6bfdf26d4f49f0af93c69d8437949b4e27a2c

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe

Filesize
288KB

MD5
01bbe782a1da233c59881ed2d18f4f06

SHA1
723d4dfdab2b477633455d4775e32bd52f081c7b

SHA256
7ded5e3c9c066789a50305a048639afeab4dffcc9673ae7f1092e5af7c6a91b1

SHA512
492b202ab850c4f120c4ac7854bf7e7acc865505679d8973736ed3ea28f4b77b645c8a15d806805064ebc81ebd1b4bf07e1fd4023307673d3ce4b81d49c7d175

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico

Filesize
288KB

MD5
6bf1b2146ba3540545448a926ff40165

SHA1
66b963a3f0e97eb71492843a68ac3267b61930d3

SHA256
02e55933849f8531e8962b00e4cbce4ea15a02601a59ae1a5391db50351320a3

SHA512
3d5885b62493f2d1f5cc5cc4d5cb7df275aa32d0d895b6aa0c88d4998dd069fad3a721e55b848ad86e89d9864a48faa39166de2022b2f23e44a29779b6e3a49a

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico

Filesize
288KB

MD5
4f09f865a9fd5d8f05cb77b6ea920eb5

SHA1
83e702dfe668f12f4c351e4114af85bdffb08003

SHA256
602bdde954c8a106a09260eb1b03fb2df8aba378716de04528aa4c3b33a68ab4

SHA512
94307e522ed4db259549394f24ff41a78c5c6400080d6cd98098a79c33ac1bfe80022d30f8d2c5e73c8ec74d313793e7d175025b695aa57595b4de3654c59201

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt

Filesize
27KB

MD5
712aa429360369f240a35bd484a37a8a

SHA1
b6491d0f00978298213379460a667cfaee37d3d1

SHA256
944c02f5496032b714f197189f6cd2ee3dae254a9dcfd66ff27e8afce675dde5

SHA512
15ca3e4d08f80059cc01f1f536ca853f565a9ff1c408211275b8d79a14e21223f1eee287fa1293c113b9027e96fc3f20c047376001c0f501deedba7b6f0b3d83

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0c16fedd5820bb1623041d2569570ee0

SHA1
3382bcf0902377250b6858fad41ed6f2199261be

SHA256
eb256f0720364a61b9af70443e65200175e9597879e8c0fc59ff668974c41f77

SHA512
d74dc45dcc96f5b3f9ea05c5f845f9a7405073772c220fadd1d329805347befb538438bc9b7e75351b6f9b99672e2619588e5989579cbb5bf9af88db9e71bd01

Download Submit
C:\Windows\Installer\MSIC0EF.tmp

Filesize
112KB

MD5
8f680e0f517d35bb14f984a7f197e35c

SHA1
1ad84f7120c2712a32ef5aa82edde5b704eeb27f

SHA256
030d6e3dadf9da76a1f5e15657cb7673265ea545402f181624cbf64a45e53805

SHA512
dda5cec6042f2c255dcc814c5f19e7692beb07de9ab950bf817169d076b368cdfb268aff1b5b5caa12409058e015124206a9b87714133226b84d3eb5b850013a

Download Submit
C:\Windows\Installer\MSIC14D.tmp

Filesize
156KB

MD5
a44986470c4513447017ebf68fd2903b

SHA1
d5816fd82873fc9b1b35131624daf70fb86c2e72

SHA256
b75408cd4961060f0ebc89340d37fb94c42509c17d7540464f6a13e6a94c57c5

SHA512
1b28e5f30049d8b50e1d4245b988a995a5901a250f8af3fea21a6b9155c7529ba6720784f7da0f63ad2be33b118c5a8f6c734939d8c49711d20486dd89ea0b84

Download Submit
C:\Windows\Installer\MSIC17D.tmp

Filesize
84KB

MD5
94ee5f4e1500435f1d8eba5a54c231ed

SHA1
d8ab879fd681cdbf7cfab010523ab7c950b68e87

SHA256
5fec0c3e5c0dafcb9950eb84e2b5e59a679877bd128bb9cf7290b47ed76f9495

SHA512
10ea6ff3497d13b2f8e4f20e833297603f68f90ff42ac6224933d04aea8fd28365383b414acb513c155e032b642df33cd948ecb321bd337494de62a1b2f523a7

Download Submit
C:\Windows\Installer\MSIC6C3.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll

Filesize
3.5MB

MD5
73268e1e7631874e7a0bee23401ab33c

SHA1
d7f83969a451d0de4a63222de728372c60f2d8dd

SHA256
bc4f488a26fd622c64f01e579d74b27047ada3e26a73ae8529222b1b8029d04e

SHA512
2b9f8e2c69393370e8940082adee9aa52e8fd1e4f899dbda58790af0cf7c8d0c7bed2ab6e0f528a95d8a04bbe82b29e16fdf31ba26b012af03535a9c852cd5d4

Download Submit
\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll

Filesize
92KB

MD5
bffee4f37b42ba3d2a45f99862dae391

SHA1
3673487da9c5b8b2402fd190f981c279d5fed7a8

SHA256
f51ab4da2b60760c654318f84fff0f62ddafc1f33f4327d13e74e80d6df24412

SHA512
f64f343ae84147f1465488a3fb36108ae1f163eac900a55720165ad24b9b271d861897070cb258a97210b49141d68b16677ed8f9e919a561e5c882249acc32be

Download Submit
memory/440-158-0x0000000000CF0000-0x0000000000D08000-memory.dmp

Filesize
96KB

Download
memory/440-156-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download